Proposal for Prebid.js Enforcement of Device Access #4747
Comments
|
@bretg 100% agree with this proposal, also thanks for taking it under serious consideration. |
|
This proposal implements a healthy skepticism on the front-side of the header bidding auction: usersync calls will not be made in the scenarios described above. If they are made, it's up to each vendor's end point to do the right thing. PBJS cannot control whether a vendor tries to set storage when an ad is rendered. |
|
Rubicon is offering to staff this one. @mkendall07 - this is probably a big enough change to consider making it a 4.0 because it could change monetization characteristics for pubs... there are settings they should be thinking about before releasing. The sub-committee discussed releasing this feature with 3.x and defaulting to equivalent 'permissive' config, but we're leaning towards biting the bullet here and tightening sooner rather than later. The issue being that we're still putting out patches for 2.44.x. Worth discussing. |
|
The PBJS committee met and agreed that this feature should be developed in the context of 3.x with default that don't change behavior. At some point (perhaps soon), we may decide to change the defaults with a 4.0. FWIW - this item didn't make the cut for the current Rubicon sprint. If there's anyone else who can implement sooner, we're happy to review. |
|
It seems there may be one more scenario to consider: California users under 16, which become opt in required instead of opt out like California adults. |
|
PBJS doesn't know the age of the user. But point taken that the COPPA flag should take precedence. |
|
My concern is that when a publisher knows they have content aimed at users
14 to 16 years old, they may wish for gdpr like controls to be in place on
device access for California users rather than CCPA like controls. An
article in adexchanger today reports that for teenagers not covered by
COPPA in California, USP should default to opted-out rather than opted-in.
This seems to have relevance to this issue.
…On Mon, Jan 27, 2020 at 2:13 PM bretg ***@***.***> wrote:
PBJS doesn't know the age of the user. But point taken that the COPPA flag
should take precedence.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4747?email_source=notifications&email_token=AAM25ZYFM7OKTJQIKH2AUSTQ74W6DA5CNFSM4KIB23S2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKAWLTQ#issuecomment-578905550>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAM25ZYIZLLFQBBOS2FG6A3Q74W6DANCNFSM4KIB23SQ>
.
|
|
Patrick - I think this scenario should be covered by the flexibility being required, but I added a specific row nonetheless. |
|
I'm going to propose that we defer this effort -- instead of building it for TCF 1.1 when we're so close to it's end-of-life. How about we instead implement as part of #4867 directly in TCF2.0 instead? |
|
That unnerves me a bit given the genesis of the ticket this was based on.
TCF 2.0 is IAB guidance, but this ticket stems from an actual government
complaint.
…On Tue, Feb 18, 2020 at 7:29 PM bretg ***@***.***> wrote:
I'm going to propose that we defer this effort -- instead of building it
for TCF 1.1 when we're so close to it's end-of-life.
How about we instead implement as part of #4867
<#4867> directly in TCF2.0
instead?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4747?email_source=notifications&email_token=AAM25Z5TDPFMKW7M3BEZMHLRDR4ORA5CNFSM4KIB23S2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEMF4HEY#issuecomment-587973523>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAM25Z5GF4U6X4FNAMTNWPTRDR4ORANCNFSM4KIB23SQ>
.
|
|
My views on this are:
That way publishers and networks are being informed of possible legal problems without having to test things by themselves and can choose to include (or not) problematic modules. |
|
We discussed in today's Prebid.js meeting and came up with a radically simpler (and quicker) approach, relying on the publisher to determine when to turn off device access and then configure:
The proposed new config option is: |
|
Mmm... How do you see this working @bretg? Since Prebid.js is waiting for the CMP to get the consent string, wouldn't it be normal for Prebid.js to parse the response and apply the appropriate config? Otherwise I only see it delaying the bid requests even further. |
|
@benjaminclot, do you not see an urgent need to do something before TCF 2.0
consent string parsing and enforcement is developed? In the meeting today
your comments on #4701 were mentioned reflecting the urgency of an interim
solution.
…On Wed, Feb 19, 2020 at 1:57 PM Benjamin Clot ***@***.***> wrote:
Mmm... How do you see this working? Since Prebid.js is waiting for the CMP
to get it the consent string, wouldn't it be normal for Prebid.js to parse
the response and apply the appropriate config? Otherwise I only see it
delaying the bid requests even further.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4747?email_source=notifications&email_token=AAM25ZZDADMRMFDMJOU6B6DRDV6JZA5CNFSM4KIB23S2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEMJBNWQ#issuecomment-588388058>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAM25Z3W2ZQRP3ZBKH6YNC3RDV6JZANCNFSM4KIB23SQ>
.
|
|
@patmmccann interim yes, but useful. As described, the proposal is not very useful and doesn't rely on the user's choice. And it doesn't fix the endpoints writing cookies (even with usersync disabled) whatever the consent is, which is what the government agency is looking at: "no consent, are cookies being written?". |
Building full TCF-parsing capability in Prebid.js is going to take some time. At least weeks. In the meantime, we want to give publishers the ability to manage these scenarios. The idea is that logic on the publisher's page determines "Purpose 1 consent needed but not granted", and takes the following actions:
We will make sure that all modules (including criteo) Do The Right Thing when deviceAccess is false. They must either use the core storage utilities or read the deviceAccess config themselves.
It does rely on the user's choice, but it's up to the publisher to parse that choice and set up Prebid appropriately.
We'll get there. But as you see from the PRD, TCF support is bigger than we understood. We've already lost a month since you opened the original issue, and need to provide a very short term workaround. So - before Prebid.org goes and builds this rather complicated functionality into javascript, we really need feedback from publishers that it will be utilized. From this conversation, it appears to desired, but so far there's been no response from the pubs that are members of prebid.org. The other strategic approach Prebid could take is to just suggest hooks for publishers to parse the strings on their own and implement callback functions to configure Prebid behavior. e.g. say the user rejects bidderA. There are four approaches:
|
|
First off, thanks to everyone involved in this project, I know it's hard to hear everyone's opinion while still trying to make things go forward and be fast and efficient in a post-GDPR world. That being said, it's been almost two years, so I think it's time laws be enforced, not just because the IAB changed the TCF version. Also, the base subject kind of got sidetracked, with focus being made on userSync and having to parse the consent string client-side. As of today, here is the situation:
This is why my previous proposal still stands, at almost no dev cost to Prebid.js core maintainers:
Then you have two choices: either Prebid.js becomes a "cop", thus enforcing GDPR, and removes non-compliant modules (after a grace period?); or Prebid.js publishers, knowing fully well which modules are compliant or not, take their own responsibilities. This solution, while being easy on the Prebid.js team, will ensure basic GDPR compliancy, hopefully in a short time. PS: virtually no one blocks purpose 1 for a single bidder, so these tests can come at a later time. |
|
I appreciate your thoughtful writeup @benjaminclot , but disagree with the statement "almost no dev cost to Prebid.js core maintainers". Becoming an automated and proactive "cop" or "auditor" is big change for Prebid and will come with dozens of hours of edge cases, debate, documentation, communication, coding, testing, and troubleshooting. I personally agree that Prebid needs to head in this direction, but it will not be a quick transition. @mkendall07 may have a different view, but I stand by my short-term proposal and have asked a Rubicon Project engineer to build the And then we'll:
|
|
As I see things, the As for our publisher and its upcoming audit, the only real solution for GDPR compliancy will be to wait for the consent string, parse it and in the absence of consent, don't retrieve ads... CMPs are now ad blockers 😞 |
I disagree with this. When it comes to purpose 1, Prebid.js will enforce that the open source bid adapters are using the core cookie functions which will pay attention to the flag. As a result, they will not be able to set first party cookies if they shouldn't. We cannot prevent their endpoints from attempting to set 3rd party cookies. I argue that this is an adequate near-term solution. If deviceAccess is set to false, there won't be any first party cookies. You can already control usersyncs. You can already control userId modules. What's missing? (at least in the context of Purpose 1) |
GDPR dooesn't make the distinction between 1st party and 3rd party cookies (nor does the French CNIL). No device access means no cookie (well, except for the consent one, obviously). At all. They don't expect half measures on this front and have clearly stated it. |
|
I'm skeptical that any major vendor's endpoint is trying to set a 3rd party cookie on an auction request. Happy to be proven wrong. But if they are, we will have to address it case-by-base for now. Setting up test pages that hit real end points for 250 bid adapters is going to be an unbelievable headache. I've tried this for just ~10 adapters in Prebid Server and it sucked... test params don't work, contacting the listed "maintainers" often results in bounced email or no response. And when it comes to the theory that auction endpoints are setting 3rd party cookies, how are we to know whether a no-bid or test params has the same behavior as a real bid params? Anyone who wanted to trick us would have no trouble doing so. We will continue to discuss Prebid's role in policing the whole internet, but solving the first-party cookie problem is clearly something that we can do and perhaps should have done last year. I would not bet that Prebid ever becomes a perfect auditor/cop. It's too easy to hack the auditor. (will try not to make a VW reference. oops, failed.) Each publisher should consult with their legal counsel to determine their course of action should a vendor be found attempting to set 3rd party cookies. One obvious remedy is to boot them from your auction until they clean up their act. That will get better action than a nag email from an open source group. |
Just to prove my point, with Rubicon, on the fastlane endpoint in a private window and no consent, here is what happens:
Yes, this is a good first step.
I agree, this will be tough. |
|
Thanks. I've slacked you on AdOps to get some more details about what you're seeing with Rubicon. |
|
Adding people whose modules are going to be affected by this effort: @loorke, @goosemanjack, @rcheptanariu, @pycnvr, @mizmaar3, @vgrigory, @jrosendahl Your modules were making native JS calls to setcookie, getcookie, setlocalstorage, or getlocalstorage. This isn't allowed under certain scenarios, so they've all been changed to use the centralize functions in utils.js which will enforce the access rules. The moules:
|
|
At the request of @patmmccann adding a few thoughts here. If these should go elsewhere, please let me know. Parrable, as an Identity provider, has a need to persist certain signals in our first party cookie and pass them to the publisher partners that are accessing our UserID module. Specifically, users can indicate an opt-out signal to IBA and CCPA through the NAI/DAA consumer choice and privacy tools and those choice. These essentially are signaling an opt-out through the identity provider, not the publisher... globally essentially. The implementations of IBA and CCPA may be different rom each other depending on the implementation of the service provider. With IBA, perhaps the ID is suppressed, or perhaps it is a signal that is passed to the bidder so that if the bidder is performing IBA they know not to. Parrable uses the latter. We does not require that the ID be suppressed only that the signal be present and respected. With respect to CCPA, we do suppress the ID, but we still pass the opt-out signal so that the bidder knows that the ID is not present because of consumer choice (useful statistically). We have run into a few issues here:
Happy to engage in further discussion here or elsewhere. I think that these are important need for the user ID module interface. It needs to be a little more flexible. |
Not correct. Each userID module is (and was) free to define its interface to bid adapters. Only digitrust took advantage of this. Since only Conversant, Ozone, and Pubmatic are referring to parrableid, you would just need to work with the three of them to change your interface to an object. I would recommend just changing the code for them in a single PR and let them review. You're welcome to version the object if you wish. I'm not sure if you're asking for permission to do your own setCookie without going through the central utils.js functions, but if you are, that will only be allowed with clear documentation in your user ID module indicating to publishers that you have requested an exception they need to be aware of. |
|
Following up on the thread with @benjaminclot from above, did some digging and found that there is a change we should consider making. It's sorta separate from the device access piece, but is related to GDPR, so I'm proposing we discuss here.
Proposal: Between this and manually turning off usersync, I think we'd be in better shape. |
|
The default scope flag would work well in our stack, great idea!
…On Sun, Mar 1, 2020, 3:06 PM bretg ***@***.***> wrote:
Following up on the thread with @benjaminclot
<https://github.com/benjaminclot> from above, did some digging and found
that there is a change we should consider making. It's sorta separate from
the device access piece, but is related to GDPR, so I'm proposing we
discuss here.
1. Rubicon (and perhaps other bidders?) is not always doing IP address
lookups to determine GDPR scope. So if the CMP doesn't load and an EU
request goes out without the "&gdpr=1" flag, a cookie may be set.
2. Prebid.js could solve this problem allowing pubs to force the page
into GDPR mode.
Proposal:
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab',
timeout: 8000,
allowAuctionWithoutConsent: false,
defaultGdprScope: true // always send gdprApplies: true to adapters
}
}
});
Between this and manually turning off usersync, I think we'd be in better
shape.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4747?email_source=notifications&email_token=AAM25Z3DXR4WYPIVIKH2V3LRFK55LA5CNFSM4KIB23S2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENNJK4Q#issuecomment-593139058>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAM25Z6CD4FU4IEVBJN7EWLRFK55LANCNFSM4KIB23SQ>
.
|
|
apparently there are a lot more adapters affected by this. Heads up to:
Please check the PR and confirm you're good with the changes we're making for you. |
|
This looks good from my end. Edit: Actually, @bretg I was wondering, just to confirm, are these settings overridable per-adaptor by the publisher? I haven't followed the thread closely but the initial design at the top seems to indicate they are. However I'm just double checking if the changes made to our adapter will be configurable by the pub for our adaptor specifically, if desired. |
|
@samuelhorwitz - this phase of the update isn't overridable per adapter. We're working on the full TCF2.0 support where flexible overrides will be available. The assumption for this phase is that the page already knows the GDPR scope and has to parse the TCF string because header bidding isn't the only service that needs it. Since the page already knows this info it can Do The Right Thing:
|
|
Thank you bret! |
|
This looks good for me
Best regards, Mikhail Necheporenko CTO at Roxot
12 марта 2020 г., 18:05 +0300, Samuel Horwitz <notifications@github.com>, писал:
… Thank you bret!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
@benjaminclot - the PR for DeviceAccess is part of 3.12. See http://prebid.org/dev-docs/modules/consentManagement.html#page-control-of-consented-activities and http://prebid.org/dev-docs/publisher-api-reference.html#setConfig-deviceAccess Unfortunately the |
|
|
|
"PBJS should prevent header bidding activity from accessing the device." |
(followup to #4701)
Proposal for Prebid.js Enforcement of Device Access
Objectives
Assumptions
Scenarios
Functional Requirements
The general structure of the feature is to establish:
The system must support setting device access permissions in the following ways:
Default: User settings (i.e. GDPR consent string, COPPA flag) over publisher settings (e.g. setConfig)
Publisher settings over user settings
The system must be able to enforce the device access permissions.
If a bidder or UserId module wants to be excluded from the rules, they must add a comment into the code and on their prebid.org documentation with a link to their privacy policy.
The text was updated successfully, but these errors were encountered: