Possible Data Leakage Through AMP Load Cookie iFrame #490

Closed
gramorris opened this issue May 2, 2018 · 11 comments
Comments

@gramorris

Just checking on this. It seems that the AMP Cookie Sync iFrame is loading against all possible bidders irrespective of whether they're being used on the page. In the two examples below e-planning and conversant are dropping cookies despite not being bidders.

This would breach GDPR, since the data is not being used and presumably consent would not have been received to do this.

I don't know if it's possible but it would seem that the possible solution may be to pass bidders through to the cookie sync in url vars. If my observations are correct.

[two screenshots attached, taken 2018-05-02]

@dbemiller
Contributor

That's a really good catch!

@jaiminpanchal27, @mkendall07, @jsnellbaker ... thoughts?

@mkendall07
Member

It looks like AMP is integrating some kind of consent framework. We'll need to look into that and see if it's possible to pass consent data into PBS. ampproject/amphtml#13716

@dbemiller
Contributor

@mkendall07 I dove through AMP a bit to understand the amp-consent tag, and how it relates to amp-ad and amp-iframe. The former is used for PBS auctions, and the latter for PBS cookie syncs.

Here are some highlights:

  1. This comment says that the amp-consent tag only exposes an enum value to other elements. There won't be enough info there for us to make bidder-specific decisions.

  2. Consent status is available to amp-ad extensions, but amp-iframe ones are a work in progress... so we couldn't use it in our amp-iframe yet even if we wanted to.

  3. We may be able to pass this flag into the actual auction call, depending on the ad network being used. amp-ad implementations can define their own macros, which we could then encode into our vendor URL. I doubt any ad networks are doing this yet, so we would have to submit PRs to the networks we care about, or convince them. As an example, the doubleclick code is here

@dbemiller
Contributor

dbemiller commented May 3, 2018

@gramorris I'm not a GDPR expert, so... a question about this:

> I don't know if it's possible but it would seem that the possible solution may be to pass bidders through to the cookie sync in url vars. If my observations are correct.

I thought that GDPR required users to give their consent to each company who wanted to use their personal info. If we added query string param support for bidders, how would the publisher setting up their AMP page know which bidders the user had consented to?

@gramorris
Author

Yeah you're right, that doesn't satisfy GDPR.

On the consent flags in the amp implementation I don't think that's fit for purpose yet. We've just got to the testing stage now but I don't think there's the ability (there should be and hopefully will be) to get optional consent for multiple vendors and have separate consent flags for each.

Google are selling the AMP solution so I'm assuming they intend to have it complete at some point.

@dbemiller
Contributor

dbemiller commented May 3, 2018

Actually... I may have spoken too soon here.

This Issue is making sure that amp-consent info can be seen from amp-iframe and amp-ad tags.

The amp-consent docs say that the tag only supports a single consent ID instance (for now), and @mkendall07 found an amp-story-consent tag PR opened just yesterday. Note the vendors list in the example:

"story-consent": {
    "title": "Foo",
    "message": "Bar",
    "vendors": ["Item 1", "Item 2", "Item 3", "Item 4"],
    "color": "#0379c4"
}

All that in mind: it seems like their strategy is for publishers to use a single Consent instance/UI, and list all the vendors who they plan to share data with in their consent modal.

If that's all accurate, then it seems like we could pass query strings, the way you suggested. You could do the following

{
  "consents": {
    "some-id": {
      "checkConsentHref": "http://path.to.your/amp_consent_url",
      "promptUI": "consent-ui"
    }
  }
}

And then make sure that the consent-ui element lists off the PBS Host company and all the Bidders who you plan to sync.

We could enhance /cookie_sync to allow Bidders as arguments, as well as in query params to cookieSync script that @jaiminpanchal27 linked. It would then be up to the Publisher to make sure they include any Bidders who they drop cookie syncs for in their consent UI.

@dbemiller
Contributor

dbemiller commented May 10, 2018

I was researching stuff for #501 (similar issue in non-AMP pages), and found that the IAB defines a spec for CMPs. These manage consent data across pages, and have some standards for use in iframes:

If there's some way to load your CMP onto an AMP page and we can find a way to get the consent info into it, this would be a much better solution.

@jasti

jasti commented May 11, 2018

@dbemiller, Vamsee from the AMP team here.

> It would then be up to the Publisher to make sure they include any Bidders who they drop cookie syncs for in their consent UI.

This is exactly the assumption under which it is currently developed. Having said that, we are looking at supporting per-vendor, per-purpose consent after May 25th if that's something publishers absolutely request.

@dbemiller
Contributor

@jasti Thanks for the details Vamsee.

I did a bit more research, and I don't think AMP's localstorage scheme will integrate well with the IAB's Transparency and Consent Framework. In particular, it's very difficult (if not impossible) to implement the CMP APIs given the state: amp-consent:${consentInstanceId}: true/false.

So... I don't think it's possible for publishers using Prebid to be able to share the user's consent between AMP and non-AMP pages. All that in mind, I logged prebid/prebid-universal-creative#19 to add the query params and update the AMP docs. Once closed, publishers will need to update their amp-iframe tags to send in the query params of the bidders they want to sync.

Since Prebid Server's /cookie_sync endpoint already accepts a list of Bidders to sync, I don't think there's any more work to do for AMP in this project.

@gramorris please close this and follow prebid/prebid-universal-creative#19 if you feel like this sufficiently addresses your concerns.
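The design the thread settles on (the amp-iframe names the bidders to sync in its query string, the publisher's consent UI lists the PBS host plus every one of those bidders, and only consented bidders are handed to /cookie_sync) is easy to get wrong in the one direction that matters: syncing a bidder the consent UI never mentioned. The following is an added example written for this page, not code from the Prebid project, prebid-universal-creative or any participant. It assumes a repeated `bidders` query parameter on the iframe URL (hypothetical name; the real parameter is whatever prebid/prebid-universal-creative#19 defines), a list of consented vendor names produced by the publisher's consent UI, and a `/cookie_sync` request body of the shape `{"bidders": [...]}`; all three are assumptions for illustration.

```javascript
// Added example, not Prebid project code. Assumptions: the amp-iframe src carries
// a repeated `bidders` query parameter (hypothetical name), the publisher's consent
// UI yields the list of vendor names the user consented to, and /cookie_sync
// accepts a JSON body {"bidders": [...]}.

// Parse the iframe's query string into a de-duplicated, lower-cased bidder list.
// Both `bidders=a&bidders=b` and `bidders=a,b` are accepted.
function requestedBidders(search) {
  const params = new URLSearchParams(search);
  const out = [];
  for (const value of params.getAll('bidders')) {
    for (const name of value.split(',')) {
      const n = name.trim().toLowerCase();
      if (n && !out.includes(n)) out.push(n);
    }
  }
  return out;
}

// Keep only bidders that appear in the consented vendor list. A bidder the
// consent UI never listed is dropped rather than synced by default, which is
// the failure mode the issue describes (e-planning and conversant syncing
// without being bidders on the page).
function consentedBidders(requested, consentedVendors) {
  const allowed = new Set(consentedVendors.map((v) => v.trim().toLowerCase()));
  return requested.filter((b) => allowed.has(b));
}

// Build the /cookie_sync request (assumed body shape) or return null when
// there is nothing the user consented to, so no request is sent at all.
function buildCookieSyncBody(search, consentedVendors) {
  const bidders = consentedBidders(requestedBidders(search), consentedVendors);
  return bidders.length ? { bidders } : null;
}

// Turn the body into fetch() arguments; callers do
//   const req = cookieSyncRequest(window.location.search, vendors);
//   if (req) fetch(req.url, req.init);
function cookieSyncRequest(search, consentedVendors, pbsHost = '') {
  const body = buildCookieSyncBody(search, consentedVendors);
  if (!body) return null;
  return {
    url: pbsHost + '/cookie_sync',
    init: {
      method: 'POST',
      credentials: 'include', // the sync needs the PBS uids cookie
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Constructed sample input (not from the issue): the iframe asks for three
// bidders, but the consent UI only listed the host and two of them.
const SAMPLE_SEARCH = '?bidders=appnexus,rubicon&bidders=conversant';
const SAMPLE_CONSENT = ['Prebid Server host', 'AppNexus', 'Rubicon'];
```

Running `buildCookieSyncBody(SAMPLE_SEARCH, SAMPLE_CONSENT)` yields `{ bidders: ['appnexus', 'rubicon'] }`; conversant is requested by the iframe but absent from the consent list, so it is never sent to /cookie_sync. The vendor-name matching here is deliberately simple (case-insensitive exact match); a real deployment needs a stable mapping from the names shown in the consent UI to PBS bidder codes, which the thread leaves to the publisher.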

@gramorris
Author

@dbemiller @jasti

Thanks I'll close this, in the immediate term with the amp-consent limitations I'd accept this as the solution. We have a non-optimal solution to ensure we have some level of consent on AMP pages.
