Closed SebastianZimmeck closed 3 years ago
Got it, I will just continue researching and try to follow what people are talking about on keybase. Also, will be working on the extension
Here is an explanation I received as to whether it is possible to detect at the frontend whether Do Not Sell is followed:
Regarding detection, it's complicated, but it should be possible to:
Check that calls to GAM include the RDP flag
Check that calls to adtech vendors (especially header bidding) are either suppressed or include the appropriate USPAPI flags
(I do not know what GAM is; maybe something related to Google.)
And:
Basically, when ads are inserted the URL is known as an "ad call". This is just a series of query string parameters that control how the ad server will process the ad.
One such parameter is "Restricted Data Processing" aka RDP. It's present in URLs as rdp=1 (I think it can be any truthy int). These should look like:
https://securepubads.g.doubleclick.net/gampad/ad?iu=/12345/adunit&sz=728x90&rdp=1&c=12345
(Note that I don't know if there are variations on the domain, etc. — the important part is that before Do Not Sell has been activated, rdp should be absent or 0, and after it should be present and truthy.)
For USPAPI, that piece of information should be interceptable too
Got it. Correct me if I'm wrong, but this would only check do not sell compliance for apps/sites in the Google ecosystem, or on the Adsense network?
I've got a basic extension running for finding "do not sell" links in webpages, going to try logging ad calls next and see how that goes.
Correct me if I'm wrong, but this would only check do not sell compliance for apps/sites in the Google ecosystem, or on the Adsense network?
Yes, that is correct. RDP covers all of Google. For example, per their explanation, AdMob, for ads on mobile devices, is also covered. As the ad ecosystem on the web is dominated by Google, that is OK.
In addition to RDP we could also look in the US Privacy String (USPAPI). That would be more general as it requires every member of the Interactive Advertising Bureau (IAB) to set the privacy string of a user to opt out if they have opted out. (Google is one of the members of the IAB.) We can keep this in the back of our mind. There is a short paper I wrote with @kalicki1 that has a bit of a discussion in section 5.
Closing this issue and opening a corresponding issue as we are moving to the optmeowt-browser-extension repo.
Google has acknowledged GPC telling their customers:
So, Google sees GPC as part of their RDP efforts.
We will be having more detailed conversations with Robin, Aram, Don, and others to understand RDP, its different options, how to identify it in HTTP traffic, etc.
Nothing really concretely to do at this moment. But I wanted to keep track of this point.