"I am using a 3rd party service that has both super-creepy and low-creepy modes. How do I get Privacy Badger to yellow-list that service on my site if I promise to only use them in low-creepy mode?" #2421
Comments
Yikes... So you're suggesting we trust the most notorious tracker on the web, that is going to behave like a tracker, even after making a request not to be tracked? And you want Privacy Badger to give them a yellow light? I'm all for encouraging site creators and ad networks to respect user privacy, but to make an exception for the biggest violator of privacy on the web, to reward site creators for actively being less creepy, isn't an approach I agree with.
To be clear, non personalized mode would turn off all personalized tracking and just uses cookies for ad pacing purposes. If those cookies are blocked the system does not do user tracking, as is required by GDPR compliance, for which this particular functionality was built.
Does DFP in non-personalized mode meet the criteria for yellow listing? https://github.com/EFForg/privacybadger/blob/master/doc/yellowlist-criteria.md One item is "Is the domain's privacy policy clear that it does not perform non-consensual tracking?" I can see a bunch of publisher-facing docs for personalized/non-personalized ads -- https://support.google.com/admanager/answer/9005435?hl=en# -- but can't find anything user-facing.
Great info. I'd like to know more about how GTM gets listed in comparison to Enlighten or other tag managers. (I don't have googletagmanager domain listed for me.) Looking at my own tracking list, I have tagger.opecloud.com green-listed because it provides DNT policy (https://www.eff.org/privacybadger/faq#-I-am-an-online-advertising-/-tracking-company.--How-do-I-stop-Privacy-Badger-from-blocking-me). If GTM won't track users like its policy describes, then providing a DNT policy would solve this. (Going a step further than yellow and getting green-listed.) But I'm guessing this
So, let me create some clarity here, GTM is a substantially different case in a lot of ways, though I would argue that its current state of affairs ( https://support.google.com/tagmanager/answer/9323295#data ) would indicate that it is not doing anything itself to implement third party tracking and shouldn't be set to red by default, but yellow. But I also do see the point made in the other thread - it is fundamentally designed to be a black box of a tool that could be harboring arbitrary scripts that do anything. Depending on your blocking methodology and philosophy I can see both sides of that argument. I am not familiar with Ensighten. Google's ad server (when in non-personalized mode) is a different matter, in part because its behavior is significantly more predictable. I agree that it would be preferable if Google Ad Manager/DFP used a different domain that could have a different DNT policy on it, but because the form of the request is not known on its initial transmission (the first request specifies if it is personalized or not personalized) that doesn't seem technically possible. Especially because the specifications involved would treat all base-domains the same, regardless of subdomain, if I understand the expected use of In either case I think that Google Ad Manager will continue to use cookies, and I'm not sure it would make sense for them to post a DNT policy on their server into Alternatively, if we could get Google to articulate a clear public/user-facing policy for non-personalized mode on one of their help pages, would this resolve the issue?
From testing this myself, I can confirm that GTM is listed as a domain that doesn't appear to be tracking. Even though the RFC for
I stole the issue phrasing from @dmarti here, which I think is accurate in this context. This issue comes off our discussion in #1596 at the request of @ghostwords.
The issue at hand is that it is possible to use DFP, which is the primary ad server of most legit sites, in low-tracking mode (nonPersonalizedAds which complies with the current assumed state of law under GDPR). To quote liberally from the previous issue:
I said:
@dmarti said:
I think the goal of this issue is to yellow-list DFP/Google Ads Manager use that is in non-personalized mode.
While it would be nice for sites to seek other options that are more in line with Privacy Badger's philosophy, the economic and marketplace realities push sites into use of DFP (see: https://adexchanger.com/the-sell-sider/are-unified-pricing-changes-good-for-publishers-or-good-for-google/amp/?__twitter_impression=true ) and if a site expresses an interest in aligning against a tracking methodology by setting setRequestNonPersonalizedAds they should see a positive incentive for doing so. Especially when, if such a system were yellow-listed, it would presumably match the interests of Privacy Badger's users and serve to push the marketplace away from user-tracking ads.