"I am using a 3rd party service that has both super-creepy and low-creepy modes. How do I get Privacy Badger to yellow-list that service on my site if I promise to only use them in low-creepy mode?"

[AramZS]

I stole the issue phrasing from @dmarti here, which I think is accurate in this context. This issues comes off our discussion in #1596 at the request of @ghostwords.

The issue at hand is that it is possible to use DFP, which is the primary ad server of most legit sites, in low-tracking mode (nonPersonalizedAds which complies with the current assumed state of law under GDPR). To quote liberally from the previous issue:

I said:

For example, in/for the EU many publishers switch Google to setRequestNonPersonalizedAds mode (see: support.google.com/admanager/answer/7678538?hl=en ), in which case DFP does no meaningful user tracking itself with requests coming from those URLs.

I agree, the direction of the web needs to move to eliminate unasked-for tracking, and I think tools like Privacy Badger are good for pushing publishers and advertisers towards a less-tracked environment on the web. I don't think the status quo need continue the way it is (I suspect we'll see regulatory action to force the situation in the US anyway), but at the same time: if Google turned off all tracking tomorrow (unlikely I know!), or if the the publisher has their system configured to not use tracking, Privacy Badger will still block completely non-invasive ad calls.

There are sites that actually do the work to turn off user tracking and they are being penalized for using particular software, which is non-optimal. If the goal is to incentivize sites to become more private, I'm not sure this helps.

Specifically we're looking at the activation of non-personalized ad mode in DFP's configuration script. Which doesn't implement any DNT policy transmission on behalf of Google's service, but does turn off a great deal of tracking.

@dmarti put together a plugin that tries to switch sites into the non-tracking mode that might be useful to look at as well - dmarti/trans-europa-express

@dmarti said:

It would be great to see that work, but it looks like Google scripts are still going to try to set a cookie that will get Privacy Badger to block them entirely.

"Although these ads don’t use cookies for ad personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse." -- support.google.com/admanager/answer/7678538

So if users can't get the ideal behavior because Google in "non-personalized" mode is still detected as a tracker, what about:

If a page has Google Tag Manager, inject JS to try to put it into "non-personalized" mode

If you can successfully switch on "non-personalized" mode then yellow-list Google for the site where it succeeded.

I think the goal of this issue is to yellow-list DFP/Google Ads Manager use that is in non-personalized mode.

While it would be nice for sites to seek other options that are more in line with Privacy Badger's philosophy, the economic and marketplace realities push sites into use of DFP (see: https://adexchanger.com/the-sell-sider/are-unified-pricing-changes-good-for-publishers-or-good-for-google/amp/?__twitter_impression=true ) and if a site expresses an interest in aligning against a tracking methodology by setting setRequestNonPersonalizedAds they should see a positive incentive for doing so. Especially when, if such a system were yellow-listed, it would presumably match the interests of Privacy Badger's users and serve to push the marketplace away from user-tracking ads.

[colinje]

Yikes... So you're suggesting we trust the most notorious tracker on the web, that is going to behave like a tracker, even after making a request not to be tracked? And you want Privacy Badger to give them a yellow light?

I'm all for encouraging site creators and ad networks to respect user privacy, but to make an exception for the biggest violator of privacy on the web, to reward site creators for actively being less creepy, isn't an approach I agree with.

[AramZS]

To be clear, non personalized mode would turn off all personalized tracking and just uses cookies for ad pacing purposes. If those cookies are blocked the system does not do user tracking, as is required by GDPR compliance, for which this particular functionality was built.

[dmarti]

Does DFP in non-personalized mode meet the criteria for yellow listing?

https://github.com/EFForg/privacybadger/blob/master/doc/yellowlist-criteria.md

One item is "Is the domain's privacy policy clear that it does not perform non-consensual tracking?"

I can see a bunch of publisher-facing docs for personalized/non-personalized ads -- https://support.google.com/admanager/answer/9005435?hl=en# -- but can't find anything user-facing.

[ghostwords]

Related: disconnectme/disconnect-tracking-protection#31, disconnectme/disconnect-tracking-protection#84

[colinje]

Great info. I'd like to know more about how GTM gets listed in comparison to Enlighten or other tag managers. (I don't have googletagmanager domain listed for me.) Looking at my own tracking list, I have tagger.opecloud.com green-listed because it provides DNT policy (https://www.eff.org/privacybadger/faq#-I-am-an-online-advertising-/-tracking-company.--How-do-I-stop-Privacy-Badger-from-blocking-me) If GTM won't track users like its policy describes, then providing a DNT policy would solve this. (Going a step further than yellow and getting green-listed) But I'm guessing this setRequestNonPersonalizedAds request doesn't go to a particular non-tracking subdomain. Maybe GTM and EFF could meet halfway, where you can specify non-tracking requests for your domain in the DNT policy GTM would provide, and PB could consume those non-tracking requests and allow them?

[AramZS]

So, let me create some clarity here, GTM is a substantially different case in a lot of ways, though I would argue that its current state of affairs ( https://support.google.com/tagmanager/answer/9323295#data ) would indicate that it is not doing anything itself to implement third party tracking and shouldn't be set to red by default, but yellow. But I also do see the point made in the other thread - it is fundamentally designed to be a black box of a tool that could be harboring arbitrary scripts that do anything. Depending on your blocking methodology and philosophy I can see both sides of that argument. I am not familiar with Ensighten.

Google's ad server (when in non-personalized mode) is a different matter, in part because its behavior is significantly more predictable.

I agree that it would be preferable if Google Ad Manager/DFP used a different domain that could have a different DNT policy on it, but because the form of the request is not known on its initial transmission (the first request specifies if it is personalized or not personalized) that doesn't seem technically possible. Especially because the specificiations involved would treat all base-domains the same, regardless of subdomain, if I understand the expected use of /.well-known/ correctly?

In either case I think that Google Ad Manager will continue to use cookies, and I'm not sure it would be make sense for them to post a DNT policy on their server into /.well-known/. I doubt we could get them to the point of being marked 'green'. But I do like the idea of a contingent policy transmission as a possible half-way point. Would it be possible to create a situation where Google or the top-level page could transmit a DNT policy (or a policy that would comply with requirements to go 'yellow') in some situations? Perhaps in a way that Privacy Badger could check that there was an indicator the site was in DNT-mode? It would be very useful in that it could create a pathway to allows sites to potentially measure impact, respond thoughtfully on what occurs in both modes, and potentially slowly move off tracking mode to non-tracking mode.

Alternatively, if we could get Google to articulate a clear public/user-facing policy for non-personalized mode on one of their help pages, would this resolve the issue?

[colinje]

From testing this myself, I can confirm that GTM is listed as a domain that doesn't appear to be tracking.

Even though the RFC for /.well-known domain registration gives example.com, I don't think it rules out registering sub-domains. (Looking for @ghostwords for clarity) If Google was to stand up a sub-domain, register a /.well-known/ DNT policy, and notify publishers of the new non-tracking end-point, then that would work. I have a feeling this would be the easiest path to take in comparison to modifying the DNT policy to allow specifying a list of non-tracking requests. If there was an update to DNT where you could specify non-tracking requests, Google would still need to register the policy, and I agree that such a policy should be flagged as "yellow" and not the typical "green".