Re: [Pearg] Call for adoption: draft-learmonth-pearg-safe-internet-measurement-02.txt

Eric Rescorla <> Mon, 27 May 2019 15:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DCADE12015F for <>; Mon, 27 May 2019 08:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n3BZtkrhUdWG for <>; Mon, 27 May 2019 08:44:44 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6886120074 for <>; Mon, 27 May 2019 08:44:43 -0700 (PDT)
Received: by with SMTP id h19so6673270ljj.4 for <>; Mon, 27 May 2019 08:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8auagqmd4GgjqWqHutKDMtsG+aLCSs27JQEFLltrXL0=; b=n8pFq7xXP5rU7g+vba283v+f2rC2y/oLc73iTwmmjBY5OQQFeT4ZdzDtFArlKG7TLZ sfiLLHktfqjL1jURTd9J1uCPqXdtm5DRkRHykl0RXrMJlLRItFQYVKO19sOldxdbxWUy 2DQGiRmQNGm3ygMwGxfcdnefNR3+XT0VXI9u9EotKBRSlG2lOQ4kaOx3gEp+NzpDWAC0 nZduVL0czFCx1VmO82Uyid2T9P3G0vHP2Y5Li8x6iMvsq2VFCKjYy98pwyjosFGMBYcy cwttZ66iMwKygoTsucPFnYO2rlho0lvP0R0NNS9ucXnkAX/lKcteXBHoxAjvJwWDpNRN YLxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8auagqmd4GgjqWqHutKDMtsG+aLCSs27JQEFLltrXL0=; b=elKp7D71ENYjNQZrtvfw0oVa2Dt5B6zl+vmKkUlSp5esTwpqroiHdeV/uVnUWgQWV8 r6HYZS/ijxlFBHb4Bak/NitZqXSDHTD433C5kJbBZNQimgLEn3FSK3hpnOFlihL44IKC YYHRtp43Fnm1D8XDpke2Pwl9t9Vp5H3p3jD7kKGt0h2ZeyW0E3r7+T+HoPx3NS2Pwjr2 vy/0iYUFHWbeMrJDW4awRNyzB10CS0Z4MNxwdfymheZEDc39vPP6Gnxob7yTtdl3FWgD dMctFN8WUXwzXvSmrbVlpOF6AD0Qvb3WKg2IKEA9H9e/N3k8bFaypTJKkm5E16gkuPnZ 83mg==
X-Gm-Message-State: APjAAAVUZXY5JpFAhBPg6bmdzybQfKkUSJ+O5I64q+EX1hJX8xvTIERJ FN3KWm4AuUr93fQs6mvvQjIswjNec35+lrzSomDEnhVz
X-Google-Smtp-Source: APXvYqz9BkzcsuH0T/Va4vifzWD36G7WJCAdhT/g9BPk+W8HWQmc6x2Gez9wk5lpYIRxRnchqXSzPLjxzKX5tdWaORE=
X-Received: by 2002:a2e:809a:: with SMTP id i26mr9237293ljg.182.1558971882039; Mon, 27 May 2019 08:44:42 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Mon, 27 May 2019 08:44:05 -0700
Message-ID: <>
To: Vittorio Bertola <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="0000000000003e82370589e06def"
Archived-At: <>
Subject: Re: [Pearg] Call for adoption: draft-learmonth-pearg-safe-internet-measurement-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 27 May 2019 15:44:47 -0000

On Mon, May 27, 2019 at 8:23 AM Vittorio Bertola <> wrote:

> Il 27 maggio 2019 15:34 Eric Rescorla <> ha scritto:
> The text in this draft leans pretty heavily on getting consent,
> either direct consent (including all users of the shared network)
> or "proxy consent".
> However, many of these kinds of studies don't really lend themselves
> to detailed consent from individual users of the browser -- let alone
> to from every user on the network they are on. As a concrete example,
> ad-type studies don't generally get any kind of consent at all.  For
> instance, here's the experimental setup for APNIC's DNSSEC
> measurements:
>     The experiment uses an online advertisement campaign to deliver
>     the test code to end systems. When the end system is passed an ad
>     that is carrying the experiment the system runs embedded Adobe
>     Flash code. The code is executed when the ad is passed to the
>     user, and does not rely on a user "click" or any other user
>     trigger action. The active code interrogates one of two experiment
>     controllers by performing a URL fetch. The contents of the fetched
>     experiment control URL are a dynamically generated sequence of
>     four URLs. These four URLs are the substance of the test setup.
> It's worth noting at this point that the Web is a platform for running
> remote code, and by browsing you're opting into that, and ad studies
> just leverage that behavior.
> That's not very accurate, at least under European regulations. It's not
> "by browsing you're opting into that", it's rather that each website shows
> you a cookie consent popup, and that's where you provide your consent and
> opt into receiving various types of cookies, including the ones that make
> ad-based experiments work. If you reject advertising/customization cookies,
> of course the ad-based experiment should not work.
On top of that, the text asking for consent to these cookies should specify
> that you will not just be shown customized ads, but that personal
> information about you will be collected.

You may be misunderstanding my point here, as these studies don't really
rely on tracking cookies. If you're browsing the Web with JS on, your
browser will execute whatever code it gets served. That's just the nature
of the Web.The reason you use an ad network isn't primarily to take
advantage of tracking behavior but rather to cheaply get a large sample of
users (note that big sites like Google or Facebook can do this without
taking advantage of an ad network). Now, as it happens, ad networks do
generally use tracking cookies, and it's sometimes useful to use that for
targeting, but in general these studies run fine even in environments where
third party cookies are completely disabled, as in Safari ITP or Firefox

By the way, the fact that "these kinds of studies don't really lend
> themselves
> to detailed consent from individual users of the browser" is not a legally
> valid justification for doing these studies without explicit user consent,
> at least if they collect personal information and unless they fall into a
> well specified set of exceptions.

This isn't really the appropriate place to discuss the legal parameters of
various methodologies, especially as they vary from jurisdiction to
jurisdiction. I would advise people to consult their own legal/compliance
departments rather than relying on advice they got on the Internet.