
Activity controls: transmit ip using geo activity, document publisher provided IP address

Open jdwieland8282 opened this issue 2 years ago • 3 comments

Type of issue

Feature request

Description

Google Chrome has announced, and is actively developing, a list-based, two-hop HTTP request proxy scheme in the Privacy Sandbox IP Protection feature. This is similar to Apple’s iCloud Private Relay. “Limiting access to IP addresses,” as IP Protection describes it, has the potential to degrade IVT/fraud evaluation and targeting use cases.

Publishers, who as first-parties should not be restricted by Chrome’s feature, may opt to share a visitor’s IP address with trusted partners.

Expected results

Publishers can configure on/off adding the device's ip to ortb.device.ip

pbjs.mergeConfig({
   ortb2: {
      device: {
        ip: '1.1.1.1',
           /* or */
        ipv6: '2001:db8:3333:4444:5555:6666:7777:8888'
      }
   }
});

Other information

@pm-harshad-mane has offered some server-side code that can be used to return the client's IP: https://github.com/pm-harshad-mane/cloudflare-ip-example

jdwieland8282 avatar Apr 24 '24 21:04 jdwieland8282

I'll make an effort to discuss in documentation and include consent considerations

patmmccann avatar Apr 25 '24 18:04 patmmccann

Two major problems here:

  1. If the user is leveraging a service that obscures their IP but somehow the publisher has access to that IP, why would counteracting the user's intent make sense?
  2. Where has it been indicated that the publisher would have special access to the IP? I haven't seen that yet and it doesn't make a ton of sense for anyone to do.

That said, transmitting an IP address across network requests seems to be a HUGE security challenge the minute the bidstream departs the hands of those with immediate access to the network request.

AramZS avatar May 08 '24 17:05 AramZS

Will also note here that transmitting the IP address would be blocked by user opt outs in California and we'd need to be sure that Activity Controls could restrict that behavior on that basis.

AramZS avatar May 10 '24 19:05 AramZS

Just adding an additional note that there are now new state laws that identify IP as PII specifically.

AramZS avatar Jul 17 '24 17:07 AramZS

there are now new state laws that identify IP as PII specifically

Can you provide references to specific sources?

bmayd avatar Jul 17 '24 17:07 bmayd

As an FYI, it doesn't look like clarifications have been made on whether a subdomain is considered 3p in this context (https://github.com/GoogleChrome/ip-protection/issues/13); that will have an impact on workarounds for pubs.

mkendall07 avatar Jul 17 '24 18:07 mkendall07

So if a pub or an RTD module sets the IP or the lat/long, we'll follow server and censor / round these values with their same logic using the transmitPreciseGeo activity.

patmmccann avatar Jul 18 '24 14:07 patmmccann
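
A sketch of the censor / round step described in the last comment, as an added example that is not Prebid.js or Prebid Server code. The function names are hypothetical, and the keep widths (24 bits for IPv4, 56 bits for IPv6) and the two-decimal lat/lon rounding are assumptions exposed as parameters; unparseable addresses are dropped rather than passed through.

```javascript
// Added example, not Prebid.js or Prebid Server code.
// Assumed defaults: keep 24 bits of IPv4, 56 bits of IPv6, 2 decimals of lat/lon.
const DEFAULTS = { ipv4KeepBits: 24, ipv6KeepBits: 56, geoDecimals: 2 };

// Zero every bit after the first `keepBits` bits of a big-endian group array.
function maskGroups(groups, groupBits, keepBits) {
  return groups.map((g, i) => {
    const kept = Math.min(Math.max(keepBits - i * groupBits, 0), groupBits);
    const full = 2 ** groupBits - 1;
    return g & ((full >> (groupBits - kept)) << (groupBits - kept));
  });
}
// Returns the masked dotted quad, or undefined if the input is not valid IPv4.
function maskIpv4(ip, keepBits = DEFAULTS.ipv4KeepBits) {
  const parts = String(ip).split('.');
  const valid = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? maskGroups(parts.map(Number), 8, keepBits).join('.') : undefined;
}
// Returns the masked address in uncompressed form, or undefined if unparseable.
// Embedded-IPv4 forms (::ffff:1.2.3.4) are rejected here, so they get dropped.
function maskIpv6(ip, keepBits = DEFAULTS.ipv6KeepBits) {
  const halves = String(ip).split('::');
  if (halves.length > 2) return undefined;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const gap = 8 - head.length - tail.length;
  if (halves.length === 1 ? gap !== 0 : gap < 1) return undefined;
  const groups = [...head, ...Array(gap).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return undefined;
  return maskGroups(groups.map(g => parseInt(g, 16)), 16, keepBits)
    .map(g => g.toString(16)).join(':');
}
// Redact a copy of ortb2.device unless precise data is allowed for this recipient.
function redactDevice(device, allowPrecise, opts = DEFAULTS) {
  if (allowPrecise) return device;
  const out = { ...device };
  const rules = [['ip', maskIpv4, opts.ipv4KeepBits], ['ipv6', maskIpv6, opts.ipv6KeepBits]];
  for (const [key, mask, bits] of rules) {
    if (!(key in out)) continue;
    const masked = mask(out[key], bits);
    if (masked === undefined) delete out[key]; else out[key] = masked;
  }
  if (out.geo) {
    const f = 10 ** opts.geoDecimals;
    out.geo = { ...out.geo };
    for (const k of ['lat', 'lon']) {
      if (typeof out.geo[k] === 'number') out.geo[k] = Math.round(out.geo[k] * f) / f;
    }
  }
  return out;
}
// Constructed sample input (documentation address ranges, made-up coordinates).
const sample = { ip: '203.0.113.77', ipv6: '2001:db8:3333:4444:5555:6666:7777:8888', geo: { lat: 40.712776, lon: -74.005974 } };
console.log(redactDevice(sample, false));
```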