12-1 PM EST / 9-10AM PST / 5-6PM GMT
- Capabilities Survey Results (30 mins)
Steven: Presentation on capabilities survey that was sent earlier in Jan. Looking at results that were potentially surprising or can help direct future conversations in the AFCG. Upcoming meetings + DST change reminder Neha: Full report is available for anyone looking to deep dive. Originally sent out the survey to ensure completeness of inventory for the ecosystem. In terms of anonymization, did not make it mandatory to include email and name. Some provided names and chose to make their results public. Shared the survey through AFCG and 1:1 convos with companies. Survey was open through Jan 31, 2023. Highlights we had 30 orgs respond. Good representation from various geos and company sizes. Got one in every category, but 5 really large companies as well. Diversity in the type of the industry as well. Wanted to ensure that we had a good mix and turns out we do. Good number from the anti-fraud vendors but representation from financial services as well. Key use cases are represented by what were there in the survey but “other” was provided as an option and chosen by a few respondents as well. Account takeover, account creation, payment fraud, eCommerce fraud were chosen as the top use cases Though IVT in ads was not chosen as the top use case, it shows up highest in the list of important use cases (ranked highest) Brian: Probably need more context in how these are prioritized and ranked. IVT is one of my highest priorities but for eCommerce company, something else would be high priority. If we can look at this by sector/industry, it would be helpful. Neha: Concern around anonymity. Will recheck before sharing the breakdown. For each of the use cases, what are the capabilities that are most important. Gave folks the option to add their own responses. Offered the same list of capabilities for each use case and also looked at if we could look at the same list of capabilities. Geo attestation, counters, came to the top. Most commonly selected capabilities: Recognize the same device, Geo attestation. In terms of importance, Geo attestation came further down (4 to 5 position). Maybe it’s a catchall but not necessarily the most important. Per: Were these provided as options or were they free-form? Neha: Pre-provided, but there are others added by respondents Martin: Similar perspective on geo attestation. Most commonly available but the reason it’s not as important is because it’s easy to fake. Easy for bot operators to pivot to other geos. Michael: Is there a similar summary for importance as exists for use cases? Neha: Still trying to figure out if we should weight it by use case / importance. Steven: On geo attestation, curious if the folks who do anti-fraud. Do you see geo attestation as a key capability? Nathan: Fight IVT at Google. One use of location falsification is that there’s a bad publisher trying to fake the country they are in. Users that are generating traffic, spammers will try to falsify their location. IP is part of it, but we can look at language, etc. Geo attestation should not just be IP based. We should have trusted cell phone provider, bank, etc. attesting that the user has activities in the country. Brian: We’re still relying on IP address to determine where the user is. People who get more sophisticated can change the browser language etc, but it’s not commonly done. Per: Geo is important, not most important Brian: Could start seeing issues due to new regulations. We may start seeing people faking where users are coming up to maintain monetization Steven: Sounds like Geo attestation looked at through the lens of the industry would help Neha: Don’t have verticals yet, but we can do that Betul: Token mining - what does it exactly mean to bind the credential to the device? Do we mean hardware-encrypted storage being used? What’s the purpose exactly? Philipp: It’s against cookie / token theft replanting. Betul: Are you aware of any work in different spaces? Have seen some IETF drafts talking about TLS binding/token binding Philipp: We need some secure element to bind the token. Maybe worthy of a separate deep dive. Wanted to get a sense of the use cases which is why I added it. Neha: Other capabilities in free form text: identity verification, unique identifier, technologically enforce a “1 per person” limit, automatic connection from a bot, whether device is being controlled by automation software, etc. Account creation - most commonly selected was geo attestation, but token binding came up as more important in comparison. Other capabilities entered were also similar to account takeover use case Payment fraud - third most commonly selected use case. Similar capabilities selected as account creation and takeover. Ditto for importance. Other capabilities were also similar. These might be potential capabilities to bubble up. eCommerce Fraud - same pattern with geo attestation and token binding. Post-boot attestation was most commonly selected but not most important. Other capabilities - very similar capabilities to earlier use cases. IVT in advertising - Distinct from other use cases. App/site attestation, element visibility, counters, device & boot attestation came up as most important capabilities. Seems like IVT may require different treatment compared to other use cases. Out-of-band feedback mechanism - almost even mix of respondents willing to share out-of-band info vs not. Per: Did we differentiate between Geo attestation for compliance (distribution rights) vs using it for abuse/fraud fighting. Neha: We did not. Per: In the future it would be useful to separate, because they are quite different. Was there a good distribution from companies? Neha: All individual companies that were responding. Consolidated multiple responses from the same company. For anonymous, we weren’t able to do that. Brian: Looks like we’re seeing the top n capabilities repeated. Neha: Slide on top capabilities selected. Geo attestation, counters, token binding, recognizing whether it’s the same device. Brian: Sounds like these would be 4 candidates for follow-up work. On the out–of-band feedback question, would be good to get a sense of why people would be reluctant to provide feedback. Neha: Sam’s feedback was that it might be sensitive client content and they may not be able to share without consent from the client. Steven: Curious if more orgs would be willing to provide feedback that’s aggregated (out of band feedback). Maybe worth a follow up survey. Brian: We should include some mechanism to provide feedback in future proposals we work on. Steven: Feedback’s definitely useful, but it should be top of mind. Brian: We should still have a section in the proposal stating it doesn’t make sense to have a feedback mechanism Per: Risk of feedback to bad actors. Steven: Wonder if the answers would change to the question on whether the feedback is likely to go to the bad actor. Per: Can’t assume that attesters are not bad actors. The way people are using the attestation mechanism may not be the same way as it was originally intended. Brian: If the attester was repurposing the feedback for other uses, I’d be concerned about it as well Scott: Under geo attestation, what granularity would it need to operate under. Country level or more specific? Is geo attestation clumped under IP org or is this just about attestation? Per: We typically don’t do it super granular, but it could be potentially useful. Country helps a lot. For policy and contractual enforcement, allowed/disallowed, it’s mostly at country level. It can be state or local jurisdiction as well. In many cases, IP org and ASN can be very useful, but typically not needed. Metadata is often very useful, but IP info can be very useful. (reading for those interested: 3ve ad fraud case: https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf) Neha: If we had the drop down of what granularity of geo attestation is most important, would then those be important to surface? Brian: Would want different levels of accuracy. Per: For compliance, country should be OK. For fraud fighting, IP org, ASN, detailed IP with geo. Brian: For regulation in state we may need state-level info. Steven: Helps direct future conversations for this CG. Brian: Given we have the top 5, should we prioritize? Steven: Maybe focus on top 3 and see what else floats out. Brian: Given these top 5, what’s most useful to work on first Steven: Maybe we would want to dig into these in separate meetings/groups. Neha: What is used or what is important but doesn’t indicate what’s most important. Would recommend folks Vinod: Can we prioritize based on what’s likely to be rolled out in the near term given ongoing work Steven: Agreed. Time tradeoff may not be worth it. Per: When we look at the ranking of geo attestation, we don’t know if it’s ranked high due to anti-abuse or compliance. Need to be cautious about how we interpret the data. Steven: Compliance would fall out of charter. Hopefully we have people call out how important it is for their work when we take it up. Brian: Wonder how the availability of these capabilities influenced the ranking. Given the ubiquity of geo attestation was it ranked higher? Per: +1 to that. Also doesn’t take into account what approaches bad actors will take in the future. Need to apply some common sense to this data.