As public fears mount over online surveillance and lack of control, advertising industry gets privacy religion – sort of…

Posted on Dec 31, 2019 by Glyn Moody

A new Pew Research Center survey confirms what readers of this blog already know: many people are deeply worried about the routine tracking of their activities online:

A majority of Americans believe their online and offline activities are being tracked and monitored by companies and the government with some regularity. It is such a common condition of modern life that roughly six-in-ten U.S. adults say they do not think it is possible to go through daily life without having data collected about them by companies or the government.

Among the results of this survey are the following. Some 72% of Americans report feeling that all, almost all or most of what they do online or while using their mobile phone is being tracked by advertisers, technology firms or other companies; 81% think that the potential risks they face because of data collection by companies outweigh the benefits they receive; 79% of adults say they are very or somewhat concerned about how companies are using the data they collect about them. This research makes clear that the current online advertising model is simply not acceptable to the vast majority of US citizens. The same is almost certainly true in other countries. Indeed, concerns in countries like Germany, where privacy has long been of paramount importance for historical reasons, are likely to be even greater. The advertising industry is well aware of this growing discontent, and is urgently trying to head off moves to bring in legislation strengthening privacy protection, particularly in the US, which lags behind the EU in this regard.

Last year, the Interactive Advertising Bureau Technology Laboratory (IAB Tech Lab) acquired DigiTrust, which it described as “a non-profit, industry consortium recognized for building a real-time standardized identity service designed to improve the digital experience for consumers, publishers, advertisers, and third-party platforms”. IAB Tech Lab has launched the DigiTrust service. It creates a randomly-generated user token, which is propagated by and between DigiTrust supporters instead of the proprietary pixels and trackers that are used on Web pages today. As the DigiTrust FAQ rightly points out, a large number of third-party requests slows down the loading of Web pages; replacing them with a single, standardized one will avoid that problem. However, it also brings with it another problem, one that is arguably more serious from a privacy point of view.

By creating a single, albeit pseudonymous, token, DigiTrust makes the aggregation of information much easier. The veil of pseudonymity only needs to be pierced once for the token to become a unique identifier for an individual. Because of the privacy issues, the Mozilla team behind the open source Firefox browser regards DigiTrust as a tracker and blocks it. As Digiday reported, that hardly came as a surprise to IAB Tech Lab, since Mozilla had already made tracker cookie blocking the Firefox default back in September.

The IAB knows that DigiTrust on its own would not be enough to quell calls for online advertising’s tracking to be reined in. As part of its larger strategy, it published on its Web site a long post entitled “The Evolution of the Internet, Identity, Privacy and Tracking – How Cookies and Tracking Exploded, and Why We Need New Standards for Consumer Privacy”.

The basic solution is still the same – “We propose standardized privacy settings and consumer controls tied to a neutral, standardized identifier” – but now the IAB has bolted on “a joint accountability system”. The idea is fleshed out in a 41-page document “Principles for Privacy Legislation”, released by the grandly-named “Privacy for America” coalition. One key idea is to impose restrictions on data use for advertising, including bans on certain types of data being collected and used for advertising, as well as limits on the purposes for which advertising data may be used. According to the proposed principles, consumers would be allowed to specify their preferences as to what advertising they do or do not wish to receive. Another suggestion is to beef up the enforcement of privacy protections:

a new Federal Trade Commission (FTC) Data Protection Bureau, to enhance the FTC’s longstanding expertise in overseeing privacy matters; granting strengthened rulemaking authority to the FTC; and authorizing strict penalties for companies that engage in prohibited privacy practices – to increase substantially privacy oversight and enforcement

That would clearly move the US closer to the EU in terms of government oversight of data protection. There, IAB Europe has already drawn up its Transparency and Consent Framework (TCF). The TCF is designed “to help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies.” Academic research looking at GDPR compliance of TCF advertising banners has just been published. The results are not good:

This is the first study that analyses what happens behind the scenes of cookie banners when a user gives consent to tracking. We systematically collect consent stored by cookie banners and measure GDPR and ePrivacy Directive violations on hundreds of websites. As a result, we identified violations on 54% of websites we analysed.

The researchers have created the Cookie Glasses browser extension for Firefox and Chrome. The interface shows all the purposes and all the third party advertisers that are present on a Web site that uses cookie banners following the TCF. The same tool has been used by the privacy activist Max Schrems, mentioned previously on this blog, to identify violations of European and French cookie privacy laws on the sites of CDiscount, Allociné and Vanity Fair. According to Schrems, these all turn a rejection of cookies by users into a “fake consent”. As a result, the privacy enforcement non-profit noyb.eu has filed three formal GDPR complaints with the French Data Protection Authority (CNIL).
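The kind of check described above, comparing the consent a banner stored with what the user actually chose, can be sketched as follows. This is an added example, not code from the original post, the study or the Cookie Glasses extension; it assumes the TCF v1.1 consent-string bit layout with bitfield vendor encoding only, and the function names and sample values are constructed for illustration.

```javascript
// Added example: audit a TCF v1 consent string against what the user chose.
// Bit layout assumed from the TCF v1.1 spec; only bitfield vendor encoding.
const field = (n, len) => n.toString(2).padStart(len, '0');
const flags = (ids, len) =>
  Array.from({ length: len }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join('');

// Builds constructed sample strings so the example runs offline.
function encodeConsent({ cmpId, purposes, vendors, maxVendorId }) {
  let bits = field(1, 6) + field(0, 36) + field(0, 36) +   // version, created, updated
    field(cmpId, 12) + field(1, 12) + field(0, 6) +         // cmpId, cmpVersion, screen
    field(0, 12) + field(1, 12) +                           // language, vendorListVersion
    flags(purposes, 24) + field(maxVendorId, 16) + '0' +    // purposes, max id, bitfield
    flags(vendors, maxVendorId);
  bits = bits.padEnd(Math.ceil(bits.length / 8) * 8, '0');
  const bytes = bits.match(/.{8}/g).map((b) => parseInt(b, 2));
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeConsent(consentString) {
  const b64 = consentString.replace(/-/g, '+').replace(/_/g, '/');
  const bits = [...Buffer.from(b64, 'base64')]
    .map((byte) => byte.toString(2).padStart(8, '0')).join('');
  const int = (start, len) => parseInt(bits.slice(start, start + len), 2);
  const setBits = (start, len) =>
    [...bits.slice(start, start + len)].flatMap((b, i) => (b === '1' ? [i + 1] : []));
  if (bits.length < 173) throw new Error('consent string too short');
  if (int(0, 6) !== 1) throw new Error('not a TCF v1 consent string');
  if (bits[172] !== '0') throw new Error('range vendor encoding not handled');
  const maxVendorId = int(156, 16);
  if (bits.length < 173 + maxVendorId) throw new Error('truncated vendor bitfield');
  return { cmpId: int(78, 12), purposes: setBits(132, 24), vendors: setBits(173, maxVendorId) };
}

// Everything the banner stored as consented that the user did not accept.
function findUnrequestedConsent(userChoice, consentString) {
  const stored = decodeConsent(consentString);
  return {
    purposes: stored.purposes.filter((p) => !userChoice.purposes.includes(p)),
    vendors: stored.vendors.filter((v) => !userChoice.vendors.includes(v)),
  };
}

// Constructed case: the user clicked "reject all", the banner stored consent anyway.
const rejectedAll = { purposes: [], vendors: [] };
const sample = encodeConsent({ cmpId: 10, purposes: [1, 2, 3, 4, 5], vendors: [1, 8, 12], maxVendorId: 12 });
console.log(findUnrequestedConsent(rejectedAll, sample));
```

A non-empty result means the stored string records consent for purposes or vendors the user never accepted.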

It will be a while before a decision is made. If, as seems likely, CNIL finds that the GDPR has been infringed by the use of fake consent, there will be important implications for Web sites in the EU – and for moves in the US to bring in similar legal frameworks. More generally, the widespread failure to respect users’ wishes suggests that the only real solution to the privacy problem of tracking cookies is to get rid of them completely, and move to contextual advertising.

Featured image by Daniel Stockman.