Gambling with Our Privacy: New Report Shows the Reality of Surveillance Advertising
This blog has written many times about the risks to privacy of surveillance advertising. Nonetheless, it can be hard to appreciate what that might mean in real life. A new report from Cracked Labs helps flesh out what pervasive tracking online really means. It comes from the researcher Wolfie Christl, who five years ago wrote a report looking at the world of corporate surveillance. In a sense, that was the theory, and Christl’s new report, “Digital Profiling in the Online Gambling Industry”, commissioned by the UK not-for-profit organization Clean Up Gambling, can be thought of as looking at the practice. In addition to the main report, there’s also the detailed technical report.
It’s appropriate that the gambling industry’s use of online surveillance and profiling should be examined in this way, since it pioneered the approach in the physical world, as the report explains: “Typical large casinos are high-security areas with an estimated 3,000 cameras monitoring every step and activity in order to detect suspicious behavioral patterns and persons”.
Christl worked with the AWO agency and two members of the public who made use of gambling sites. In addition to monitoring the network traffic flowing to gambling sites owned by Sky Betting and Gaming (SBG), Christl also used subject access requests, made under the UK’s data protection laws, to ask the companies involved to reveal what personal data they held for the two individuals taking part in the research.
During 37 visits to the SBG websites skycasino.com, skybet.com, and skyvegas.com, Christl observed 2,154 network requests to 83 third-party hosts operated by at least 44 third-party companies. Signal, a company that provides consumer data and profiling services for marketing, received data 401 times. It is owned by the US consumer credit reporting agency TransUnion, as is the company Iovation, which received data 28 times. Although that is a small number in itself, Iovation casts a wide net: it claims to collect data on 7 billion devices across 50 countries, which means that it doubtless has huge databases of personal information.
As you might expect, Facebook, Google, and Microsoft all received high levels of data: respectively 358, 240 and 71 times. Perhaps the biggest surprise in terms of a well-known company receiving large quantities of data from those 37 visits is Adobe, which was contacted no fewer than 499 times — more than any other site. It turns out that what most people think of as a “pure” software company is in fact deeply mired in the world of surveillance advertising, as the report explains:
Adobe provides web analytics services that helps its clients “recognise” site visitors, as well as digital advertising services. Its “Audience Manager” helps clients to “collect and merge data from practically any source”, build “profiles” and “segments” based on user “behaviour” as well as “personal interests” based on “online and off-line data”, merging “user identities from devices and touchpoints”, and ingesting data from “data providers, off-line data on-boarders, ad servers, device graphs and more”.
Adobe is also engaged directly in reselling consumer data from a wide range of data companies and data brokers, which makes Adobe itself a data broker.
That’s significant for several reasons. It shows how traditional software companies like Microsoft and Adobe are increasingly facilitating the tracking of people online. On the basis of the current analysis of the gambling sector, Adobe emerges as even more significant than big names like Facebook and Google. Its appearance here demonstrates that this realignment of interests is happening discreetly, without any great fanfare. It’s problematic because it means yet another major software company will now be promoting and defending the entire advertising surveillance system it is now part of, which will make changing it harder.
Another theoretical concern that the new report makes all too real is the use of a single personal identifier across multiple Web sites. In this case, Christl found that unique identifiers used by Adobe, Facebook, Google and others on the site skycasino.com were also deployed on other gambling sites. This means that the tracking companies were able to follow an individual as they moved around the Web, building up a more detailed picture of their activities.
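The kind of traffic audit described above can be sketched in a few lines. This is an added example, not code from the report or from this blog: it tallies requests per third-party host and flags identifier-like values that the same host receives from more than one first-party site. The capture, hosts, parameter names and values are all constructed, the first-party check is a simple suffix match, and only URL query strings are inspected (not cookies or request bodies).

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed capture: (first-party site visited, URL requested by the page).
# All hosts, parameter names and values are invented for illustration.
CAPTURE = [
    ("casino-one.example", "https://www.casino-one.example/lobby?session=abc"),
    ("casino-one.example", "https://t.tracker-a.example/px?uid=9f3c2a7b1d5e4f60a1b2&ev=view"),
    ("casino-one.example", "https://t.tracker-a.example/px?uid=9f3c2a7b1d5e4f60a1b2&ev=deposit"),
    ("casino-one.example", "https://ads.tracker-b.example/sync?vid=Zx81Qw77Lm20Pa93&r=1"),
    ("bets-two.example", "https://t.tracker-a.example/px?uid=9f3c2a7b1d5e4f60a1b2&ev=view"),
    ("bets-two.example", "https://ads.tracker-b.example/sync?vid=Kd55Tr02Nb61Ye48&r=1"),
    ("bets-two.example", "https://static.bets-two.example/app.js"),
]

ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{16,}$")  # heuristic: long opaque token

def is_third_party(site, host):
    # Simplification: suffix match on the site name, no Public Suffix List.
    return not (host == site or host.endswith("." + site))

def third_party_counts(capture):
    """Number of requests sent to each third-party host."""
    counts = Counter()
    for site, url in capture:
        host = urlsplit(url).hostname or ""
        if is_third_party(site, host):
            counts[host] += 1
    return counts

def cross_site_identifiers(capture):
    """Map (host, param, value) -> sites, for ID-like values seen on 2+ sites."""
    seen = defaultdict(set)
    for site, url in capture:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not is_third_party(site, host):
            continue
        for name, value in parse_qsl(parts.query):
            if ID_LIKE.match(value):
                seen[(host, name, value)].add(site)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(third_party_counts(CAPTURE).most_common())
    print(cross_site_identifiers(CAPTURE))
```

In the constructed capture, only the `uid` value sent to `t.tracker-a.example` is flagged, because the `vid` values sent to `ads.tracker-b.example` differ between the two sites.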
The subject access requests to various companies produced widely varying results — in itself a troubling result, since the law is clear that full details should always be available. Signal and Iovation provided some information about their personal data processing activities, but Adobe provided none. Sky Betting and Gaming (SBG) provided information about its own data processing, but details about the processing carried out by third parties on its behalf were incomplete. For example, SBG did not provide any details about the personal data processing carried out by Facebook, Google, and Microsoft, among others. The information from Signal allowed Christl to make the following observations about the profiles the company builds:
“Signal processes up to 186 profile attributes on a SBG customer, including information that is useful for profiling, information that is the result of basic inferences and information that is the result of advanced profiling. The latter includes information about the predicted customer value (customer value scores, value band classifications, win-back margin, the predicted share of a customer’s betting wallet compared with competitors), the estimated degree of how easy or difficult it may be to influence a customer by promotions, and about recommended actions (“win back”, “grow”, “cross-sell product”)”.
Although it might be thought that the gambling industry’s use of surveillance advertising is a special case without much relevance to the rest of the population, that is far from the case. The techniques employed here are exactly the same as those employed routinely to track and profile everyone online. Christl’s latest report is valuable for reminding us just how intrusive the online advertising industry has become, and why it must be reined in if we are to retain core elements of our privacy.
Featured image by Glyn Moody.