1. IAB Lab exec floats ideas for a neutral, ‘publicly owned’ single identifier’ for sharing user data with permission

A former ad-tech industry executive who now works at the IAB Tech Lab is floating an idea for industry collaboration around a “neutral” governed “single identifier” to replace third-party cookies as a mechanism for serving targeted advertising. He says such a mechanism should be “publicly owned.” 

“We propose standardized privacy settings and consumer controls tied to a neutral, standardized identifier,” writes Jordan Mitchell, senior vice president, membership and operations at IAB Tech Lab, in a lengthy Sept. 4, blog post that summarizes the failed privacy history of third-party cookies.  His post is entitled: “The Evolution of the Internet, Identity, Privacy and Tracking – How Cookies and Tracking Exploded, and Why We Need New Standards for Consumer Privacy.”

Mitchell joined Tech Lab a couple of years ago from an ad-tech-industry association called DigiTrust which he helped form while being paid by Rubicon, an ad-tech company. DigiTrust sought to develop a single, first-party cookie, owned by the ad-tech industry, that would eliminate the need for third-party cookie matching. A goal was to reduce the dozens of third-party cookie calls to websites, slowing them down and annoying users. The idea did not catch on with publishers, and DigiTrust was acquired by IAB Tech Lab. 

Mitchell’s new proposal, as he outlines in his Sept. 4 post, acknowledges the need to find a trustworthy approach that is consistent with emerging government regulation, respects user privacy signals, and is supported by publishers as well as technology companies. He writes that standards should  “be set up as public utilities” governed jointly by the digital media and marketing industries.

“We’re calling for a centralized mechanism so that you can convey your preferences and all parties…can respect those preferences,” Mitchell wrote. CNET’s Stephen Shankland reported the technology would be jointly developed by advertisers, publishers, browser makers and privacy advocates and submitted to standards bodies. 

Mitchell’s post continues: “Eliminating cookies today without an adequate, planned transition to a new, publicly-owned mechanism for recording and honoring consumer preferences will disenfranchise millions of independent businesses, entrepreneurs, influencers, and individual communicators, and concentrate control of the internet with four or five giant technology companies.”

TechCrunch’s Anthony Ha picked up on Mitchell’s IAB post and wrote in his story, entitled, “IAB proposes a new tracking alternative to the cookie,” that Mitchell realizes a single-identifier network would have to have governed privacy standards and, Mitchell said, “these standards be set up as public utilities, subject to regulations promulgated by government entities, with the digital media and marketing industries jointly governing the standards with the browser providers.”

Ha’s story quoted Brendan Eich, CEO of ad-blocking browser company Brave, as tweeting “who’re they kidding” if the single identifier can match to an individual.  Eich suggested looking at a 2013 proposal by Mozilla — when he was CTO there — that called for a different identity hash for each website, tied to a common identity at one location. 

Mitchell told the CNET interviewer: “Who’s going to trust the [ad] industry [to] come save the day? No one. We recognize we need to show accountability and reliability to the preferences set by consumers.”

2. Privacy advocates fear last-minute push by ad-tech could threaten CCPA guarantees to consumers

The Washington Post was out this week with a story by one of its veteran tech writers — Tony Romm — suggesting ad-tech and tech-platform interests are readying a last-minute lobbying push on the California Legislature to try and ease provisions of the California Consumer Privacy Act (CCPA). They have to move fast — there is a self-imposed legislative deadline of Sept. 14 for all bills to be either passed on to the governor — or dead for the session. 

Romm looked at Twitter’s ad-transparency archive site and figured one set of targetted ads, run by the Internet Association (whose members include Facebook, Google, Microsoft and Twitter) went only to 184,000 people located in California’s state capital — Sacramento.  An Internet Association spokesman said they group merely seeks amendments to make the law “easier for businesses to understand,” not weaker. 

In another story, Bloomberg Business News reported that Google and the ad-tech/marketing industry has been trying for months to get a rewrite of the CCPA on the calendar in Sacramento but with no success to date.

Groups such as the American Civil Liberties Union, Common Sense Media and the Electronic Frontier Foundation have tried and failed this legislative session to broaden the definition of “sale” of data to make it harder for ad-tech to share user data. They also want to keep the definition of “personal information” broad. But they haven’t been effective at getting their amendments moving, nor have advertising interests, really. 

The effort to rollback CCPA has been ongoing. Back in April,  Los Angeles Times business columnist Michael Hiltzik reported on Assembly Bill 1416, which is said to be backed by the California Chamber of Commerce and big Internet companies.  There is no indication the bill is moving now, however. 

The bill analysis prepared in July by Democratic staff for the Senate Judiciary Committee said AB 1416 “would dramatically erode the rights of consumers pursuant to the nascent law and allow businesses to disregard consumers’ choices to restrict the sale of their personal information or to delete it.”

The argument advanced in favor of AB 1416 is that companies which collect user data for marketing purposes would be prohibited by the CCPA from selling or giving that data to government agencies for legitimate public purposes. Privacy folks say that is an argument designed to support a bill which would relax sale and use regulations already embodied in CCPA — that that is the real concern of business.  

“It’s a massive land grab,”  said Alastair MacTaggart, the privacy activist who proposed a ballot initiative to protect consumer rights, and settled for ensuring passage of the CCPA last year. His comment was in the LA Times story in April. 

At that time, Justin Brookman of Consumer Reports, told the LA TImes: “This provision is so unfathomably broad that a company could do anything it wants. There’s no guard railing at all.”

RELATED LINK:

• A wrapup by California daily on CCPA impact (Kevin Smith, East Bay Times)

3. Competitor alleges Google’s “invisible” tracking can share and send personal data among advertisers and marketers; Meanwhile, Facebook suggests policy future

Johnny Ryan, a technologist at Brave, the ad-blocking browser maker, has filed a new complaint with data protection authorities in Ireland that describes what he asserts is an opaque Google effort to facilitate sharing of personal data to advertisers. See: “Brave Uncovers Google’s GDPR Workaround.” 

The complaint comes the same week Facebook publishes a blog post and a major white paper: “Data Portability and Privacy: Charting a Way Forward” by Erin Egan, Facebook’s Vice President and Chief Privacy Officer, Policy.

Covering Ryan’s complaint, the Financial Time’s Madhumita Murgia put it this way in the lead to her Sept. 4 story: “Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.” 

In the FT account, Ryan found Google set up a “hidden” web page — one with no content — that contained an identifying tracker unique to Ryan and linked to Ryan’s browsing activity. He told the FT this could allow Google ad partners visiting the page to match their profiles of Ryan and his browsing with their own data and data from other companies — to target him with ads. 

“This practice is hidden in two ways:  The most basic way is that Google creates a page that the user never sees it’s blank, has no content, but allows…third parties to snoop on the user and the user is none the wiser,” the FT quoted Ryan as saying. “I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.” 

Google told the FT it would cooperate with Irish authorities investigating the company and added, “We do not serve personalized ads or send bid requests to bidders without user consent.” 

RELATED LINKS:

• Brave browser catches Google tracking users with hidden web pages (David Canellis, TheNextWeb.com)

• “Data Portability and Privacy: Charting a Way Forward”  (Erin Egan, Vice President and Chief Privacy Officer, Policy at Facebook)