PRIVACY BEAT: Google, Facebook join ad-tech in plea to end “arms race” with browser makers over privacy; who would control common identifier?

Privacy Beat

Your weekly privacy news update.

1. Google, Facebook join ad-tech in plea to end “arms race” with browser makers over privacy; who would control common identifier?

Google, Facebook and the rest of the ad-tech industry are ramping up their bid to create a common identity framework for the web that they might control, and which would begin to end the proliferation of third-party cookies and opaque identity matching. They are seeking cooperation with other browser makers besides Google.

“We would like to end the current arms race between browser tech and ad tech, and forge cooperation around consumer identifiers, privacy, data, security and accountability,” the proposal reads, adding: “A standardized user token in browser environments would eliminate the need for ‘cookie syncing’ across 1000s of proprietary cookies… designed solely as a persistent mechanisms to store, communicate and adhere to consumer preferences.”

A key part of the proposal — ad-tech would have to agree to enhanced privacy protections before it could access the common-identity “token” ecosystem. 

The latest proposal does not appear to mention if the common “token” would be within a particular domain or who would control access to it. However, DigitalNewsDaily wrote that “the standardized identifier, set up as a public utility and not owned by any one organization or company, aims to improve the way advertisers identify audiences and personalize data targeting without giving away information about.”

The latest ad-tech industry proposal comes in the form of a white paper, “A Proposal for Enhanced Accountability to Consumer Privacy with the Digital Marketing Industry,” released this week by the Interactive Advertising Bureau’s affiliated IAB Technology Laboratory Inc. and by the Network Advertising Initiative. It expands upon a blog post issued Sept. 4 by Jordan Mitchell, the lab’s senior VP of membership and operations, and covered in the Sept. 5 Privacy Beat.

In a new Sept. 19 blog post, and the accompanying white paper, Mitchell asks for industry and outsider input adding, “We intend to set up meetings with other important stakeholders who are not Tech Lab members.” He says collaboration is sought among premium publishers, brands, third-party platforms, browser/OS platforms, academics and privacy engineers.” 

Mitchell, in his blog post says “we are not proposing specific technical designs or policy at this point for either a standardized identifier, privacy preferences, enhanced accountability mechanisms or governance or enforcement.” He said he the IAB Tech Lab wants to convey ideas and “good-faith willingness to collaborate… ” 

The longer white paper, in a section called “Our Objectives,” reads in part: “We care about consumer privacy, believe that access to quality online content and services is a fundamental human right, and that paid access is a privilege of some, but not all.” 

The IAB Tech Lab’s board includes executives of Google, Facebook, LiveRamp, Rakuten, Twitter, Verizon, Index Exchange, Neustar, and one publisher, Hearst Interactive. NAI’s members include most of ad-tech, including Krux, MediaMath, Lotame, PubMatic, Taboola, TheTradeDesk and Throtle. No publishers are represented.

RELATED LINK: 

So many people have told us this newsletter is valuable.
Please support the continued work of ITEGA to foster a digital marketplace that respects privacy and identity.

Donate

2. Game over: Amendments leave CCPA largely intact for Gov. Newsom’s signature; now the implementation task begins — and most aren’t ready

It’s game over — for now — in the battle to weaken privacy rights of California-based consumers. 

The California Legislature’s self-imposed deadline last week for amending the California Consumer Privacy Act (CCPA) before it becomes effective Jan. 1 passed with no surprise initiatives getting over the finish line. What’s left are a series of largely technical amendments that leave provisions of the law — enacted last year — largely intact. Gov. Gavin Newsome is expected to sign amendments which passed by mid-October if not sooner.

The big news now is that most companies aren’t ready to comply with either the CCPA or EU’s General Data Protection Regulation (GDPR), according to a review of 1,200 online privacy statements by the non-profit Online Trust Alliance, a unit of The Internet Society. 

For the CCPA, data users have at least six months, until July 1, until enforcement of the law begins, and possibly longer if California Atty. Gen. Xavier Becerra delays issuing implementing regulations. So all eyes now turn to his office.  

But for the GDPR, enforcement talks is already heating up — and ad-tech is in the cross-hairs. 

Multiple law firm teams had been following and reporting on the machinations by Internet platforms, ad-tech and consumer data companies to try and ease disclosure burdens of the CCPA, and the consensus is they didn’t get very far.  Links to some of the best roundups are below. A few key points:

  • According to an FAQ by the International Association of Privacy Professionals: “Personal information” now includes information that is “reasonably capable of being associated with” a particular consumer or household, instead of simply “capable of being [so] associated.” Deidentified and aggregate consumer information are wholly excluded. Information that is lawfully made available from federal, state or local government records is also exempt.

  • Publishers seeking to comply with CCPA will now face ambiguity about whether they can “discriminate” by forcing consumers to consent to data sharing or else subscribe. That’s because one amendment not passing — AB 846 — would have protected certain customer loyalty programs. (Read an analysis of the issue and a second law firm’s take.

  • AB 1202 enacted and sent to Gov. Newsom requires the registration of “data brokers” on a public website maintained by the California attorney general. Vermont enacted a similar law a year ago. The measure was amended at the last minute to make it compatible with the CCPA. It creates a registry of data brokers so that California consumers may better know what businesses to contact in order to opt-out of the sale of their personal information (PI).

RELATED LINKS: 

3. Questions abound at worldwide ad-tech summit in Germany: AdProfs and DigiDay

DigiDay reporter Seb Joseph was in Cologne, Germany, last week for the world’s biggest ad-tech gathering, called Dmexco, and the headline on his post reads: “There’s a big question mark: At Dmexco, ad tech braces for the challenges ahead.”

AdProfs email newsletter author Ratko Vidalkovic summarized the reporting from Dmexco. He quoted Joseph’s quoting of Raman Sidhu, VP of business development at Beemray. “The industry seems to be ignoring much of the major underlying problems to finding feasible solutions that solve the problems it has defining online identities and cookie problems,” If you consider that the lifetime of a cookie is less than a day, then it’s very difficult to map that identity around the advertising ecosystem, Sidhu was quoted as saying, adding: “It means the currency used by the marketing industry today to validate the price of a user has diminished in a big way.”

Other points noted by Vidalkovic: 

  • Supply-side platforms (SSP) are losing favor as lines blur between who does what in the ad-tech ecosystem.  

  • Many executives seem to have stayed away from Dmexco to focus on overcoming challenges in their existing ad-tech stacks rather than look for new ideas.  

MORE AD / TECH

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

4. Washington Post appears to take-on Google’s dominance in ad-serving technology with “Zeus Prime” launch

On Tuesday, the Washington Post announced the third product in their ad tech suite, an ad-buying user interface called Zeus Prime saying, “We believe that local news can move beyond sustainability into profitability with state-of-the-art tools to make buying, targeting and transacting more efficient.” 

After a limited release in Washington, the platform is expected to be more widely available to advertisers and publishers through a nationwide ad network that will compete with Google and Facebook in 2020.

“Through Zeus Prime, buyers will be able to easily execute an ad campaign by creating an ad format in a single click and targeting across a marketplace of trusted publishers. Creating a campaign will take under one minute and can be launched within a day. Zeus Prime marries the value of programmatic (automated direct buying) with the value of direct (premium formats and premium inventory) in a trusted environment. We believe that through Zeus Prime, we are shepherding in the next era of advertising efficiency and effectiveness to media.”

The suite also includes an ad-targeting system, Zeus Insights, that delivers relevant ads based on appropriate content, rather than invasive cookies that may track users around the web.

READ MORE:

5. Federal appeals ruling suggest publishers have no control over who can scrape information from open websites; EU and US now may differ

Publishers who hope to exercise legal control over how information is “scraped” from their websites are facing a setback because of a Sept. 9 federal appeals court’s preliminary ruling. And the court’s decision raises key questions about privacy vs. public access to information posted publicly.

The Ninth Circuit U.S. Court of Appeals ruled in a case arguing that scraping data from public portions of a website doesn’t violate federal law. The decision and opinion, in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. Sept. 9, 2019), may limit the ability for companies to invoke the Computer Fraud and Abuse Act (“CFAA”) to block scraping of their publicly available information. The CFAA, enacted back in 1986, makes it a crime to access a computer “without authorization.”

The ruling came on a procedural motion which upheld a preliminary injunction and allowed data-analytics firm hiQ’s case to continue to substantive argument in a lower court. One law firm’s analysis called the decision broadly in favor of the “open internet.” The profile data on LinkedIn was and is public. But LinkedIn didn’t like hiQ scraping its content and issued a cease-and-desist order in 2017. LinkedIn also said that it would technically block hiQ’s efforts to scrape the site. hiQ then sued for a preliminary injunction against LinkedIn and won at the district court level. The court ordered LinkedIn to allow hiQ access to the content again. LinkedIn appealed to the Ninth Circuit. The LinkedIn appeal position was supported by publisher Craigslist, which argued in its own 2015 case that that data scraping could make it easier for ‘bad actors’ to spam users via email, text or phone.

LinkedIn, a subsidiary of Microsoft, is considering an appeal, which could go to the U.S. Supreme Court. Who’s “authorized” to access website content? A central question in the case involved determining, once hiQ received LinkedIn’s cease-and-desist letter, whether it was “without authorization” under CFAA. LinkedIn argued that HiQ violated the terms of its user agreement. The Ninth Circuit pointed out that its status as a “user” was terminated by LinkedIn with the cease-and-desist letter. In addition, LinkedIn didn’t claim any ownership interest in the public profile content. And while LinkedIn also said it was also seeking to protect users’ privacy rights in blocking HiQ, the court didn’t buy that argument regarding public profile information — where there was little or no expectations of privacy.

Electronic Frontier Foundation Senior Staff Attorney Andrew Crocker told Motherboard that the ruling was a good thing. “This sort of scraping is a commonplace technique that supports research in the public interest, among other beneficial uses,” Crocker said.

Dylan Gilbert, a privacy expert at the consumer group Public Knowledge also applauded the ruling, but told Motherboard that the United States still needs a cohesive privacy law giving consumers not only transparency into the scope of datasets being collected, but control over how this data is used.

SearchEngineLand’s Greg Sterling summarized as follows: “Why we should care. This case may not be over and could ultimately wind up before the U.S. Supreme Court. Its broadest interpretation, however, appears to be: any “public” online data not owned or password protected by a publisher — and facts cannot be copyrighted — can be freely captured by third parties.”

In contrast, scraping is largely forbidden in Europe, Christopher Hart of the Foley Hoag LLP law firm wrote in a Sept. 11 blog post which considers implications of scraping on acquisition of personal data under the GDPR.  He writes: “The contrast between the different approaches to data processing and data aggregation activities could not be more striking–even the toolkits available to regulators and consumers on either side of the Atlantic are different.”

QUOTE OF THE WEEK

With everyone’s personal informed stored in the cloud, an authoritarian regime bent on broad surveillance can unleash draconian demands to monitor not only what people are communicating but even what they are reading and watching online and armed with this knowledge, governments can prosecute, persecute or even execute those they consider threats. This is a fundamental fact of life that everyone who works in the technology sector needs to remember, every day…I think it starts with just helping us all understand how the cloud works. It sounds fuzzy, warm, but it’s in fact data in massive data centers. That’s why we start the book by taking people on a tour of a data center, in effect. It does mean that the location of data, the building of data centers, it actually is one of the central human rights issues of our time. Tech companies need to think more about it, as a society, across this country, we need to think more about it.

–  Microsoft President Brad Smith, in his book released Sept. 10: “Tools and Weapons: The Promise and the Peril of the Digital Age” and during a FOXBusiness interview video posted Sept. 13, 2019.

TIDBITS

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp