Could web browsers create privacy-protecting cohorts of users for serving advertising? UDEX as alternative

An ad-tech follower with many years of experience as a consulting corporate privacy lawyer is suggesting that the makers of web-browser software may impose a new approach to targeted advertising based upon “cohorts” big enough to, in theory, to assure anonymity for users.

Alan Chapell’s insight is contained an April 20 column he wrote on the AdExchange website called, “Planning for the future While Your Hair is on Fire.”  Chapell heads Chappell & Associates, in Brooklyn, N.Y., and Sausalito, Calif.

Chapell says the browser makers are discussing such ideas in a preliminary way in a World Wide Web Consortium (W3C) working group. He goes on to write:

“The browsers will create cohorts of users that are large enough so that it would be nearly impossible for anyone to identify any of the users in the cohort. My back-of-the-envelope guesstimate is that we’ll see cohorts of 500 to 2,000 users depending on the campaign. The basic idea is that ads get served into each cohort as a group, and that no entity within the ad chain will be able to break up a cohort. That may create some challenges for attribution (among other things), but let’s leave that to the side for now.”

Chapell writes that this approach creates the possibility for a lack of transparency in how the cohorts are selected and managed, meaning that browser makers — Google, Mozilla, Microsoft and Apple, primarily — “just become another set of walled gardens where everybody just needs to trust them?” 

The nonprofit World Wide Web Consortium (W3C) manages technical discussions on proposed web standards. One proposal pending in the W3C’s “Improving Web Advertising  Business Group” is called “restricting ad delivery by audience.”  Another independent proposal submitted to the W3C  is called “Federated Learning of Cohorts” (FLoC). It was first proposed in August but little discussion has occurred around it yet. The W3C also hosts a Privacy Community Group where browser makers have been among recent discussion participants.

(The nonprofit Information Trust Exchange Governing Association, sponsor of this Privacy Beat blog, has proposed the creation of an anonymizing user data exchange (UDEX.ORG)  that would be governed in the public interest and with transparent algorithms.)

Google created what it calls a “Privacy Sandbox” months ago to consider approaches to privacy if the use of third-party cookies — a mainstay of the current real-time-bidding advertising ecosystem — comes gradually to an end.  Read Sam Dutton’s Digging into Google’s “Privacy Sandbox” — 3rd party use without 3rd party cookies?

ADVERTISING TECH

• Google will make all its advertisers verify their identities | Adi Robertson, TheVerge.com

• Google explains policy of advertiser identification for all ads | John Canfield, Google Ads Blog

• Australian law professor files complaint over pervasive tracking | Katherine Kemp, SSRN

• Why regulations like CCPA can elevate personalization for marketers | David Mirsky, MediaPost/MarketingInsider

• Why contextual targeting is the future of digital advertising | Phil Schrader, AdAge.com

• Identity will survive the “death” of the third-party cookie, agency exec says | Ciaran O’Kane, ExchangeWire.com

• Ad-tech company Critero suffers $24M hit; Qt1 revenue tumbles 10% | Ronan Shields, AdWeek

• “Scale of advertising downturn is appalling” | Gideon Spanier, CampaignLife.co.uk

• YouTube advertising surges 33% to $4B in QT1 | Joe Mandese, MediaPost. 

• Ad revenue or readers: Which should you choose? | Jon Fletcher, Marfeel via DCN

• COVID-19 has torn open Pandora’s Box of ad tech | Ronan Shields, AdWeek

Tracking and tracing privacy benchmarks: Six questions from Britain’s privacy “czar” Elizabeth Denham

Britain’s information commissioner, Elizabeth Denham, has offered six questions that governments and privacy advocates might use to evaluate COVID-19 tracking and tracing initiatives.  Denham posted the six points in an April blog.

The six questions, detailed in the post here, are (1) have you demonstrated how privacy is built in to the processor technology (2) Is the planned collection and use of personal data necessary and proportionate? (3) What control do users have over their data? (4) How much data needs to be gathered and processed centrally? (5) When in operation, what are the governance and accountability processes in your organization for ongoing monitoring and evaluation of data processing  (6) What happens when the processing is no longer necessary?

COVID TRACING — US

• Nearly 3 of 5 Americans unable or unwilling to use racing app | Craig Timberg, Drew Haarwell and Alauna Safapour, The Washington Post

• Google-Apple contact tracing plan meets with public skepticism, survey shows | Wendy Davis, MediaPost 

• Markey, key senator, says tracing apps should be voluntary, limited | Reuters

• A scramble for virus apps that do no (privacy) harm | Jennier Valentino-Devries, Nathasha Singer and Aaron Krolik, New York Times

• As coronavirus surveillance escalates, personal privacy plummets | Natasha Singer & Choe Sang-Hun, New York Times 

• How Google-Apple contract tracking works | George Petras & Jennifer Borresen, USA TOday

• UPDATE: Apple-Google contract tracing is now “exposure notification” | Darrell Etherington & Natasha Lomas, TechCrunch.com

• How Apple, Google teams came together on tracing COVID-19 | Christine Farr, CNBC

• Apple, Google tweak contact-tracing specs as launch nears | Ina Fried, Axios

• Apple and Google were to have had first tracking API versions out April 28 | Darrell Etherington, TechCrunch.com

• Apple, Google pledge to shut down tracker function when pandemic ends | Russell Brandom, The Verge

• OPINION: Will consumers more willing reveal location to business, or government? | Daniel Schreiber, BusinessInsider.com

• Tracing apps viewed as unsafe if Bluetooth vulnerabilities not fixed | Eileen Yu, ZDNet

• A PRIMER: Telco data and COVID-19 | PrivacyInternational.org

COVID TRACING — WORLD

• Centralized vs. decentralized: EU’s contact-tracing privacy conundrum | Joe Duball, IAPP News blog
  Centralized Apple, Google rebuff demands by France, Germany over Covid-19 tracking | Mathieu Rosemain & Douglas Busvine, Reuters  (DIAGRAM) 

• Germany flips to Apple-Google approach on smartphone tracing | Douglas Busvine & Andreas Rinke, Reuters

• Why Britain’s National Health Service said no to Apple/Google tracing tech | Daphne Leprince-Ringuet, ZDNet 

• UK’s contact-tracing app could ask users to share location data | Natasha Lomas, Tech Crunch

• Britain’s privacy czar opines on COVID-19 and privacy | Elizabeth Denham, ICO.org.uk

• Australia, launches Singapore-designed tracing app | Laurie Sullivan, DigitalNewsDaily

• French hypocrisy alleged by fining Google and “spying” on users? | Mike Masnick, TechDirt.com

• Here are the contact-tracing apps being deployed around the world | Samantha Tsang, IAPP News blog 

Brave now says GDPR “in danger of failing” for lack of enforcement resources; issues new report

Brave Software Inc. is seeking to keep up public pressure on European Union regulators to adopt its point of view and find the current real-time-bidding advertising system violates the landmark EU privacy law, the General Data Protection Regulation (GDPR).

But now it is documenting a lack of resources that regulators might need to prove the point.

The latest salvo is a data-laden analysis by Brave’s Johnny Ryan, picked up April 27 by The New York Times which says that the only major enforcement so far has been a 50 million euro fine of Google, described in The Times report as “about one-tenth of what Google generates in sales each day.” 

Brave lodged complaints with the European Commission naming 27 EU member states has allegedly failing to provide enough staffing and resources to their national data-protection watchdogs. In a statement on Brave’s website, Ryan said the result is that GDPR “is now in danger of failing.”  The statement provides five bullet-point examples of the alleged lack of resources. (DOWNLOAD BRAVE’S REPORT)

The issue is important to Brave because its upstart browser software, which is slowly gaining market share, is focused on banning most advertisements placed by the current real-time-bidding system and substituting a networked partnership among Brave, publishers and advertisers.

GDPR ENFORCEMENT

• Brave’s Johnny Ryan implies GDPR in danger of being ineffective | Sean Hargrave, MediaPost

• EDPA publishes guidelines on COVID-19 location tracking | Judith Garrido-Fontova, Kem Little law firm

• EU parliament report: Stop data collect to stop sensational content | Laurenz Gehrke, Politico-Europe 

PERSONAL PRIVACY

• Consumers OK with tracking data for personalization but not for sale | Randy Price, Digital Content Next via NiemanLab

• The future of smart cities may mean the death of privacy | Maya Shwayder, DigitalTrends.com

• Shift to online learning ignites student privacy concerns | Joe Duball, IAPP News  blog 

BIOMETRICS, AI AND PRIVACY

• The dominance and obstinance of big tech platforms | Chris Pedigo, Digital Content Next 

• Report from Harvard’s Carr Center says biometrics incompatible with privacy | Jim Nash, BiometricUpdate.com   (READ REPORT)

• Google working on cohorts sf W3C? Planning For The Future While Your Hair Is On Fire | Alan Chappell, via AdExchanger

• FTC tips on using artificial intelligence and algorithms | Susan M. Corcoran, Data Intelligence Reporter