Browsers continuing federated login support; neutral party for ad processing; contextual ad innovation foreseen

Privacy Beat

Your weekly privacy news update.



Support for “federated” login during W3C privacy meet; lack of agreement over how to “attribute” ads that work

There was apparent agreement on one point and apparent disagreement on a second as technologists from browser companies, ad tech, and a few publishers met virtually this week as part of the World Wide Web Consortium’s  “Privacy Community Group.”  (See meeting MINUTES.)

Representatives from Apple and Verizon said they think browser software, even though sharply limiting the use of “third-party cookies” should continue to facilitate so-called “federated login” — the ability of a user to be transparently recognized at multiple independent websites without be blocked by the browser.

The consensus came during a discussion of Apple’s “IsLoggedIn” proposal, which would allow a user’s home-base site — where they have their account and identity managed — to declare them “logged in” to the browser software for other purposes. “We’d like to explore this,” said John Wilander, Apple’s point-person for technology on the Safari browser. “We/’d like to see if we can cater for federated logins.”  Google has an alternative proposal called WebID.

Conceptual and tentative disagreement arose on a second proposal, Private Click Management, another Apple effort to help advertisers to be able to confirm when an advertising view turns into a product purchase by the viewer — something made more difficult by the deprecation of third-party cookies. Here, also, Google has an alternative, “Conversion Management.” and the two can be compared.

The key debate this week was whether someone other than the advertiser and the publisher where an ad ran should be allowed by the browser software to associate the ad view with the buy.  Apple was trending no, Google says yes, in order to allow ad-tech third-parties a window into advertising effectiveness. The issue then is whether allowing third-parties to view the attribution data creates an opportunity for imposters and fraud.  The question was unresolved.


World Advertising Federation calls for neutral-third party to standardize ad-effectiveness measurement

The World Federation of Advertisers (WFA) released a framework and a technical proposal for a cross-media ad measurement framework. In a September statement, the WAF said:

The Proposal leverages a Virtual ID (VID) and differential privacy methods to preserve privacy while preventing double-counting of impressions across media. In delivering improved cross-media frequency control, consumers will also benefit by not being unintentionally targeted by the same ad across different media channels, potentially addressing one of the key motivators behind ad blocking. 

Martin Kihn, a Salesforce Inc. executive, in a Nov. 11 blog post at AdExchanger wrote that “[t]he proposal combines a user panel with census data provided by participating publishers and broadcasters, as well as a neutral third-party data processor. The technical proposal spends some time talking about various “virtual IDs” and advanced modeling processes that are loosely defined – and the goal of which is to provide a way for platforms that don’t share a common ID to piece together a version of one.”


Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More


Privacy and tracking in a CPRA / GDPR world: What changes? About pseudonyms; Mactaggart’s views

Law firms continued this week to offer their analyses of the California Privacy Rights Act (CPRA), now law after approval by 56% of that state’s voters on Nov. 3. It amends the 2018 California Consumer Privacy Act, and begins to take effect Jan. 2, 2022.   Key amendments affect definitions of private data.

CPRA’s principal supporter, real-estate developer Alastair Mactaggart, spent 20 minutes in a live IAB webinar on Thursday giving his views about the impact of the new privacy law. He said it will enable users to turn over management of their privacy preferences to companies that specialize in that role, avoiding having to make judgements at every website visited.

 “We allow for the third party to intercede for you,” he said in remarks during the Interactive Advertising Bureau Policy Summit. “I think over time we will have these trusted intermediaries that will manage it for me so I don’t have to think about it . . . it can’t be up to me to find the ‘do not track’ button on every website.”

The new law expands limitations on the “sharing” of personal information to include “cross-contextual behavioral advertising” whether or not for monetary or other valuable consideration, according to an analysis by Elizabeth Harding and Alex Polishuk of the Polsinelli law firm.

 The “sharing” terminology was meant by CPRA’s supporters to illuminate behind-the-scenes sharing, tracking, and matching of user data by the ad-tech industry on behalf of publishers, advertisers and others, for the purpose of targeting ads to individuals.  Now the ad-tech industry is trying to figure out how to continue to personalize ad delivery without violating CPRA or European Union law.

One of the ad-tech industry’s challenges — is it possible to measure when an ad results in a sale if it is no longer possible to track a unique user?  A solution explored is to have user’s identified by an email address at a “home base” location, but have that ID cryptographically scrambled, or “hashed”, when it is handed out to other sites. (See: “:Ownership of “universal identity” emerging as touchy subject for ad tech’s Unified ID 2.0, report says.”)

When might such a hashed identifier be considered a “unique pseudonym” under CPRA, which would then be considered a persistent identifier that a consumer could forbid?  The distinction between pseudonymous data and “anonymous data” is made within the European Union’s General Data Protection Regulation (GDPR).  Totally anonymous data is not restricted by the GDPR so long as “re-identification” is impossible.

“I think the question is what is personal information,”  Johnny Ryan, an Irish-based privacy activist, told Privacy Beat, adding: “If ad-tech’s Unified ID 2.0 “results in a unique identifier that is not irreversibly, one-way hashed, then it’s pseudonymous data.”  Both GDPR and CPRA include pseudonymous data within the things that users can forbid to be shared or sold.

Because of it’s perceived role in measuring ad effectiveness, the function of “tracking” individual user actions is a major issue for the ad-tech industry, as asserted in a Feb. 10, 2020 report put out by the Interactive Advertising Bureau (IAB), its trade association.

The report concluded: “We find that if tracking were to end, absent a mitigating technology, there would be a shift of between $32 billion and $39 billion of advertising and ecosystem revenue away from the open web2 by 2025. From $24 billion to $29 billion of advertising revenue would be lost to the open web by 2025.”

In a related development, The World Federation of Advertisers (WFA) released a statement and a technical proposal for a cross-media measurement framework  (See story above.)

In reviewing the impact of CPRA, lawyer’s at Arnold & Porter explain another key change — adding “sharing” of their sensitive personal information to the definition of things that a consumer can order a website to stop doing.

Both Anold & Porter and the Eversheds Sutherland firm also dig into a third key change — the specific addition of  defined entities, including a “third party” to the use of data, along with “contractors” and “service providers.”   The new definitions will distinguish who must comply with a user opt-out order and when.

Paying for privacy?

In his blog report on the new law, Foley Hoag LLP attorney Ned Lemanson wrote: “Under pay-for-privacy, consumers either allow businesses to share and sell their data or pay a higher fee for the business’s service.  The CPRA does not limit these schemes, and now allows businesses to run loyalty or discount programs where, for instance, consumers who do not allow access to their data will be restricted from a certain discount on the business’s service.”


Web inventor “Sir Tim” offers first piece of effort to reverse tide of personal data control back to public

The MIT data scientist and form Swiss-based tech researcher credited with inventing the World Wide Web protocol is marking what he calls a “huge milestone” in turning around how private, ;personal data is handled.

Tim Berners-Lee announced this week four demonstration partners — three in Britain and one in Belgium — that will pilot the “Enterprise Solid Server” (ESS), from his startup company, Inrupt Inc.

Inrupt, founded in 2017 by Berners-Lee, now involves a successful tech entrepreneur and also a and prominent cryptography scientist as CEO and lead architect, respectively.  Solid is the name of an open-source project Berners-Lee began at MIT and is the code base Inrupt is working from. Solid is also a member of the Data Transfer Project (DTP), an open-source data portability project that is backed by Apple, Facebook, Google, Microsoft, and Twitter.

The concept is quite simple — invite users to store all their sensitive personal data in one or more “PODS” (Personal Online Data Store), instead of having it spread across the web within different private clouds, platforms and services. “Data generated by your things – your computer, your phone, your IoT whatever – is written to your Pod,” says Bruce Schneier, Inrupt’s chief of security architecture.

Solid defines a set of standard “vocabularies” to organize data in PODS so that it can be easily shared with the user/owner’s permission. Supporters argue this overall approach could reduce data-breach risk for companies that hold data now; but opponents also suggest putting all your data in one place means that one place has to be super secure from hackers.

In the current world, Berners-Lee says, these silos of personal date mean “users and teams can’t get the insight from connecting that data. Meanwhile, that data is exploited by the silo in question, leading to increasing, very reasonable, public skepticism about how personal data is being misused. That in turn has led to increasingly complex data regulations.”

The pilot users are the  BBC, NatWest Bank, the National Health Service (NHS) and the Flanders Government in Belgium, where the project involves giving more than 6.5 million people each their own PODS for interfacing with government services. Like birth, death and marriage certificates and health and pension data.

The idea of having a personal data store, or “wallet” for your data is not unique to Berners-Lee or Inrupt. The World Wide Web Consortium (W3C)’s Decentralized Identifier working group relies on the idea of a wallet.  “I would not be surprised if Inrupt adds support for Decentralized Identifiers, verifiable credentials and the Trust over IP stack sometime within the next year,” said Drummond Reed, one of the curators of the W3C work.




Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

“Stay tuned” for solutions advancing contextual advertising after Apple IDFA shut down and iOS14 privacy control; fewer than 15% of Apple users are OKing tracking

Executives of an ad-tech company and a tech-industry privacy think tank expressed some frustrations about Apple’s plans for requiring user permission to track on iOS14 devices during a Q-and-A organized by the International Association of Privacy Professionals (IAPP). For one thing, preliminary results show a low percentage of users are giving permission.

“We are seeing extremely low opt-in rates — sub 15 percent,” said Julia Shulman, general counsel and chief privacy officer of TripleLift, the ad-tech company.  “So it is going to have a large impact on the ecosystem because we are going to have no way of doing reporting.”  Shulman said each app running on an Apple mobile or tablet device will have to make its own request for user data.  She criticized Apple for not figuring a more streamlined approach. She also said publishers are frustrated that Apple specifies the request interface rather than them.

Co-panelist Christy Harris, tech and privacy research director at the Future of Privacy Forum, said another frustration is whether when a user “opts-out or in to data sharing on a publisher’s app, does that signal apply as well to the publisher’s other platform services?

Both panelists were asked what they think the technical, policy and practical options are for non-1-to-1 advertising that will still permit attribution and capping and be acceptable to advertisers. “I think many of us in our space see a lot of opportunity there,” replied Shulman.  “Stay tuned, there are probably going to be a lot of announcements but a lot of solutions coming out in the market. And they are all going to be probably predicated on a more contextual space.”

“Contextual” advertising is placed based on the editorial context of the page, as opposed to being targeted to a specific, identified user regardless of the page.








As EU parliamentary committees turn thumbs down on micro targeting of ads, does publishing really need them?

“As part of the preparatory work for drafting the Digital Services Act (DSA), three of the European Parliament’s specialist committees have drawn up recommendations for what should be included: those for the Internal Market and Consumer Protection, Legal Affairs, and Civil Liberties. The European Parliament’s news service has produced a good summary of what is in the three DSA reports, which have been sent to the European Commission . . . Perhaps of most interest to readers of Privacy News Online is the fact that all three committees come out strongly against the use of micro-targeted advertising, and want the DSA to address this explicitly . . . The Internal Market and Consumer Protection report says that online consumers find themselves in an “unbalanced relation to service providers and traders offering services supported by advertising revenue and advertisements that are directly targeting individual consumers, based on the information collected through big data and AI mechanisms” . . . The Legal Affairs committee takes an even stronger line. It says that it considers that the “user-targeted amplification of content based on the views or positions presented in such content is one of the most detrimental practices in the digital society” . . . it seems clear that people and lawmakers are beginning to turn against the invasive practice of “surveillance capitalism”. One important point to emphasize is that this won’t lead to the collapse of online publishing, as some have claimed. The alternative to micro-targeted advertising – contextual ads – worked perfectly well for newspapers and magazines for most of the 20th century. There is no reason why they cannot do the same for online publications in the 21st century.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2020 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp