Support for “federated” login during W3C privacy meet; lack of agreement over how to “attribute” ads that work

There was apparent agreement on one point and apparent disagreement on a second as technologists from browser companies, ad tech, and a few publishers met virtually this week as part of the World Wide Web Consortium’s  “Privacy Community Group.”  (See meeting MINUTES.)

Representatives from Apple and Verizon said they think browser software, even though sharply limiting the use of “third-party cookies” should continue to facilitate so-called “federated login” — the ability of a user to be transparently recognized at multiple independent websites without be blocked by the browser.

The consensus came during a discussion of Apple’s “IsLoggedIn” proposal, which would allow a user’s home-base site — where they have their account and identity managed — to declare them “logged in” to the browser software for other purposes. “We’d like to explore this,” said John Wilander, Apple’s point-person for technology on the Safari browser. “We/’d like to see if we can cater for federated logins.”  Google has an alternative proposal called WebID.

Conceptual and tentative disagreement arose on a second proposal, Private Click Management, another Apple effort to help advertisers to be able to confirm when an advertising view turns into a product purchase by the viewer — something made more difficult by the deprecation of third-party cookies. Here, also, Google has an alternative, “Conversion Management.” and the two can be compared.

The key debate this week was whether someone other than the advertiser and the publisher where an ad ran should be allowed by the browser software to associate the ad view with the buy.  Apple was trending no, Google says yes, in order to allow ad-tech third-parties a window into advertising effectiveness. The issue then is whether allowing third-parties to view the attribution data creates an opportunity for imposters and fraud.  The question was unresolved.

neutral-third-party

World Advertising Federation calls for neutral-third party to standardize ad-effectiveness measurement

The World Federation of Advertisers (WFA) released a framework and a technical proposal for a cross-media ad measurement framework. In a September statement, the WAF said:

The Proposal leverages a Virtual ID (VID) and differential privacy methods to preserve privacy while preventing double-counting of impressions across media. In delivering improved cross-media frequency control, consumers will also benefit by not being unintentionally targeted by the same ad across different media channels, potentially addressing one of the key motivators behind ad blocking. 

Martin Kihn, a Salesforce Inc. executive, in a Nov. 11 blog post at AdExchanger wrote that “[t]he proposal combines a user panel with census data provided by participating publishers and broadcasters, as well as a neutral third-party data processor. The technical proposal spends some time talking about various “virtual IDs” and advanced modeling processes that are loosely defined – and the goal of which is to provide a way for platforms that don’t share a common ID to piece together a version of one.”

MORE AD TECH

• How specific can ad targeting get? | Nate Nead, ReadWrite.com
• What is sensitive personal information under the new CPRA | Deborah George, LexBlog.com
• Ad tech exec: Identity and addressability needs “people-based IDs” | Travis Clinger, Liveramp via DigiDay.com
• The next fleet of Breitbarts is already raking in your ad dollars | Nadini Jammi, Branded via Substack.com
• Nielsen to begin sharing data on 55M “connected TV” users | Ronan Shields, AdWeek.com | RELATE STORY
• Agency exec says first-party data needs third-party data with it | Feliks Malts via StreetFightMag.com
• Marketers want user data from smart TVs  — without privacy missteps | Sahil Patel, Wall Street Journal
• British ad-tech player ID5 to survey industry over “urgent” identity issues | Exchange Wire Press Box
• Analyst company offers report on global ad-tech market and players | Mark Baxter, PRNewsLeader.com

Privacy and tracking in a CPRA / GDPR world: What changes? About pseudonyms; Mactaggart’s views

Law firms continued this week to offer their analyses of the California Privacy Rights Act (CPRA), now law after approval by 56% of that state’s voters on Nov. 3. It amends the 2018 California Consumer Privacy Act, and begins to take effect Jan. 2, 2022.   Key amendments affect definitions of private data.

• Current CCPA of 2018 text in California Code 
• CPRA amended text to take effect Jan. 1, 2022

CPRA’s principal supporter, real-estate developer Alastair Mactaggart, spent 20 minutes in a live IAB webinar on Thursday giving his views about the impact of the new privacy law. He said it will enable users to turn over management of their privacy preferences to companies that specialize in that role, avoiding having to make judgements at every website visited.

 “We allow for the third party to intercede for you,” he said in remarks during the Interactive Advertising Bureau Policy Summit. “I think over time we will have these trusted intermediaries that will manage it for me so I don’t have to think about it . . . it can’t be up to me to find the ‘do not track’ button on every website.”

The new law expands limitations on the “sharing” of personal information to include “cross-contextual behavioral advertising” whether or not for monetary or other valuable consideration, according to an analysis by Elizabeth Harding and Alex Polishuk of the Polsinelli law firm.

 The “sharing” terminology was meant by CPRA’s supporters to illuminate behind-the-scenes sharing, tracking, and matching of user data by the ad-tech industry on behalf of publishers, advertisers and others, for the purpose of targeting ads to individuals.  Now the ad-tech industry is trying to figure out how to continue to personalize ad delivery without violating CPRA or European Union law.

• RELATED: IAB releases results of industry survey on CCPA compliance   | Sundeep Kapur & Alysa Hutnik | DOWNLOAD REPORT

One of the ad-tech industry’s challenges — is it possible to measure when an ad results in a sale if it is no longer possible to track a unique user?  A solution explored is to have user’s identified by an email address at a “home base” location, but have that ID cryptographically scrambled, or “hashed”, when it is handed out to other sites. (See: “:Ownership of “universal identity” emerging as touchy subject for ad tech’s Unified ID 2.0, report says.”)

When might such a hashed identifier be considered a “unique pseudonym” under CPRA, which would then be considered a persistent identifier that a consumer could forbid?  The distinction between pseudonymous data and “anonymous data” is made within the European Union’s General Data Protection Regulation (GDPR).  Totally anonymous data is not restricted by the GDPR so long as “re-identification” is impossible.

“I think the question is what is personal information,”  Johnny Ryan, an Irish-based privacy activist, told Privacy Beat, adding: “If ad-tech’s Unified ID 2.0 “results in a unique identifier that is not irreversibly, one-way hashed, then it’s pseudonymous data.”  Both GDPR and CPRA include pseudonymous data within the things that users can forbid to be shared or sold.

Because of it’s perceived role in measuring ad effectiveness, the function of “tracking” individual user actions is a major issue for the ad-tech industry, as asserted in a Feb. 10, 2020 report put out by the Interactive Advertising Bureau (IAB), its trade association.

The report concluded: “We find that if tracking were to end, absent a mitigating technology, there would be a shift of between $32 billion and $39 billion of advertising and ecosystem revenue away from the open web2 by 2025. From $24 billion to $29 billion of advertising revenue would be lost to the open web by 2025.”

In a related development, The World Federation of Advertisers (WFA) released a statement and a technical proposal for a cross-media measurement framework  (See story above.)

In reviewing the impact of CPRA, lawyer’s at Arnold & Porter explain another key change — adding “sharing” of their sensitive personal information to the definition of things that a consumer can order a website to stop doing.

Both Anold & Porter and the Eversheds Sutherland firm also dig into a third key change — the specific addition of  defined entities, including a “third party” to the use of data, along with “contractors” and “service providers.”   The new definitions will distinguish who must comply with a user opt-out order and when.

Paying for privacy?

In his blog report on the new law, Foley Hoag LLP attorney Ned Lemanson wrote: “Under pay-for-privacy, consumers either allow businesses to share and sell their data or pay a higher fee for the business’s service.  The CPRA does not limit these schemes, and now allows businesses to run loyalty or discount programs where, for instance, consumers who do not allow access to their data will be restricted from a certain discount on the business’s service.”

CPRA EXPLAINED 

• Q-AND-A: When machine learning meets data privacy | Cat Coode, via Fabiane Clemente
• OPINION: CPRA does not require consumer opt-in to collect sensitive info | David Zetoony, Greenberg Traurig
• Core principles: What marketers need to know about Prop24/CPRA  | Ronan Shields, AdWeek.com
• How CPRA new rules, definitions will affect U.S. businesses | Alexander Koskey & Matthew White, Baker Donelson
• EXPLANATION: When to post “limit use of my info” | David Z. Zetoony, Greenberg Traurig LLP
• Another summary of CPRA provisions | Christine Chong & Eva Pulliam, Arent Fox law firm
• Key differences between CCPA and CPRA detailed | Lindsey Tonsanger et al., Covington law firm
• Who’s covered by the CPRA and what data? | Michael Young & James Harvey, Alston & Bird law firm
• Summarizing next steps for CPRA implementation | Stacey Gray, et al., Future of Privacy Forum

Web inventor “Sir Tim” offers first piece of effort to reverse tide of personal data control back to public

The MIT data scientist and form Swiss-based tech researcher credited with inventing the World Wide Web protocol is marking what he calls a “huge milestone” in turning around how private, ;personal data is handled.

Tim Berners-Lee announced this week four demonstration partners — three in Britain and one in Belgium — that will pilot the “Enterprise Solid Server” (ESS), from his startup company, Inrupt Inc.

• Bruce says Solid flips data security on its head | David Pierce, Protocol.com
• Berners-Lee’s data-privacy project enters the real world | David Meyer, Fortune.com
• ‘Solid’ privacy pods: Can Tim Berners-Lee keep his dream alive? |  Richi Jennings, TechBeacon.com

Inrupt, founded in 2017 by Berners-Lee, now involves a successful tech entrepreneur and also a and prominent cryptography scientist as CEO and lead architect, respectively.  Solid is the name of an open-source project Berners-Lee began at MIT and is the code base Inrupt is working from. Solid is also a member of the Data Transfer Project (DTP), an open-source data portability project that is backed by Apple, Facebook, Google, Microsoft, and Twitter.

The concept is quite simple — invite users to store all their sensitive personal data in one or more “PODS” (Personal Online Data Store), instead of having it spread across the web within different private clouds, platforms and services. “Data generated by your things – your computer, your phone, your IoT whatever – is written to your Pod,” says Bruce Schneier, Inrupt’s chief of security architecture.

Solid defines a set of standard “vocabularies” to organize data in PODS so that it can be easily shared with the user/owner’s permission. Supporters argue this overall approach could reduce data-breach risk for companies that hold data now; but opponents also suggest putting all your data in one place means that one place has to be super secure from hackers.

In the current world, Berners-Lee says, these silos of personal date mean “users and teams can’t get the insight from connecting that data. Meanwhile, that data is exploited by the silo in question, leading to increasing, very reasonable, public skepticism about how personal data is being misused. That in turn has led to increasingly complex data regulations.”

The pilot users are the  BBC, NatWest Bank, the National Health Service (NHS) and the Flanders Government in Belgium, where the project involves giving more than 6.5 million people each their own PODS for interfacing with government services. Like birth, death and marriage certificates and health and pension data.

The idea of having a personal data store, or “wallet” for your data is not unique to Berners-Lee or Inrupt. The World Wide Web Consortium (W3C)’s Decentralized Identifier working group relies on the idea of a wallet.  “I would not be surprised if Inrupt adds support for Decentralized Identifiers, verifiable credentials and the Trust over IP stack sometime within the next year,” said Drummond Reed, one of the curators of the W3C work.

PERSONAL PRIVACY 

• Zoom to enhance security as part of proposed U.S. settlement with FTC |Susan Heavey & Nandita Bose, Reuters PLC
• FTC orders Zoom to tighten data security practices | Joseph Duball, IAPP Privacy Advisor
• FTC fails to address privacy in settlement with Zoom | EPIC.org
• First Amendment doesn’t shield Clearview on biometric privacy | Adam Schwartz & Andrew Crocker, Electronic Frontier Foundation
• Andrew Yang Backs Chrome Users In Privacy Battle Against Google | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Mississippi police pilot program to live-stream Amazon Ring cameras | Matthew Guariglia, Electronic Frontier Foundation
• RJI, EFF to help journalists ‘decipher’ data privacy for consumers | Jennifer Nelson, Reynolds Journalism Institute | REGISTER 

EU PRIVACY 

• Analysis of advice for post-Schrems II EU data transfers released by EDPB | Caitlin Fennessy, IAPP Privacy Advisor
• Plans to shackle big tech face headwinds inside EU Commission | Lewis Crofts et al., mlex.com
• Do anti-encryption proposals threaten end of digital privacy? | Crystal Rose, Medium.com
• EU carriers urge rejection of bid to tighten metadata controls | Yanitsa Boyadzhieva, Mobile World Life
• EU criticized over surveillance aid in nations where privacy at risk | Euractiv.com
• Privacy rights group taking UK’s information authority to court | Open Rights Group website
• EDPB issues comprehensive Schrems II guidance, including recommended supplemental measures to protect international data transfers | Eduardo Ustaran et al., Hogan Lovells law firm
• Twitter could face its first GDPR penalty within days | Natasha Lomas, TechCrunch.com
• Maintaining GDPR compliance in wake of Schrems II | Zak Rubinstein, CPO Magazine

WORLD PRIVACY 

• China’s draft Personal Information Protection Law (“PIPL”) – why it is, and isn’t, like the GDPR | Dehao Zhang & Nancy Zhang, field fisher law firm
• China’s draft Personal Information Protection Law released for public comment | Hogans Lovell law firm
• Ecuador National Assembly set to debate draft personal data protection law | via IAPP Daily Dashboard
• Canada must regulate AI to protect privacy and human rights: watchdog | Maan Alhmidi, The Canadian Press