Graphic courtesy The Trade Desk/Getty Images

IAB ranks privacy challenge among policy priorities; Tech Lab seeks UID 2.0 identity “administration” role

The Interactive Advertising Bureau (IAB), in an online survey of its members introduced by its president, David Cohen, and distributed by email this week, appears to rank privacy as among its top priorities for 2021 and 2022.  The survey comes as the IAB Tech Lab seeks to find a role for itself in governing web identity (and hence privacy).

A listing of eight challenges/topic areas for the 650-member IAB lists first: “Privacy Now (privacy compliance, public-policy advocacy and technical solutions concerning recently enacted and potential new privacy laws.”   Other topics in descending order are The New Media Consumer, Tele://Vision, Diversity, Equity and Inclusion, Brand Disruption, News Saves Lives (supporting news and balance band safety and civic good through research and marketing efforts), The Future of Addressability and The Measurement Imperative.

In the forwarding email, Susan Hogan, IAB’s svp, research and analytics, said both IAB members and “active non-members” had received the invitation to complete the 15-minutes survey to learn about constituent priorities and get feedback on IAB’s performance.

IAB is weighing — through the survey — when members will be read to start attending F2F events as COVID restrictions ease. Meanwhile, its next virtual event is set for June 16: “State of Data Town Hall: Future of Contextual.” 

Last week, IAB Tech Lab and The Trade Desk (TTD) announced simultaneously that TTD had contributed code, ongoing maintenance and development for Unified ID 2.0 (UID 2.0) to the Tech Lab to make available under BSD-2 License, a form of “open-source.”  The code base for the federated identity service will presumably be available publicly.

Meanwhile, the Partnership for Responsible Addressable Media (PRAM), an ad-industry trade group, was quoted within The Trade Desk release as “intending to quickly finalize its technical and policy standards for Addressable Media Identifiers” and evaluate UID 2.0 for potential endorsement.

Not yet clear is what entity will have authority to sanction and remove entities from the use of UID 2.0 and for what reasons.  Roles for “Administrator” and Auditor” are not set yet, the IAB TEch Lab’s release, written over the name and photo of Alex Cone, VP, privacy and data protection, said the lab is “specifically focused on Tech Lab’s potential role as Administrator.”  Tech Lab has been working on an accountability platform.

AD TECH

• Google’s opaque practices to restrict fingerprinting create confusion among its ad tech partners | Kate Kaye, DigiDay.com
• How to turn FLoC off in newly downloaded versions of Google Chrome | Michael Crider, AndroidPolice.com | RELATED STORY
• Amid post-cookie confusion, Amazon plans to launch an identifier of its own | Max Willets, DigiDay.com
• Verizon Media Ad Formats Rely Heavily On Tech Under New Parent | Laurie Sullivan, DigitalNewsDaily/MediaPost.com
• Google says it won’t build Privacy Sandbox backdoors | S. Shah, EnGadget.com
• VENDOR VIEW:  Content No Cookies, No Problem: Harnessing the Power of Multi-Dimensional First-Party Data| Sefy Ariely, Anagog, via StreetFightMag.com
• VENDOR VIEW: Most advertisers are not ready for Apple’s iOS14 privacy rules | Alon Tvina, Hidalgo via StreetFightMag.com
• Criteo Rebrands, Reveals Roadmap for Future of Open Internet During Company’s Investor Day | ExchangeWire.com release | RELATED STORY

PUBLISHING, PLATFORMS & PRIVACY

• Twitter testing curated local weather reports as premium content? | Rob Williams, PublishingInsider/MediaPost.com
• Why is US public funding of journalism off-the-bottom of democracies’ chart? | Victor Picard & Timothy Neff, Columbia Journalism Review
• Twitter Blue — The great paid-social experiment | David Pierce, Protocol.com | TWITTER’S ANNOUNCEMENT
• The Ins and Outs of Subscription-based Pricing | Heather Reading, StreetFightMag.com
• Twitter launches its premium subscription, Twitter Blue, initially in Canada and Australia | Sarah Perez, TechCrunch.com

ANTITRUST

• Google Nears Settlement of Ad-Tech Antitrust Case in France | Sam Schechner & Keach Hagey, WSJ.COM
• Facebook facing EU Commission antitrust investigations over data handling | Oliver Scott, FinBold.com

WASHINGTON WATCH

• A U.S. privacy law seemed possible this Congress. Now, prospects are fading fast | Alexandra Levine, Politico.com | KLOBUCHAR 2019 BILL | OBAMA 2012 PRIVACY FRAMEWORK
• More user-friendly, inclusive privacy online requires funded research | Nick Merrill & Richmond Wong, TheHill.com
• Ex-Googler Sridhar Ramaswamy’s Neeva ad-free search startup sets July launch | Lara O’Reilly, BusinessInsider.com

CafeMedia studies Google FLoC — cohort-based privacy-in-the-browser; UDEX is compared

A former editor and Mozilla open-tech expert who now works for an ad-tech company is offering the first public look at the operation of “FLoC” — Goggle’s effort to control ad targeting inside its Chrome browser rather than with third-party cookies. Don Marti works for CafeMedia, which represents publishers selling their digital advertising. He’s also an advisor to the Information Trust Exchange Governing Association, sponsor of this newsletter.

• Publishers are beginning to decipher audience clues by cracking FLoC codes | Tim Peterson, DigiDay.com

“At this early stage, FLoC isn’t yet being used by advertisers to target and buy ads,” Marti  writes in a post dated May 27 on the CafeMedia website. “However, we can explore how FLoC cohorts line up to people’s actual content consumption interests, based on traffic trends across the 3,000+ sites that CafeMedia works with.”  In his blog post, Marti describes interest patterns evident in the “Origin Trial” of FLoC which Google has enabled in recent downloads of Chrome.

It takes some explaining to understand FLoC, and Marti did so as a test user in a discussion with Privacy Beat in these steps:

1. f you browse the web with Chrome on your phone or other device, Chrome logs all the pages you visit.

2. The new FLoC Javascript code lodged in the Chrome browser — which Google has made open source — analyzes just the domain names (not individual pages) and turns that history into a super long number/symbol sequence called a “CityHash”, says Marti.

3. Then, the FLoC code on the browser creates a new long string called a “SimHash” (the term is discussed in this Google white paper).

4. Once a week, the browser-based FLoC software contacts a Google server, sends it the unique SimHash and the Google server compares it to millions of other  SimHashes it has received across the web.

5. The Google server sends back to the Chrome browser a cohort number (one of thousands) that best associates the submitted SimHash with like-interest SimHashes globally — say 17001. The Washington Post’s Aram Zucker-Scharff is among those raising concerns about sensitive cohort groupings.

6. Now, when an advertising network seeks to place an ad in front of that browser’s user, it requests from the browser its latest cohort group ID (the 17001) deciding if the user of the browser is an attractive-enough target to bid on the ad position.

From an engineering point of view the approach is elegant but why does a user’s anonymized cohort assignment have to be inferred and managed by a Google-originated browser and a Google server?

• Four alternatives to cookies and device IDs for marketers  — cohorts, UIDs, on-device, context | Ionut Ciobotaru, VentureBeat.com

One alternative approach is suggested by a draft technical specification developed in the open for ITEGA three years and known as “UDEX.ORG” In the UDEX model, the end user’s home base provides information about the user’s interests — either inferred or expressed — to a server system with the user’s ID obfuscated by hashing. The interest information is used by the UDEX service to assign the anonymous user potentially to multiple interest cohorts. An advertiser (see chart) can then make a decision to serve an ad by asking UDEX for the anonymous user’s interest-cohort profile. Rather than weekly updating, the UDEX profiles could be continuously updated based on new information from the user’s identity service provider — such as a publisher.  (See related: “An advertising awards show in the browser.”)

BROWSER / PLATFORM PRIVACY

• Papers in Arizona lawsuit show Google insiders worried about location privacy | Tyler Sonnemaker, BusinessInsider.com
• Court documents show Google intentionally hid privacy controls | Michael Crider, AndroidPolice.com | RELATED STORY
• Your digital fingerprint is tracked everywhere online. Brave wants to change that | Shubham Agarwal, DigitalTrends.com
• Amazon’s turn-on of cross-device “Sidewalk” network called privacy risk | Ray Schultz, DigitalNewsDaily/MediaPost.com
• Amazon US customers have one week to opt out of mass wireless sharing | Alex Hern, TheGuardian.com
• Google toughens up on android ad tracking but won’t go as far as Apple | Hugh Langley & Ryan Joe, BusinessInsider.com
• Google Tightens ‘Limit Ad Tracking’ Policies For Android Ad ID | James Hercher, AdExchanger.com
• Apple Hasn’t Cracked Down On Fingerprinting On IOS 14 Yet, But That Other Shoe Is Gonna Drop | Allison Schiff, AdExchanger.com
• Mozilla touts privacy features of new Firefox release | Selena Deckelman, Mozilla Blog

PERSONAL PRIVACY

• King County is first in the country to ban facial recognition software | Suzanne Pham, KOMO News
• Human rights groups call for an end to digital surveillance of immigrants | Kari Paul, TheGuardian.com
• Federal appeals court Upholds $1.4B settlement in Equifax data breach | Amanda Bronstad Law.com
• Harvard researchers recommend Census not use privacy tool | Mike Schneider, Associated Press
• Searl’s new idea: The “intention byway” to fix web privacy | Doc Searls Weblog at Harvard-Berkman | MORE ABOUT ‘INTENTCASTING’
• Body Cameras Help Monitor Police But Can Invade People’s Privacy | Bruce C. Newell, Honolulu CivilBeat.org
• Prosecutors can use SMS texts without violating 14th Amendment, Mass. court says | John R. Ellement, BostonGlobe.com
• Firefox updates privacy protections in ‘all-new’ browser | Anthony Spadafora, TechRadar.com
• TECH PRIMER: How privacy-protecting databases work | Peter Wayner, VentureBeat.com
• iOS 14: All of the hidden iPhone and iPad features you need to know | Jason Cipriano, CNet.com
• Data privacy vs. innovation: The new rules of the road | Beth Magnuson, VentureBeat.com

Schrems in video, above. See QUOTE OF WEEK, below) 

Schrems turns up heat on personal-data users over cookie consent; is a reckoning coming in the EU and California?

An Austrian-based lawyer and privacy evangelist is turning up the heat on both regulators and the users of personal data on the web with his own data-driven fight over cookies.

Max Schrem reported this week that his NOYB.EU (“none of your business”) advocacy group has sent 500 “draft” complaints to websites which he says are deliberately confusing consumers so that they won’t “opt-out” of the use of their data for cross-site tracking and other purposes.

“Everybody in Europe hates cookie banners,” Schrems was quoted by DW.com as saying.  “Many people feel that cookie banners are where the GDPR went horribly wrong, but the problem is not the GDPR, it’s crazy deceptive designs . . . “Companies use every trick in the book to make you hit this accept button.

• Europe’s cookie consent reckoning is coming | Natasha Lomas, TechCrunch.com

Schrems, in a lively video, says NOYB is using technology to crawl thousands of European Union-serving websites and investigating how they present a required cookie “opt-out” choice. If sites don’t clean up their act within 30 days, he says, the draft complaints will be filed with General Data Protection Regulation (GDPR) enforcers capable of imposing billions in fines.

“Over the course of a year,  noyb will use this system to ensure compliance of up to 10,000 of the most visited websites in Europe,” NOYB says on its website. “If successful, users should see simple and clear “yes or no” options on more and more websites in the upcoming months.”

Of the 500 pages in its first batch of complaints, the BBC reported. 81% had no “reject” option on the first page, but rather hidden in a sub-page, it said. Another 73% used “deceptive colours and contrasts” to lead users into clicking “accept”, and 90% provided no easy way to withdraw consent, it said.

Thus in both California and the EU, privacy advocates are pushing regulators to enforce laws. Data users, including advertisers, are waiting to see how tough any crackdown will be and whether they can litigate their way to reduced fines. Key provisions of the California Privacy Rights Act don’t take effect Jan. 1, 2023, but groups are already seeking enforcement of its precursor, the CCPA.

EU PRIVACY

• EU Parliament turns up heat on gatekeepers’ digital power in draft changes | Lewis Crofts, mlex/Lexis-Nexis News
• EU privacy rules should encourage businesses to advertise using non-personal data, Sippel says | Matthew Newman, mlex/Lexis-Nexis News
• British ICO seeks comments on guidance on privacy-preserving practices | IAPP News
• Seven European countries begin issuing a digital Covid certificate for travel | Matina Stevis-Gridneff, New York Times
• European Commission Adopts New Standard Contractual Clauses |  David Stauss, Husch Blackwell law firm
• Is Experian’s Tapad EU shutdown related to investigation? | Allison Schiff, AdExchanger.com
• Snowden hails Euro court’s ruling on British mass surveillance | Katherine Fung, Newsweek.com
• EU justice chief: Some data privacy cases should be fast-tracked | Pieter Haeck, Politico.EU
• Europe to US: Pass new laws if you want a data-transfer deal | Mark Scott & Vincent Mannancourt, Politico.EU
• UPDATES: Four items on facial/biometric privacy in EU | IAPP News

STATEHOUSE BEAT — Lobbyist pressure

• Tech lobbyists apply pressure as state lawmakers advance privacy bills | Bobby Allyn, NPR.org
• Colorado Lawmakers Advance Data Privacy Legislation | Saja Hindi, Denver Post via GovTech.com | RELATED STORY
• Ad Groups Warn Of ‘Crushing’ Costs Of Proposed Colorado Privacy Law | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Status Of Proposed CCPA-Like State Privacy Legislation As Of May 31, 2021 | David Stauss, Husch Blackwell LLP
• Will the Excelsior Pass, New York’s Vaccine Passport, Catch On? | Sharon Otterman, NYTimes.com
• CPRA Update: What is a “Contractor?” | Alysa Zeltzer Hutnik & Alex Schneider, Kelley Drye law firm

WORLD PRIVACY

• Trudeau nominates Canada privacy commissioner for new term | Government Statement
• Facebook’s WhatsApp sues to stop Indian government’s end-run of privacy encryption | Scott Ikeda, CPOMagazine.com
• WhatsApp Sues Indian Government Over New “Traceability” Rules That Require Circumvention of End-to-End Encryption | Scott Ikeda, CPOMagazine.com
• Facebook’s WhatsApp backs off privacy-ultimatum for Indian users | Andrew Hutchinson, SocialMediaToday.com