|A fundamental twist in efforts to maintain effective advertising alongside personal privacy was unveiled this week. It would take control away from browser software such as Google Chrome and Apple Safari and turn processing over to a governed cloud service. The twist came a week after Google scrapped a key idea within its “Privacy Sandbox” and proposed a new one, “TOPICS” (see links, below).
Engineers from the Mozilla Foundation and Meta’s Facebook together unveiled a server-based approach to managing user identity and profiling for advertising called “Privacy Preserving Attribution for Advertising” or “Interoperable Privacy Attribution” (IPA). It involves the use of privacy-enhancing Multi-Party Computation (MPC) servers.
In a virtual discussion on Thursday, Google representatives peppered proponents with questions, asking, for example, if the initiative would be too expensive to implement.
In a 56-slide presentation, two engineers from Meta’s Facebook and one from the Mozilla Foundation revealed details of their idea — to have web, app and TV clicks, taps or views to advertisements — and any resulting purchase attributions — be sent and logged to a common server (or two servers). But the identity of each individual user would be double-encrypted. In theory, only the logging service would be able to connect a view to an individual purchase.
EXCERPTS FROM IPA DESCRIPTION: SEE “QUOTE OF THE WEEK” BELOW
Advertisers could obtain (presumably for a price) trustworthy “conversion reports” from the service — absent any user-identifying information. “Attribution is how advertisers know if their advertising campaigns are working,” observes Mozilla’s Martin Thomson in a Feb. 8 blog post about the PPA/IPA proposal, adding: “We hope this contribution will help make privacy-preserving attribution a reality.”
Importantly, nothing appears in the proposal about who would own or control the logging and conversion-tracking service — a key trustworthiness challenge. But the important point is that advertisers would no longer have to rely upon proprietary logging or conversion services of multiple independent networks such as Google, Apple or Meta. Also unclear in the proposal is what would happen if browser makers boycotted the reporting of clicks and other events to the MPC servers. “Will they confirm they will not interfere with solutions that do not require them to make changes?” Zucker-Scharff asked in one comment thread.
After at least two years of fussing about how to eliminate third-party cookies and improve web privacy at the same time, the proposal represents somewhat of an about face. And it’s noteworthy to have it come from Facebook and Mozilla, rather than from Google, Apple or Microsoft, the dominant browser software makers.
First discussions about the PPA/IPA scheme came Feb. 9-10 (AGENDA) during the first virtual meeting (MINUTES) of a new World Wide Consortium (W3C) discussion forum, the “Privacy Advertising Technology Community Group” or PATCG. The co-chairs are Aram Zucker-Scharff of The Washington Post, and a veteran Internet Engineer Task Force (IETF) consultant, Sean Turner. The Post is owned personally by Jeff Bezos, founder of Amazon, and is fielding its own advertising management system for publishers, called Zeus.
It is more typical for W3C groups to have browser makers among group chairs, rather than a publisher. And typically few publishers or advertisers participate in a W3C group. Notably absent so far are originators of two leading efforts at network user identity management, The Trade Desk (UID2) and the Local Media Consortium (NewsPassID). Nevertheless, PATCG already has 216 member participants including:
- Advertisers/Agencies: Procter & Gamble, Omnicom Group, DPG Media, Meredith Corp., Ford Motor Company, Dentsu Group, Taboola, CafeMedia
- Publishers: The Washington Post, The New York Times, Axel Springer, British Broadcasting Corp.
- Major tech and ad-tech platforms: Google, Microsoft, Amazon, Mozilla Foundation, Twitter, Yahoo, CafeMedia, SalesForce, Facebook, Cisco, eyeo GmbH, MediaMath, AT&T, IAB Tech Lab, Duck Duck Go, Epsilon, LiveRamp, OpenX, Adobe, Salesforce, 51Degrees, Brave Software, Cloudflare, Magnite, IndexExchange, Criteo
- NGOs: News Media Alliance, Future of Privacy Forum, Digital Advertising Alliance, Information Trust Exchange Governing Association, Wesleyan University.
The group’s stated mission: “[T]o incubate web features and APIs that support advertising while acting in the interests of users, in particular providing strong privacy assurances.” It says it won’t consider “non-technical” solutions supporting privacy, which may explain why ownership and governance of the logging/attribution service were not discussed.
GOOGLE, ‘TOPICS’ & IDENTITY
GOVERNMENT AND FACIAL RECOGNITION
- Reversing Course, IRS Retreats From Facial Recognition | Wendy Davis, DigitalNewsDaily/MediaPost.com
- Facial recognition and surveillance: Should we fix it or ignore it? | Zoe Samudzi, The Daily Beast/MIC
- Treasury weighs alternatives to ID.me after privacy concerns raised | David Lawder, Reuters PLC
- ID.me privacy tension grows, here’s what’s next for IRS tax tech plans | Michaela Althouse, Technical.ly
- Government’s Use of Facial Recognition Under Scrutiny | Edward C. Baig, AARP.org
- Government agencies are tapping a facial recognition company to prove you’re you – here’s why that raises concerns about privacy, accuracy and fairness | James Hendler, Renselaear Polytechnic Institute via TheConversation.com
- How do the CPRA, CPA & VCDPA treat biometric information? | David Stauss, Malia Rogers & Mike Summers, HuschBlackwell law firm