PRIVACY BEAT: IAB Lab exec floats ideas for a neutral, ‘publicly owned’ single identifier’ for sharing user data with permission

Privacy Beat

Your weekly privacy news update.

1. IAB Lab exec floats ideas for a neutral, ‘publicly owned’ single identifier’ for sharing user data with permission

A former ad-tech industry executive who now works at the IAB Tech Lab is floating an idea for industry collaboration around a “neutral” governed “single identifier” to replace third-party cookies as a mechanism for serving targeted advertising. He says such a mechanism should be “publicly owned.” 

“We propose standardized privacy settings and consumer controls tied to a neutral, standardized identifier,” writes Jordan Mitchell, senior vice president, membership and operations at IAB Tech Lab, in a lengthy Sept. 4, blog post that summarizes the failed privacy history of third-party cookies.  His post is entitled: “The Evolution of the Internet, Identity, Privacy and Tracking – How Cookies and Tracking Exploded, and Why We Need New Standards for Consumer Privacy.”

Mitchell joined Tech Lab a couple of years ago from an ad-tech-industry association called DigiTrust which he helped form while being paid by Rubicon, an ad-tech company. DigiTrust sought to develop a single, first-party cookie, owned by the ad-tech industry, that would eliminate the need for third-party cookie matching. A goal was to reduce the dozens of third-party cookie calls to websites, slowing them down and annoying users. The idea did not catch on with publishers, and DigiTrust was acquired by IAB Tech Lab. 

Mitchell’s new proposal, as he outlines in his Sept. 4 post, acknowledges the need to find a trustworthy approach that is consistent with emerging government regulation, respects user privacy signals, and is supported by publishers as well as technology companies. He writes that standards should  “be set up as public utilities” governed jointly by the digital media and marketing industries.

“We’re calling for a centralized mechanism so that you can convey your preferences and all parties…can respect those preferences,” Mitchell wrote. CNET’s Stephen Shankland reported the technology would be jointly developed by advertisers, publishers, browser makers and privacy advocates and submitted to standards bodies. 

Mitchell’s post continues: “Eliminating cookies today without an adequate, planned transition to a new, publicly-owned mechanism for recording and honoring consumer preferences will disenfranchise millions of independent businesses, entrepreneurs, influencers, and individual communicators, and concentrate control of the internet with four or five giant technology companies.”

TechCrunch’s Anthony Ha picked up on Mitchell’s IAB post and wrote in his story, entitled, “IAB proposes a new tracking alternative to the cookie,” that Mitchell realizes a single-identifier network would have to have governed privacy standards and, Mitchell said, “these standards be set up as public utilities, subject to regulations promulgated by government entities, with the digital media and marketing industries jointly governing the standards with the browser providers.”

Ha’s story quoted Brendan Eich, CEO of ad-blocking browser company Brave, as tweeting “who’re they kidding” if the single identifier can match to an individual.  Eich suggested looking at a 2013 proposal by Mozilla — when he was CTO there — that called for a different identity hash for each website, tied to a common identity at one location. 

Mitchell told the CNET interviewer: “Who’s going to trust the [ad] industry [to] come save the day? No one. We recognize we need to show accountability and reliability to the preferences set by consumers.”

So many people have told us this newsletter is valuable.
Please support the continued work of ITEGA to foster a digital marketplace that respects privacy and identity.

Donate

2. Privacy advocates fear last-minute push by ad-tech could threaten CCPA guarantees to consumers

The Washington Post was out this week with a story by one of its veteran tech writers — Tony Romm — suggesting ad-tech and tech-platform interests are readying a last-minute lobbying push on the California Legislature to try and ease provisions of the California Consumer Privacy Act (CCPA). They have to move fast — there is a self-imposed legislative deadline of Sept. 14 for all bills to be either passed on to the governor — or dead for the session. 

Romm looked at Twitter’s ad-transparency archive site and figured one set of targetted ads, run by the Internet Association (whose members include Facebook, Google, Microsoft and Twitter) went only to 184,000 people located in California’s state capital — Sacramento.  An Internet Association spokesman said they group merely seeks amendments to make the law “easier for businesses to understand,” not weaker. 

In another story, Bloomberg Business News reported that Google and the ad-tech/marketing industry has been trying for months to get a rewrite of the CCPA on the calendar in Sacramento but with no success to date.

Groups such as the American Civil Liberties Union, Common Sense Media and the Electronic Frontier Foundation have tried and failed this legislative session to broaden the definition of “sale” of data to make it harder for ad-tech to share user data. They also want to keep the definition of “personal information” broad. But they haven’t been effective at getting their amendments moving, nor have advertising interests, really. 

The effort to rollback CCPA has been ongoing. Back in April,  Los Angeles Times business columnist Michael Hiltzik reported on Assembly Bill 1416, which is said to be backed by the California Chamber of Commerce and big Internet companies.  There is no indication the bill is moving now, however. 

The bill analysis prepared in July by Democratic staff for the Senate Judiciary Committee said AB 1416 “would dramatically erode the rights of consumers pursuant to the nascent law and allow businesses to disregard consumers’ choices to restrict the sale of their personal information or to delete it.”

The argument advanced in favor of AB 1416 is that companies which collect user data for marketing purposes would be prohibited by the CCPA from selling or giving that data to government agencies for legitimate public purposes. Privacy folks say that is an argument designed to support a bill which would relax sale and use regulations already embodied in CCPA — that that is the real concern of business.  

“It’s a massive land grab,”  said Alastair MacTaggart, the privacy activist who proposed a ballot initiative to protect consumer rights, and settled for ensuring passage of the CCPA last year. His comment was in the LA Times story in April. 

At that time, Justin Brookman of Consumer Reports, told the LA TImes: “This provision is so unfathomably broad that a company could do anything it wants. There’s no guard railing at all.”

RELATED LINK:

 

3. Competitor alleges Google’s “invisible” tracking can share and send personal data among advertisers and marketers; Meanwhile, Facebook suggests policy future

Johnny Ryan, a technologist at Brave, the ad-blocking browser maker, has filed a new complaint with data protection authorities in Ireland that describes what he asserts is an opaque Google effort to facilitate sharing of personal data to advertisers. See: “Brave Uncovers Google’s GDPR Workaround.” 

The complaint comes the same week Facebook publishes a blog post and a major white paper: “Data Portability and Privacy: Charting a Way Forward” by Erin Egan, Facebook’s Vice President and Chief Privacy Officer, Policy.

Covering Ryan’s complaint, the Financial Time’s Madhumita Murgia put it this way in the lead to her Sept. 4 story: “Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.” 

In the FT account, Ryan found Google set up a “hidden” web page — one with no content — that contained an identifying tracker unique to Ryan and linked to Ryan’s browsing activity. He told the FT this could allow Google ad partners visiting the page to match their profiles of Ryan and his browsing with their own data and data from other companies — to target him with ads. 

“This practice is hidden in two ways:  The most basic way is that Google creates a page that the user never sees it’s blank, has no content, but allows…third parties to snoop on the user and the user is none the wiser,” the FT quoted Ryan as saying. “I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.” 

Google told the FT it would cooperate with Irish authorities investigating the company and added, “We do not serve personalized ads or send bid requests to bidders without user consent.” 

RELATED LINKS:

Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

4. Google reaching out to university researchers to understand variance in effect of  third-party cookies

There’s an update on news from two weeks ago about a Google research experiment of keen interest to publishers. The research by Google found a more than 50% drop in revenue to publishers when cookies are “turned off” — widely different from an earlier published study.  

In May,  researchers at Carnegie Mellon, UC-Irvine and the University of Minnesota found a vastly different result — only a 6-percent drop. Now the Google researchers, say they are reaching out to trade notes on methodology. 

Google referenced its research in an Aug. 22 blog post, without linking to the full writeup. But now Google researchers wrote Aug. 27: “We believe that the difference in results may be partially attributed to the fact that their analysis was performed on a single publisher (in contrast to the larger scale of previous studies), and in part due to the inherent challenges associated with the nature of observational studies (such as the need to control for many variables, some of which may themselves be influenced by the presence of cookies). Researchers at Google are in communication with the authors to better understand their methodology and the difference in results.”

Earlier point-by-point criticism of Google’s survey came in a blog by two Princeton University computer scientists, Jonathan Mayer and Arvind Narayanan, who said cookie blocking does not undermine web privacy. “Google’s claim to the contrary is privacy gaslighting,” they wrote in a blog post, “Deconstructing Google’s excuses on tracking protection.”

The issue is important as publishers weigh whether to reduce their dependence on third-party cookie ad-tech. On the one hand, Google’s survey implies that dropping out of surveillance marketing with third-party cookies will cost a lot. But there’s another view: That failing to drop out of surveillance marketing will cause more and more users to take the opportunity block ads and cookies, and that will cost the publishers about the same amount, according to this 2017 study cited by Mozilla’s Don Marti in a blog post of Aug. 23. 

BRIEFLY NOTED:

Andreessen says crypto as micropayments could help with privacy problems and reduce ad dominance 

The Wall Street Journal tracked down insiders who participated in a San Francisco confab of Silicon Valley blockchain and crypto investors with federal and other banking regulators — apparently organized by Marc Andreessen’s venture-capital outfit.  Said the WSJ account: “Mr. Andreessen told the regulators that cryptocurrencies could solve the problem of ‘micropayments’ and improve privacy by reducing the dominant role of online ads. ‘Eighty percent of the things people hate about the internet today would not be problems,’ he said.”

EXCELLENT SUMMARY OF DATA QUAGMIRE: 

AND HOW DATA WAS USED IN POLITICS: 

POINT OF VIEW: 

ON SANDBOX — POINT / COUNTERPOINT

QUOTES OF THE WEEK

But here’s the frank talk we need to have: None of it will work, unless we work together. Four or five giant companies, each advancing its own competitive position against the others, won’t protect your privacy. Government regulators, passing conflicting laws with underfunded enforcement at the trans-regional, national, state, and local levels, won’t protect it. Self-regulatory bodies, including our own, which lack the legal authority to enforce compliance with their procedures, won’t protect it.

–  Jordan Mitchell, Senior Vice President, Membership and Operations at IAB Tech Lab, in a Sept. 4, blog post about a universal digital identifier

TIDBITS

CONSUMER PRIVACY 

Is your mental health status for sale? (Privacy International)
Mozilla’s Firefox turns on default enhanced tracking protection (Mozilla Blog)

U.S. REGULATION 

Google emerges as target of a new state attorneys general antitrust probe (Washington Post)
FTC Zeroes In On AppNexus, Oath As Part Of Its Broadband Privacy Inquiry (AdExchanger)
Is the government ready to regulate the tech industry? (Kai Ryssdal and Sean MCHenry, Marketplace.org)

EU 

EU study: ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data?’ (GTG Advocates, Dr. Ian Gauci)
Researcher exploits GDPR to access partner’s personal data (Brodies)

Share Share

Tweet Tweet

Share Share

Forward Forward

Facebook

Twitter

Website

Copyright © 2019 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp