Surveillance Ad Tech & Web Privacy

Much of Ad tech is working counterproductively to privacy regulation.

According to this highly useful resource page from the IAPP, most international privacy laws mandate that companies give their users the right to access, correct, delete, and opt-out of any personal information being collected, used, shared, or sold about them. The collective interpretation of these common ground aspects of privacy law is straightforward and unambiguous.

A one-way cyber mirror

Here’s the problem. No one can easily ask the websites they visit what information companies like Google or Facebook are collecting on them as they visit. A recent study by Ping Identity found that 72% of consumers revealed it was difficult for them to find out how their data is shared.

The business consequences of privacy opacity are harsh. The same Ping Identity survey showed a full 60% of consumers admitted they deleted their online account over privacy concerns with half of them reporting they did so more than once.

The top five third parties that access the highest number of first-party IDs and IP addresses per website are well-known multinationals Facebook, Google, Microsoft, HubSpot, and DoubleClick. But these big names are just the beginning of a very long list.

The data game is vast

Cybersecurity firm, Reflectiz, reports the average number of 3^rd and 4^th parties with access to user information from any given website is up to 66. The number of outside parties website owners give access to user information has grown over 235% in 5 years.

Our internal research on the primary websites of the Fortune 1,000, arguably the most conservatively managed websites in the world, indicates that the average number of 3^rd parties tracking users is up to 16 with the worst website in this elite group allowing 157 third parties access to their users’ information. We will be releasing more detailed reports soon.

Lots of recorders with no off button

While some websites may disclose in their privacy policies that they allow third parties to record and share information with others, very few if any give specifics as to the type of information collected.

Almost no privacy policy discloses how third parties can enhance their profile of you with the latest behavioral information they collect in order to increase the value of your information in the open market. And no policy we’ve seen allows users to opt out of this highly intrusive form of offsite third-party data processing in the first place. 

If your company has a privacy policy and functional process that offers users a preemptive opt-out of all 3rd-party data access, use, and sharing, please send it our way. We will create a follow-up piece that lists and celebrates privacy-first companies leading by example.

AdTech cookies are no longer exempt

The CA Attorney General’s office recently sent strong signals in its first wave of CCPA enforcement actions. The IAPP summarized the Top 10 Takeaways from the California AG’s CCPA enforcement case examples, and item 6 on the list disallows companies from claiming cookies that share user information with 3^rd-parties as necessary for “business purposes” or for “providing analytic services” on their privacy policies.

Seeing as most websites avoid asking users to opt-in to their more invasive AdTech cookies and trackers by inaccurately labeling them as “analytics cookies” and “necessary for business purposes,” hopefully, the days of forced AdTech cookies are truly numbered. If this news doesn’t prompt a mass privacy policy review for most companies, I’m not sure what will.

The definition of user privacy

Back in 2010, when asked what he thought user privacy meant, Steve Jobs said, “…to let (users) know precisely what you’re going to do with their data.”

Seeing as most CISOs can’t precisely explain how their cyber third parties are using their web users’ personal information, it seems safe to conclude that by Apple’s ex-founder’s definition of user privacy, there are very few if any websites that offer it.

The fundamental unfairness of the “notice-and-consent” data economy

The FTC’s Commissioner, Rebecca Kelly Slaughter, recently gave a blistering speech at the annual conference of the National Advertising Division unit of the BBB and indicated the FTC is considering a minimization framework that would effectively disable surveillance advertising as a practice.

Slaughter noted, “The pervasive nature of commercial surveillance, its substantial injuries to consumers, its unavoidable nature, and the paucity of benefits that outweigh those injuries demonstrate a fundamental unfairness at the heart of the data economy.”

MediaPost covered her speech and the implications for the ad industry in a recent article where they quoted Slaughter as adding, “…notice and choice will not address the broader surveillance practices upon which the current digital advertising economy is built.”

Surveillance advertising or spyware?

In trying to distinguish the difference, we’ll choose to examine the current Wikipedia definition of spyware: “Spyware is software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user.”

Allowing 3^rd parties to spy on website users’ online behavior without their consent to offer them a slightly more relevant ad hardly seems like a harmless user benefit. Especially when you consider the twin global plagues of identity theft and corporate data breaches that continue to increase due in part to the personal data market the AdTech industry creates. 

The advertising industry should expunge its use of behavioral surveillance ad technology now or expect continued comparisons to the corporate spyware model.

75% – 79% of all websites are complicit

Web privacy studies like this one from Ghostery, show that 79% of websites globally are secretly tracking personal information, and this one published by Cornell University show that 75% of all websites studied track users before consent banners are displayed or after consent is expressly denied.

The conclusion: most websites are built to ID users, record their behavior, and spread the information to other entities the second they hit them.

Cookies are so 2010

Today, online users are identified through new and more invasive forms of AdTech combining first-party ID leaking, browser fingerprinting, and user ID synchronizing tech. Consent, especially the opt-in first variety which many privacy regulations require, is irrelevant to these new forms of AdTech.

But cookie consent management programs seem to have been designed to provide temporary first-party legal coverage anyway. Most AdTech companies never hoped to establish meaningful first-party relationships with anyone. Web privacy has far more to do with technical capability as it turns out than legal documentation.

Decoupling AdTech

We can come to no other conclusion that when tethered to websites, modern AdTech as an industry is one that is focused on spying on users’ online behavior for the sole purpose of selling personal user behavioral information to other entities without user consent for profit. 

This aspect of the ad industry harms people and society at large by destroying personal privacy, exposing people to identity theft, and increasing the likelihood corporations may experience privacy fines, ransomware attacks, and client-side data breaches.

There should be no argument that the ad industry in its current form is placing companies at undue risk and annoying the public at large. The AdTech industry in particular is on an inevitable collision course with privacy regulation, federal regulation, and growing public outrage.

As “cookiegeddon” approaches and as privacy law enforcement becomes more active, the decoupling of surveillance AdTech technologies from websites seems like an inevitable, positive change.

Fortunately, the AdTech industry realizes it has a problem

The first step in recovery is realizing you have a problem. One of the leading industry trade publications, MarTech.org, recently published The Real Story on MarTech: Navigating the new world of consumer privacy, an article written by Real Story Group (RSG) which took a hard look at the challenges facing the industry.

RSG accurately assessed the landscape shaping significant change.

Key change drivers like imminent cookie extinction, regulatory acceleration, consumer privacy awareness, and security vulnerabilities were discussed. Status quo changes like the decline of ad/marketing analytics based on non-consensual data use were also highlighted.

Immediate industry challenges like heightened legal and regulatory risk and lower consumer brand trust are some of the more notable drivers.

Unfortunately, the corrective measures they present are puzzling.

Inventing a new world of privacy invasion

RSG lists twelve emerging industry responses, five of which create even more serious privacy concerns: Universal ID Sharing, Contextual Targeting, Differential / Cohort Targeting, Data Exchanges & Partnerships, and Cookieless ID Graphs.

Earlier we cited two research studies that indicated 75%-79% of all websites were exfiltrating user information, IDs, IP addresses, and more within milliseconds after users hit websites. The technologies that enable this lightning-fast, fully automated privacy violation machine come from one or more of the technologies described from the five “emerging fields” listed above.

Do we really need more automated surveillance?

Sharable IDs aren’t enough. Fingerprinting methods aren’t enough. The industry knows it always needs more than Cookieless ID matching to have truly valuable data. The “data-driven” ad industry needs a fresh stream of behavioral data to match IDs to, the more personal the better.

Advertising technologies will forever be financially motivated to marry you to your most recent online activity, in high detail, no matter where that activity takes place. There will always be a strong financial motive to violate our privacy in the name of slightly more targeted advertising.

The Privacy Prime Directive: First-party with prior consent

The Ad Industry has a big decision to make. Be transparent, play by the rules, or find a new way to make money.

Consumers overwhelmingly want their privacy. Privacy laws are here and spreading over the globe fast.

Unless you are developing technologies and business models that enhance companies’ ability to develop first-party relationships with their customers while simultaneously enabling users’ prior consent controls to access, correct, delete, and opt-out of any personal information being collected on them – you are no longer bringing value to enterprises or society at large.

And AdTech, if you are listening, stop spying on us, our families, and yourselves. The world has changed, and it requires more privacy. Now.