The advertising industry and mobile operating systems try to skirt around data privacy laws

30 June 2022(Paris, France) – The data party has ended for easy internet advertising. Imagine you’re in a club and there is low lighting but it is consistent lighting and you’re able to see everyone in the club. That was what it was like under the old paradigm, when ad marketplaces enabled brands to sift through cookies on everyone’s web browsers and know everything about them: what they shopped for online, their interests, their internet viewing habits. That was the power of cookies.

NOTE: The average user may vaguely understand the concept of cookies when they clear their browser history; by erasing their previous browser sessions, the web addresses from past sessions disappear, and sometimes readers have to reenter passwords into websites because they erased the cookie that previously retained their logged-in status. Erasing the cookies also erases the tracks that marketers previously followed to, say, retarget ads or detect if people were in the market for certain products.

There is a difference, though, between a first-party cookie, meaning one the publisher implants on a reader’s browser, and a third-party cookie, which gets dropped without the reader really consenting to an unknown party keeping tabs on their whereabouts.

And so online marketing has gotten ever-more complex since cookies lost their full powers to track consumers from website to website and since device identifiers started disappearing. So to take my club analogy one step further, now you’re starting to see strobe lights which are very powerful, but they’re inconsistent, they flash, and you can see movements of people, but you can’t see them all the time. So you have to infer.

NOTE: The loss of cookies and other trackers has created a rush for brands to harvest first-party data, which has become the gold standard for marketing campaigns online. What’s so appealing about first-party data is that it theoretically comes with the direct consent of the consumer, who can be confronted with a consent option at the point of contact online or in a store. Sometimes merely filling out a form online gives the opportunity to capture their permission.

A lot of this shift comes from actions by companies such as Apple to stomp out “surveillance advertising” on iPhones. Apple has even made its pro-privacy push a foundation of its own advertising.

Cookies had been going away from most web browsers, and even Google, the biggest internet ad company, is moving away from them on Chrome. And other trackers have been going away, too, like device IDs known as the Apple “Identifier for Advertisers” (IDFA) which have been the connective tissue for apps to conduct marketing on mobile. And lately, Apple has been restricting collecting internet protocol addresses as a workaround identity data for targeting.

So I read with great interest the article “U.S. Senators Urge FTC to Investigate Apple for Transforming Online Advertising into an Intense System of Surveillance”. The article notes:

Apple and Google “knowingly facilitated harmful practices by building advertising-specific tracking IDs into their mobile operating systems,” said the letter, which was signed by U.S. Senators Ron Wyden (D-Oregon), Elizabeth Warren (D-Massachusetts), and Cory Booker (D-New Jersey), as well as U.S. Representative Sara Jacobs (D-California).

There are references to Tracking IDs, “confusing phone settings, and monitoring a user when that user visits non-Apple sites and services”.

NOTE: Players in the supply chain are banking on new kinds of online identifiers to do the connecting between ad networks and consumers. Those identifiers are rolling out with rapid speed. These IDs rely on email addresses, anonymizing them through encryption, to create profiles on web users, who could theoretically be targeted with ads without the need for matching them with now non-existent cookies on websites they visit.

But U.S. Senators … yikes! I mean you folks have had no less than 22 Congressional hearings on the advertising industry, tracking and how the internet works. A short tutorial: Surveillance yields data. Data allows ad targeting. Selling targeted ads generates money. This . is . what . the . game . is . about. Go back and re-read your hearing transcripts. Geez.

Trillion dollar companies have to generate revenue to do good deeds, make TV shows, and make hundreds of thousands of devices obsolete with a single demo. Well, that’s my view. Will something cause Apple to change? Sure. But not regulation. TikTok maybe.

And over on this side of The Pond we’re having some related fun, too.

Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since this past April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid.

TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations – but in what TrustPid calls “a secure and privacy-friendly way.” It’s that “privacy-friendly” part that has raised critics’ hackles.

Look. The internet runs on advertising: digital ads worth a total of $189 billion were bought and sold last year, according to the Internet Advertising Bureau which is the primary source for tracking this type of information. But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.

For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users’ data private.

But not everyone agrees. Internet privacy experts have labeled TrustPid a “supercookie” – a piece of technology that links a crumb of data to a user’s IP address and mobile phone number – and believe the trial should be halted and commercial plans shelved. They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. 

But, of course, Vodaphone insists the TrustPid service is not a supercookie. Instead, the telco refers to the technology as being “based on digital tokens which do not include any personally identifiable information.” Each token has a limited lifespan of 90 days that is specific to individual advertisers and publishers.

And the project isn’t a supercookie, they say, because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was fined $1.35 million by the U.S. Federal Communications Commission for having injected supercookies into users’ mobile browser requests for two years without consent. A 2015 investigation by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.

Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. And in the press releases they note:

“The technology has been built following a privacy-first design, and it complies with all GDPR requirements and related legislation.”

Phew. GDPR compliant. They promise. 

The TrustPid pilot came about because of the changing face of online advertising. On the one hand, you have a lot of privacy measures being looked at for being anti-competitive. Then you’ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet. Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.

And, they point out, the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK’s Information Commissioner’s Office (ICO). According to an ICO spokesperson, TrustPid has not yet had a conversation with the UK data protection authority about the technology.

And the German data protection authorities? Well they said:

“Only an informed and voluntary given consent is an acceptable foundation for the use of this technology. High standards must be set here, and we are skeptical that the current consent fulfills that aim”.

Cracked Labs, which is based in Vienna, Austria and which investigates the data industry – and is a great source for understanding the socio-cultural impacts of information technology and digital culture – made an initial analysis and found TrustPid to be “an abuse of their very specific trusted position as communication network providers”. I can hardly wait for the full report.

And many data protection analysts believe that TrustPid would struggle to claim it has obtained user consent to gather the data it does. Wolfie Christl, co-founder of  Cracked Labs, noted:

“I don’t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on. I don’t know anybody who would agree to that statement—and it would have to be that explicit.

TrustPid is trying to justify its deployment with the misleading and meaningless pseudo-consent banners we have to deal with on websites every day. The project is irresponsible and outrageous and undermines trust into communication technology, and thus should be stopped immediately.”

Actually cookie banners are themselves problematic because they’re not easy enough for users to reject, and so TrustPid is trying to steer clear of using them. But Vodafone and Deutsche Telekom maintain that TrustPid’s privacy policy outlines the types of information that it collects from users and follows two key guidelines, that you can accept or reject the service easily, and that there’s a clear explanation of what data is processed and how.

Whether you call it a digital token or a supercookie, TrustPid’s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners. Vodafone claims it wasn’t allowed to explain its side of the story in early coverage of the trial in German media. Said a Vodaphone spokesperson:

“There were assumptions that we were repeating some of the things that have happened elsewhere, which are in our view bad from a customer’s point of view. That early coverage set the tone for what followed. We are trying to facilitate digital advertising. There is a limited exchange of data we think is required to make that take place between a customer and a website. Some people don’t believe that should take place at all.”

A successful trial for Vodafone would involve convincing content providers – or websites wanting to sell ads against their content – that it’s an idea worth pursuing. The company also recognized it needs to win advertisers over. There probably won’t be enough scale in the pilot to say that this is redefining how things work, but there could be enough to give them some signs that it could help advertisers and publishers work. The company is also conscious of consumer feedback – and that it’s been far from positive to date. But the negative response is unsurprising. As we noted last week at Cannes Lions, many advertisers maintain an arrogant view of customers – passive individuals who don’t care about their data being used in this way. Not wise.