21 Feb 2019

Google and IAB: Knowingly enabling intrusive profiling

By Yannic Blaschke

On 28 January, EDRi member Panoptykon joined a complaint against Google and the Interactive Advertising Bureau (IAB) in Poland, after it had become clear that the advertising categories provided by these entities are enabling the processing of extremely sensitive data of European citizens. On 20 February, new evidence was published proving that the IAB was all along aware of the incompatibility of its systems with the General Data Protection Regulation (GDPR).

The background of the complaints

Besides Panoptykon’s complaint, proceedings have been launched with the national Data Protection Authorities (DPAs) in Ireland by Johnny Ryan of the browser company Brave, and in the United Kingdom by Jim Killock of EDRi member Open Rights Group (ORG), and by Michael Veale of University College London. The complainants agree that the “Real-Time Bidding” (RTB) standards that Google and the IAB define for the online advertising auction industry infringe Article 1(5)(f) of the General Data Protection Regulation (GDPR), because they broadcast highly sensitive personal data to thousands of companies. Bid requests are necessary in order to solicit bids from advertisers for the opportunity to show an ad to a person. However, the complainants argue that this can be accomplished safely with non-personal data. Instead, the IAB and Google standards permit labels such as “cancer”, “sexual health” (IAB), “substance abuse”, “eating disorder”, “right-” and “left-wing politics” (Google) to be broadcast along with unique identifiers and other personal data in bid requests. These data are protected as “special category” personal data in Article 9 of the GDPR.

IAB Europe’s response has been that it merely provides a technical standard, which might or might not be used by their members to violate privacy laws. Their statement was immediately countered by the complainants, who said that the IAB cannot claim to be a mere bystander because it organises and encourages a system through which personal data is broadcast billions of times a day without adequate security. The online tracking industry has attracted heavy criticism from civil rights groups in the past for its lobbying against privacy enhancing technologies, for instance regarding their huge influence in the ePrivacy Regulation and in the context of the implementation of the Do Not Track Signal.

The AdTech Lobby’s myths that not even they themselves believe

On 20 February, new evidence was published proving that not even the IAB is believing their public statements regarding the GDPR compliance of their RTB system. In the e-mails disclosed in a freedom of information request, a document was attached admitting that it is “technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario” and that that would seem, “at least prima facie, to be incompatible with consent under GDPR”. Furthermore, the documents acknowledge that there is no technical way of limiting the ways in which personal data is used and shared after broadcasting it to thousands of vendors. This confession is further aggravated by the concrete technical examples of how sensitive the data shared through the system can be, and to what extent pseudonymisation (meaning data that is kept separate from identifiable elements) is lacking in daily practice.

The evidence presented comes with a surprising openness by the AdTech Industry about its likely lack of compliance with the GDPR. However, the argument that “only” organising the processing of personal data does not bring any responsibility for the subsequent uses of the system appeared grossly over-simplistic from the start, looking at European case law. Two recent decisions by the Court of Justice of the European Union (CJEU) suggest that the IAB’s counter argument will not hold: Wirtschaftsakademie and Tietosuojavaltuutettu.

Tietosuojavaltuutettu is particularly relevant to the question of Google’s and IAB’s responsibilities for the use of their RTB standards: the Court ruled that the global Jehova’s witnesses community is a joint controller of data processed solely by local member preachers, by virtue of its role as organiser and promoter of these activities. Clearly, this has an implication for the IAB and Google.

It is difficult to foresee an exact timeline for the complaint procedures, but the authorities are expected to act as soon as possible. After all, the complaint concerns the core mechanism that enables the secretive profiling of every single person that sets their foot online and the tracking of their private life.

Empowered through GDPR (and hopefully, soon, also by an ePrivacy Regulation), citizens and civil society now have the opportunity to reject the collection, broadcasting and ultimately capitalisation of the most private details of their lives. Surveillance Capitalism is starting to show signs of crumbling.

Panoptykon files complaints against Google and IAB (28.01.2019)

Complaints: Google infringes GDPR’s informed consent principle (05.12.2018)

How the online tracking industry “informs” policy makers (12.09.2018)

Five things the online tracking industry gets wrong (13.09.2017)

(Contribution by Yannic Blaschke, EDRi intern)


28 Jan 2019

Panoptykon files complaints against Google and IAB

By Panoptykon Foundation

On the International Data Protection Day, 28 January 2019, EDRi member Panoptykon filed complaints against Google and the Interactive Advertising Bureau (IAB) under the General Data Protection Regulation (GDPR) to the Polish Data Protection Authority (DPA). The complaints are related to the functioning of online behavioural advertising (OBA) ecosystem.

----------------------------------------------------------------- Support our work - make a recurrent donation! https://edri.org/supporters/ -----------------------------------------------------------------

The complaints focus on the role of Google and IAB as organisations that set standards for other actors involved in the OBA market. They should therefore be treated as data controllers responsible for GDPR infringements.

Arguments used by Panoptykon are based on complaints concerning the same issue by EDRi member Open Rights Group (ORG) and Brave, as well as on evidence provided by a report by Johnny Ryan. The key facts and observations of the complaints are:

  1. data shared by companies within the OBA ecosystem are not necessary for the purposes of serving targeting ads;
  2. companies sharing data have no control over its further use by a potentially unlimited number of other actors that have access to real-time bidding software;
  3. users have no access to their data and no tools for controlling its further use by a (potentially unlimited) number of actors;
  4. those failures are not incidental because they result from the very design of the OBA ecosystem – lack of transparency and the concept of bid request, which, by definition, leads to data “broadcasting”.

Prior to making these complaints, Panoptykon carried its own investigation of the OBA ecosystem in Poland, which confirmed allegations made by ORG and Brave in their complaints, as well as Johnny Ryan’s testimony. Between May and December 2018 Panoptykon sent a number of data access requests to various actors involved in the OBA ecosystem (including Google and leading data brokers) in order to check whether users are able to verify and correct their marketing profiles.

In most cases, companies refused to provide personal data to users based on alleged difficulty with their identification. This argument – made by key players in the OBA ecosystem – confirms that it has been designed to be obscure. Key identifiers used by data brokers to single out users and target ads are not revealed to data subjects that are concerned. It is a “catch 22” situation that cannot be reconciled with GDPR requirements (in particular the principle of transparency).

Along with its complaints, Panoptykon published a report summarising its investigation of the OBA ecosystem, which included interviews with key actors operating on the Polish market, and evidence collected by sending data access requests.

Panoptykon Foundation

Panoptykon files complaints against Google and IAB Europe (28.01.2019)

(Contribution by EDRi member Panoptykon Foundation, Poland)



13 Sep 2017

Five things the online tracking industry gets wrong

By Diego Naranjo

The Interactive Advertising Bureau (IAB) Europe, one of the loudest enemies of the e-Privacy Regulation, is the association of online tracking and adverting companies. On 7 September, IAB Europe published a report titled: “Europe Online: An experience driven by advertising”.

In the report, some of the key issues are clearly displayed, but some are hidden behind the large misleading headlines and graphics. The IAB Europe Report says:

1) “In the online world most users’ experience is predominantly free.”

The report conveys the message that online users are using services without paying for the services in cash. This is true in many cases. However, it cleverly creates a false dichotomy that the only alternative to massive, untransparent profiling and tracking is unspecified costs for users.

It is clear that they are unknowingly “paying” with their data, without any clarity about the financial value or security cost of handing over their data nor, indeed, the actual cost of providing the “free” services. In the online world, companies offering “free” services live from insights into how to manipulate their users. Often the “free” websites have no idea about (nor control over) where their visitors’ data goes, what other data it is merged with, and what uses that data are put to.

To provide the best services for their actual customers (the companies paying to place advertisements or cookies), advertisers sometimes get access to the content of your emails, track your physical movements, analyse your browsing habits, or listen to the interactions of your children with their toys.

Even though the way online tracking happens is not immediately obvious, the results of the Eurobarometer on e-Privacy show clearly what matters to people: 92% of EU citizens said that it is very important that the personal information (such as their pictures, contact lists, etc.) on their computer, smartphone, tablet or any other device is only accessed with their permission. The same percentage highlighted the importance of protecting their online communications (e-mails and online instant messaging).

2) “Nine in ten online users (92%) would stop accessing their most-used free news, content or service site or app if it switched to paid access only.”

Here again, a false dichotomy was presented to users, to generate the response requested by IAB. The approach misleads readers by implying that no innovation is possible, no solutions other than the status quo exist. However, it is not true that different business models cannot be created – we do not have to rely on a model that has created a quasi-duopoly for Google and Facebook. For example, there are successful micropayment models for quality news sources. Also, innovation around contextual advertising is increasingly successful to achieve its goals, without engaging in invasive profiling and tracking of individuals. Such innovation has the capacity to generate a level playing field, as an alternative to the current duopoly stranglehold of the online advertising market.

The statement closes the door to alternative ways of payment. Furthermore, it ignores the fact that a majority of EU citizens think it is “unacceptable to have their online activities monitored in exchange for unrestricted access to a certain website (64%) or to pay in order not to be monitored when using a website (74%)”, as shown by the Eurobarometer.

3) “Most users are either positive or neutral about online advertising.”

Another misrepresentation. Online advertising is online advertising. Advertising based on tracking and profiling is advertising based on tracking and profiling. Asking about one and suggesting that the answer is about the other is blatantly misleading. This is demonstrated when report admits that 58% of users are not happy with their browsing data being shared as the basis for advertising. Later on in its “research”, the IAB admits that 80% would not like to see their data shared with third parties for advertising purposes.

The use of ad-blockers increased up to 30% in 2016. Now 11% of internet users worldwide are using one. And yet the online advertising industry still refuses to acknowledge that innovation is even possible.

4) “Four in ten users (42%) are happy with their browsing data being shared as the basis for advertising, stating they don’t mind seeing personalised advertising based on their browsing data in exchange for free news, content or services.”

This suggests that 58% of online users do not feel comfortable with their browsing being analysed in htis way.

The Eurobarometer report on the e-Privacy Regulation says that six in ten respondents (60%) have already changed the privacy settings on their internet browser, for example, to delete browsing history or cookies. It also shows that 40% of respondents avoid certain websites because they are worried their online activities are monitored, and that 71% of them say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like.

5) “Continually approving the use of cookies as a precondition for accessing a site was the least popular and most divisive of the two options.”

Yet another false dichotomy: it has been done badly so the only option is not to do it at all. The way that the e-Privacy Directive was implemented led to the “cookie” pop-up notices that users often see. These cookie notices are sometimes intrustive, almost always demonstrably factually incorrect and therefore inefficient.However, there is no reason to believe that there is therefore no other – more efficient and informative – way to protect citizens’ privacy.

The study conducted for the IAB report gave respondents two options: that every app asks every time for consent for the use of their data, or that the apps only show how their data is being used, without asking for their consent. Obviously, most of the respondents chose the lesser of two evils. In reality, users want services to work differently: According to Eurobarometer, eight in ten (82%) said that it is important that tools for monitoring their activities online (such as cookies) can only be used with their permission, and 56% stated that this is very important to them.

The businesses that listen to consumers and hear their concerns about current tracking based models will have an advantage. They will understand the importance of earning the trust of their clients – an essential element of running a successful business – and develop towards less privacy intrusive business models. They will, as long as untransparent, trust-eroding practices are restricted by law – and this is exactly what the IAB “research” is designed to prevent.

Europe Online: An experience driven by advertising

e-Privacy Directive: Frequently Asked Questions (05.10.2016)

e-Privacy revision: Document pool (10.01.2017)

Your privacy, security and freedom online are in danger (14.09.2016)