Is the Dutch DPA investigation of YD the beginning of the end for "AdChoices”?

Opt-In Or Opt-Out? Why Do Not Track And Respect For Fundamental Rights Will Save The Web

Imagine - you walk into a shoe shop and while you are looking at some trainers someone sneaks up and sticks a notice on your back. Later you are in a café, and you see someone at the next table stare intently at your back and write something in a notebook. When you pay for your coffee, you are given a flier advertising trainers strangely similar to the ones you looked at earlier. You begin to notice that this happening in all the places you visit.

Eventually you ask one of them to explain what they are doing. “We are ensuring you get a personalised experience wherever you go”. You ask why and what this is and eventually you are told: “We put a sticker with a unique number on your back. Our operatives in other places see the number and write it down so we can keep track of all the places you visit. We know where you live, what places you like to shop and what you buy in them. By doing this we build up a profile of you so that we can get paid by anyone who wants to know who you are so they can advertise to you, nag you about products you had mistakenly decided not to buy or work out if we can charge a higher price”.

OK, so this is how the tracking works on the web, for stickers with numbers read cookies with UIDs. If this happened in the physical world you would demand it stop. If you were receiving a valuable “personalised” experience you might like it available as an option, but only if the trackers had to get your agreement first. It would be no good being told that you only had an opt-out, i.e.  you had to visit several offices where you could get special “opted-out” notices put on your back, especially as if they were written in special invisible ink so that each tracker could only see and act upon its own notice.

This is essentially what the so-called “self-regulatory” regime, put forward by parts of the behavioural advertising industry and marketed as AdChoices, does. It relies on a domain-specific opt-out cookie, meaning that by default you are assumed to be opted-in and can be tracked around the web by anyone. You have to separately identify each tracking organisation and tell them that you do not want to be tracked, and there are thousands of them[1]. Because of the standard web “same origin” policy cookies in one domain are invisible to others so, for your opt-out to work, an opt-out cookie has to be created in all the domains that organisation uses.

This is one of the reasons the CPB, the Dutch Data Protection Authority, found that YD Display Advertising violated both the Dutch Telecommunications and Data Protections Acts. Not only does the opt-out cookie mechanism not meet the legal requirement for prior user consent, it does not often even work. When a user uses the Evidon (now renamed as Ghostery Inc.) “consent” tool on their YDWorld.com site to opt-out, and click on the OFF (opt-out) button for YD World, the 2 year persistent UID value of a cookie named “tuuid” is set to “opt-out” .

Unfortunately this opt-out cookie is placed only in one domain (.254a.com), so has no effect when visiting sites like telegraaf.nl (see our scanner report on the home page here) which uses another third-party domain (ads.p161.net) for the “tuuid” UID  cookie or klm.com (scanner report here) where the same UID cookie[2] is stored in the ads.creative-serving.com domain.

The same behaviour occurs on the IAB’s youronlinechoices website, i.e. for the YD opt out the “tuuid” named cookie UID value is replaced with “opt-out”, but again only in the “254a.com” domain. This site also shows the ridiculous level of overhead required to opt-out of a set of behavioural advertising domains, or even to see a list of the sites that offer an opt-out. An attempt to opt-out of all the handful of trackers listed there for the UK (there is a different list depending on which country you select as your residence) causes 415 transactions to about 65 different servers to be executed taking over 30 seconds. Even then when we tried it on the UK site many of the transaction do not work (a message wrongly claims there may have been other network activity in progress) with Google and AOL remaining defaulted to opted-in. And of course because the opt-out cookies are not placed in all the domains in which they are used, even the servers that claim to have executed the opt-out will not honour it on these other domains.

Any solution involving domain specific opt-outs (requiring users to continually opt-out of every single data collector) will be equally clumsy, decrease transparency and be hard for users to operate. The companies that profit from behavioural advertising have a business model that relies on massive personal data collection at very low cost and as a result they do not have an incentive to make sure their opt-outs are either easy to use or in fact work. A solution that addresses the actual needs of people to have control over their privacy should be based on an explicit opt-in, or at least an easy to use opt-out that applies to all data collectors who have not obtained consent.

This was why the European Parliament voted for the e-privacy directive in 2009 (Directive 2009/136/EC amending 2002/22/EC), whose Article 5(3) laid down the requirement for user giving their consent, on being given clear and comprehensive information, before tracking cookies were used[3]. This remarkably prescient regulation based on established and fundamental rights has been subsequently misquoted and misinterpreted by apologists for surveillance marketing (and their technically challenged “useful idiot” supporters who characterised it as the “stupid EU cookie law”), but it was a result of intensive and very technically informed debate across Europe. It has been incorporated into enabling legislation in all EU member states, including Holland where it was used by the CPB as part of their legal justification in the YD investigation. But other than this recent action and some small fines levied in Spain, there has been hardly any attempt to enforce the law by other European regulators and non-consensual tracking of European citizens is the still the norm.

This has led to people attempting to take control themselves by downloading browser extension software to enforce privacy. Ad-blockers have now become the most popular downloadable browser extension with several options to choose from. They work by blocking elements on web pages that are used to deliver advertising, such as external script libraries, but often cannot stop tracking by non-script elements such as static externally hosted images. The decision of what content to block is based on downloaded curated lists, some open, some closed, but in most cases not kept up to date and which miss many real tracking elements whose urls change rapidly. Many of the lists also contain non-tracking elements such as consent tools, privacy icons, and other technologies designed to enhance the user interface or enable privacy so a blanket application to block the whole list leads to diminished privacy and web experience. This also often leads to non-tracking contextual advertisements being blocked which damages publishers who need income from these to support their operations. In addition, closed-source extensions could become a prime target for criminals or intrusive security services looking for backdoors for mass surveillance.

Also in the e-privacy directive was Recital 66[4] which further described the consent requirement and emphasised the importance of free consent given after clear information had been given in a “user-friendly” way. R66 also looked forward to a time when browsers would have the capability for users to selectively give or revoke their consent for tracking storage. Since 2011 the W3C has been debating such a capability, the so called Do Not Track standard, which gives users the ability to configure their browser to signal to web servers their general preference not to be tracked. It also defines an API that allows particular servers to obtain a data subjects consent either on a web-wide or site-specific basis.

In February 2012 a group of online advertising and internet companies signed a White House agreement to support Do Not Track, primarily as it was seen as an “opt-out” mechanism and so could head off the threat of the EU e-privacy opt-in. As a result all major browsers now support the general preference signal, although currently only Microsoft’s Internet Explorer supports the consent API. The technical part of the standard was agreed by the W3C in April and the section covering compliance is close to finalisation. The current draft of the compliance document would rule out any tracking other than by the party the user has explicitly interacted with e.g. the first-party site, not just by advertisers as some have claimed. Of course a data controller responsible for the site would also still need to comply with the e-privacy and data protection directives if they were in the EU or targeted European citizens.

             Some online advertising companies that were previously encouraged to believe the Do Not Track process would fail are now backing away from it because they fear the ability to opt-out is too easy compared to conveniently cumbersome AdChoices. The actual reason they give is that too many people would set Do Not Track in their browser, so reducing their ability to target people.

             This is compounded by some advertisers becoming wary of behavioural targeting. Increasingly they see their brands being damaged as customers associate them with the creepy feeling of being targeted. Also advertisers now realise that the availability of targeting data at zero cost has led to a race to the bottom where a large proportion of the ads they pay for are in fact not even seen by humans. The automated operation of behavioural targeting and programmatic ad space buying has attracted fraudsters who can make millions by setting up “bot farms” to simulate online human targets. As a recent US Senate study has found, criminals have been detected using this programatic buying to deliver invisible ads containing malware to browsers at an international scale, without anyone being aware.  Even the ads rendered on browsers viewed by actual people can appear off-screen or “below the fold” where they are usually ignored, but are still capable of delivering malware.

             Some targeting  companies now feel that a solution based around “behavioural advertisement friendly” ad-blockers may be a better bet because only a minority would download them, an even smaller minority would set them to block real trackers and owners of mobile devices would not be able to use them anyway But this is short sighted. There is now a well-tested base of open source code for ad-blocker extensions and if no other alternative is available many more will be built, and made available for download, thus reducing the ability of publishers to show ads, even contextual ones, and damaging the whole basis of online commerce.

Many online publishers now realise that the best outcome is for Do Not Track to become universally accepted. In Europe the e-privacy and data protection directives will act as legal backing so regulators can take action against companies that ignore it - either under the e-privacy prior consent requirement or under the right-to-object provisions of the forthcoming Data Protection Regulation. In the US the many civil society organisations and the FTC has already called for this and legislation is being discussed in Congress to support it. The US/EU trade treaty now being negotiated needs to establish common ground for online privacy and the body of EU data protection law complemented by Do Not Track could be the basis of that. Multi-brand companies can continue to use Baycloud’s CookieQ to request and register consent in one action across all their domains, now using the Do Not Track consent API to communicate consent to the third-parties that respect the signal and only use the built in tag management to selectively render any that continue to disregard it. Browser extensions like the EFF’s open-source PrivacyBadger will still be popular but need only block content from companies that ignore Do Not Track, leaving responsible publishers’ business models intact.

When people see that their wish not be tracked is being respected, with the backing of law, they will be far more likely to trust companies and enter into mutually beneficial agreements with them. Eventually, as the fundamental right to privacy becomes the accepted international norm, the tide of distrust will recede leaving a healthier and ultimately more profitable environment for online publishers and advertisers.

 

 

,



[1] The icon that appears in some online advertisements is supposed to link to a site where you can opt-out of particular trackers, but very often you are being tracked by invisible “analytics” servers that leave no visible evidence of their presence.

[2] According to the Evidon( now called GhosteryEnterprise)  site another ad-tech company Improve Digital also uses a UID cookie named “tuuid” for this purpose but the “opted-out” value is placed in yet another single domain ad.360yield.com

[3] Article 5(3): “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

[4] Recital 66: “Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”