Member Privacy & Policy Briefing – Privacy Enhancing Technology

September 07, 2021 | Policy and Regulation

Good digital ad housekeeping with PETs

For more than two decades, third party cookies, device identifiers and IP addresses have been the primary methods for selecting and delivering targeted ads across the internet.

We all know the looming regulatory challenges to the use of these identifiers. Regulatory concern once focussed on internet users lacking transparency and understanding as to when and how their internet interactions are being tracked. That concern could be addressed by publishers and digital advertising service providers improving the clarity, simplicity and prominence of their notices to internet users about targeting practices and the options available to users to change tracking settings.

Regulators and consumer advocates and their moving targets

The focus of many regulators has now broadened.

For example, in early 2021 the European Data Protection Supervisor (EDPS) issued an opinion stating that, “given the multitude of risks associated with online targeted advertising”, the European Commission and the European Parliament should consider additional rules going beyond transparency. Such measures should include “a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising”. This would leave the use and sharing of online identifiers confined to what the Europeans call ‘strictly necessary cookies’.

Some consumer advocates argue for other transparency measures which go well beyond existing data privacy laws. Often these concerns are framed as not about compliance with data privacy law, but in more emotive terms, such as “surveillance-based advertising”, allegedly rendering consumers “vulnerable to manipulation, discrimination, misinformation and fraud”.

UNSW Law Professor Katharine Kemp recently suggested that sharing of targeting data should be unlawful unless a consumer ticks an unticked box next to a plain message, such as: “Please obtain information about my interests, needs, behaviours and/or characteristics from the following data brokers, advertising companies and/or other third-party suppliers”, with each entity named. Professor Kemp also suggests that collection should not be exempt from this rule “simply because the companies use a pseudonym or unique identifier, rather than the consumer’s given name or contact details, to link data collected by the marketplace with data about the same consumer collected by a third party”. Such restrictions would effectively preclude targeted advertising using pervasive tracking and data sharing between adtech intermediaries, unless there had been an affirmative and express consent by a consumer, and then only as between entities named in that consent.

Good housekeeping

What many of these proposals have in common is the concern that good data housekeeping practices (both as to notices to consumers and internal data handling) of a publisher or primary digital advertising services provider do not of themselves assure good data housekeeping practices by other entities within multiparty ad data ecosystems.

There are various ways to improve housekeeping of data sharing across multiple entities.

In this Bulletin last month, we looked at legal responsibility of entities that share consumer data with others for unlawful acts or practices of entities that they permit to use that data.

Another way of improving housekeeping by others is to make it harder for them to be bad housekeepers.

Cue in the PETs (privacy enhancing technologies).

Bringing PETs into your house

A privacy enhancing technology is any technical method that protects the privacy or confidentiality of sensitive information. They range from simple ad-blocking browser extensions to the Tor network for anonymous communication. They include what we might call traditional PETs, such as encryption schemes that secure information in transit and at rest, and de-identification techniques such as tokenisation and k-anonymity. Traditional PETs are already used in many different contexts, including health research (i.e. finding correlations of lifestyle factors and medical conditions), COVID-19 contact tracing, identifying city relocation trends and sending electronic payments.

The PETs attracting the most recent attention are those newer technologies that more specifically address the privacy challenges of multi-party ad data ecosystems. They include homomorphic encryption, trusted execution environments, secure multi-party computation, differential privacy, and systems for federated data processing. Each of these PETs, implemented with appropriate controls and safeguards, substantially reduces the personal information factor of payload data, potentially enabling ad targeting without one-to-one correlation between a user’s particular (individual) characteristics or actual behaviours and the ad as delivered. In other words, these PETs, appropriately implemented, may address data privacy compliance, and also address some of the other concerns stated by consumer advocates about “surveillance-based advertising”.

Challenging PETs

These new PETs will not be easy to introduce into your home, or to monitor and keep. System resources – computational loads – are significant. Technological assurance can be defeated through poor operational arrangements. Clean rooms require good human operational processes and practices, not just good data and systems architecture. Removal of one-to-one correlation between a user’s particular (individual) characteristics or actual behaviours and the ad as delivered makes reliable and verifiable attribution and measurement really challenging. And the diversity of issues identified by some regulators and consumer advocates with “surveillance-based advertising” continues to evolve. Addressing today’s and next year’s data privacy laws may not of itself enable digital advertising business models that are sustainable over time.

Stepping towards PETs

The first step towards adoption of more advanced PETs is to acknowledge that the personal information factor inherent in third party cookies, device identifiers and IP addresses is high, and therefore that their use within multi-party ad data ecosystems is unlikely to be a sustainable digital advertising business model. Alternative advertising identifiers are required, because advertising identifiers will continue to be a prerequisite for frequency capping and personalised advertising.

Advertising identifiers can be either device-level or user-level, depending on the type of identifier.

Much discussion nowadays revolves around pseudonymous, people-based deterministic identifiers (variously called common IDs, stable IDs, universal IDs and other terms) and pseudonymous probabilistic identifiers, including ATS-based IDLs from LiveRamp and the TradeDesk-sponsored Unified ID 2.0.

These pseudonymous identifiers promise a number of advantages over the use of third party cookies, device identifiers and IP addresses. They cannot be reverse engineered to a form of identification. The UID 2.0 system also has no central storage of the mapping of UID 2.0s: there is no enduring ‘state’ to be improperly accessed or otherwise misused. The systems can be set up to give users greater control: the Unified ID 2.0 solution would allow consumers to log in, monitor and adjust settings as to how data about them is being segmented for targeted ads. This also partially addresses calls for greater transparency for consumers.

Will the ACCC pat the PETs?

Sometime within the next few weeks, we will see whether the ACCC seriously engages with such proposals. The ACCC’s Final Report on its Digital Advertising Services Inquiry is now with the Federal Treasurer, and due for release by the Treasurer within September 2021.

The ACCC’s Interim Report of February 2021 discussed the possibilities for common transaction IDs and common user IDs, and called for submissions as to the extent to which such pseudonymous identifiers could assist in addressing identified concerns with targeted advertising. Many of the 46 submissions to the inquiry advocated increased use of pseudonymous identifiers and use of other PETs to better control and safeguard ad data sharing within multiparty ad data ecosystems.

The ACCC’s Final Report can be expected to address these proposals. The digital advertising sector should be interested to hear what this regulator has to say.

Peter Leonard, Data Synergies

6 September 2021
