||21st September 2019 |
How cookies and tracking exploded, and why the adtech industry now wants full identity tokens. A good technical write up of where we are at and where it all could go
article from iabtechlab.com
ICO reports on adtech snooping on, and profiling internet users without their consent
||25th June 2019 |
article from ico.org.uk
report [pdf] from ico.org.uk
In recent months we've been reviewing how personal data is used in real time bidding (RTB) in programmatic advertising, engaging with key stakeholders directly and via our fact-finding forum event to understand the views and concerns of those
We're publishing our Update report into adtech and real time bidding which
summarises our findings so far.
We have prioritised two areas: the processing of special category data, and issues caused by relying solely on contracts for data sharing across the supply chain. Under data protection law, using
people's sensitive personal data to serve adverts requires their explicit consent, which is not happening right now. Sharing people's data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties,
raises questions around the security and retention of this data.
We recognise the importance of advertising to participants in this commercially sensitive ecosystem, and have purposely adopted a measured and iterative approach to
our review of the industry as a whole so that we can observe the market's reaction and adapt our thinking. However, we want to see change in how things are done. We'll be spending the next six months continuing to engage with the sector, which will give
the industry the chance to start making changes based on the conclusions we've come to so far.
Open Rights Group responds
25th June 2019. See
article from openrightsgroup.org
The ICO has responded to
a complaint brought by Jim Killock and Dr Michael Veale in Europe's 12 billion euro real-time bidding adtech industry. Killock and Veale are now calling on the ICO to take action against companies that are processing data unlawfully.
The ICO has agreed in substance with the complainants' points about the insecurity of adtech data sharing. In particular, the ICO states that:
Processing of non-special category data is taking place unlawfully at the point of collection
[The ICO has] little confidence that the risks associated with RTB have been fully assessed and mitigated
Individuals have no guarantees about the security of their personal data within the ecosystem
However the ICO is proceeding very cautiously and slowly, and not insisting on immediate changes, despite the massive scale of the data breach.
Jim Killock said:
conclusions are strong and very welcome but we are worried about the slow pace of action and investigation. The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.
Dr Michael Veale said:
The ICO has clearly indicated that the sector operates outside the law, and that there is no evidence the industry will correct itself voluntarily. As long as it remains doing
so, it undermines the operation and the credibility of the GDPR in all other sectors. Action, not words, will make a difference--and the ICO needs to act now.
The ICO concludes:
Overall, in the ICO's view the adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the
level of compliance of RTB:
- Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than
obtaining the consent PECR requires).
- Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data
requires more protection as it brings an increased potential for harm to individuals.
- Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to
demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
- There appears to be a lack of understanding of, and potentially compliance with, the DPIA
requirements of data protection law more broadly (and specifically as regards the ICO's Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and
therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
- The profiles created about individuals are extremely detailed and are repeatedly shared among
hundreds of organisations for any one bid request, all without the individuals' knowledge.
- Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent
application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
There are similar inconsistencies about the application of data minimisation and retention controls.
- Individuals have no guarantees about the security of their personal data within the
ICO and Ofcom survey public opinion on online advertising targeted from snooping on browsing history
||22nd March 2019 |
press release from ofcom.org.uk
survey [pdf] from ofcom.org.uk
The ICO has commissioned research into consumers' attitudes towards and awareness of personal data used in online advertising.
This research was commissioned by the Information Commissioner's Office. Ofcom provided advice on
the research design and analysis. The objective of this research was to understand the public's awareness and perceptions of how online advertising is served to the public based on their personal data, choices and behaviour.
Advertising technology -- known as adtech -- refers to the different types of analytics and digital tools used to direct online advertising to individual people and audiences. It relies on collecting information about how individuals use the internet, such as search and browsing histories, and personal information, such as gender and year of birth, to decide which specific adverts are presented to a particular person. Websites also use adtech to sell advertising space in real-time.
The research finds that more than half (54%) of participants would rather see relevant online adverts. But while 63% of people initially thought it acceptable for websites to display adverts, in return for the website being free
to access, this fell to 36% once it was explained how personal data might be used to target adverts.
|2nd March |
See article from privacyinternational.org
See article from
Viviane Reding told the BBC that authorities found that transparency rules have not been applied .
The policy change,
implemented on 1st March, means private data collected by one Google service can be shared with its other platforms including YouTube, Gmail and Blogger.
Google said it believed the new policy complied with EU law. It went ahead with the changes
despite warnings from the EU earlier this week.
2nd March 2012. See
article from privacyinternational.org
Google wants to be able to provide an ID card equivalent for the Internet.
...Read the full article
|6th February |
European Advertising Standards Alliance define new rules to inform web surfers that adverts they see are determined
article from independent.co.uk
When new rules governing the way companies collect and use data about our movements online come into force, a little i symbol will appear on screen to reveal adverts generated by cookies . Many internet users find these digital devices,
which are used by websites to create personal profiles based on use of the Internet, intrusive.
The data is used for Online Behavioural Advertising, allowing companies to direct their display adverts at individuals who, through the websites they
have visited, have indicated an interest in certain goods or services.
The warning system, to be introduced by the European Advertising Standards Alliance and the Internet Advertising Bureau of Europe, will allow users to opt out of all Online
like Yahoo!, have already begun using the triangle icon on a voluntary basis in Britain but from June all ad networks will be required to display the symbol or face sanctions.
|5th February |
British MPs note their concern about Google's plundering of private data
See article from
A small group of British MPs have signed up to an Early Day Motion voicing concern that Google are set to plunder user data for advert serving purposes.
The primary sponsor is Robert Halfon and the motion reads:
is concerned at reports in the Wall Street Journal that Google may now be combining nearly all the information it has on its users, which could make it harder for them to remain anonymous;
Google's new policy is planned to take effect on 1 March 2012, but that this has not been widely advertised or highlighted to Google's users and customers, who now number more than 800 million people;
and therefore concludes
that Google should make efforts to consult on these changes and that the firm should be extremely careful in the months ahead not to risk the same kind of mass privacy violations that took place under its StreetView programme, which the Australian
Minister for Communications called the largest privacy breach in history across western democracies.
The motion has been signed by
- Campbell, Gregory: Democratic Unionist Party Londonderry East
- Campbell, Ronnie: Labour Party Blyth Valley
- Caton, Martin: Labour Party Gower
- Clark, Katy: Labour Party North Ayrshire and Arran
- Connarty, Michael:
Labour Party Linlithgow and East Falkirk
- Corbyn, Jeremy; Labour Party Islington North
- Halfon, Robert; Conservative Party Harlow
- Hopkins, Kelvin; Labour Party Luton North
- McCrea, Dr William; Democratic Unionist Party
- Meale, Alan; Labour Party Mansfield
- Morris, David; Conservative Party Morecambe and Lunesdale
- Osborne, Sandra; Labour Party Ayr Carrick and Cumnock
- Rogerson, Dan; Liberal Democrats North Cornwall
- Vickers, Martin; Conservative Party Cleethorpes
- Williams, Stephen; Liberal Democrats Bristol West
|9th April |
CPS drop the case against BT over unlawful snooping during Phorm trials
article from bbc.co.uk
BT will not be prosecuted for snooping on the web browsing habits of its customers.
The Crown Prosecution Service (CPS) has dropped a request to bring charges against BT and Phorm - the firm that supplied the monitoring system. The Webwise
software used cookies to track people online and then tailored adverts to the sites they visited.
Trials were carried out in 2006 and involved more than 16,000 BT customers. When the covert trials became public they led to calls for prosecution
because BT and partner Phorm did not get the consent of customers beforehand. Snooping is an offence under the Regulation of Investigatory Powers Act which outlaws unlawful interception.
At present, the available evidence is insufficient to
provide a realistic prospect of conviction, said the CPS in a statement: We would only take such a decision if we were satisfied that the broad extent of the criminality had been determined and that we could make a fully informed assessment of the
public interest. It added that there was no evidence to suggest that anyone who unwittingly took part in the trial suffered any harm or loss.
|8th April |
Google proposes to target ads according to signals snooped from email
Based on article from
Google's GMail service has announced that it will be trawling people's email to try and extract signals that it can use to more selectively target ads.
soon: Better Ads in Gmail
- Fewer irrelevant ads
- Gmail's importance ranking applied to ads
- Offers and coupons for your local area
Bad ads tend to annoy people. We're trying to cut down on these ads, and make the ones you do see much more useful.
With features like Priority Inbox, we've been working hard to help sort out
the unimportant messages that get in your way. Soon we're going to try a similar approach to ads: using some of the same signals that help predict which messages are likely to be important to you, Gmail will better predict which ads may be useful to you.
For example, if you've recently received a lot of messages about photography or cameras, a deal from a local camera store might be interesting. On the other hand if you've reported these messages as spam, you probably don't want to see that deal.
As always, ads in Gmail are fully automated-no humans read your messages- and no messages or personally identifiable information about you is shared with advertisers.
|13th November |
Home Office responds to EU pressure to ensure Phorm/BT communications interception is more effectively banned in
Based on article from
See also Home
Office botches again: Phorm Interception consultation released in silence from openrightsgroup.org
Home Office: citizens not directly concerned by interception law from
The Home Office is scrambling to close loopholes in wiretapping law, revealed by the Phorm affair, ahead of a potentially costly court case against the European Commission.
It is proposing new powers that would punish even unintentional illegal
interception by communications providers.
Officials in Brussels are suing the government following public complaints about BT's secret trials of Phorm's web interception and profiling technology, and about the failure of British authorities to
take any action against either firm.
The government has now issued a consultation document proposing changes to the Regulation of Investigatory Powers Act (RIPA) that will mean customer consent for interception of their communications must be freely given, specific and informed
, in line with European law. RIPA currently allows interception where there is only reasonable grounds for believing consent is given.
The Home Office
consultation document has been published with an unusually short period for
public response closing 7 December.
|3rd October |
EU is suing Britain over data protection failures highlighted by the BT Phorm trials
Based on article from
The European Commission is suing the UK government over authorities' failure to take any action in response to BT's secret trials of Phorm's behavioural advertising technology.
The Commission alleges the UK is failing to meet its obligations under
the Data Protection Directive and the ePrivacy Directive.
The action follows 18 months of letters back and forth between Whitehall and Brussels. The Commssion demanded changes to UK law that have not been made, so it has now referred the case to
the European Court of Justice in Luxembourg.
Specifically, European officials firstly charge that contrary to the ePrivacy Directive there is no UK authority to regulate interception of communications by private companies.
European Commission says the Regulation of Investigatory Powers Act (RIPA), which sanctions commercial interception when a company has reasonable grounds for believing consent has been given, does not offer strong enough protection to the public.
The City of London police dropped their investigation of the Phorm trial, claiming BT had reasonable grounds to believe it had customers' consent.
European law says consent for interception must be freely given, specific and informed indication
of a person's wishes . BT did not obtain, or attempt to obtain, such consent to include customers' internet traffic in its testing.
Finally, the Commission says the provisions of RIPA that outlaw only intentional interception are also
inadequate. EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not, it said.
If the government loses the case, it faces fines of millions of
pounds per day until it brings UK law in line with European law.
|10th September |
TalkTalk monitor their customers' website visits without informing them
on article from bbc.co.uk
ISP TalkTalk has been reprimanded by the Information Commissioner's Office (ICO) for failing to disclose enough about a trial requiring the collection of the urls of websites visited by customers.
The ICO said the ISP should have told both it and
customers about the trial.
In August the ICO received a Freedom of Information request, asking whether it had investigated the system.
It revealed that it had and in correspondence with TalkTalk, Information Commissioner Christopher Graham
said: I am concerned that the trial was undertaken without first informing those affected that it was taking place . He also revealed that TalkTalk had not told the ICO about the trials: In the light of the public reaction to BT's trial of the
proposed Webwise service I am disappointed to note that this particular trial was not mentioned to my officials during the latest of our liasion meetings .
BT's Webwise system, devised by ad firm Phorm to track user behaviour in order to serve
them more relevant advertisements, proved highly controversial.
TalkTalk defended its trial and the technology. We were simply looking at the urls accessed from our network, we weren't looking at customer behaviour so we didn't feel we were
obliged to inform customers, said Mark Schmid, TalkTalk's director of communication. It didn't cross our minds that it would be compared to Phorm, said Schmid.
Schmid explained that the system scans websites and would provide customers
with a blacklist of sites that contained malware or viruses. In its tests, some 75,000 websites were found to contain malware. TalkTalk plans to introduce the system at the end of this year.
|28th February |
CPS considering mounting a prosecution of BT for their secret phorm trials
article from theregister.co.uk
The Crown Prosecution Service has revealed that it is working with a top barrister on a potential criminal case against BT over its secret trials of Phorm's targeted advertising system.
BT had covertly intercepted and profiled the web browsing
habits of tens of thousands of its customers, the CPS told campaigners this week that it is still investigating the affair.
The Crown Prosecution Service is working hard to review the evidence in this legally and factually complex matter, a
Campaigners gave prosecutors a file of evidence, including a copy of BT's detailed internal report on a trial of Phorm's technology in 2006, obtained by The Register. The experiment monitored 18,000 broadband lines without
customers' knowledge or consent.
This week the CPS said: We are currently awaiting advice from a senior barrister which we will review before coming to a conclusion. We are giving the matter meticulous attention and will reach a proper and
considered decision as soon as it is possible for us to do so.
The main law BT is alleged to have broken is the Regulation of Investigatory Powers Act (RIPA). It restricts the interception of communications.
|8th December |
Google extends advert personalisation
Based on article from
Google is now personalizing results even when users have not logged into its web-dominating search site.
Personalization is a euphemism for a Google-controlled practice that involves tweaking your search results according to your past web
history. Mountain View was already doing this with users who had signed in to a Google account so they could use non-search services like Gmail and Google Calendar. But now it's targeting results for all users - whether they're logged in or not.
Google has always hoarded the search history of everyone visiting the site - whether they were logged in or not. But this is the first time Google has massaged results for users who haven't signed in. This is just one of the many reasons Google likes cookies.
The company's new cookie-based personalization is based on 9 months of stored data. And it's completely separate from account-based personalization.
Google does let you turn off personalization off. But it's on by default - and we all know
that most people will leave it on.
|1st November |
EU accuses Britain of failing to protect citizens from internet snooping
article from independent.co.uk
Ministers face an embarrassing showdown in court after the European Commission accused Britain of failing to protect its citizens from secret surveillance on the internet.
The legal action is being brought over the use of controversial behavioural
advertising services which were tested on BT's internet customers without their consent to gather commercial information about their web-shopping habits.
Under the programme, the UK-listed company Phorm has developed technology that allows
internet service providers (ISPs) to track what their users are doing online. ISPs can then sell that information to media companies and advertisers, who can use it to place more relevant advertisements on websites the user subsequently visits. The EU
has accused Britain of turning a blind eye to the growth in this kind of internet marketing.
Ministers were warned by the EU in April that if the Government failed to combat internet data snooping it would face charges before the European Court of
Justice. The European Commission made it clear this week that it is unhappy with the Government's response and began further legal action to force ministers to address the problem. Commissioners are disappointed that there is still no independent
national authority to supervise interception of communications.
Europe's information commissioner Viviane Reding said that the aim of the Commission was to bring about a change in UK law. People's privacy and the integrity of their personal
data in the digital world is not only an important matter: it is a fundamental right, protected by European law, she said. I therefore call on the UK authorities to change their national laws to ensure that British citizens fully benefit from the
safeguards set out in EU law concerning confidentiality of electronic communications.
The Commission said the UK had failed to comply with both the European e-Privacy Directive and the Data Protection Directive.
|3rd October |
University research finds that Phorm is out of favour in the US
Based on article from
See also the report: Americans Reject Tailored Advertising [pdf]
Americans do not want to be given tailored advertising based on monitoring of their online behaviour, according to what its authors call the first independent, academically rigorous survey of consumers' views.
Research conducted by the University
of Pennsylvania and the Berkeley Centre for Law and Technology has found that 66% of adult US citizens do not want advertising to be tailored to what advertisers think are their interests.
Publishers keen to increase advertising revenue and
advertisers have claimed that tracking that does not identify users by name is acceptable to most people, because of the benefits that accrue from being shown more relevant ads. To marketers, it is self-evident that consumers want customized
commercial messages, the academics' report says. The survey's data appear to refute that argument.
Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests, said
the study. We conducted this survey to determine which view Americans hold. In high%ages, they stand on the side of privacy advocates. That is the case even among young adults whom advertisers often portray as caring little about information privacy,
it said. Our survey did find that younger American adults are less likely to say no to tailored advertising than are older ones.
This survey's findings support the proposition that consumers should have a substantive right to reject
behavioural targeting and its underlying practices, said the report.
|8th July |
BT and Virgin Media signal an end to interest in phorm
Based on article from
Shares in Phorm, the controversial online advertising group that tracks consumer behaviour, plunged more than 40% after BT said it has no immediate plans to use the company's technology.
We continue to believe the interest-based advertising
category offers major benefits for consumers and publishers alike, said BT: However, given our public commitment to developing next-generation broadband and television services in the UK, we have decided to weigh up the balance of resources
devoted to other opportunities.
Phorm's software has been dogged by controversy following news that BT ran two trials using it without seeking its customers' permission in 2006 and 2007. Tim Berners-Lee, the British founder of the internet,
has also spoken out against Phorm.
Phorm said that it is now focused on its overseas business and has made strong progress in South Korea: We are engaged in more than 15 markets worldwide, including advanced negotiations with several major
internet service providers (ISPs) .
The likes of Virgin Media and Carphone Warehouse are believed to be considering working with the group. However, Virgin Media released a statement suggesting that no deal was imminent. The company believes
that interest-based advertising has some important benefits for consumers as well as website owners and ISPs but said it was a fast-changing market and had extended its review of potential opportunities.
|15th May |
Phorm create website claiming that they have been smeared by privacy campaigners
Thanks to Spiderschwein
Phorm introduce their Stop Phoul Play website:
Over the last year Phorm has been the subject of a smear campaign orchestrated by a small but dedicated band of online "privacy pirates" who appear very determined
to harm our company. Their energetic blogging and letter-writing campaigns, targeted at journalists, MPs, EU officials and regulators, distort the truth and misrepresent Phorm's technology. We have decided to expose the smears and set out the true story,
so that you can judge the facts for yourself.
|17th April |
EU challenges UK over Phorm whilst Amazon rejects the system
article from telegraph.co.uk
See also Internet privacy: Britain in the dock from
Online retailer Amazon has confirmed that it is opting out of the controversial internet advertising service, Phorm.
The company has said that it will not allow Phorm to scan its web pages in order to serve customers with targeted adverts based
on their browsing habits.
The Phorm technology, known as Webwise, has been at the centre of controversy in recent months. Last year, BT allowed a trial of Webwise to go ahead without the explicit consent of users. It has now started a new trial
of the technology on an opt-in basis only.
Although Phorm has been cleared by the Information Commissionerís Office of any concerns regarding data or privacy, the European Commission has announced that it is starting legal action against the UK
government for the way its data protection laws operate in relation to Phorm.
The EU telecoms commissioner, Viviane Reding, said : I call on the UK authorities to change their national laws and ensure that national authorities are duly
empowered and have proper sanctions at their disposal to enforce EU legislation.
The Commission has branded the technology as an interception of user data, and believes there is a legal need for more explicit seeking of consent from
users before such services can be rolled out.
And privacy lobby the Open Rights Group has also called on a number of websites, including Microsoft, Google and AOL to opt out of Phormís scheme. The group said it expected more companies to follow
Amazonís lead and opt out of the Phorm service.
|1st March |
Which? withdraw press release citing opposition to phorm after legal action
Based on article from
News articles based on a survey indicating public opposition to Phorm's web snooping and advertising system have been withdrawn after the firm made legal threats to their publishers.
The independent consumer watchdog Which? sent a press
release to newspapers earlier this week entitled Internet users say: Don't sell my surfing habits. It detailed survey findings that UK internet users are opposed to plans by BT, TalkTalk and Virgin Media to monitor and profile their browsing in
collaboration with Phorm.
The findings contradicted market research repeatedly cited, but not published, by Phorm that the majority of people want the more relevant web experience it claims its Webwise -branded technology will
The Which? survey was covered by the Press Association, Channel 4 News, The Telegraph, and The Daily Mail. The press release, however, was swiftly followed by a retraction of the press release.
The Press Association, Channel 4
News and Telegraph stories have all been removed whilst the Daily Mail has edited its story to online to remove all references to the negative survey findings.
A Phorm spokesman said that the survey had been based on inaccurate information and
that the press release itself contained inaccuracies. It repeatedly stated the Webwise system collects and sells on data which is misleading. We also wouldn't allow the creation of advertising channels on sensitive subjects such as for medical
|22nd November |
BT delete discussions of Phorm from their support forum
Based on article from
BT has banned all future discussion of Phorm and its WebWise targeted advertising product on its customer forums, and deleted all past threads about the controversy dating back to February.
Subscribers to BT's broadband packages had used
the BT Beta forums to criticise its relationship with Phorm and raise concerns about the technical implications of ISPs wiretapping their customers.
However, BT decided it had had enough and deleted the threads. A first thread on WebWise extended
to almost 200 pages, before being closed in late September when BT's third trial of the system began. It was still available to read however and a new thread was started by BT Beta moderators, which continued until yesterday. All record of either has now
|19th November |
US ad targetting eavesdropper NebuAd sued
article from blog.wired.com
Net eavesdropping firm NebuAd and its partner ISPs violated hacking and wiretapping laws when they tested advertising technology that spied on ISP customers web searches and surfing, according to a lawsuit filed in federal court.
seeks damages on behalf of thousands of subscribers to the six ISPs that are known to have worked with NebuAd. If successful, the suit could be the final blow to the company, which abandoned its eavesdropping plans this summer after powerful lawmakers
began asking if the companies and ISPs violated federal privacy law by monitoring customers to deliver targeted ads.
NebuAd paid ISPs to let it install internet monitoring machines inside their network. Those boxes eavesdropped on users' online
habits -- and altered the traffic going to users in order to track them. That data was then used to profile users in order to deliver targeted ads on other websites.
The suit alleges the ISPs and NebuAd both violated anti-wiretapping statutes by
capturing users' online communications without giving adequate notice or getting consent.
Neither WideOpenWest nor Embarq, the two largest ISPs being sued, responded to requests for comment. Knology told Congress in August it had used NebuAd in
Georgia, Florida, Tennessee and Alabama, but stopped in July after Congress started asking questions. The other named ISP defendants are Bresnan Communications, Cable One, CenturyTel, all of which admitted testing NebuAd's technology.
seeks damages as well as an injunction against any similar behavior in the future.