Even the IAB warned adtech risks EU privacy rules

A privacy complaint targeting the behavioral advertising industry has a new piece of evidence that shows the Internet Advertising Bureau (IAB) shedding doubt on whether it’s possible to obtain informed consent from web users for the programmatic ad industry’s real-time bidding (RTB) system to broadcast their personal data.

The adtech industry functions by harvesting web users’ data, packaging individual identifiers and browsing data in bid requests that are systematically shared with third parties in order to solicit and scale advertiser bids for the user’s attention.

However a series of RTB complaints — filed last fall by Jim Killock, director of the Open Rights Group; Dr Johnny Ryan of private browser Brave; and Michael Veale, a data and policy researcher at University College London — allege this causes “wide-scale and systemic breaches” of European Union data protection rules.

So far complaints have been filed with data protection agencies in Ireland, the U.K. and Poland, though the intent is for the action to expand across the EU given that behavioral advertising isn’t region specific.

Google and the IAB set the RTB specifications used by the online ad industry and are thus the main targets here, with complainants advocating for amendments to the specification to bring the system into compliance with the bloc’s data protection regime.

We’ve covered the complaint before, including an earlier submission showing the highly sensitive inferences that can be included in bid requests. But documents obtained by the complainants via freedom of information request and newly published this week show the IAB itself warned in 2017 that the RTB system risks falling foul of the bloc’s privacy rules, and specifically the rules around consent under the EU’s General Data Protection Regulation (GDPR), which came into force last May.

The complainants have published the latest evidence on a new campaign website.

At the very least the admission looks awkward for online ad industry body.

“incompatible with consent under GDPR”

In an email sent to senior personnel at the European Commission in June 2017 by Townsend Feehan, the CEO of IAB Europe — and now being used as evidence in the complaints — she writes that she wants to expand on concerns voiced at a roundtable session about the Commission’s ePrivacy proposals that she claims could “mean the end of the online advertising business model.”

Feehan attached an 18-page document to the email in which the IAB can be seen lobbying against the Commission’s ePrivacy proposal — claiming it will have “serious negative impacts on the digital advertising industry, on European media, and ultimately on European citizens’ access to information and other online content and services.”

The IAB goes on to push for specific amendments to the proposed text of the regulation. (As we’ve written before, a major lobbying effort has blown up since GDPR agreed to try to block updating the ePrivacy rules which operate alongside, covering marketing and electronic communications and cookies and other online tracking technologies.)

As it lobbies to water down ePrivacy rules, the IAB suggests it’s “technically impossible” for informed consent to function in a real-time bidding scenario — writing the following, in a segment entitled “Prior information requirement will ‘break’ programmatic trading”:

As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR – and, as noted above, if a future ePrivacy Regulation makes virtually all interactions with the Internet subject solely to the consent legal basis, and consent is unavailable, then there will be no legal be no basis for such processing to take place or for media to monetise their content in this way.

The notion that it’s impossible to obtain informed consent from web users for processing their personal data prior to doing so is important because the behavioral ad industry, as it currently functions, includes personal data in bid requests that it systematically broadcasts to what can be thousands of third-party companies.

Indeed, the crux of the RTB complaints are that personal data should be stripped out of these requests — and only contextual information broadcast for targeting ads, exactly because the current system is systematically breaching the rights of European web users by failing to obtain their consent for personal data to be sucked out and handed over to scores of unknown entities.

In its lobbying efforts to knock the teeth out of the ePrivacy Regulation, the IAB can here be seen making a similar point — when it writes that programmatic trading “would seem, at least prima facie, to be incompatible with consent under GDPR.” (Albeit, injecting some of its own qualifiers into the sentence.)

The IAB is certainly seeking to deploy pro-privacy arguments to try to dilute Europeans’ privacy rights.

Despite its own claimed reservations about there being no technical fix to get consent for programmatic trading under GDPR, the IAB nonetheless went on to launch a technical mechanism for managing — and, it claimed — complying with GDPR consent requirements in April 2018, when it urged the industry to use its GDPR “Consent & Transparency Framework.”

But in another piece of evidence obtained by the group of individuals behind the RTB complaints — an IAB document, dated May 2018, intended for publishers making use of this framework — the IAB also acknowledges that: “Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad.”

In a section on liability, the IAB document lays out other publisher concerns that each bid request assumes “indiscriminate rights for vendors” — and that “surfacing thousands of vendors with broad rights to use data without tailoring those rights may be too many vendors/permissions.”

So again, er, awkward.

Another piece of evidence now attached to the RTB complaints shows a set of sample bid requests from the IAB and Google’s documentation for users of their systems — with annotations by the complainants showing exactly how much personal data gets packaged up and systematically shared.

This can include a person’s latitude and longitude GPS coordinates; IP address; device-specific identifiers; various ID codes; inferred interests (which could include highly sensitive personal data); and the current webpage they’re looking at.

“The fourteen sample bid requests further prove that very personal data are contained in bid requests,” the complainants argue.

They have also included an estimated breakdown of seven major ad exchanges’ daily bid requests — Index Exchange, OpenX, Rubicon Project, Oath/AOL*, AppNexus, Smaato, Google DoubleClick — showing they collectively broadcast “hundreds of billions of bid requests per day,” to illustrate the scale of data being systematically broadcast by the ad industry.

“This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average U.K. internet user 164 times a day was a conservative estimate,” they add.

The IAB has responded to the new evidence by couching the complainants’ claims as “false” and “intentionally damaging to the digital advertising industry and to European digital media.”

Regarding its 2017 document, in which it wrote that it was “technically impossible” for an internet user to have prior information about every data controller involved in a RTB “scenario,” the IAB responds that “that was true at the time, but has changed since” — pointing to its Transparency & Consent framework (TCF) as the claimed fix for that, and further claiming it “demonstrates that real-time bidding is certainly not ‘incompatible with consent under GDPR.’ ”

Here are the relevant paras of IAB rebuttal on that:

The TCF provides a way to provide transparency to users about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes. IAB Europe’s submission to the European Commission in April 2017 showed that the industry needed to adapt to meet higher standards for transparency and consent under the GDPR. The TCF demonstrates how complex challenges can be overcome when industry players come together. But most importantly, the TCF demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.

The OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time. Data can inform that determination. Like all technology, OpenRTB must be used in a way that complies with the law. Doing so is entirely possible and greatly facilitated by the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules.

The IAB goes on to couch the complaints as stemming from a “hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes.”

“This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to,” the IAB claims.

However, the crux of the RTB complaint is that programmatic advertising’s processing of personal data is not adequately secure — and they have GDPR Article 5, paragraph 1, point f to point to; which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.”

So it will be down to data protection authorities to determine what “appropriate security of personal data” means in this context. And whether behavioral advertising is inherently hostile to data protection law (not forgetting that other forms of non-personal-data-based advertising remain available, e.g. contextual advertising).

Discussing the complaint with TechCrunch late last year, Brave’s Ryan likened the programmatic ad system to dumping truck-loads of briefcases in the middle of a busy railway station in “the full knowledge that… business partners will all scramble around and try and grab them” — arguing that such a dysfunctional and systematic breaching of people’s data is lurking at the core of the online ad industry.

The solution Ryan and the other complainants are advocating for is not pulling the plug on the online ad industry entirely — but rather an update to the RTB spec to strip out personal data so that it respects Internet users’ rights. Ads can still be targeted contextually and successfully without Internet users having to be surveilled 24/7 online, is the claim.

They also argue that this would lead to a much better situation for quality online publishers because it would make it harder for their high-value audiences to be arbitraged and commodified by privacy-hostile tracking technologies which — as it stands — trail internet users everywhere they go — albeit they freely concede that purveyors of low-quality clickbait might fare less well.

Update: In a further statement, the complainants have rejected the IAB’s characterization of their complaint as “false”, arguing that the ad association is misrepresenting the argument at the core of their complaint — “which is about the security of sensitive personal data in the advertising ecosystem”.

“The IAB claim that the system as it exists would only be illegal if a few bad actors chose to act outside the law. We claim that the insecurity of this system and the mass transmission of sensitive data to thousands of vendors is a feature, not a bug,” they write. “As such, the entire ecosystem is in breach of core data protection principles, and regulators have to proceed with a holistic view if they have any hope of bringing it within compliance.”

*Disclosure: TechCrunch is owned by Verizon Media Group, aka Oath/AOL. We also don’t consider ourselves to be purveyors of low-quality clickbait.