
GDPR complaint claims Google and IAB ad category lists leak intimate data - imbiased
https://techcrunch.com/2019/01/27/google-and-iab-ad-category-lists-show-massive-leakage-of-highly-intimate-data-gdpr-complaint-claims/
======
dessant
We should also be able to access our marketing categories without a Google
account, since sensitive data is collected and a profile is built even if you
don't have a Google account.

~~~
est31
How sure are they that it's one individual person that they are tracking? If
you and others use the same computer, then maybe stuff might get mixed up. If
"accessing" marketing categories includes read-access then your situation is
worse than before.

What about the legal risk for Google if you opted out of the tracking a month
ago but now google thinks you are a different person and is tracking you?

~~~
giancarlostoro
There's subtle ways to fingerprint someone, even how they move their mouse:

[https://motherboard.vice.com/en_us/article/78k8pz/how-you-
mo...](https://motherboard.vice.com/en_us/article/78k8pz/how-you-move-your-
mouse-could-help-others-track-youeven-on-tor)

------
manigandham
These categories apply to the content, not the cookie (when a cookie is even
available which it isnt in many places).

This is not personal, it's the contextual targeting everyone wants. These blog
posts never understand adtech.

~~~
JulianWasTaken
The point is that bid requests may (do) contain both an identifier and data
about that person. "Is reading a financial news article" being an attribute of
the content, sure, but broadcast such that it can be associated with the
person.

~~~
manigandham
That's just how context works. If you visit another site then there would be
different categories involved and has nothing to do with the user.

There's also no personal identity, it's just a cookie if available, used
mostly to frequency cap.

~~~
singron
Can't adtech companies associate that cookie with the category and build a
profile over multiple pages? Then they can correlate the data and identifiers
Google provides to any that they collect on their own (e.g. their own pixels
served in the ads that actually get shown). If they connect their own pixel
identifiers to data that they buy, then they are building up a decent profile.

~~~
manigandham
Those profiles would quickly become so broad as to be useless. Context in the
moment is the most important thing, which is why even Google shows ads
targeted to your actual search query.

Cookies are also not an identity and refreshed very often. Their main use is
to cap ad frequency and track conversions over the short-term (hours to days).

Google and Facebook do not provide any personal identifiers. That would be a
massive breach of their core 1st party dataset. What little data they did
provide is now gone with GDPR.

------
nopriorarrests
I'm familiar with RTB (real-time bidding protocol) details, so I can assess
this from the technical POV.

Most ironical thing here -- IAB categories applied not to user profiles but to
URL's.

So, their goal is to facilitate ads targeting not to user profile, but to page
content. This is the use case which is often discussed on HN as ethical and
"right" way of showing ads -- you get the bid request with "Nature, travel"
IAB categories and you show ad about outdoor gear. You don't need to crunch
user data to make this simple decision.

However, I have to admit this complaint has it's own merit. Bid request
usually contains not just page URL and IAB categories, but user cookie as
well. So, by data-mining bidstream, you can theoretically find people (well,
at least their unique cookies) who are looking for a cure for impotence, and
this is against GDPR, for sure.

------
ckastner
Key quotes:

> _Lack of transparency makes it impossible for users to exercise their rights
> under GDPR. There is no way to verify, correct or delete marketing
> categories that have been assigned to us, even though we are talking about
> our personal data._

and

> _Under GDPR, processing special category [medical information; political
> affiliation; religious or philosophical views; sexuality; and information
> revealing racial or ethnic origin] data generally requires explicit consent
> from users — with only very narrow exceptions, such as for protecting the
> vital interests of the data subjects_

The last quote is particularly troublesome, as Article 9 GDPR [1] is explicit
about this: processing this data is prohibited by default, and none of the
exemptions seem to apply even by a stretch of imagination.

Assigning such labels may be the norm from the Ad industry's point of view,
but that is simply no longer possible under the GDPR.

[1] [https://gdpr-info.eu/art-9-gdpr/](https://gdpr-info.eu/art-9-gdpr/)

------
seren
I am curious, if you ask for a dump of your data from Google, where do you
have to look to find your ad category ? As far I know, this is not directly
accessible from your profile or privacy settings.

Looking at the data selection to export, I am not even sure this is included
somewhere.

~~~
Maarten88
Maybe Google doesn't store it, and just uses these categories in the process
of auctioning advertisements, sending them as context?

The problem with that being, of course, that any company participating in the
bidding process can decide to store that information and build a profile that
does have this information.

~~~
m4r35n357
I think you mean "participating"

~~~
Maarten88
tnx, updated

------
Tsubasachan
Advertising and marketing is a trillion dollar industry that employs millions
of people across the globe and I want nothing to do with it.

Advertising atheism and I wouldn't be entirely surprised if in the future
people will be prosecuted for it.

------
a_imho
Google is the elephant, but it is very rare to see compliant services/sites.
The interesting question is when/if EU is going to flex its GDPR muscles.

~~~
Mirioron
Never. This is used as another tool to selectively target companies the EU
doesn't like while maintaining appearances.

~~~
detaro
Germany (well, German states actually) alone has handed out fines to 41
companies, and has hundreds of proceedings in flight (i.e. one German state is
currently investigating 50 local companies), the vast majority against locals.
The average cases just don't make headlines, especially not in english-
speaking media, because who cares?

------
mancerayder
_Here’s a few more highly sensitive labels that are being attached to web
users’ identities and shared with potentially thousands of bidding ad
companies — in this case the labels are ones which the IAB uses: Special needs
kids, endocrine and metabolic diseases, birth control, infertility, diabetes,
Islam, Judaism, disabled sports, bankruptcy._

I'm jealous that at least Europeans can complain legally.

In the U.S., we believe that the free market knows best and that's freedom and
such. Meanwhile, we're being profiled by these vile companies (FB, Google) and
our data resold. Aside from individual rights being violated (hint, individual
rights aren't just rights against government intervention), there's a huge
societal threat here: what happens when this data is used to pit us against
one another? Are we still free, then?

In the U.S. it will take a cataclysmic event to reach a GDPR-like desire by
the population. The sad reality is that the EU has its citizens' interests
generally in mind (consumer protections, GDPR), while in the U.S. Big Brother
has the interests of large corporations at heart (namely by allowing them to
run roughshod over our rights).

------
chronotis
Setting aside penalties for a moment, what is the minimum set of changes to
programmatic advertising practices that would bring it into compliance with
GDPR? Would removing the targeting categories that relate to intimate data be
sufficient? Or is something deeper, more structural in the crosshairs?

~~~
mrweasel
I by no means and expert on the subject, but I believe that the "simplest"
change would be to target based on content, rather than the individual user.

~~~
chronotis
Yes, but that's also a torpedo to the way programmatic ads are currently
bought and sold. (FWIW I am in favor of such a change, but there are a lot of
very large tech companies selling data management platforms whose core value
prop is being able to stitch together audiences from this sort of data and
precisely target them everywhere their browser cookie or device ID goes.)

~~~
donohoe
Agree. GDPR and programmatic ads are totally incompatible.

I believe this is intentional on part of the EU.

~~~
Mirioron
Basically anything that hurts American tech companies is intentional on the
part of the EU. That's why they're keeping both eyes shut on the plethora of
violations many European companies are doing.

~~~
mrweasel
You have to report the violating companies. There are no government
organizations actively looking for violations.

The American companies are simply bigger target and have the attention of more
people, so their reported more quickly.

------
w_t_payne
Not just Google though, is it?

~~~
cyborgx7
And your point is what exactly?

------
onetimemanytime
I think Google and FB have met their match, EU! Not only penalties but
crippling changes to their existing, everything goes, business model.
Penalties they can afford...

------
throw2016
It just gets creepier and creepier and to think there are hundreds of
thousands of people involved in this sordid endeavour who think nothing of and
stalking, profiling and dehumanizing others for personal gain.

More evidence there is zero moral compass in SV and given enough money people
are willing to do whatever away from public view and posture and pretend to
care about niceties like ethics in public. And these are educated folks who
are not starving and desperate.

Discussions should move from a default human base ethical position to any
discussion about ethics is posturing and empty, its only by actions that any
sense of ethics can be gleaned.

But people who behave unethically cannot then expect an ethical society or
ethical behavior from others. These others too have a right to exchange their
values for money and attempt to normalize, redefine or hand wave away their
actions.

