This is the industry standard for advertising. Even way before GDPR!
Remember when Verizon was caught "super cookie"ing all their subscribers' HTTP requests?
What did Verizon do? Moved the super cookie shenanigans under their subsidiary AOL. Then when AOL got a slap on the wrist too, what did Verizon do? Bought Yahoo and moved the shenanigans there. ...When those tactics were not technically possible anymore it sold all ad subsidiaries for the purchase price.
I call that «Regulatory Condoms». It works fine for enforcement that gives warnings before fines.
I could see someone perceiving the usage of the word condom in this context as negatively connotated. It's not the word condom that is wrong in itself, it's more to do with devaluing a condom and the usage of such.
See, to make a more practical example, if one has sex and uses a condom it's not nice to think of it like a subsidiary company that is used to keep off the results of GDPR violations on your behalf. The usage of condoms should IMHO be viewed in a more positive light.
> Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.
When you're selling it, I'm sure it is important to you.
Exactly. The only privacy respecting feature I have ever worked on in the Ad space was because vendors (the ad industry clients) were abusing the platform and pushing expensive rich-media formats when only paying for "banners". So we prevented the banners from escaping the iframes they were served in and added measured APIs to allow rich-media ones to annoy the user outside the iframe.
It also had the benefit of cutting down spam since most spammers were scraping the webmail contacts by placing ads. lol. The early 2000s were wild.
I remember the contradictory thoughts when I first filled in my work iPhone with my personal data.
Apple had some sort of mind control that had me excited to give them my personal information.
At the same time, I was horrified that I was giving so much information to Apple.
With Apple, it felt fine, their branding made you feel special. With Microsoft, you feel extorted. I'm sure people will nitpick differences, but after PRISM, it's just branding. Apple commercials make you feel better about Apple, even when they do M$ level of bad things. M$ is just so terrible at pretending to be pro-consumer, they are oblivious.
It's like when, as a European user, you go to a website that's called something like Idaho Gazette because you follow a HN link and after seven years they still block you but tell you how important you are to them.
I think if that was the case they could've just chosen to not collect any personal data from the five Euro users that show up once a year which would have taken less effort than putting that banner up
It would have taken more effort, because the data collection is not something they have the ability to selectively disable, it's so baked into their platform and business model.
> I think if that was the case they could've just chosen to not collect any personal data from the five Euro users that show up once a year which would have taken less effort than putting that banner up.
Putting the banner up is less effort than reconfiguring your web server to not include IP addresses in the logs, and reworking your tools that currently use IP addresses, such as various abuse detectors, to use something else. Note that it is not as simple as hashing the IP address because the IPv4 address space is small enough that hashing is easily reversed by brute force.
You can probably justify logging IP addresses, at least if you don't keep the logs too long, under GDPR without having to ask the visitor for permission. GDPR provides several justifications for storing personal data besides consent. But it is still personal data, so if GDPR applies then there are compliance costs.
For sites that are not in the Union and have no intention of serving people in the Union a block makes sense as a way to avoid that hassle. That's because for entities that are not in the Union determining whether or not GDPR applies when they are visited by people in the Union depends greatly on intent.
Article 3, "Territorial scope", says it applies if they are offering goods or services to data subjects in the Union or they are monitoring the behavior of data subjects that takes place within the Union.
The corresponding recitals say that offering goods or services means that the site envisages such offerings. Blocking visitors from the EU would be pretty good evidence that the site does not so envisage.
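The point made in the comment above about hashed IPv4 addresses, as an added example that is not part of the original thread. It shows an unsalted hash in a log being matched back to its address by enumeration, next to two common log-minimisation options (prefix truncation and a keyed hash whose key is rotated and discarded); the function names and the documentation-range address are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def naive_pseudonym(ip: str) -> str:
    """Unsalted SHA-256 of the address text: the usual 'just hash the IP'."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_from_hash(digest: str, network: str) -> Optional[str]:
    """Audit helper: hash every address in `network` and compare.

    A /16 is 65,536 candidates and all of IPv4 is only 2**32, so the
    input space is small enough to enumerate and the hash hides nothing.
    """
    for addr in ipaddress.ip_network(network):
        if naive_pseudonym(str(addr)) == digest:
            return str(addr)
    return None


def truncate_ip(ip: str) -> str:
    """Option 1: drop host bits before logging (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


class RotatingKeyedPseudonymizer:
    """Option 2: HMAC under a random key that is held only in memory.

    Within one key period equal addresses map to equal tokens, so rate
    limiting and abuse detection keep working. Once rotate() has replaced
    the key, earlier tokens cannot be recomputed by enumeration.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def rotate(self) -> None:
        self._key = secrets.token_bytes(32)

    def pseudonym(self, ip: str) -> str:
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    visitor = "198.51.100.23"  # constructed sample address (RFC 5737 range)
    logged = naive_pseudonym(visitor)
    print("from unsalted hash:", recover_from_hash(logged, "198.51.0.0/16"))
    print("truncated for logging:", truncate_ip(visitor))
    keyed = RotatingKeyedPseudonymizer()
    token = keyed.pseudonym(visitor)
    print("from keyed token:", recover_from_hash(token, "198.51.0.0/16"))
```

Both options reduce what the log reveals; whether the result is still personal data under GDPR is a legal question the code does not settle.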
Companies need to be slapped with a non-negligible percentage fine of revenue. They will learn fast to respect the law, and by extension, people's privacy.
If your aim is to keep profit expectation of violations at no more than zero, then it's also necessary to hold company _owners_ liable for more than their shares are worth. Otherwise, corporations will just play shell games (which they already do for all kinds of liability) to reduce the fines to peanuts via limited liability/bankruptcy. The chance of that reform seems very slim, so perhaps we could at least tax shell companies some percentage of both revenue and value, and not just profits - to represent the real costs of shifting liability. Not that that's likely either, but we can dream.
If the fines are meaningful, they'll primarily hurt shareholders. It's possible a corporation will try to mitigate some of the costs by downsizing, but that's no different from any other corporation with a non-working business plan.
Sparing shareholders from the costs of the choices their leadership made is a recipe for continued disinterest. Why bother appointing boards and CEOs that will avoid this stuff if they're always able to shift the costs to somebody else?
Just because a company has employees does not mean it is appropriate to shield it from consequences of its actions.
> If the fines are meaningful, they'll primarily hurt shareholders.
I’m just not so sure this is true. What kind of fine would hurt shareholders more than the employees that are let go to offset said fine?
At least currently, reputation is not represented in the tech market prices. Microsoft had a major security breach in separate products every 4 months last year, and opened this year by shuttering and laying off a large number of recently acquired game studios.
They are currently one of the 2 most valuable companies in the world by market cap.
Ideally, the labor market is competitive. If a company tries to offload its legal costs to its employees, they'll find work elsewhere, at least in aggregate. Ideally (again), shareholders do not have that option.
When a company goes under or significantly downsizes there will of course be impacts on employees. But equally, their competitors' employees may thrive.
I want to stress again that the alternative is basically lawlessness. If a company cannot be held to account merely because doing so might hurt employees, then it's in shareholders' interest to ensure the company disregards those laws whenever they get in the way of profits - which they can do by selecting boards and CEOs that are willing to take "risks" (and it seems quite unlikely that's ever likely to change). Those agents of a company might not even be in the same jurisdiction as the law, so trying to exclusively hold them to account seems like a pipe dream.
In any case, if laws try to very narrowly focus liability, you're also asking for games of musical chairs, and because it's so easy to create and destroy corporations, that's a game that will often lead to evaporation of any penalties.
Shareholders absolutely need to be held to account for the choices their companies make. Even limited liability is a protection with some problematic consequences; we definitely shouldn't make it even easier than it already is to shift burdens onto others or society at large.
I still don’t see how fines would hurt shareholders, realistically.
We need some kind of punishment, which is why we have fines, but it’s good to recognize that, at least right now, they don’t really do the job they’re meant to do.
> In any case, if laws try to very narrowly focus liability, you're also asking for games of musical chairs
Fines could be used to bolster the state's unemployment program and/or provide continuing health insurance to laid off employees. If a company can only maintain its staff size with illegal practices, then we shouldn't expect it to maintain that staff size.
"You can't punish me because I'll just punish the little guys" is an awful defense.
Better yet, get rid of patents. Patents are what prevent competitors from rising up and that are run by more ethical entrepreneurs that care about their customers.
Believing that would be most inconvenient for a rather large number of actors though.
Are there any known high-profile experiments where targeted versus content-related advertising was compared? Somehow it seems that targeted advertising works (or worked), or at least that's what all the big players believe.
As far as I understand, this is from the perspective of someone selling ad space. Plus, a lot of the problems they cite are issues with ad platforms integrating with their systems, since most of the tech that ad platforms have assumes tracking, it wasn't working with their trackerless platform.
The more interesting question is what real difference it makes to companies that buy advertising whether they buy targeted advertising versus trackerless advertising. After all, trackerless advertising was good enough for a very long time.
I mean, I don't really care if it's more effective. If the cost is my privacy, and the privacy of everyone else in the world, then I don't care if it's less profitable to not do targeted advertising.
I understand your point of view, and I'm not saying you don't have a point. But something tells me that you would take a more pragmatic approach if your livelihood or that of a close relative were directly affected by the company's poor sales as a result. Remember, everyone's job contributes to sales, whether they like it or not :)
Or perhaps, given the debatable efficiency of these ads systems, they might have been working at a different company or at a different project and actually create something useful for the end user or something that at least would work
Ultimately advertising is a zero sum game anyway. If you convince someone to buy your product then they are not going to spend that money elsewhere. Sure, they might have instead saved the money but that just means spending it later.
The only reason why anyone needs to advertise is to prevent others who do advertise from stealing all their customers. This is also why ads are becoming more intrusive and annoying over time - because you need to make your ads even more effective than the competition if everyone else already also uses ads.
Your argument about advertising being zero sum might as well be applied to any form of business (we all have a certain amount of money, and we choose where to spend it). I’m not sure how you can believe business in general is zero sum — it’s the only reason we’re now not living in caves.
I get that we’re all embittered by having annoying, low-quality adverts thrust in our faces, but there’s no need to become completely cynical about economies in general.
There are more industries that are basically parasites who don't contribute to society and instead insert themselves as middlemen to extract value from others' work, yes. But no, you cannot apply this to any form of business. Many businesses fulfill real needs. If you'd take all agriculture away, everyone would starve. If you'd take all advertisement away then the world would not collapse. These things are not the same.
> I get that we’re all embittered by having annoying, low-quality adverts thrust in our faces, but there’s no need to become completely cynical about economies in general.
Well, maybe the adverts by themselves aren't enough, but... gestures broadly
There’s much to be dismayed by in the modern world. But — and sorry to sound like such a cliche here — what alternative would you suggest to capitalism?
Why is the choice always "capitalism" or "not capitalism"?
It seems to me that the real problem with it all is the false dichotomy that so many people seem to have bought into. It wasn't too long ago that we understood that we need to balance out both sides for a society to flourish. Capitalism is useful, yes, but unfettered capitalism slowly eats itself and everything adjacent to it.
Ironically, you’re the one assuming it’s a dichotomy. I never said anything about ‘unfettered capitalism’.
> Why is the choice always "capitalism" or "not capitalism"?
Any set A induces a partition of the universe into A and not A. You haven’t made any suggestions at all. Just the usual moaning — which is justified, but not at all helpful.
You still haven't suggested anything of any substance. Just 'capitalism eats itself' which I think might not be an original observation. Sorry if I came across as rude.
I'd imagine it's more complicated than that. If you use iOS or Android, I'd imagine there's some practice of Google or Apple that you object to, so it's not practical to do it in all cases.
In my experience, I try to avoid companies with objectionable practices, but in a lot of cases, all the vendors are varying degrees of unscrupulous. Or the vendors that are ethical have a significantly worse customer experience because they're playing fair against competitors who are playing unfair. So, I'm left to either choose the least bad vendor or face massive inconvenience from not using a competitive vendor.
Using a product is different from having your livelihood depend on the company’s sales. You’re referring to the former but I was referring to the latter, as that is the point of the comment I replied to.
You are the very reason why I use adblockers, and block a bunch of URLs and IPs on my router (to protect myself and my family), _and_ try to convince loved ones to up their security/privacy game; while at the same time I know that most people are sheep and have this exact opinion, so I own stock of MS, Apple, Google, and others, that 'feed' on the people with that mindset.
It's kinda like those Silicon Valley execs that make these (mental) poisonous products but don't let their kids use them...? So thank you for the dividends, but I will feed my family (mentally) healthy stuff and not (mental) junkfood.
All because "hey the poor ad execs need one more speedboat!". Thank you for your service :)
> You are the very reason why I use adblockers, and block a bunch of URLs and IPs on my router (to protect myself and my family), _and_ try to convince loved ones to up their security/privacy game; while at the same time I know that most people are sheep and have this exact opinion, so I own stock of MS, Apple, Google, and others, that 'feed' on the people with that mindset.
The point discussed is that the ad targeting isn't even accurate, thus being inefficient and being detrimental on the long term. It isn't hard to imagine that all the work hours put into a targeting system that doesn't even know whether you're male or female could be better spent in other projects
What do you mean? There is a huge difference between putting an ad in a magazine for rich mothers with young kids (content-related) versus putting the same ad in a game that woman plays because her targeting ID identifies her as such (targeted).
Only if the two are equivalently effective. Advertisers believe today that direct targeting is more effective than content-based targeting. This is reflected in the much higher price they are willing to pay for direct targeting vs content-based targeting.
Can we please stop with the “eye-roll i knew this all along” comments? They’re not very constructive. Yes, there are things that are bad. Yes, we all know about it. Feigning surprise doesn’t really add much.
Yeah but this is still one entity and setting is based on cookie, per device valid up until cache gets cleared.
Browsers should handle tracking preferences in settings and it should be "deny" by default for all non-essential purposes. There are technical means but no will to respect such preferences. Tho, Global Privacy Control which is the successor to Do Not Track header managed to fine Sephora company in the US for ignoring opt-out request [1]. So, maybe there's some hope...
I have just done one just to wait for their rejection and then file a complaint to the Italian privacy authority.
Furthermore, you might wanna look into AdNauseam, a uBlock Origin fork that blocks ads while simulating a click on them so that the effectivity of ads is decreased.
They answered with:
> Thank you for your inquiry. We take privacy seriously at Xandr and appreciate the time you’ve taken to contact us.
> Our privacy center allows consumers in specified jurisdictions to take certain actions such as requesting access to, correction or deletion of personal information and to opt-out of the sale or sharing of the same. We must be able to verify your identity in order to process your request. However, because our advertising platform does not contain information that would allow us to identify an individual, such as name or email address, we will be unable to verify the identity of most requestors and therefore cannot fulfill such requests as a result. To the extent we maintain identifying information about you outside of our advertising platform, such as for business contacts in California, we will use this data to verify your request. Further, if you are submitting a request on behalf of someone else, we may ask for additional information from you in order to verify we are authorized to process the request. Additionally, all consumers may opt out of interest-based advertising using our global opt-out.
> To learn more about our privacy practices, review our Platform Privacy Policy. We hope that this information is helpful. If you have any further questions, let us know.
> If you are in the European Economic Area, you have the possibility of lodging a complaint with an European Data Protection Authority and of seeking a judicial remedy.
> Regards,
> The Xandr Privacy team
I'm gonna try to tell them about the cookie they talk about in the article, I wanna know what they're gonna say.
> Thank you for your inquiry. We take privacy seriously at Xandr and appreciate the time you’ve taken to contact us.
> Although we are unable to confirm whether we maintain any personal data relating to you, if the identifier you provided exists in our database, we will delete it.
> Regards,
> The Xandr Privacy team
Proving that they ARE able to identify someone if they're provided the uuid2 identifier
I answered the email and I received an automated email saying the customer service email wasn't working anymore, so I went through the official Microsoft Xandr form and wrote this:
"Hi, I previously made a data access request which was denied per your policy for which you even have a webpage showing the number of requests denied. I replied to the email but the customer service email was apparently shut down and I received an email that said it wasn't working anymore. So I'm contacting you through this form. I'll paste my answer to your data access request answer here: "Hi, I'm answering this email regarding my inquiry. Per Microsoft Xandr cookie policy you do use a cookie that is unique and can be associated with my data https://about.ads.microsoft.com/en/resources/policies/digita...
That cookie is uuid2. By giving you the value of this cookie, which is unique, you should be able to identify my data. I would like to receive the data linked to that uuid2, if existing, in a zipped format if possible. I also ask for the data with that uuid2, if existing at all, to be deleted.
the cookie value is [cookie value]
The RTB industry is IMO missing a trick by using properties of people for targeting rather than "info vectors" and "bloom lists".
The info vectors would be generated by a neural net based on all information known about a customer. The vectors would specifically not be usable to identify a customer, and therefore not count as PII under GDPR rules. The vectors would be trained to predict the probability of clicking an ad (the pCTR). Using that training metric, everything an advertiser cares about will end up encoded in the vector, whilst no individual private piece of info (eg. sexual orientation) is extractable with any certainty.
Notably, these vectors will be addable, allowing multiple companies to add their vectors on one visitor, creating a new vector with even greater predictive strength, but no company shares their private customer data to competitors.
The 'bloom lists' will be able to identify customers, but only probabilistically. They will encode data such as "user bob@mail.com has an account at Walmart, Lowes and Target". However, the data they hold is only right ~99% of the time, since it is implemented with a bloom filter. That allows businesses to do remarketing to specific users, for example past customers. No individual user could ever be sure they are or are not part of such a filter, and hence it again doesn't meet the EU's PII definition.
By using the above two, I believe the total CTR can be increased (since users get better targeted), whilst also giving users the privacy they expect.
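A small Bloom filter of the kind the "bloom lists" idea above relies on, as an added example that is not part of the original comment. It measures both error directions on constructed e-mail addresses: a lookup that answers "no" is always correct, while a "yes" is wrong at roughly the configured false-positive rate; the sizes (1,000 members, about 1% target rate) and all names are assumptions chosen for illustration.

```python
import hashlib
import math


class BloomFilter:
    """Bit array of m bits probed at k positions per item."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k probe positions from one SHA-256 digest.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(item))


def expected_fp_rate(m: int, k: int, n: int) -> float:
    """Standard approximation: (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k * n / m)) ** k


def build_demo():
    """Constructed remarketing list: 1,000 customer addresses."""
    members = [f"user{i}@example.com" for i in range(1000)]
    bf = BloomFilter(m_bits=9586, k_hashes=7)  # sized for about 1% false positives
    for addr in members:
        bf.add(addr)
    return bf, members


def measure(bf: BloomFilter, members, trials: int = 10000):
    """Return (false negatives among members, false-positive rate among outsiders)."""
    false_neg = sum(1 for addr in members if addr not in bf)
    outsiders = [f"visitor{i}@example.net" for i in range(trials)]
    false_pos = sum(1 for addr in outsiders if addr in bf)
    return false_neg, false_pos / trials


if __name__ == "__main__":
    bf, members = build_demo()
    fn, fp = measure(bf, members)
    print("false negatives:", fn)
    print("measured false-positive rate:", fp)
    print("expected false-positive rate:", round(expected_fp_rate(bf.m, bf.k, len(members)), 4))
```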
No inference made on data is ever guaranteed 100% to be right. So I'd expect the legal standard in this case to be "are companies able to identify individuals from the data" and if that's possible in 99% of cases, any court will rule against you.
I think a lot of people think that bad targeting is a technology problem, but isn't it also an economic one? It doesn't matter how good your categories are if ftx.com pays for a massive ad buy across all demographics and annoys the shit out of everyone. The opposite is also true - products I might actually be interested in probably don't get enough budget for me to see an ad for them more than once.
If an ad is 'annoying' and makes a customer install an adblock or stop using a website, then the website should be compensated for all the future lost revenue.
That's easy for an ad exchange or publisher to enforce by simply subtracting a factor from all bids from an advertiser to 'pay' for the chance of future loss of revenue caused by said annoyance. That factor would be decided based on data of past customers who stopped using a site or installed an adblocker.
There are plenty of other similar factors already in use - they're typically aggregated into a "quality factor". They also encompass ads which make a promise but don't deliver ("Everyone wins an iphone!"), or otherwise generally leave the user unhappy (which, in aggregate is quite easy to estimate using bounce rate, dwell time, conversion rate, etc)
> Previous research has shown that Xandr collects hundreds of sensitive profiles of Europeans containing information about their health, sex life or sexual orientation, political or philosophical opinions, religious beliefs or financial status. Specific segments include things like ‘french_disability’, ‘pregnant’, ‘lgbt’, ‘gender_equality’ and ‘jewishfrench’.
I don't read German (which I think the justifying article is written in) - is this linking directly to personally identifiable information? If I have an ID in a cookie that links to these groupings, it is not necessarily the same as a GDPR breach.
Would someone mind clarifying this one who's more familiar with Xandr/reading German?
> If I have an ID in a cookie that links to these groupings, it is not necessarily the same as a GDPR breach.
I guess this may be unintuitive if you're used to "letter of the law" interpretations but the GDPR is very much a "spirit of the law" directive. You don't get around its requirements with technicalities, especially not in combination with the ePrivacy directive which further fleshes out some of the implementation specifics for cookies and such (e.g. your consent modal needs to give equal weight to "reject all" and "accept all" if it does not emphasize the former and the former must be a one-click option not hidden behind a second dialog step).
The type of data mentioned in the part you cited enjoys special protection in the GDPR so you better have a watertight justification for collecting and processing that data.
To be clear:
- Assigning a unique ID to a user across requests is GDPR-relevant (i.e. you likely require consent)
- Associating that ID with demographic segments like those mentioned in TFA is GDPR-relevant (i.e. you likely require consent for tracking that data even if you infer it)
It doesn't matter whether you explicitly collect demographic data or infer it based on behavioral data you collect. There's no way to "privacy-wash" this data. All the rights defined in the GDPR still apply to that data.
If you want "clean" demographic data, you need to generate it without using any data originating from the user and you can not tie it to the user in any way (such as with an ID). So your testing environment using `faker` to generate test customer data is safe. Any production environment is not.
I keep saying this but it's best to consider all forms of PII radioactive: you want to avoid it if possible, you need special containment procedures to handle it and you need to audit where any of it came from and where it went until you destroy it.
I think Article 4, section 1 answers your question with regards to online identifiers such as cookies:
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I don't think it fits the bill. If I tell you I have a cookie with ID jeeg274642, how are you going to identify me? That's different to things like a Twitter handle that can be traced straight to a person, as some can.
Because I know where jeeg274642 belongs in the set of [gender, nationality_and_region, age_group, pregnancy_status, ...].
Just like a Social Security Number, a cookie (or whatever storage tech is used) need not contain the exact data of the individual, it only needs to reference or be precise enough for it to be a means of identifying them.
Okay, but what do you actually do to identify? A social security number is a 1:1 to a person, if I understand them correctly. It's a direct ID number which lots of relatively low-paid, bribeable people can translate into a person's identity through a government lookup. How would you translate those groups into a person? It's a woman who's pregnant, 20-30, in Belfast. Now what?
Why are you seemingly arguing that the only personally identifiable bits of information are those with a strict 1:1 relation to an individual? And what are you trying to understand exactly?
> About half of the U.S. population (132 million of 248 million or 53%) are likely to be uniquely identified by only {place, gender, date of birth}, where place is basically the city, town, or municipality in which the person resides. And even at the county level, {county, gender, date of birth} are likely to uniquely identify 18% of the U.S. population. In general, few characteristics are needed to uniquely identify a person.
> Mr. X lives in ZIP code 02138 and was born July 31, 1945. These facts about him were included in an anonymized medical record released to the public. Sounds like Mr. X is pretty anonymous, right?
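The quasi-identifier argument quoted above, as an added example that is not part of the original thread. It counts how many rows of a constructed profile table share each {place, gender, date of birth} combination, lists the cookie IDs that are singled out, and shows the effect of coarsening the date of birth; every record, field name and function name here is made up for illustration.

```python
from collections import Counter

# Constructed ad-profile rows: a random cookie ID plus inferred attributes.
PROFILES = [
    {"cookie": "c01", "place": "Belfast", "gender": "F", "dob": "1994-03-12", "segment": "pregnant"},
    {"cookie": "c02", "place": "Belfast", "gender": "F", "dob": "1994-11-02", "segment": "gaming"},
    {"cookie": "c03", "place": "Belfast", "gender": "F", "dob": "1996-07-30", "segment": "travel"},
    {"cookie": "c04", "place": "Belfast", "gender": "M", "dob": "1994-03-12", "segment": "finance"},
    {"cookie": "c05", "place": "Derry", "gender": "F", "dob": "1994-03-12", "segment": "health"},
    {"cookie": "c06", "place": "Derry", "gender": "F", "dob": "1991-01-05", "segment": "travel"},
    {"cookie": "c07", "place": "Belfast", "gender": "M", "dob": "1990-05-21", "segment": "gaming"},
    {"cookie": "c08", "place": "Belfast", "gender": "M", "dob": "1990-05-21", "segment": "finance"},
]

FINE = ("place", "gender", "dob")
COARSE = ("place", "gender", "birth_decade")


def _key(row, quasi_ids):
    return tuple(row[q] for q in quasi_ids)


def class_sizes(rows, quasi_ids):
    """Size of each equivalence class: rows that agree on all quasi-identifiers."""
    return Counter(_key(r, quasi_ids) for r in rows)


def singled_out(rows, quasi_ids):
    """Cookie IDs whose quasi-identifier combination matches exactly one row."""
    sizes = class_sizes(rows, quasi_ids)
    return [r["cookie"] for r in rows if sizes[_key(r, quasi_ids)] == 1]


def k_anonymity(rows, quasi_ids):
    """The table is k-anonymous for k = size of its smallest class."""
    return min(class_sizes(rows, quasi_ids).values())


def generalise(row):
    """Coarsen the date of birth to a decade, e.g. 1994-03-12 -> 1990s."""
    out = dict(row)
    out["birth_decade"] = out.pop("dob")[:3] + "0s"
    return out


if __name__ == "__main__":
    print("singled out on", FINE, "->", singled_out(PROFILES, FINE))
    print("k =", k_anonymity(PROFILES, FINE))
    coarse = [generalise(r) for r in PROFILES]
    print("singled out on", COARSE, "->", singled_out(coarse, COARSE))
    print("k =", k_anonymity(coarse, COARSE))
```

A row in a class of size one links its cookie ID and segment to whoever is known to have that place, gender and birth date, with no name stored anywhere in the table.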
Maybe it's because I just woke up, but this headline was really confusing to me. I believe it's saying the ad broker Xandr, owned by Microsoft, does not comply with GDPR, and has a 0% compliance rate with GDPR requests.