DL Seminar | AdTech & Our Privacy – Dark Present, Brighter Future?
Updated: Dec 15, 2020
Individual reflections by Arven Sheinin and Yujie Shao (scroll down).
By Arven Sheinin
The marketing industry has gone through a major shift since the introduction of the World Wide Web, and especially with the prevalence of internet access. From an industry trying to create one solution fit all (i.e. heavily budgeted TV commercials, billboards etc) that appeals to as many people as possible, it moved to a personalized list of ads for each us using the internet. To achieve this, marketers use data gathered on users from their internet usage.
This enables smaller businesses to target potential customers like never before, and for customers to find out about alternative products and services, yielding higher social value for everyone. But what is the price we are paying for this benefit? Many have tried to answer this question, but the reality is that the industry is fairly convoluted and not easily understood to the average user.
So, how does it really work?
Ido Sivan-Sevilla, a post-doc at Cornell tech presents the world of advertising technology (AdTech in short) and its major players. When we visit a website, a whole operation is dedicated to presenting us the ads most likely to make us click on them and eventually spend money. First, a cookie with our data is sent to the website’s server. Then it is turned to DMP’s – the data-brokers – who gather information from a bunch of websites. Simultaneously, auctions are held on us by different marketers to win the ad slot in the website. But how do the data brokers know so much about us? Well, the cookie has an ID, that is matched with the user’s IP address, and the data brokers are smart enough to build profiles for every user. Our data is being gathered from most of the sites we are visiting to determine how long we have lingered, on what we have clicked, and that’s not all. Using analytical tools, further information is derived to establish how much we make; how healthy we are and so on. This data does not stay in one pair of hands, but is passed on to whoever pays for it.
Governments try to combat this by the passing of privacy laws; however, the latter does not appear to work effectively. For example, take The General Data Protection Regulation in the EU. Its main goal was to make users aware of their data being used, and to make website owners secure consent from their visitors. This regulation is being enforced on the member state level, and there are big differences in the styles of enforcement between states. While some are stricter than others, none is particularly effective. Ido lists a number of reasons:
First, governments do not invest enough in the entities in charge of enforcing it, compared to the revenues of the companies they are supposed to inspect. Secondly, this kind of inspection requires a high level of expertise, which is not prevalent and hard to recruit.
This is the state in which the industry is today, yet there is some light at the end of the tunnel.
There is an alternative, and it is not legislation
Robin Berjon is head of data governance at the New York Times. As one of the leading news websites in the country and indeed the world, he is stressing how vital AdTech is to the industry in which he works. He adds that when you come to think of it, AdTech is not all bad and really lets marketers get much more for the same amount of money. That being said, it also opens the door to less desirable activities such as exclusion of certain groups from seeing specific ads like housing, jobs and others, against which we already have laws in the book. The New York Times, however, took it upon themselves to change the way they use AdTech and, perhaps, become the leaders of change in the industry.
It turns out that the Times readers trust the newspaper to use their data responsibly, but not the third parties with which it works. In other words, the readers are happy to have their data used by the Times itself as a first party entity, but are against it being shared with anyone else. Robin lays out a number of operational changes that had taken place in the Times to address the issue of privacy. The most interesting and important change in their policies was to cut ties with all their data brokers and only use their own data. Robin adds that while the Times is able to do this, other smaller players cannot, and therefore a governmental regulation requiring this would be detrimental for smaller businesses relying on AdTech. Surprisingly enough, while the marketing department at the Times warned that giving up on data from third party sources would hinder their ability to recruit new subscribers, since the change the Times has gained over 2 million subscribers, from 5 to 7 million.
In summary, Robin explains that he tries to see everything from the shop-context point of view. Whatever is legitimate to do in a physical shop, should be legitimate in the AdTech arena. More importantly, whatever is illegitimate in a shop shouldn’t be legitimate elsewhere. If a shop owner can look at a potential customer and tailor his or her pitch to them, so can a website. But a shop owner would not dig into its target audience’s health history, and so a website should not do it either.
Honestly, is it that bad?
The way Ido presented the subject, we must ask ourselves: who’s the victim and what’s the harm? Yes, our data is used like sacks of potatoes, but do we really care, comparing to the value this usage yields to us? Is it so bad that users get to find out about new hair salon in their neighborhood while playing Candy Crush, for the small price of letting AdTech companies know that they looked for a barber? Moreover, Ido’s approach is to turn to the government, but we have to ask ourselves – isn’t it a classic case of “no victim no crime”?
Robin’s perspective is much more realistic. While he admits that AdTech could be used for malice as easily as they can be used to do good, he emphasizes the benefits, and proposes a market solution. His presentation of the Times’ experience of not losing subscribers after eliminating their relationship with third party data brokers could be the future of the industry.
Lastly, both failed to mention the easy solution that is already widespread and very cheap – using a VPN. By paying less than $10 a month a user can mask their information from the “web predators” and have his or her data secured. So, essentially, there is a solution to a problem that is not necessarily so severe, it just depends who you ask.
By Yujie Shao
As technologies and the access of online user data evolved, companies can now target a group of consumers and show them a more personalized list of advertisements. However, the algorithms behind these recommendations and the privacy issues brought by the usage of personalized data remain unclear. On December 2nd, the Digital Life Research Seminar welcomed Robin Berjon and Ido Sivan-Sevilla to do a joint presentation on advertising technology and its impact on our privacy.
Ido Sivan-Sevilla started with an introduction about how the users’ internet data have been constantly collected and used by the AdTech industry. Then, how the data protection authority in Europe has been trying to reinforce the privacy issues has been discussed, including their enforcement styles. Then, Robin Berjon discussed how The New York Times addresses some of the user privacy problems brought by the new form of digital advertising. Lastly, they concluded this presentation with how we can bring a brighter future for AdTech.
Online User Identification and Data Collection by AdTech
Ido Sivan-Sevilla, a postdoctoral fellow at Cornell Tech’s Digital Life Initiative, started the presentation with an introduction of how real time auction works and how a specific ads that fits us the best would filled into a website.
When the page starts loading and a slot for ads shows up, the sellers (website) and the buyers (advertising agency) would work together, or work through some intermediaries to determine the best ads to display. More specifically, the ad slots will send a request to a third party, alongside with some basic information about the user including IP address and cookie ID. After that, a bid request will be sent out to all the advertisers. With the cookie ID and the basic information of the user, the advertisers will be able to analyze the user on their online behaviors and past purchases. After the analysis, the advertisers will place a bid for the user, and the winner among all the advertisers get to display their ads.
Besides the logic behind displaying an ads, Ido Sivan-Sevilla also discussed one of the studies he has done previously about what types of data are tracked and how they are exchanged among different agencies. In the study, he pointed out that most of the data gathered by adTech companies are identified by the cookie ID, and they are shared among all the different agencies. In other words, the third parties trackers have a comprehensive information about the users even though the user is visiting different website.
Data Protection Authority and Violations of AdTech
Ido Sivan-Sevilla then discussed three clear General Data Protection Regulation (GDPR) violations of AdTech industry. First, there is no legal basis for AdTech industry to process personal information. Specifically, the users are not properly informed about how their data will be used by AdTech industries. Besides, GDPR required those third-party companies and websites to provide explicit explanation and consent from the user about how their data will be used. However, AdTech companies now either did not provide enough information, or the consent and explanations are far from explicit. Lastly, these data dos not have clear guarantees and technical controls. The risk of data leakage is very high.
Data protection authority (DPA) tried to solve the problems and helped users to protect their privacy. However, they reported a lack of sufficient support from both technical perspective and financial perspective. On one hand, DPA does not have enough financial support compared to the revenue earned by the AdTech companies. On the other, DPA lacks people with technical expertise who can fully understand the algorithms behind AdTech industries. Ido Sivan-Sevilla also discussed about different DPA enforcement styles (with different level of hierarchy and level of formalism), and how they can achieve different results on regularizing AdTech.
New York Times’s Effort To Make Ads Good
Robin Berjon, who runs data governance at The New York Times, introduced a few steps that New York Times has taken to “make Ads good”. Robin Berjon mentioned that it would be hard to eliminate some of the AdTech parts even though they can potentially bring privacy concerns. For example, getting rid of trackers and changing the target of the ads (i.e. only for those with subscriptions) are not feasible. Robin Berjon also talked about how New York Times strives to maintain the privacy of the readers. One thing he talked about is to take privacy concerns seriously, and pay attention to how they use the data. For example, The Times now becomes the only controller of any data collected on their page. Besides, New York Times also try to build trust between them and the readers. New York Times uses data in a way that is align with their readers’ expectations, and opens to explain any steps of the data usage.
After learning about AdTech and how New York Times had tried to protect data privacy of the users, one important step should be taken is to find the balance of using users’ data for advertising industries. More specifically, as Robin Berjon mentioned, some of the techniques AdTech companies used are unavoidable, even though they can violates the privacy of the users. Thus, a balance need to be found so that these techniques are still used effectively, but not violating users’ privacy. Besides, transparency and getting users’ consent is one of the key steps that governments and DPA should be taken to ensure user privacy. This will not only allow users to have a better understanding about what types of the data are collected and how they will be used, but also help them make decisions about whether they would like their data to be used in this way. Last but not least, big companies like New York Times should act first to raise public awareness of the user privacy problem, and try their best to solve the problems. New York Times has taken a few actions to solve the problem, and it has been effectively protect the data of the readers. To bring a brighter future to AdTech, more companies should take actions and help protect its users.