A Look Back on Misleading Advertising

Charities and the advertising industry: data ecosystems and privacy risks

Data makes the world go round, more often than not via advertising and its tracking mechanisms. Whether you think making money from large volumes of PII to keep the web ticking over is a good thing, or a sleazy data-grab often encouraging terrible ad practices, it’s not going to go away anytime soon. Charity advertising is an important feature of revenue generation for UK-based charitable organisations, and that’s where our focus lies in this post.

A detailed analysis of ad tracking mechanisms on popular charity websites has been released by ProPrivacy, and it explores the nuances of organisations balancing the need to stay in operation alongside ensuring personal data and privacy are top of the agenda. Unfortunately, it appears there’s still a lot of work to do in that regard.

The numbers game

Right off the bat, I think it’s important to pin down exactly what kind of numbers we’re talking about here. The report is incredibly long and detailed, and it’s quite easy to miss key points as a result. If you skimmed the report, or just glanced at bits and pieces, you might come away thinking 80,000 UK based charities are harvesting data on a grand scale. That isn’t the case.

The domains were extracted by researchers from the Charity Commissioner’s database. Once potentially unrelated sites such as publishing companies, subdomains, dead URLs and more were removed from the total, what’s left is 64k sites. That’s still a sizeable number of domains. Even so, that tally is about to drop further.

The study authors deduced that 42% of what remained used ad tracking technology. That’s around 27,000 sites. This is still a big number, but as you can see we’ve already lost a significant chunk of the original tally.

Adding shape to data

As for what kind of charity advertising lurked on those sites, I’ll stand back and let the researchers do the talking:

The majority of these trackers were related to social platforms. 33.8% of the sites analysed contained trackers belonging to: Facebook, Twitter, AddThis, YouTube, Instagram, LinkedIn, or Flickr.

DoubleClick, the Alphabet-owned programmatic advertising (RTB) platform was installed on 10,105 (15.6% of sites).

Outside of the Google advertising ecosystem, we found 330 (0.51%) charities with RTB trackers and 220 (0.34%) with data broker trackers installed.

Your mileage can (and will!) vary, but I don’t personally think people generally have issues with things like social plugins, especially when many of us use those tools daily. It’s also quite easy to find out what, exactly, those plugins do and how to avoid them if you really want to.

Some of the other elements could be cause for concern, however.

The study found that 90% of the top 100 popular charities in the UK used advertising methods via DoubleClick or similar technology. Again, Google’s DoubleClick is something you can at least find information on and make an informed decision as to whether you want your data to interact with it. With them taken out of the picture, 40% used third party elements belonging to either RTB players or data brokers.

This is where the story really kicks into gear. Before said gear can be kicked, it’s time for a brief “What is RTB” interlude.

What is Real Time Bidding (RTB)?

Back in the olden times of online advertising, ads were purchased in bulk and placed on specific websites only. It was all a bit cumbersome and not particularly sophisticated, at least compared to what’s now available. Real Time Bidding (RTB) is a system where advertisers compete in real time set against specific audiences and targets.

It’s more agile than more traditional methods of ad unit placement, and usually a bit cheaper. Instead of the old bulk methods, you can assign whatever size budget you like and only “win” the bids you’re interested in. Anything unimportant to your overall strategy won’t factor into things.

Think of it as an advertising sandwich, with the advertisers wanting to promote wares on one side, the website on the other, and the ad network filling in-between connecting the two. Within that ad network space, you’ve got the big players at the top of the…sandwich tree?…and an endless procession of ad agencies.

There are usually additional ad agencies filling the role of brokers liaising with said big guns. In amongst all of this, the rogue advertisers place their bids for impressions alongside legitimate buyers, and the real-time nature of things makes it tricky to sniff them out. Those bogus ads could be pushing malware, or redirects, or both.

That’s at the “definitely very bad” end of the scale. Elsewhere, we have simply “RTB working as intended”. That’s our sign to jump back to the story at hand.

Charity sites and RTB

According to the research, 21 charities are sharing data with brokers directly, and seven are sharing with more than one broker. As you can imagine, it’s important to comply with all relevant rules to keep site visitors safe from potential privacy intrusions. What the study found, however, was that in a lot of cases where charity advertising is concerned, organisations simply had no idea what was happening on their site.

Daisy chains of third-party requests from the initially placed tracker means visitor data could be shared with multiple companies. Who are they? What are they doing with it? Well, the charity may not know and so neither would you. If people running the ad tech don’t fully explain what’s going to take place to the charities, that leaves both site and visitors at risk.

Oh no, my cookie jar

Worse, cookie compliance is a mess. In theory, when you see one of those “Do you accept” notices, you’re supposed to be able to decide if you accept cookies / tracking or not. Everything should pause under the hood and wait for you to make an informed decision. The reality is a little bit shocking, with a whopping 92% of the top charity sites failing to pause cookie loading till a decision is made.

Going back to the data, 8 charities paused 3rd party cookie loading till a decision was made. The rest were potentially sharing data with advertisers while the site visitor decides what to do next. 30% of those in the top tier gave no consent option either way. Some form of actual control offered to visitors was granted by just 32%, with 13% ensuring their cookies are inactive, waiting for the visitor to make a move.

This is, frankly, not great.

Scenes from a charitable donation

Many of us donate to charity organisations, whether it’s one-off payments, rolling subscriptions, bags of clothing, and more. To give one example, after a house-move I passed in a lot of clothing and other items I no longer had a use for. The way it works is you fill in a few forms when you hand it over, and a few months later a letter comes through the door. It encourages me to visit the website and “See what we’ve done with your items”.

There are a few different ways this can play out:

  1. The letter will be personalised to my items, for example with a unique printed code which I input on the site. From there, the website would attempt to tie me to the items given to begin the matching of personal data and advertising profiles. Who knows if the marketing tools under the hood do anything prior to me making cookie related decisions? If they’re connected to daisy-chained advertising firms?
  2. The letter includes a code tied to your name / address. This code may or may not be used on the website to update details in case of a house move. It’s possible this will be tied to marketing profiles when first entered or updated, and then you’re back to the same situation in example 1.

Time to make a choice

In my example, the site presents me with a popup the length of the page, telling me analytical / marketing cookies are set to off by default. Essential cookies are ticked, and there are two separately placed “accept recommended settings” boxes. Is there no way to disallow the essential cookies even if the site requires them to function? If I click the “accept recommended settings” next to the currently switched off marketing cookies, will it enable them? Or is “off” the recommended setting?

Does the “accept recommended settings” box next to the essential cookies tick related to those specifically, or does it do the same thing as the recommended settings box next to marketing cookies? Where do I click to find out?

These are just a few of the questions I had in my mind as I browse the page, and I’m not entirely sure what the correct answers will be. It may well be a slightly excessive observation of the choices before me, but such observations are required to figure out exactly what we’re agreeing to. Without them, the idea of granting consent seems somewhat meaningless.

Charitable ethics

As the report notes, many charities deal with very sensitive subjects. How prepared are we to become monetised for random third parties, in order to keep our favourite charities of choice ticking over? There are no easy answers to this question. The main requirement here is to ensure people’s data is treated with the same respect the charities give the recipients of their hard work. Donators are happy to keep these organisations ticking over, and it’s definitely in the long-term interests of the charities to keep them that way.

Full report: Exposing the hidden data ecosystem of the UKs most trusted charities (Source: ProPrivacy)


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.