ICO challenges adtech to step up privacy protection
News | Privacy

ICO challenges adtech to step up privacy protection

Posted: November 26, 2021 by Pieter Arntz

The UK Information Commissioner’s Office (ICO) wants the advertising industry to come up with new initiatives that address the risks of adtech, and take account of data protection requirements from the outset.

The ICO is an independent body set up to uphold information rights. The technology that is currently in use by the advertising industry has the potential to be highly privacy intrusive. And the ICO has the right to issue, on initiative or on request, opinions to Parliament, government, other institutions or bodies, and the public, on any issue related to the protection of personal data.

The problem

The concept is simple: Advertisers want to show adverts to individuals who are likely to buy their product, and consumers prefer to see adverts that are relevant to them over those that are not. To accomplish this, the advertising industry has come up with a complex web of data processing which includes profiling, tracking, auctioning, and sharing of personal data.

That approach leads to advertisers knowing far more about people than they need to, and having to store and secure all that data.

Moves in the right direction

In recent years, the ad industry has developed several initiatives for less intrusive technology to address these privacy risks. These include proposals from Google and other market participants to phase out the use of third-party cookies, and other forms of cross-site tracking, and replace them with alternatives.

Federated Learning of Cohorts (FLoC) is one of the initiatives by Google that aims to thread the needle of offering people targeted ads while respecting their privacy. That initiative got off to a bad start when it became known that Google had quietly added millions of Chrome users to a FLoC pilot without asking them.

Other recent developments highlighted by the ICO include:

  • Proposals like FLoC, that aim to phase out third-party cookies and replace them with alternatives.
  • Increases in the transparency of online tracking, such as Apple’s App Tracking Transparency, which has had a notable impact—both in terms of the number of users exercising control over tracking, as well as the market itself.
  • Mechanisms to enable individuals to indicate their privacy preferences in simple and effective ways.
  • Developments by browser developers to include tracking prevention in their software.

As an example of the last point, Enhanced Tracking Protection in Firefox automatically blocks trackers that collect information about your browsing habits and interests. But this is not  as effective as you might hope. Blocking third-party cookies and related mechanisms does partially restrict cross-site trackers, but as long as a tracker is still being loaded in your browser, it can still track you. Not as easy as it was before, but tracking is still tracking, and the most prevalent cross-site trackers (looking at you,  Google and Facebook) are certainly still tracking you.

Google

Google’s status in the digital economy means that any proposal it puts forward has a significant impact. Not just because of the market share of its browser, but also due to the services it offers individuals and organizations, and the large role it plays in the digital advertising market.

In 2019, Google announced its vision for the Google Privacy Sandbox. The building blocks for this were essentially:

  • Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
  • Blocking ads or cookies can prevent advertisers from generating revenue, threatening #1.
  • If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.

Expectations

The ICO is attempting to insert itself into the rapidly evolving situation around adtech by means of a recently published opinion:

There is a window of opportunity for proposal developers to reflect on genuinely applying a data protection by design approach. The Commissioner therefore encourages Google and other participants to demonstrate how their proposals meet the expectations this opinion outlines.

The ICO is encouraging Google and other advertisers to demonstrate new proposals that can meet a set of expectations set out in the Opinion. It wants to see proposals to remove the use of technologies that lead to intrusive and unaccountable processing of personal data and device information, which increases the risks of harm to individuals.

The ICO says it expects any proposal to:

  • Engineer data protection requirements by default into the design of the initiative.
  • Offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data.
  • Be transparent about how and why personal data is processed, and who is responsible for that processing.
  • Articulate the specific purposes for processing personal data
  • …and demonstrate how this is fair, lawful and transparent.
  • Address existing privacy risks and mitigate any new privacy risks that their proposal introduces.

As the ICO does, we are looking forward to more privacy focused ways of delivering targeted advertising.

RELATED ARTICLES

Fishing in a lake
Cybercrime

Law enforcement reels in phishing-as-a-service whopper

April 18, 2024 - A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

CONTINUE READING 0 Comments
Cerebral logo
News | Privacy

Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million

April 18, 2024 - The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

CONTINUE READING 0 Comments
JuicyFields investment scam
News | Scams

Cannabis investment scam JuicyFields ends in 9 arrests

April 18, 2024 - JuicyFields was an investment scam that urged victims to invest in cannabis production.

CONTINUE READING 0 Comments
A mobile phone in the hands of a young woman in a dark colored t-shirt.
Privacy

Should you share your location with your partner?

April 17, 2024 - Location sharing is popular among couples. But is it something you want in your own relationship?

CONTINUE READING 0 Comments
Giant Tiger logo
News | Personal

Giant Tiger breach sees 2.8 million records leaked

April 16, 2024 - A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Pieter Arntz

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams