They say you can't have too much of a good thing. Unfortunately, this applies to ads, too, whether you think they're a good thing or not. Soon, Europe’s four biggest telecommunication companies—Germany's Deutsche Telekom (DK), France's Orange, Spain's Telefónica, and the UK's Vodafone Group—will deliver targeted ads to their millions of subscribers while also observing European privacy laws.
Back in January, the quartet of telcos filed a proposal to offer a "privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers."
Now, the joint venture has been approved "unconditionally" by the European Commission under the EU Merger Regulation. With the four giants merging, the commission concluded competition concerns wouldn't be raised in the European Economic Area (EEA), meaning this merger can only compete with non-EU telcos.
"The joint venture will offer a platform to support brands and publishers' digital marketing and advertising activities in France, Germany, Italy, Spain and the UK," the press release noted. "Subject to the user's consent, the joint venture will generate a unique digital code derived from the user's mobile or fixed network subscription. Such code will allow brands and publishers to recognize users on their websites or applications on a pseudonymous basis, group them under different categories and tailor their content to specific users' groups."
Although the commission cleared the joint venture, this doesn't mean the EU's data protection regulators will give this a sign-off, too, as the press release further stated: "During its investigation, the Commission has been in contact with data protection authorities. Data protection rules are fully applicable, irrespective of the merger clearance."
The still-unnamed adtech merger is set to operate in Belgium, with each of the four holding a 25 percent stake. It isn't clear when this venture will begin operation.
Subscribers must opt-in
The hundreds of millions of subscribers of the four telcos will not automatically be subjected to the ads; they have to agree to this explicitly. Because this new ad platform, which they dubbed as a "counter-design to third-party cookies", according to TechCrunch, was designed with the GDPR and ePrivacy directive in mind, the JV would have to create an opt-in mechanism for willing subscribers to submit their phone numbers to start receiving "communication from brands via publishers".
"The trial platform requires affirmative opt-in consent by the consumer to activate communications from brands via publishers," said Vodafone about the venture's platform. "The only data that is shared is a pseudo-anonymous digital token that cannot be reverse-engineered. Consumers are free to opt in or deny consent with a single click, as well as revoke any other consents given either on the brand’s or publisher's website, or via a dedicated, easily accessible privacy portal."
"The platform is specifically designed to offer consumers a step change in the control, transparency and protection of their data, which is currently collected, distributed and stored at scale by major, non-European players," the company added.
Vodafone has already conducted a platform trial on its network and DK in Germany. In France and Spain, other trials are being considered "to further develop the platform". Eventually, it is to be made available to every operator within Europe.
The JV will be outlining its vision and strategy, including plans for adopting the trial technology commercially in the future. The name of the trial platform is TrustPid.
Vodafone's Privacy Portal, TrustPid, is where users can opt out of receiving targeted ads when they decide to. (Source: Trustpid)
Privacy concerns and dark patterns
When the name TrustPid started appearing in headlines in May last year, it quickly became synonymous with "supercookie", an ad targeting technology (tracker) famously associated with American telco Verizon. What a supercookie does is track websites visited by users on a smartphone or other mobile device on its network, allowing sites to better target them with ads. The Electronic Frontier Foundation (EFF) put it this way: "It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent."
Only in this case, explicit consent is required. However, it is not true consent—and this is a problem.
When the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) began receiving inquiries about TrustPid in June 2022, they revealed [source] [translated from the German] they flagged several "data protection problem areas" with the project, including relying on user consent for its legal basis to gather user information. As revealed in a recent study, to have true consent, the party must have (1) an understanding of corporate practices, policies, and legal protection regarding their data—something a lot of us would blindly agree to because no one reads the terms—and (2) autonomy to decide. Satisfying only one of these would make consent "illegitimate."
When TechCrunch quizzed Simon Poulter, a senior spokesperson for Vodafone, about consent, he claimed participating partners must explicitly collect consent before processing any data. However, the media outfit noted quickly that participating mobile carriers themselves never proactively asked for user consent at any point, making the source of tracking look "obfuscated by design".
"By outsourcing the gathering of consents to third party ad 'partners,' TrustPid's approach looks intended to dodge denials — but by doing that it risks running counter to key principles baked into EU law," TechCrunch added.
Poulter eventually confirmed the carriers had no intention to gather consent themselves.
A number of privacy advocates weighed in on the matter of TrustPid months ago. One of them was Aram Zucker-Scharff, the privacy engineering lead for the Washington Post:
Oh boy, it looks like Vodaphone is actively attaching unique user IDs based at the SIM-card level to subscriber network requests. https://t.co/IgGfmji0N8— Aram Zucker-Scharff | @email@example.com (@Chronotope) April 12, 2022
Participant users who don't want to be tracked anymore would have to opt out every three months since TrustPid tokens are designed to respawn every 90 days.
Mobile traffic data is generally untouched, and EU telcos have seen it as a significant fund source. Can they really allow advertising partners to collect this data even with consent?
"Companies that operate communication networks should neither track their customers nor should they help others to track them," digital rights activist Wolfie Christl was quoted saying. "I consider the project an irresponsible abuse of their very specific trusted position as communication network operators. It is a dangerous attack on the rights of millions. It appears they want to legally justify it with the misleading and meaningless pseudo-consent banners we have to deal with on websites every day, which is irresponsible and outrageous."
"The project undermines trust into communication technology and should be stopped immediately," Christl further added. "I hope that European data protection authorities quickly team up and stop the project."
We don't just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.