Duopoly by Shifty Ad Privacy

A massive role reversal is in progress.

In case you haven’t noticed, Google and Facebook substantially altered and greatly expanded their grip on our web browsing data to supply their behavioral advertising machines already built upon our personal communications. These recent changes are reflected in this duopoly’s surging control of the ad spend market (90% of growth in Q1 2016), updates to their user settings interfaces, and a deceptively clever split between what types of ad privacy disclosures occur upfront versus deep in the fine print. Meanwhile, members of the media and tech press have struggled to keep up with these changes or even make sense of them. If “elites” are challenged on these shifty product developments, then the everyday user is either feeling flummoxed or blissfully ignorant of the surveillance capitalism changing our behaviors at scale.

Folks outside of the industry don’t need to understand the crucial distinctions between 1st party data and 3rd party data, the technical concept that underpins the business model of content monetization (the ad-supported web) as instituted at the dawn of the commercial internet. First-party data is collected by the site whose domain is shown in the browser toolbar, triggered by our deliberate actions: visiting a site, hitting a link, etc.

Third-party data gets collected when the first party invites others to tag along. Literally, up to hundreds of embedded tags (code snippets) call other servers on other domains hidden from our view (unless we go poking around or install something like PrivacyBadger, Disconnect.me or Ghostery). These third parties collect our browsing histories by planting cookies, pixels, and beacons and by capturing browser fingerprints, all for the purpose of associating our information and activity with an increasingly centralized identifier that the industry is determined to re-attach to our real identity, behind the curtain.

Adtech and its partners claim to de-identify our data (PII) upon collection but then they don’t admit that we are very likely re-identified as our data is collated, merged, and appended to an unknowable, unverifiable, unaudited data structuring regime. Adtech unabashedly boasts of its ability to match businesses to customers with unbridled accuracy. The industry uses various ad hoc techniques to mask (and hash) identifiers like email addresses when they share data with each other to target ads. I’ve been told by an adtech veteran it’s a bit like this:

Right now it works like a network of nosy neighbors comparing notes, constantly telling each other what the guy driving license plate XYZ is doing, where they are going, what they seem to be buying.
“He got out of his car and he’s wearing a green shirt! Now he’s at Home Depot, buying wood!”

While they may claim that our real names may or may not be shielded across business relationships, depending on many factors, I question if it even matters whether or not we are addressed by a unique number or the name given to us by our parents. It’s safe to assume that adtech partners can match unique identifiers with 40% accuracy in many contexts. That means there’s a very good chance your unique attributes are known and targeted across devices and services. Who cares if they know your name or not? They’re rather confident they know it’s you. When Facebook and Google control these targeting transactions they will be able to guarantee to advertisers with 99.99% confidence they can target someone just like you, because it is you.
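The point above about hashed email addresses can be made concrete. The following is an added example, not code from the original post or from any adtech vendor: it assumes unsalted SHA-256 as the "hash" (the post names no algorithm), uses constructed records for two hypothetical data holders, and contrasts that with tokens keyed per release, which no longer line up across datasets.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    """Trim and lower-case, the usual step before hashing an address."""
    return email.strip().lower()

def plain_hash(email: str) -> str:
    """Unsalted SHA-256: the same address yields the same token for every holder."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def keyed_hash(email: str, release_key: bytes) -> str:
    """HMAC-SHA-256 under a secret key used for one data release only."""
    return hmac.new(release_key, normalize(email).encode(), hashlib.sha256).hexdigest()

def share(records: dict, tokenize) -> dict:
    """Replace each e-mail key with its token before the data leaves the holder."""
    return {tokenize(email): attrs for email, attrs in records.items()}

def join_on_token(left: dict, right: dict) -> dict:
    """Merge attribute records that carry the same token, as a data match does."""
    return {t: {**left[t], **right[t]} for t in left.keys() & right.keys()}

# Constructed sample data: two unrelated holders know the same person's address.
RETAILER = {"Jane.Doe@example.com ": {"purchase": "lumber"},
            "sam@example.org": {"purchase": "paint"}}
PUBLISHER = {"jane.doe@example.com": {"read": "health article"},
             "lee@example.net": {"read": "sports"}}

def demo():
    # Weak: both holders apply the same unsalted hash, so the tokens match
    # and the "de-identified" records merge into one profile.
    weak = join_on_token(share(RETAILER, plain_hash), share(PUBLISHER, plain_hash))
    # Stronger: each release is tokenized under a different secret key
    # (constructed keys), so the two datasets share no join column.
    k1, k2 = b"constructed-key-retailer", b"constructed-key-publisher"
    strong = join_on_token(share(RETAILER, lambda e: keyed_hash(e, k1)),
                           share(PUBLISHER, lambda e: keyed_hash(e, k2)))
    return weak, strong

if __name__ == "__main__":
    weak, strong = demo()
    print("profiles linked via unsalted hash:", list(weak.values()))
    print("profiles linked via per-release keys:", list(strong.values()))
```

The unsalted token also fails as masking in the other direction: anyone who already holds the address can recompute the token and look the merged profile up.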

If you can parse this industry jargon, you can realize what’s really going on hidden in plain sight.
That bit.ly link is the source of the screenshot above, a LiveRamp (Acxiom) product announcement that even European data protection regulators are no match for the American marketing stack and its lobbying corps.
When a HIPAA re-identification expert from Columbia likes your tweet you know you’re on to something.

As Facebook and Google continue to swallow the advertising market from the legacy adtech industry (the Lumascape), a profound transformation is occurring beneath the surface. The duopoly is morphing into a chimeric beast that is both a first and third-party data collector. When you’re on Facebook.com or Google.com or any of their related sites, services, apps, or subsidiaries, your browsing and communications are collected and synchronized as first-party data. When you’re cruising around the web or using apps with integrated Facebook/Google modules such as sharing buttons, logins, analytics, and ad servers, then the duopoly is acting as a third-party, collecting your data. Up until recently, these were separate collections of your data, and probably remained somewhat anonymized and isolated.

As of the past few weeks, the duopoly has granted itself permission to eliminate the distinctions between our first and third-party data. Instead, both companies made the unilateral decision to consolidate their data sources into a single, fully integrated category of data. We were informed by crafty interface updates to our account settings and company blog postings. The privacy policies also undergo routine updates, it seems, but unless you are tracking the changes, only data protection regulators are noticing the implications. Meanwhile, the tech press plays flip-flop games with Facebook public relations representatives as to whether or not our location is used to advertise and/or suggest friends to us, or both.

These new updates to the ad privacy settings and policies enable the duopoly to blur the boundaries between first and third-party data, rendering them completely porous and functionally irrelevant. This helps explain why it’s so difficult to get our heads around interpreting their new settings and policies, translating into the real-world impacts on our privacy given their promise to be protective of our real names.

This also explains why adtech companies that exist solely as third-party data collectors are increasingly a house of cards. As a critical mass of people boycott adtech’s tag-along tags planted by publishers, then blocked by consumers, it shouldn’t be long before businesses spending cash on our attention spans will give up on legacy adtech, assuming that it’s on its last legs, and can’t compete with the duopoly in terms of reach and performance without something big changing, fast.

I expect to see more publications contend with the damage of their legacy adtech monetizing technology sustaining attacks on multiple fronts: from their readers using adblockers, criminals exploiting trackers for clickfraud and malware, and the duopoly capturing all new revenue on the supply-side while Facebook throttles access to their audiences on the demand-side. We’ve only just begun to process the implications for the news business and democracy more broadly.

Endgame Turnover

In this role reversal process, publishers are quickly swapping their role in the technology stack and becoming the third-party content supplier within the most important distribution context of Facebook’s first-party news feed for the 44% of Americans who prefer it that way, especially when publishers adopt the Instant Articles format. Astonishingly, publishers are being forced to shift their position into the advertising machine rather than installing advertising machines into their own technology platforms. They are losing control of the first-party data they once enjoyed but never effectively exploited. Now it’s perhaps too late, unless the industry surprises all of us and succeeds at mounting a collective action to resist this duopoly rather than scolding its own users by fighting adblocking while fully surrendering to the news feed and the search box.

I wonder if and when the press will start activating more debate about the regulation of data privacy as a means to limit the duopoly powers that are rapidly expropriating the value out of journalism and ruining our privacy as a byproduct?

If the media decided to aggressively take Google and Facebook to task on the underlying privacy issues that go unchallenged, they would put these companies on the defensive like never before. I’m waiting patiently for the exposé, whistleblowing, or pivotal court case that affirms our grave concerns that it is possible that innocent people can be harmed by the adtech industrial complex. It’s our privacy, our lives, that becomes increasingly subsumed into a duopoly determined to subjugate our data rights under their purview, so that we may lease our privacy rights back from these services, by using their interfaces, increasingly mandated by society, subject to their ever-changing privacy policies, which authorize the sale of our all-inclusive digital footprint to third-parties in one way or another.


Funding for the stock image rights for this post furnished courtesy of:


Instinctive Inc. strives toward a more privacy-aware marketing technology strategy. From what I can tell from engaging with the leadership of this company, Instinctive wants to move the industry in a better direction. That’s why I’ve accepted their support here and their sponsorship was purchased after the article was written, limited to the cost of the image rights.