How I peeked at the personal data a billion dollar company holds about me

Turn, Inc is an internet retargeting firm. It logs online tracks and uses this information to set up auctions for the privilege of showing you advertisements. Among other techniques, it uses browser cookies and web beacons to uniquely identify your browser and, by extension, your eyeballs (a previous version of this text asserted that Turn uses canvas fingerprinting, but Turn’s lawyer has unambiguously asserted they do not, so I am correcting my statement).

The Safe Harbor agreements give the right to any EU citizen or resident to access their personal data from companies such as Turn. In April 2015, I asked Turn’s then lawyer, Max Ochoa (reachable at privacy@turn.com), to send me all the data held by Turn associated to my device identifiers (such as cookies or Apple advertising identifiers, see below). Turn initially fought against this request, but quickly caved when I started suing them. Now everyone should have an easier time asking for their data, and I provide quick instructions below.

Initial email requests

While assuring me that Turn takes consumer privacy seriously, Ochoa raised three objections in order not to comply with Turn’s legal obligations.

His first was essentially misdirection: Turn delivers tailored advertising using only non-personally identifiable information, and does not collect personally identifiable information (or PII) as part of this process. The concept of personally identifiable information comes from U.S. law, and is meant to neatly delimit what is identifying and what is not. It is also sector specific. In a sense, that term was outdated the moment it was written into law, as it gave a safe way for lawyers and tech experts to circumvent the law’s restrictions, as technology evolved: cookies are more identifying on the web than most first name/last name combinations. Of course, this concept is pure fiction from a European standpoint, as the EU privacy regulations leave the identifying method unspecified.

Ochoa’s second parry was to offer me the option of opting out of Turn’s tracking. Of course, I didn’t bite.

Finally, his third line of response was that Turn had no way of certifying the identifier was mine. I offered many ways to guarantee that I did own those devices: a picture of my face next to them, original bills, and even going to their corporate offices in Redwood City, CA, thousands of miles away (I was due to travel to the Bay Area anyways). Nothing worked.

Finally, in September 2015, I informed Ochoa that my next step would be to file a formal complaint. His response seemed pretty confident.

Paul-Olivier, It’s your right to do so. As we’ve previously explained, if a person sends us an identifier, we have no way of validating that it is from that same person’s device. It could be an identifier from another device, improperly obtained. Our policy is therefore to only consider requests from law enforcement authorities pursuant to valid subpoenas. Best regards, Max

I must admit I was a bit shocked. Ochoa was simultaneously implying that:

  • I could be a thief;
  • Turn is very happy to work for law enforcement authorities, and in no way feels obliged to provide a counterbalance to their collection capabilities, for instance through transparency efforts.

Is Turn still bound by Safe Harbor?

I filed at the end of September 2015, with the Better Business Bureau. This is a private arbitration/mediation court, mandated by Turn to resolve such complaints. The procedure is free for individuals to use (Turn pays), and the first recourse mechanism in the self-regulation framework envisioned by the Safe Harbor agreements.

On October 6th 2015, as part of a case brought forward by Austrian citizen Max Schrems, the EU Court of Justice invalidated the EU Commission decision that the Safe Harbor framework guaranteed equivalent protection to EU privacy regulations. This initially threw a wrench in the procedure I had just initiated: the Better Business Bureau seemed ready to drop the matter entirely.

In fact, on the U.S. side, the Safe Harbor framework translates into commitments the private companies take towards their customers on a yearly basis. As such, the EU decision didn’t change anything, and indeed the FTC advertised on its website the continued enforcement of the program. I pointed that out and after a few more weeks the BBB agreed to initiate proceedings.

Safe Harbor procedure against Turn

Once the procedure got going in earnest, the mediator was extremely professional. It became very clear very quickly that Turn had no leg to stand on. Turn asked if I was willing to sign a sworn affidavit confirming that I own the devices associated with the identifiers I had sent. I readily agreed (with hindsight, it would have been smarter from me to preempt this step months ago). Once Turn sent the affidavit, it became clear that Turn had slipped in an additional clause:

Pursuant to the rules of the Better Business Bureau EU Safe Harbor dispute resolution procedure administered by the Council of Better Business Bureaus, Inc., I agree to keep the existence of this affidavit and any information I receive from Turn Inc. associated with [my] identifiers confidential.

The Better Business Bureau procedure rules do not include this clause. They merely require participants to keep the procedure private while it is ongoing. I fired off a response alleging that this would violate several of my other fundamental rights (fair and public trial, etc), and simply signed off the affidavit after crossing out the additional clause. Seems to have done the trick.

After waiting a few more weeks (!), I finally got access, in January 2016, to my personal data. So??? What was the big secret? Not much, actually… Turn has contracts with at least one of Le Figaro, Huffington Post, Scout24.ch or AfriZap (the data flow between those is not clear, but I will ask Turn for additional explanations). I seem to have fallen prey to clickbait from those sites a couple times, once at work. Altogether, this is nothing earth-shattering. Nevertheless, now that I have asked Turn for my data, everyone else can do it too and should have an easier time. I encourage you to do so. Who knows, maybe one day Turn will want to follow the example of their competitor Criteo, which attempts to make such requests a lot easier.

How to ask Turn for your data

  1. Compile as many of your personal identifiers as you can: your turn.com browser cookies (not hard to do, Google some instructions for your specific browser), IDFAs for iOS (see below), Google Advertising IDs for Android (see below). Each should be a long string of alphanumeric characters.
  2. Sign and scan an affidavit confirming these identifiers are associated to devices you own (see template below).
  3. Fire off an email to privacy@turn.com, with an explicit request for the data associated to these identifiers, a scan of an ID document, and your affidavit.
  4. Wait, and if necessary after 30 days remind them of their need to comply. Wait more.
  5. Hopefully Turn has by now learned their lesson and will have complied. If not, file a complaint with either the Better Business Bureau or the Federal Trade Commission (since a pattern of non-compliance would then have been established).

Affidavit template

Affidavit of ownership of identifiers

I, XXXXXX, hereby solemnly affirm and certify under penalty of perjury as follows:

  1. I am citizen of EUROPEAN COUNTRY, and I currently reside in WHEREVER. [Just one of the two needs to be a European country, or Switzerland]
  2. I am the owner and controller of Apple mobile devices associated with the following Identifiers for Advertisers (“IDFAs”): [list them, see below]
  3. I am the owner and controller of Android mobile devices associated with the following Google Advertising IDs: [list them, see below]
  4. I am the owner and controller of computers running web browsers associated with the following “uid” cookie values set by the turn.com domain: [list them]

I solemnly affirm and certify under penalty of perjury that the foregoing is true and correct.

DATE — NAME — SIGNATURE

How to get your IDFAs (iOS)

Install an app called “The Identifiers”, and consult the section named “Advertising identifier” (Please inform me if there is a better solution).

How to get your Google Advertising ID (Android)

On your Android device, go to “Google Settings” → “Ads” → “Your advertising ID”.