Changing the world by ending personalised adverts
Words: Duncan McCann
Images: Grace Crossley
There is perhaps nothing that exemplifies the modern data economy more than the way that the Adtech industry works. Whole companies are built around the principle of relentlessly collecting as much data about internet users as possible, and monetising it. Our digital selves are now marketable products, with sites collectively broadcasting our personal data to advertising networks hundreds of billions of times every day in order to show us personalised adverts. This is a trade off — where the very meagre benefit to us of ‘increased relevance’ of the adverts we see just does not balance the massive privacy risk inherent in the way the system operates.
The power of the Adtech industry is growing all the time as it collects more and more information about us in order to provide us with relevant ads. Increasingly, they are expanding their use of these to use their extensive profiles to help make decisions about whether we should get a job interview or approve us for credit.
It is at the root of the online world’s obsession with capturing every possible data point about us as we navigate the online world. The Adtech world gathers all this data for two purposes. Firstly, thousands of separate companies gather and purchase huge volumes of data in order to create the most detailed profiles about us. Some of these companies are huge but remain largely unheard of. Acxiom, for example, holds profiles on over 700 million of us, while others, like Google or Facebook, are household names which both hold over 1 billion profiles each. Some of these profiles include thousands of data points about an individual. Acxiom admit that they think about 30% of the data in a profile is not correct — you can check your individual data profile on the Acxiom website, to see how right/wrong they’ve got you. Whereas some profiles are deep and contain thousands of data points — such as your age, gender, marital status, etc — others are just a single data point .
This collection has a purpose — they use it in order to provide us ‘personalised adverts’. Most people remain unaware of the way that just how adverts are personalised on the web. In reality, Amazingly it all happens in real time via and automated auction process run by algorithms. When you click on a webpage link, the page does not come preloaded with all the adverts on it. What happens in fact, is the website that you are on compiles a profile of you that is sent out to advertising middlemen who then organise a real time auction for the right to show you that advert.As well as relevant personal data that the site knows about you it also tries to include as many profile I.Ds that can link to bigger profiles held by third parties such as specific advertising I.Ds, unique tracking and cookie I.Ds as well as broker I.Ds. Recent calculations by the New Economics Foundation show that this is happening at least 10 billion times a day just for UK residents. When extrapolated for the global online population this rises to 700bn times every day.
This data is actively being broadcast about each and every one of us (that do not use ad blockers which prevent the profile information from being sent out) every day, every time we visit a webpage. The information can be relatively innocuous, like the page we are reading or what kind of content it is. But it, but also contains pieces of data that can be used to track us around the digital world.
Your IP address, device fingerprint or various IDs that can be used to link us to existing digital profiles are readily available, and industry rules about what types of information websites are able to broadcast about you include categories of data which are highly sensitive. Some of the attributes that the Interactive Advertising Bureau (IAB) — the Adtech industry rule setting body — list as being valid categories of information to use in the personalisation of adverts include a history of incest/abuse support, incontinence or infertility. This class of data is broadcast so widely into an uncontrolled environment.
These profile broadcasts are not meant to be recorded and held by the companies receiving them, but there is nothing that we, as users, can do to prevent this taking place. The French Information Commissioner recently caught a small operator, Vectuary, with 68 million illegal records of bid requests, which are the packets of information sent by the website containing all the information that it has on a particular person. This is likely to be the tip of the iceberg, with most of the bad practice hidden from sight.
All this seems in clear violation of our rights under GDPR. A case has already been brought by The Open Rights Group, which that is presently being considered by a number of Information Commissioners. A new piece of evidence provides even more damning evidence, if it were ever needed, from the IAB themselves, who clearly state in released internal documentation, following a freedom of information request, that real time bidding is ‘incompatible with consent under GDPR. Individual companies are coming to the same conclusion and deciding to pull out of the bidding process — at least for their EU based viewers. The New York Times did exactly this, and managed to increase its ad revenue from EU users despite not using the bid process to personalise their adverts.
This may seem like one of those intractable problems with the digital economy that seems impossible to fix — but it is not. In this case, there is an easy technical fix that helps to radically reshape the nature of the digital economy while also protecting our privacy.
In a report published in December 2018 I called for a ban on the transmission of personal information through the bid process. Under this proposed change, when a person clicks on a webpage only generic information will be sent to the bid request. Information about the page itself will still be sent along with information about approximate location, a general description of your device, and an approximate IP address. This would provide ample information to supply a relevant advert based on current browsing, but not personal information.
Changing the bid process would not only help protect our privacy but would also have a number of other benefits. It would reduce the commodification of personal data, by reducing the market for personal data and diminishing the ability of companies to monetise it. It would force tech giants to diversify their business model away from services based on constant surveillance and advertising of individuals.g. It would give power back to websites which spend time producing content and have a dedicated user base. It would fight back against ad fraud, by halting the revenue that can come from fraudulent sites.
This is something that we need to tackle now and we have people on our side. A recent poll of over 6000 people found that only 17% of people think of personalised adverts as ethical. We need to capitalise on this sentiment because our opportunity to change this before the practice is cemented in law is small. As you read this, lobbyist are hard at work ensuring that the successor to GDPR, the E-Privacy directive, contains a blanket justification for online advertising to broadcast and receive personal information.
