Challenging Data Exploitation

On the surface, online advertising sounds like a great deal for everyone: people can use websites and services for free; publishers, websites and app developers can monetise their products; and advertisers can reach their audiences.

But here is the catch: over the past decade targeted advertisement has become exponentially more invasive. To enable targeted advertisement as it is common today, massive amounts of data about individuals are collected, shared and processed. In practice, this means that most of what you do online - such as the websites you visit, the apps that you use, what you do on them, what you watch, what you buy, what you read, your location and your interests etc. – is being tracked, shared and used to profile you. And this is not a one company problem, it's an entire complex and opaque ecosystem that includes data brokers and credit reference agencies. As a result, tracking and profiling has become virtually inescapable and the ecosystem is so leaky and complex, that it has become impossible to know where your data ends up. 

 

Why it Matters

Intrusive data collection is not the only reason why the current ad tech ecosystem comes at a hidden cost to all of us. Targeted ads can be discriminatory (you might not be not shown a job because you're a woman or a loan because you live in the wrong neighbourhood), they can seek to be manipulative  (you are served tailored information to target those that are most vulnerable), and you as a user have no control over how this data is shared and repurposed (say, with data brokers and others who are selling your personal information to people outside the advertising ecosystem, including political actors). 

Finally, collecting and sharing these personal data with innumerable third parties comes with a huge and growing security risk, for instance, if data is breached or insufficiently protected. In fact, this risk is the same, regardless of whether tracking is done for advertising or for other purposes. Tracking data can be very personal and reveal intimate information (such as when the gay dating app Grindr was found to have shared people’s HIV status with two analytics companies), which puts people and communities at risk of harassment, stalking, identify thief and more.

This all maters because there is no easy way to avoid this. Even with the best intentions and motivation, it is extremely difficult if not impossible to opt-out of all the existing tracking methods. And that's without getting to the point that this should not be the default and rather an opt-in. From endless opt-out buttons to invisible tracking pixels to cross device tracking and fingerprinting techniques, it is almost impossible to make companies respect your decision not to be tracked. 

With the expansion of ad tracking into smart devices, and the ability to perform cross-device tracking, it is more important than ever to hold the online advertisement ecosystem to account so that individuals, communities and societies are protected.

On the surface, online advertising sounds like a great deal for everyone: people can use websites and services for free; publishers, websites and app developers can monetise their products; and advertisers can reach their audiences.

But here is the catch: over the past decade targeted advertisement has become exponentially more invasive. To enable targeted advertisement as it is common today, massive amounts of data about individuals are collected, shared and processed. In practice, this means that most of what you do online - such as the websites you visit, the apps that you use, what you do on them, what you watch, what you buy, what you read, your location and your interests etc. – is being tracked, shared and used to profile you. And this is not a one company problem, it's an entire complex and opaque ecosystem that includes data brokers and credit reference agencies. As a result, tracking and profiling has become virtually inescapable and the ecosystem is so leaky and complex, that it has become impossible to know where your data ends up. 

 

Why it Matters

Intrusive data collection is not the only reason why the current ad tech ecosystem comes at a hidden cost to all of us. Targeted ads can be discriminatory (you might not be not shown a job because you're a woman or a loan because you live in the wrong neighbourhood), they can seek to be manipulative  (you are served tailored information to target those that are most vulnerable), and you as a user have no control over how this data is shared and repurposed (say, with data brokers and others who are selling your personal information to people outside the advertising ecosystem, including political actors). 

Finally, collecting and sharing these personal data with innumerable third parties comes with a huge and growing security risk, for instance, if data is breached or insufficiently protected. In fact, this risk is the same, regardless of whether tracking is done for advertising or for other purposes. Tracking data can be very personal and reveal intimate information (such as when the gay dating app Grindr was found to have shared people’s HIV status with two analytics companies), which puts people and communities at risk of harassment, stalking, identify thief and more.

This all maters because there is no easy way to avoid this. Even with the best intentions and motivation, it is extremely difficult if not impossible to opt-out of all the existing tracking methods. And that's without getting to the point that this should not be the default and rather an opt-in. From endless opt-out buttons to invisible tracking pixels to cross device tracking and fingerprinting techniques, it is almost impossible to make companies respect your decision not to be tracked. 

With the expansion of ad tracking into smart devices, and the ability to perform cross-device tracking, it is more important than ever to hold the online advertisement ecosystem to account so that individuals, communities and societies are protected.

Our data reveals a lot of information about us. From our data, intelligence is gleaned about us - our habits, our health and finances, our desires and hopes - some of which may be inaccurate. Yet our technologies are now designed to generate and disclose vast amounts of data, and beyond our control. Privacy International is fighting so that our technologies work for us and do not betray us.

Increasingly everything we do generates data, whether we are in possession of a device or not. Our devices, networks, and homes generate vast amounts of data. Our transport systems, cars, payment systems, and cities also generate data through us and about us. With all this data, we may be able to make the world a fairer, better, cleaner, more sustainable, and safe place. The opposite may also apply.

We want to see a world where we are in control of information about us. From our data, intelligence is gleaned about us - our habits, our health and finances, our desires and hopes - some of which may be inaccurate.

Privacy International is fighting so that our technologies work for us and do not betray us.

Our devices and infrastructure are being designed for data exploitation. Increasingly it is beyond the ability of individuals themselves to control the ways in which data about their lives is shared and processed.

As a result, industry and government are amassing our data with impunity. They aspire for a data-driven world that frees them to grab our data, to look for patterns and similarities, to generate intelligence, and make decisions about us and the shape of our futures.

We are not ready for the future that is already being built. Our laws are not yet able to address these risks. Our technologies are insecure and leak data. In turn, we are not secure.

Revelations and scandals about how intelligence agencies and industries use our personal data give us snapshots of the future. It starts with excessive data generation and collection. Then the data feeds into their systems, which they use to understand our behaviours and then to classify us. These classifications become impossible to escape – they can even become more trusted than actual reality. Do you think you are worthy of credit? The system disagrees. You claim you are not a terrorist? The computer says otherwise.

These systems are often shrouded in secrecy. That secrecy makes it impossible for us to know where we stand or to seek redress to free ourselves. Will your actions make the system think you are a terrorist? Can the system, like all systems, be gamed by the powerful or technologically savvy?

In a democratic society, it is essential we continue to be able to watch the watchers. We must also maintain control of the data controllers. Otherwise, a future of data exploitation will chill our autonomy and diminish our dignity.

Here’s what we do to end Data Exploitation

Privacy International is investigating how our data is generated and exploited, engaging the public through awareness-raising campaigns, and exploring the necessary legal and technological frameworks to protect against data exploitation.

You might be wondering how all of this tracking and data sharing is even legal, especially under the General Data Protection Regulation (GDPR). We do too! Privacy International has spent the last years looking at how our data is exploited, this includes investigating and challenging the hidden online data ecosystem built on tracking, profiling and targeting us. Using the new standards set by GDPR, Privacy International is seeking to promote regulatory scrutiny of the industry and hold specific actors to account. In November 2018, we complained about seven companies in the hidden data ecosystem to Data Protection Authorities in Ireland, the UK, and France. As a result of our submission, the Irish Data Protection Commission (DPC) has now opened a formal probe into Quantcast’s data practices. We believe AdTech companies' practices are in breach of GDPR and want to continue to hold these companies to account.

But this alone is not enough. We believe that people should be able to understand what's at stake. To contribute to this, we have written 3 explainers to simplify concepts and topics related to online advertisement:

  • Tracking: the reality and mechanism behind AdTech tracking how it turned the internet into a surveillance machine  
  • Cookie banners and consent boxes: why they are so annoying and deceptive 
  • Real-Time Bidding (RTB): a widely spread technology used for targeted advertisement that implies the sharing of your data with hundreds of companies

In addition to this, and because we are not the only ones concerned and working on these issues, we have created a resource page presenting initiatives led by other organisations and individuals tackling AdTech as well as a timeline of complaints against AdTech. This includes examples of harms, legal actions, research and explainers, illustrating the scale of the problem and the different action taken.

 

You might be wondering how all of this tracking and data sharing is even legal, especially under the General Data Protection Regulation (GDPR). We do too! Privacy International has spent the last years looking at how our data is exploited, this includes investigating and challenging the hidden online data ecosystem built on tracking, profiling and targeting us. Using the new standards set by GDPR, Privacy International is seeking to promote regulatory scrutiny of the industry and hold specific actors to account. In November 2018, we complained about seven companies in the hidden data ecosystem to Data Protection Authorities in Ireland, the UK, and France. As a result of our submission, the Irish Data Protection Commission (DPC) has now opened a formal probe into Quantcast’s data practices. We believe AdTech companies' practices are in breach of GDPR and want to continue to hold these companies to account.

But this alone is not enough. We believe that people should be able to understand what's at stake. To contribute to this, we have written 3 explainers to simplify concepts and topics related to online advertisement:

  • Tracking: the reality and mechanism behind AdTech tracking how it turned the internet into a surveillance machine  
  • Cookie banners and consent boxes: why they are so annoying and deceptive 
  • Real-Time Bidding (RTB): a widely spread technology used for targeted advertisement that implies the sharing of your data with hundreds of companies

In addition to this, and because we are not the only ones concerned and working on these issues, we have created a resource page presenting initiatives led by other organisations and individuals tackling AdTech as well as a timeline of complaints against AdTech. This includes examples of harms, legal actions, research and explainers, illustrating the scale of the problem and the different action taken.