Google’s ad-tech infrastructure routine sticks out some pretty interesting ads based on what user’s search online and according to their behavior. Male impotence, right-wing politics, STDs, these are just some of the many things you see!This sensitive information is broadcast to third party companies via a real-time ad auction. This is the modern online advertisement system! The General Data Protection Regulation (GDPR) has launched a legal complaint against the practice.
The intensity of the situation
Lodged last fall, the complaint highlights the systematic wide-scale breach of the user data by Google and other parties that are a part of the behavioral advertising industry. The complaint argues that the advertisement industry is involved in broadcasting user information that goes beyond the information necessary for behavioral advertisements.
Invasive profiling such as this has no justification. Moreover, users filing complaints are coming up with evidence showing advertisement lists created by Google and IAB (Internet Advertising Bureau) that use up intimate information.
International parties supporting the complaint
Panoptykon foundation, a Polish anti-surveillance NGO has also notified its DPA about the GDPR infringement. The president expresses worries, saying that the ad system design is obscure and the opacity makes it harder for users to exercise rights. The lack of a mechanism to remove, verify or correct categories assigned to users makes it even creepier!
A source working with the complainants added that Panotykon’s work on the subject is an addition to the increasing focus on real-time bidding UK ICO and Irish DPC both are (RTB) working on the complaint, and we expect a Europe wide regulatory response is expected.
Supporting evidence
Three documents have useful as evidence; one that Google uses and the other that IAB uses to provide a list of ad categories to publishers. Online publishers download these lists without the presence of a system that shows how this information sells out to the highest bidders.
Sensitive data categories may seem harmless but contain the most sensitive information. Moreover, Europe considers this sensitive data special category personal data such as medical info, religious or philosophical views, and information about religion and ethnicity. And these categories have been found in the lists reviewed.
How special is “special category” data?
The use and processing of Special Category Data require special user consent with the exception that is required for the protection of the vital interests of users. During the whole RTB process, users do not authorize data transactions. Otherwise, we would see a whole lot of creepy requests piling up in browsers!
The rate of Real-time Bidding is such that the dissemination may be happening without any consent or control. Combining the data with data gathered from other sources allows the creation of extremely intimate user profiles.
Adding to the chaos
What’s scarier is that the industry is involved in the encouragement of such practices and doing nothing to ensure a safeguard to protect user integrity. What’s more is that users may be unaware about their data is available for distribution unless they’ve managed to create access requests to companies.
Even with that, it may not be clear whether the organizations comply with these requests. In the absence of regulators, industry-wide compliance isn’t ensured! According to the New Economics Foundation Estimate, an average internet user’s profile broadcast happens164 times per day and not necessarily for targeting ads!
Birth control, Islam, Judaism, diabetes is examples of some labels attached to the web user’s identity and allowing them to share it with numerous bidding companies. The V2 IAB content taxonomy lists these categories, whereas the v1 of the IAB taxonomy is evidence-including extremely disturbing information including abuse support.
The counterargument falls flat
When asked to comment, the IAB posted a statement on its website that argued that the complainants are misdirected at the IAB tech lab or IAB Europe and denied any breach of EU data protection law.
Complainants argued that as a bystander, the IAB isn't completely faultless and is promoting the system. New evidence by the IAB highlights the unreasonably intimate data shared. It highlights how the things you watch, listen to and search for, which is otherwise “special category “data in the GDPR is used against your interests.
When asked to comment a representative of Google replied that any information violating their policies should need reporting and appropriate action will follow. The main complaint against RTB refers to the inherent risk to users through their current online ad auction. A statement that talks about policies that prohibit such acts don’t come close to closing down systems that make this possible.
After reviewing the category lists, the ICO spokesperson stated that the partner authorities on the European Data Protection Board are currently engaged with Google, and will consider the concerns highlighted.
Making behavioral advertising a priority, and has noted its ability to probe into web and devices. As more devices connect to the internet, advanced tracking strategies are making the availability of information and its use more common.
We do know from the past, that Google is involved in scanning user inboxes to generate relevant ads. With increased user awareness and increased sophistication in deciphering information, let’s see what the companies settle for this time!