- New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.
- Further new evidence drawn from sample bid requests in Google and IAB’s own documentation reveals the personal data in bid requests.
- Campaign website launched at fixad.tech
Privacy watchdogs in the UK and in Ireland today received evidence of the data crisis at the heart of the online advertising industry.
The new evidence, taken from Google and IAB (an industry rule-setting body) documents, shows that the online ad auction system broadcasts highly sensitive data about web users. This occurs hundreds of billions of times a day. There are no technical controls to prevent the thousands of companies that receive these data from monitoring what every person on the web reads, watches, and listens to online.
The IAB “transparency and consent framework” has become the de facto GDPR consent system for major websites. But the new evidence also reveals that the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, before it even launched the system.
The evidence also shows that the IAB had concerns that its ad auction rules, which govern the €12 billion “real-time bidding” online ad auction industry in Europe, were incompatible with the GDPR.
The evidence has been submitted by Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave, a private web browser. All three are represented by Ravi Naik of ITN Solicitors. This is part of a major complaint about the online ad auctions system that is ongoing in the UK, Poland, and Ireland. See previous evidence and all filings to date at /update-rtb-ad-auction-gdpr/
The solution to all of this is simple. The IAB RTB system allows 595 different kinds of data to be included in a bid request. 4% of these should be disallowed, or truncated. The same applies to the Google system. It is an easy fix, long overdue, and will prevent the system from leaking the personal data (including location and interests) of every single person on the Web.
“We want to reform adtech, not kill it”, said Dr Johnny Ryan of Brave. “This new evidence exposes the massive data breach at the heart of the online advertising system. The IAB and Google have it in their power to fix this”.
Jim Killock of Open Rights Group said: “The ad industry needs to obey the law. Leaving advertisers including Google to breach data protection in this way makes a mockery of privacy law. But fixing the ad industry means gaining trust and consumer confidence, which will ultimately benefit everyone.”
“Big adtech has spread the myth that the current way the system operates is the only way it ever could. This is simply untrue”, said Michael Veale of University College London. “A better, more secure and less invasive system is within reach, and regulators must be at the forefront of realising it. Online infrastructure must be designed with privacy and data protection deeply at its core.”
Ravi Naik, Partner at ITN Solicitors, said “The evidence is overwhelming. The IAB’s own documents contain admissions of concerns of the infringements of the GDPR. Those concerns that the IAB had are part of those as are detailed within our clients’ complaints and evidence. That evidence shows that the infringements can occur billions of times a day. The scale is widespread and the infringements systematic. Reform is needed and we trust that the regulators will act accordingly.”
THE NEW EVIDENCE
PART 1: the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, and would have no other legal basis.
“1a Townsend Feehan email 26 June 2017.pdf” is an e-mail from Townsend Feehan, CEO of IAB Europe, to senior personnel at the European Commission Directorate General for Communications Networks, Content and Technology.
Her e-mail refers to a paper attached here as “1b IAB 2017 paper.pdf”, which was an attachment to her e-mail. These documents were obtained through a freedom of information request to the European Commission. On page 3 of this document, the IAB acknowledges that “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario”. This is an incredible admission, and acknowledges the precise issue at the core of the complaint currently before European regulators.
Moreover, in the same section, the IAB acknowledges that “this would seem, at least prima facie, to be incompatible with consent under GDPR”. Although the facts underlying these admissions did not change, the IAB proceeded to launch a mechanism that purported to satisfy the GDPR’s consent requirement. Indeed, it was Ms. Feehan again who announced this “Consent and Transparency Framework” on 25 April 2018.
Then, in May 2018 – a month after the IAB consent mechanism was launched – the IAB again acknowledged that “there is no technical way to limit the way data is used after the data is received by a vendor for … bidding” in “2 Publishers.json v1.0.pdf” (see highlighted text on page 5).
It also acknowledged that the bid request assumes “indiscriminate rights for vendors, … surfacing thousands of vendors with broad rights to use data without tailoring those rights may be too many vendors/permissions”.
In other words, before and after the launch of its consent mechanism, the IAB had acknowledged there was no way to control who receives what data, or what they do with those data once received.
PART 2: sensitive data about people are broadcast in the online ad auction system, hundreds of billions of times a day. This makes it possible for shadowy companies to know what every person on the web reads, watches, and listens to online.
“3 bid request examples.pdf” reproduces a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The fourteen sample bid requests further prove that very personal data are contained in bid requests.
They include not only specific (sample) people’s browsing history, pseudonymous identification codes, and weighting of their interests, but often their GPS locations too. Clearly, this is highly sensitive stuff, and it is remarkable that these are offered as public documentation by the two rule setters of the industry as examples of what should be done.
“4 bid request scale overview” shows that the seven largest advertising exchanges handle hundreds of billions of bid requests per day. This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average UK internet user 164 times a day was a conservative estimate.
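The fix proposed earlier on this page (disallow or truncate a small share of bid request fields), applied to the kinds of data described above, as an added example that is not taken from the IAB’s or Google’s documentation or from the filed evidence. Field names follow OpenRTB 2.x; which fields are dropped and how coarsely values are truncated are assumptions made here, since the page does not list its 4%.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Assumption: this selection is illustrative. The page does not enumerate
# which fields make up its 4%; names follow the OpenRTB 2.x bid request object.
DROP = [
    ("user", "id"), ("user", "buyeruid"), ("user", "yob"), ("user", "gender"),
    ("user", "keywords"), ("user", "data"), ("user", "geo"), ("site", "ref"),
    ("device", "ifa"), ("device", "didsha1"), ("device", "dpidsha1"),
]

def truncate_ip(ip):
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def minimise_bid_request(req):
    """Return a copy of a bid request with identifying fields dropped or coarsened."""
    out = copy.deepcopy(req)
    for parent, key in DROP:
        out.get(parent, {}).pop(key, None)
    device = out.get("device", {})
    for key in ("ip", "ipv6"):
        if key in device:
            device[key] = truncate_ip(device[key])
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], 1)  # 0.1 degree, roughly 11 km of latitude
    geo.pop("zip", None)
    site = out.get("site", {})
    if "page" in site:  # keep scheme and host, drop the article path and query
        parts = urlsplit(site["page"])
        site["page"] = f"{parts.scheme}://{parts.netloc}/"
    return out

# Constructed sample request (not taken from the filed evidence).
SAMPLE = {
    "id": "constructed-req-1",
    "site": {"page": "https://news.example/health/article-123?src=mail",
             "ref": "https://search.example/?q=symptoms"},
    "device": {"ip": "203.0.113.77", "ifa": "00000000-0000-0000-0000-000000000001",
               "geo": {"lat": 53.34981, "lon": -6.26031, "country": "IRL", "zip": "D02"}},
    "user": {"id": "sdgdsg1231241245", "buyeruid": "constructed-buyer-id", "yob": 1980},
}
if __name__ == "__main__":
    print(minimise_bid_request(SAMPLE))
```

What remains after minimisation (site host, country, coarse location) still supports contextual bidding, while the persistent identifiers, exact coordinates and article URL are no longer broadcast.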
Note for reporters regarding “pseudonymous data”:
Data are only pseudonymous if “kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person” according to GDPR Article 4(5). In other words, replacing “Johnny Ryan” with “sdgdsg1231241245”, and then broadcasting that ID to hundreds of companies along with their browsing history and physical location, etc. is not sufficient to be considered pseudonymous. Even if it were, GDPR Recital 26 and Recital 28 make it clear that pseudonymous data do remain personal data, and must be protected.
New evidence filed today
- 1a Townsend Feehan email 26 June 2017.pdf
- 1b IAB 2017 paper.pdf
- 2 Publishers.json v1.0.pdf
- 3 bid request examples.pdf
- 4 bid request scale overview.pdf
Complaints to date
- Filing with the Polish data protection authority against Google 1/2019 (PDF)
- Filing with the Polish data protection authority against IAB 1/2019 (PDF)
- Filing with the UK Information Commissioner against IAB Europe and Google 9/2018 (PDF)
- Filing with the Irish Data Protection Commissioner against IAB Europe and Google 9/2018 (PDF)
- Report on behavioural advertising and personal data 9/2018 (PDF)
Additional evidence filings
- IAB
  - Excerpt of IAB’s official “content taxonomy v1” list. See also the full document with special category data highlighted and the original spreadsheet list from IAB.com (see tab 2). Although the IAB describes the “content taxonomy v1” list as “depreciated”, this list is actually widely used, and is included in the latest version of the IAB’s ad auctioning system (OpenRTB 3.0 and AdCOM v1), which were updated in the last three months.
  - Excerpt of IAB’s official “content taxonomy v2” list. See also the full list with sensitive data highlighted and the original spreadsheet list from IAB.com (see tab 1).
Coverage to date
- Unearthed emails could be smoking gun in epic GDPR battle against Google, adtech giants, The Register, 20 February 2019
- Online advertising body accused of knowingly breaking UK & EU data laws, Sky News, 20 February 2019
- Privacy activists say online ad industry knowingly violated GDPR, Mashable, 20 February 2019
- Google accused of sharing data about intimate personal details, The Times, 2 February 2019
- Ad-tech industry: GDPR complaint is like holding road builders to account for traffic violations, The Register, 31 January 2019
- Online ad industry rejects complaints of targeting users, The Irish Times, 30 January 2019
- IAB Tech Lab And Google Criticized In EU By Privacy Advocates, MediaPost, 29 January 2019
- Tech companies ‘using sensitive personal data to target users for ads’, Irish Independent, 29 January 2019
- Google Accused Of Using Sensitive Data To Target Online Ads, Silicon UK, 29 January 2019
- Google And Ad Tech Body Are Still Not Protecting Our Data, Digital Information World, 29 January 2019
- Google and adtech body criticised over data protection, The Financial Times, 28 January 2019
- Google and IAB ad category lists show “massive leakage of highly intimate data”, GDPR complaint claims, TechCrunch, 28 January 2019
- Privacy groups claim online ads can target abuse victims, Wired, 28 January 2019
- Ad Industry Accused Of ‘Massive’ Privacy Breach, Forbes, 28 January 2019
- Google and Ad Industry Accused of “Massive” Abuse of Intimate Personal Data, Fortune, 28 January 2019
- New documents back complaints about online advertising, The Irish Times, 28 January 2019
- ‘Male impotence’: How tech firms classify what you read, Sky News, 28 January 2019
- Gripe to UK, Ireland, Poland: Ad tech industry inhales, then ‘leaks’ sensitive info on our health, politics, religion, The Register, 28 January 2019
- Google and IAB hit with fresh complaints over ‘intimate’ user profiling for adverts, City A.M., 28 January 2019
- Polish Privacy Group Celebrates Data Protection Day With A Nastygram For RTB, Ad Exchanger, 28 January 2019
- Google, online ad industry accused of abusing intimate personal data in GDPR complaint, Mashable, 28 January 2019
- GDPR complaint blasts ‘highly intimate’ Google mental health and male impotence ad labels, The Drum, 28 January 2019
- Privacy groups blast Google, IAB over data leak via ad auctions, CSO Online, 28 January 2019
- GDPR can’t stop behavioral ads, but these bitcoin-friendly browsers can help, Bitcoinist, 28 January 2019
- Privacy campaigners file new evidence to support claims that Google unlawfully profiles internet users, Computing, 28 January 2019
- Mozilla co-founder’s Brave files adtech complaint against Google, Reuters (this report also ran in The New York Times, Yahoo! News, and DailyMailOnline), 12 September 2018
- Privacy browser Brave files Adtech complaint against Google, Daily Mail, 12 September 2018
- As Brave Gears Up to Weaponize Privacy, Google Becomes Its Primary Target, Ad Week, 12 September 2018
- Ad-blocking browser Brave says Google is breaking EU privacy law, Engadget, 12 September 2018
- How Google is breaking EU privacy law, according to a new complaint, Fast Company, 12 September 2018
- Brave browser files GDPR breach complaints against Google in the EU, ZD Net, 12 September 2018
- Brave browser dumps Google search in France, Germany, C Net, 12 September 2018
- So Brave: Browser biz sics Brit watchdogs on Google’s info slurpage, The Register, 12 September 2018
- Pro-privacy company Brave files GDPR complaint against Google, TechSpot, 12 September 2018
- Privacy-focused browser Brave sues Google, claims breach of Europe’s GDPR rules, Digital Trends, 12 September 2018
- Google Responds to Allegations That It Violates GDPR, Toms Hardware, 12 September 2018
- Privacy-browser Brave launches GDPR ad tech ‘test case’ against Google, Marketing Tech News, 12 September 2018
- Brave Launches Legal Offensive on Google Ads Data Collection Practices, CoinDesk, 12 September 2018