Ryan’s testimony at International Grand Chamber: RTB data breach enables disinformation. Enforcers can be sued.

by Nov 11, 2019Brave Insights, GDPR, Policy

Speaking to members of ten nations’ parliaments, Dr Ryan of Brave described how RTB allows every voter to be profiled, and enables a business model for the bottom of the web. He also answered questions on how to ensure that regulators enforce the law.

Dr Johnny Ryan of Brave testified on 7 November 2019 at the International Grand Committee on Disinformation and “Fake News”. Representatives from the US Congress, UK Parliament, and ten other governments gathered for joint hearing on disinformation, in Dublin, Ireland. Dr Ryan’s panel included Roger McNamee, Facebook investor; Carole Cadwalladr of The Guardian; Karlin Lillington of The Irish Times; and Ben Nimmo of The Atlantic Council.

RTB and Disinformation 

Dr Ryan testified about the privacy impact of the multi-billion dollar “real-time bidding” online advertising industry. He described in his opening statement how RTB exposes every voter in every election to extensive profiling, and micro-targeted disinformation. He also described how RTB provides a business model for the bottom of the web, while undermining the businesses of worthy publishers.

Prompting enforcers to act 

At 7:20 (see video) Dr Ryan urges national parliamentarians to make sure that the Irish Data Protection Commission (DPC) is doing its job and that it has the necessary resources to do so. Over a year since his initial RTB complaint, Dr Ryan notes that the GDPR and the courts’ supervisory role means that he has the right to pursue court action against the Irish Data Protection Commission (DPC) to force regulatory action. Dr Ryan holds these rights in reserve and trusts that the DPC will take the appropriate steps in response to his complaint, so that court action will not be necessary.

The text of Dr Ryan’s opening statement, and video of all of his remarks, are presented below.

Video: Dr Ryan testimony and question and answer clips. 

Opening statement in testimony of Dr Johnny Ryan, Brave Software, at the International Grand Committee on Disinformation and “Fake News”. 

Thank you Cathaoirleach and distinguished members of the Grand Committee.

I represent Brave, the private web browser. Brave’s CEO invented JavaScript, and co-founded Firefox.

Since those early days, the Web has become grimy. Millions of people use the Brave web browser to make the Internet private and fast again.

Cathaoirleach, disinformation is possible because of what happens almost every time you load an ad-supported website. When a webpage loads, data about your interests is broadcast to tens or hundreds of companies. This lets technology companies representing advertisers compete for the opportunity to show you an ad.

Here are the kind of things about that you can be included in these broadcasts: your – inferred – sexual orientation, political views, religion, health conditions, etc.,[i] what you are reading or watching,[ii] and where you are at that moment.[iii] And they include ID codes that are as unique to you as a social security number, so that all of this data can be added to dossiers about you – whatever age you are.[iv]

Every day, this happens hundreds of billions of times[v] in the multi-billion dollar “real-time bidding” industry.[vi] This is perfect data for micro-targeted disinformation, and there is no control over what companies do with it.

In short, real-time bidding (RTB) exposes every voter, every where.

At the same time, Cathaoirleach, RTB is a cancer eating the heart of legitimate media, and a business model for the bottom of the web.

If you read about a luxury car on The Irish Times, and then later visit a less reputable website, you may see luxury car ads there. Companies that know you are a high value Irish Times reader – thanks to the RTB system – show ads to you on the less reputable website at an enormous discount. They want you because you are an Irish Times reader, but The Irish Times does not benefit. The industry calls this “audience arbitrage”.

RTB also enables massive fraud that further harms legitimate publishers. “Ad bots” masquerading as humans pretend to view and click on ads. Real advertisers are then charged real money, even though nobody really saw any ads. The estimates of the cost of this “ad fraud” range from 5.8 to 42 billion of dollars, diverted from legitimate publishers to the bottom of the web.[vii]

But, Cathaoirleach, we run an ad business, and we know that completely private ads are far more effective than Big Tech’s tracking-based ads.[viii] Privacy is smart business.

We have brought a completely advertising system to the market, and over the last six months it has proven that opt-in, private ads has far higher engagement than tracking based ads.

In closing, members of the Grand Committee from around the globe, we at Brave urge you to take one action: apply intergovernmental pressure on the two organisations that decide the rules of the global RTB industry. One is the “IAB”, the industry’s standards body, whose biggest members are Google and Facebook. The other is Google. The IAB and Google set the rules for the global RTB industry, and are therefore responsible for the biggest data breach ever known.

Brave’s evidence[ix] to regulators has triggered GDPR investigations into both of them. But regrettably, after over a year, we still wait for regulatory action.[x]

Grand Committee members, we urge you to pressure the IAB and Google to end personal data broadcasts. At a single stroke, you can starve disinformation micro-targeters of data, and the bottom of the web of cash.

Thank you.

 

Notes

[i] See Google’s RTB “Publisher Verticals” list, which is referred to in several contexts from the Google Authorized Buyers Proto (URL: https://developers.google.com/authorized-buyers/rtb/downloads/publisher-verticals); see also IAB OpenRTB “content taxonomies” list, which is referred to in several contexts in the IAB OpenRTB AdCOM API (https://www.iab.com/wp-content/uploads/2017/11/IAB_Tech_Lab_Content_Taxonomy_V2_Final_2017-11.xlsx). Note that Google claims to not allow targeting based on such things, but the “publisher verticals” list indicates what is actually permitted for use.

[ii] See “Ryan report on behavioral advertising and personal data” and “Examples of data in a bid request from IAB OpenRTB and Google Authorized Buyers’ specification documents” (URL: http://fixad.tech/wp-content/uploads/2019/02/3-bid-request-examples.pdf), evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 and 20 February 2019.

[iii] See “Object: geo” in AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018 (URL:

https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20v1.0%20FINAL.md); and “Hyperlocal object”, “Point object”, “HyperlocalSet object” in Authorized Buyers Real-Time Bidding Proto”, Google, 23 April 2019 (URL:

https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide). The IAB system permits latitude and longitude. The Google system does not.

[iv] See “Object: user” in AdCOM Specification v1.0, Beta Draft”, IAB TechLab, 24 July 2018 (URL:

https://github.com/InteractiveAdvertisingBureau/AdCOM/blob/master/AdCOM%20v1.0%20FINAL.md); “hosted_match_data”, “google_user_id”, and “UserList object” in Authorized Buyers Real-Time Bidding Proto”, Google, 23 April 2019 (URL:

https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide).

[v]  For the scale of the data breach, see “Count of hundreds billions of bid request broadcasts”, evidence submitted to data protection authorities in UK & Ireland (URL: https://brave.com/wp-content/uploads/2019/07/Scale-billions-of-bid-requests-per-day-RAN2019061811075588.pdf).

[vi] In 2018 RTB accounted for $19.55B of advertising spending in the United States, and €5.5B in Europe. See “Programmatic ad spend in Europe 2018”, IAB Europe, September 2019 (URL: https://iabeurope.eu/wp-content/uploads/2019/09/IAB-Europe_European-Programmatic-Ad-Spend-2018-Report_Sept-2019.pdf), p. 7; and US PROGRAMMATIC AD SPENDING FORECAST 2018, eMarketer, April 2018 (URL: https://contentb-na2.emarketer.com/content3/US_Programmatic_Ad_Spending_Forecast_2018_eMarketer.pdf), p. 6.

[vii]“The impact of AI for digital advertisers”, Juniper Research, May 2019 (URL: https://www.juniperresearch.com/document-library/white-papers/the-impact-of-ai-for-digital-advertisers). In the US alone, the Association of National Advertisers estimates that at least $5.8 billion of their spend is stolen by ad fraud, in “2018-2019 Bot baseline: fraud in digital advertising”, Association of National Advertisers (URL: https://www.ana.net/getfile/25093).

[viii] Calculated by click through rate, Brave Ads average click through rate is 14%. (Brave Browser users who have opted in to ads are not rewarded for clicks, only views). Behavioural display ads average click through rate is 0.46%, according to Google. Facebook’s average click through rate is .9%. See “Brave reaches 8 million monthly active users and delivers nearly 400 privacy-preserving ad campaigns”, Brave, 16 October 2019 (URL: https://brave.com/brave-reaches-8-million-monthly-active-users-and-delivers-nearly-400-privacy-preserving-ad-campaigns/); “Average display advertising clickthrough rates”, Smart Insights, 10 September 2019 (URL: https://www.smartinsights.com/internet-advertising/internet-advertising-analytics/display-advertising-clickthrough-rates/); and “Facebook Ad Benchmarks for your industry”, WordStream, 27 August 2019 (URL: https://www.wordstream.com/blog/ws/2017/02/28/facebook-advertising-benchmarks).

[ix] See also “Regulatory complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under Europe’s GDPR”, Brave Insight, September 2018 (URL: https://brave.com/adtech-data-breach-complaint/). See a sample of the evidence submitted to European data protection authorities so far at https://brave.com/rtb-evidence/.

[x] This includes Ireland and Belgian data protection authorities. See “Data Protection Commission opens statutory inquiry into Google Ireland Limited”, Data Protection Commission of Ireland, 22 may 2019 (URL: https://www.dataprotection.ie/en/news-media/press-
releases/data-protection-commission-opens-statutory-inquiry-google-ireland-limited
); and letter from Peter Van den Eynde of the Gegevensbeschermingsautoriteit to Jef Ausloos and Pierre Dewitte, 8 October 2019. The UK data protection authority has also issued a report that repeats and vindicates Brave’s report to regulators about real-time bidding.

Read Next