Critical data protection problems in the IAB’s new OpenRTB 3.0 Spec
This note outlines how “OpenRTB 3.0”, the new programmatic / behavioural ad tech specification, causes a personal data breach that exposes marketers to severe legal risk.
Today, Brave writes to the IAB (an ad tech trade body) in response to IAB TechLab’s request for feedback on the beta version of OpenRTB 3.0. As we show in our letter below, OpenRTB 3.0 will leak personal data about what virtually every Internet user reads or watches online to a large number of companies, every single time a person loads a page.
OpenRTB 3.0 appears to severely infringe Article 5 of the General Data Protection Regulation, and all that flows from Article 5’s principles. As a result, it will expose marketers, vendors, and publishers to acute legal hazard.
We therefore urge the IAB to reconsider the OpenRTB 3.0 specification. Brave’s letter is below.
Interactive Advertising Bureau & Tech Lab
116 East 27th Street, 7th Floor
New York, New York 10016
4 September 2018
Re: feedback on the beta OpenRTB 3.0 specification
The IAB has requested input on the beta OpenRTB 3.0 specification. This response sets out an acute concern about the lack of data protection in this specification.
The protection of personal data has been absent from previous OpenRTB specifications. It is a matter of concern to Internet users, and is also now of utmost commercial concern to marketers. This commercial concern arises from two facts.
First, as you will no doubt know, a recent ruling at the European Court of Justice, on 5 June (C‑210/16), indicates that marketers are directly exposed as “controllers” to legal risk from data protection infringements in data processing that they commission, or cause to be commissioned. The Court ruled that this applies even if the marketer never directly handles the personal data.
Second, under Article 82(4) of the General Data Protection Regulation, a marketer may be exposed to the “entire damage” created by ad tech vendors that process personal data in the OpenRTB system in a way that infringes the Regulation. In other words, marketers are now liable for the misuse of personal data in the RTB system.
OpenRTB 3.0, like previous iterations of OpenRTB, causes an acute data protection problem. Every time a person loads a page on a website that uses OpenRTB 3.0 advertising, personal data about them are broadcast to tens or hundreds of companies in the OpenRTB bid request. These personal data include:
- Your IP address
- What you are reading or watching
- Your location
- Description of your device, and ad tech companies’ unique IDs for you. (This will allow ad tech companies to try to reidentify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you.)
- Data broker segment ID, if available. (This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.)
These data are very likely to include “special categories” of personal data, since they show what the person is watching and reading, and since the OpenRTB 3.0 specification enables the inclusion of data brokers’ segment IDs.
The broadcast of these personal data under OpenRTB is referred to as an “RTB bid request”. As with previous iterations of OpenRTB, this will be generally broadcast widely, since the objective is to solicit bids from companies that might want to show an ad to the person who has just loaded the webpage. An RTB bid request is broadcast on behalf of websites by companies known as “supply side platforms” (SSPs) and by “ad exchanges”.
Personal data are broadcast in bid requests to multiple Demand Side Partners (DSPs), which then decide whether to place bids for the opportunity to show an ad to the person in question. The DSP acts on behalf of a marketer, and decides when to bid based on the profile of the person that the marketer has instructed it to target. Sometimes, Data Management Platforms (DMPs), of which Cambridge Analytica is a notorious example, can perform a sync that contributes to their existing profiles of the person. It is worth noting that this sync would not be possible without the initial bid request.
RTB as presented in the OpenRTB 3.0 specification is a data protection free zone.
The overriding commercial incentive for many ad tech companies is to share as many data with as many partners as possible, and to share it with partner or parent companies that run data brokerages. Clearly, releasing personal data into such an environment has high risk.
Despite this high risk, the OpenRTB 3.0 specification establishes no control over what happens to these personal data once an SSP or ad exchange broadcasts a “bid request”. Even if bid request traffic is secure in transit, there are no technical measures that prevent the recipient of a bid request from, for example, combining these data with other data to create a profile, or from selling the data on. In other words, there is no data protection.
I note that IAB Europe’s own documentation on how such a broadcast of personal data could conform with European data protection law reveals the industry view: a company “may choose not to pass bid requests containing personal data to other vendors who do not have consent”. In other words, once DSPs receive personal data they can freely trade these personal data with business partners however they wish. The distribution of a bid request creates this data protection-free zone.
In fact, this is very likely to be a data breach. The RTB bid request, including the data specified in the OpenRTB 3.0 specification, fits within the General Data Protection Regulation’s definition of “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
This is particularly egregious since the data concerned are very likely to be “special categories” of personal data, and since I believe that the industry concerned is aware of the shortcomings of this approach, and has continued to pursue it regardless.
In summary, the OpenRTB 3.0 specification will continue to leak details about what every person is reading or watching in a constant broadcast to a large number of companies. These personal data are not protected. This breach is continuous, happening on virtually every website, every single time a person loads a page.
Unless OpenRTB 3.0 is very radically altered, so that no personal data are contained in the bid request, it appears that it will be a severe infringement of Article 5 of the General Data Protection Regulation, and of all that flows from Article 5’s principles. This will put at risk the fundamental rights of virtually every person who uses the Internet in Europe. These rights are enshrined in and protected by the Charter of Fundamental Rights of the European Union. As a result, marketers, vendors, and publishers will be exposed to acute legal hazard.
We must therefore urge that you reconsider the OpenRTB 3.0 specification. So long as the bid request is permitted to contain personal data, and so long as these personal data are widely shared, OpenRTB will be a liability. The RTB system must not be allowed to continue as a data protection “wild west”.
Appendix 1. What personal data are shared in RTB bid requests?
- The specific URL that a visitor is loading, which shows what they are reading or watching.
- An Ad Exchange’s unique personal identifier for the visitor to the website. (This may rotate, but the specification says that it “must be stable long enough to serve reasonably as the basis for frequency capping and retargeting.”)
- Advertiser’s “buyeruid”, a unique personal identifier for the data subject.
- The website visitor’s year of birth, if known.
- The website visitor’s gender, if known.
- The website visitor’s interests.
- Additional data about the website visitor, if available from a data broker. (These may include the “segment” category previously decided by the data broker, based on the broker’s previous profiling of this particular person.)
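As an added illustration, not part of Brave’s letter or of the IAB specification, the following Python audit walks a constructed OpenRTB 3.0-style bid request, reports which of the personal data items listed above and in Appendix 1 are present, and produces the stripped request the letter asks for. The nesting under request.context and the field names (page, ip, geo, id, buyeruid, yob, gender, keywords, data) are assumptions about the AdCOM layout, and the sample request is constructed.

```python
from copy import deepcopy

# Constructed sample of an OpenRTB 3.0-style bid request (not taken from the spec or the letter).
# Field placement under request.context follows the OpenRTB 3.0 / AdCOM layout as the author
# understands it; treat the exact paths as an assumption.
SAMPLE_REQUEST = {"openrtb": {"ver": "3.0", "request": {"id": "req-0001", "context": {
    "site": {"page": "https://example.com/health/articles/depression-treatment"},
    "device": {"ip": "203.0.113.42", "geo": {"lat": 51.5, "lon": -0.12}},
    "user": {"id": "exchange-uid-abc123", "buyeruid": "dsp-uid-xyz789",
             "yob": 1984, "gender": "F", "keywords": "running,cycling",
             "data": [{"id": "broker-1", "segment": [{"id": "seg-4410"}]}]},
}}}}

# Each item from the letter's list, mapped to the JSON path where it would appear.
PERSONAL_DATA_PATHS = {
    "page URL": ("context", "site", "page"),
    "IP address": ("context", "device", "ip"),
    "location": ("context", "device", "geo"),
    "exchange user ID": ("context", "user", "id"),
    "buyeruid": ("context", "user", "buyeruid"),
    "year of birth": ("context", "user", "yob"),
    "gender": ("context", "user", "gender"),
    "interests": ("context", "user", "keywords"),
    "data broker segments": ("context", "user", "data"),
}


def _lookup(obj, path):
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def audit_personal_data(bid_request):
    """Names of the personal data items present in the request, in list order."""
    req = bid_request["openrtb"]["request"]
    return [name for name, path in PERSONAL_DATA_PATHS.items()
            if _lookup(req, path) is not None]


def strip_personal_data(bid_request):
    """Copy of the request with every listed item removed: the bid request the letter calls for."""
    out = deepcopy(bid_request)
    req = out["openrtb"]["request"]
    for path in PERSONAL_DATA_PATHS.values():
        parent = _lookup(req, path[:-1])
        if isinstance(parent, dict):
            parent.pop(path[-1], None)
    return out
```

An SSP or exchange could run the audit on outbound requests to measure how much of the letter’s list it is actually broadcasting, and the strip step shows what remains once that list is removed.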
Appendix 2. Selected data tables from IAB specification documents
The following tables are copied from AdCOM specification v1, which is part of the OpenRTB 3.0 specification. Only selected tables relevant to website bid requests are included here. URLs of the specific part of the specification from which the tables are taken are presented above each table.