Privacy Backlash

June 21, 2021
Michael Taylor

I'm finding it becoming a recurring theme in my writing and consulting that there is a growing privacy backlash against the 'surveillance capitalism' that powers digital advertising. I'm finding it hard to track all the places I've seen this mentioned and I wanted one single place to link clients to that references everything important on the various related threads. Since that place didn't exist, I decided to create it! This post is broken up by major topic, and sorted in reverse chronological order (latest first). Tweet at me if you know of anything I should include: @hammer_mt

Cookies

The use of third-party tracking cookies is going away in browsers.

"It would threaten to substantially disrupt much of the infrastructure of today's internet without providing any viable alternative, and it may choke off the economic oxygen from advertising that startups and emerging companies need to survive," — Marketing Dive, Jan 2020

"we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years" — Chromium Blog, Jan 2020

"we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari" — WebKit, Mar 2020

"We observed that for the top 500 global publishers, average revenue in the treatment group decreased by 52%, with a median per-publisher decline of 64%" — Google, Aug 2019

"Firefox will now block thousands of web trackers by default, protecting users from many websites, analytics companies, and advertisers that want to follow their paths across the web. The change should speed up the browser and keep users’ web habits more private, while nudging advertisers toward less invasive practices." — The Verge, Jun 2019

"Chrome’s upcoming cross-site cookie clampdown and fight against fingerprinting will likely be felt by marketers to varying degrees. In some cases, the effects could be significant." — Econsultancy, May 2019

ITP

Apple limiting the ability to track users within the Safari browser.

"Facebook Ads announced today it’s retiring its 28-day attribution window option. After they do, the longest remaining attribution window will be their already-existing 7-day option." — Search Engine Journal, Sep 2020

"While many non-Apple browsers like Brave and Firefox already have built-in anti-tracking features, this new update also affects the world’s most popular browser, Google’s Chrome. While Apple is still working through some kinks that have allowed third-party cookies to work in some instances when the feature is switched on, all browsers on iOS and iPad OS will have ITP switched on by the end of the year." — Digiday, Sep 2020

"CPMs for Safari users have fallen off by around 60% since ITP was introduced in 2017, according to ad tech firm Index Exchange." — Digiday, Sep 2020

"Across all iOS and iPadOS browsers, the new setting “Allow Cross-Website Tracking” is toggled off. This means that all these browsers are now implementing the full scale of WebKit’s Intelligent Tracking Prevention mechanisms." — Simo Ahava, Sept 2020

"Later this year — at a so-far unspecified date — Apple is also expected to put the kibosh on a technique some publishers and ad tech companies used as an ITP workaround. Called CNAME cloaking, the technique was a way for vendors such as Criteo and Adobe to get around Apple treating them as third-party trackers. Instead, those vendors are afforded more persistent cookies that aren’t capped by ITP to a week." — Digiday, Sep 2020

"“Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or ‘a little bit of cross-site tracking is allowed,’” Wilander notes in the announcement post on the blog for WebKit, which is Apple’s in-house browser engine that powers many of its features under the hood." — The Verge, Mar 2020

"we’ve concluded that the cumulative impact is a significant 8% loss of marketing attribution for Safari mobile searches" — Econsultancy, Jan 2020

"One result: The cost of reaching Safari users has fallen over 60% in the past two years, according to data from ad tech firm Rubicon Project." — The Information, Dec 2019

"If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link." — Digiday, Sep 2019

"Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”" — Digiday, Sep 2019

"We find that when a user’s cookie is available publisher’s revenue increases by only about 4%" — Marotta, Abhishek, Acquisti, May 2019

"ITP 2.2 cuts the first-party cookie’s lifespan from seven days to one day. As a result, the first-party cookies that Facebook and Google have introduced in order to continue measuring site traffic and attributing ads will be deleted after 24 hours. As a result, if a person clicks on an ad for a product on Friday and decides to take the weekend to think about buying, then the cookie wouldn’t be around on Monday to register when the person returns directly to the site to buy the product." – Digiday, May 2019

"In previous filings we provided estimates of ITP’s negative impact on Criteo’s Revenue ex-TAC: $1 million and $25 million in the fiscal quarters ending on September 30, 2017 and December 31, 2017 respectively." — Criteo, Oct 2018

IDFA

Apple is making users opt out by default from cross-app tracking.

"But DMG’s Clarke says the move will hit his company, even if it’s small compared to the giants. “Untargeted ads are basically worthless,” he says. Clarke says he thinks the revenue his company’s iOS app users generate could drop by 75 percent, which could prompt him to abandon the app altogether and ask his readers to read the Daily Mail on the web instead." — Recode, Sep 2020

"Notably, Facebook has declined to even show app install advertisements to the 30% of U.S. iPhone users that turned off their IDFA of their own accord — and now it is opt-in, instead of opt-out." — Stratechery, Aug 2020

"Facebook’s own ad business will be mostly fine, since your profile and activity on its apps contain data way more useful than a simple device ID. But the company says that a lot of its advertising clients will suffer." — The Verge, Aug 2020

"Audience Network revenue could drop as much as 50%, the company said. Facebook is considering eliminating the service altogether for iOS 14 users." — Bloomberg, Aug 2020

"my sense was that most people believed that Facebook could find a way — using its sophisticated infrastructure and massive data set — to maintain the device-centric status quo on mobile. What Facebook’s announcement last week reveals is that it can’t: it is fully embracing the SKAdNetwork measurement framework and is excising the IDFA completely from its advertising machinery." — Mobile Dev Memo, Aug 2020

"if the person who installed that app eventually signs up for an account and takes a ride share, Lyft knows where and how to attribute the results of that marketing effort, and connect it to the ad spend that initiated it. Even better, from Lyft’s perspective, it can use the IDFA to tell mobile ad networks essentially: I like users like this; go find me more. All of that is going away with iOS 14." — Forbes, Jun 2020

"Apps will basically have to:

  • Disclose in detail what type of data collection goes on.
  • Provide an opt-in mechanism to the collection of user and usage data.
  • Not put up consent walls (allow the user to access content only if they give consent to tracking).
  • Implement an opt-out mechanism as well, where if the user withdraws consent, their data should be purged." — Simo Ahava, Sept 2020

GDPR

The European privacy legislation limits the tracking of personal data.

"The ICO’s Cookie Consent Rate Dropped 90 Percent After Implementing its Own Best Practices" — Video Ad News, Nov 2019

“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” — Brave, Sep 2019

“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);” — Brave, Sep 2019

CCPA

The California privacy legislation is similar to GDPR.

"These situations may arise from instances where their “non-encrypted or non-redacted personal information” is breached, regardless of the harm done to the data. Under the CCPA, consumers can collect between $100 and $750 for each event." — Security Boulevard, Aug 2019

Adblockers

Users are fighting back by blocking ads on desktop and mobile.

"The average global adblocking rate in early 2018 was estimated at 27 percent." — Statista, Oct 2019

"The percentage of people who have switched Limit Ad Tracking (LAT) on has doubled on iPhone over the last four years in the United States." — Singular, Mar 2020

Fraud

No attribution model is perfect; they can all be manipulated.

"Every common attribution model can be easily gamed." — Admend, Nov 2017

Elections

Examples of tracking having an impact on political elections.

Facebook advertisements and targeting information gathered by Italian transparency group Openpolis found that the neo-fascist Brothers of Italy party ran a Facebook ad targeting Italian adults who are interested in the paramilitary police force, the carabinieri. — The Guardian, Mar 2019

"Surveillance capitalism’s “means of behavioral modification” at scale erodes democracy from within because, without autonomy in action and in thought, we have little capacity for the moral judgment and critical thinking necessary for a democratic society." — Shoshana Zuboff, Mar 2019

"Cambridge Analytica, the data-driven analytics firm that specialized in psychographic profiling or “PSYOPS,” was hired by the Trump campaign in June of 2016 to lead its digital ops up to the November election and has boasted they have up to 5,000 data points on every adult in the US." — Towards Data Science, Oct 2018

“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” — The Guardian, Mar 2018

"The Russians were using the same techniques as some of the most successful startups in the world – tactics that I use every day and have done for a decade." — Wired, Mar 2018

"The Russians are also accused of working to suppress turnout among ethnic minority voters. They allegedly created an Instagram account posing as “Woke Blacks” and railed against the notion that African Americans should choose Clinton as “the lesser of two devils” against Trump." — The Guardian, Feb 2018

"Parscale said the Trump campaign used Facebook to reach clusters of rural voters, such as “15 people in the Florida Panhandle that I would never buy a TV commercial for”. “I started making ads that showed the bridge crumbling,” he said. “I can find the 1,500 people in one town that care about infrastructure. Now, that might be a voter that normally votes Democrat.”" — The Guardian, Oct 2017

"Canter explained how he used the AfD’s 300,000 Facebook likes to target millions of other Germans who might be receptive to the party’s message. “We took that 300,000, and Facebook created a model of them and used their lookalike audiences to find the closest 1 percent of German people to match that audience,” he said. That process generated a new group of 310,000 people who were most similar to AfD fans." — Bloomberg, Sep 2017

"The office implemented the winning message in ~125 million leaflets and nearly a billion targeted digital adverts regardless of all complaints." — The Spectator, Jan 2017

"In the official 10 week campaign we served about one billion targeted digital adverts, mostly via Facebook and strongly weighted to the period around postal voting and the last 10 days of the campaign." — Dominic Cummings, Oct 2016

"The campaign was sending more than 100,000 uniquely tweaked ads to targeted voters each day. In the end, the richest person ever elected president, whose fundraising effort was rightly ridiculed at the beginning of the year, raised more than $250 million in four months--mostly from small donors." — Forbes, Nov 2016

Brands

Examples of companies moving away from targeted ads.

"The boycott, called #StopHateForProfit by the civil rights groups that organized it, urged companies to stop paying for ads on Facebook in July to protest the platform’s handling of hate speech and misinformation. More than 1,000 advertisers publicly joined, out of a total pool of more than 9 million, while others quietly scaled back their spending." — New York Times, Aug 2020

"Rollic’s method is to chase extremely low-cost CPIs by running user acquisition campaigns against broad, largely untargeted audiences. It’s not unlike the age and demo targeting that advertisers do on traditional linear TV, said Bernard Kim, Zynga’s president of publishing." — Ad Exchanger, Aug 2020

"In January 2020, when NPO switched from tracking-based targeting to contextual targeting, revenue increased 61 per cent more than January 2019. In February, revenue increased 76 per cent over the previous year," — The Register, Jul 2020

"Procter & Gamble Co., the biggest advertising spender in the world, will move away from ads on Facebook that target specific consumers, concluding that the practice has limited effectiveness." — Wall St Journal, Aug 2016

Creepiness

Examples of the creepy things people can find out about you with tracking.

"Some 81% of the public say that the potential risks they face because of data collection by companies outweigh the benefits, and 66% say the same about government data collection." — Pew, Nov 2019

"Every time a person visits a website that uses RTB, data about them is broadcast to tens or hundreds of tracking companies, who let advertisers compete for the opportunity to show them an ad. The data can include the category of what they are reading – which can reveal their sexual orientation,[4] political views,[5] their religion,[6] and health conditions including AIDS,[7] STDs,[8] and depression.[9] It includes what the person is reading, watching, and listening to. It includes their location. And it includes unique, pseudonymous ID codes that are specific to that person,[10] so that all of this data can be tied to you, continually, over time." — Brave, Sep 2019

"Overall, a 2014 survey found that 91% of Americans “agree” or “strongly agree” that people have lost control over how personal information is collected and used by all kinds of entities. Some 80% of social media users said they were concerned about advertisers and businesses accessing the data they share on social media platforms, and 64% said the government should do more to regulate advertisers." — Pew, Mar 2019

"Another survey last year found that just 9% of social media users were “very confident” that social media companies would protect their data. About half of users were not at all or not too confident their data were in safe hands." — Pew, Mar 2019

"After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today. Studies show that the Canvas can provide an easy-access fingerprinting target: The adversary simply renders WebGL, font, and named color data to a Canvas element, extracts the image buffer, and computes a hash of that image data. Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server." — Tor, Jun 2018

"Approximately 100 days before changing their status to “In a relationship,” users are more likely to use the words “love,” “sweet,” and “happy” in messages and publish something on the walls of their crushes — an average of 2 posts per 12 days. When publishing something, they tend toward positive news." — Brightside, Oct 2017

"We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint." — EFF, May 2010
