The Hijacking of Privacy for Monopolisation


Since DPAs, most notably the ICO, announced plans examining the mechanics behind ad tech, the industry has rightfully acted at pace to engage with the regulators in discussion on the future makeup of a privacy-focused digital advertising landscape.

However, there is a danger that the argument is being hijacked by two of the digital behemoths, Google and Facebook. While projecting their voice loudly, claiming privacy brilliance, the pair are rapidly making moves to strengthen their hands, prior to any potential antitrust action.

Google: I. Fingerprints in the sandbox

In January, Google started a two-year countdown before the final end of the third-party cookie. While not quite as brutal, and immediate of a biscuit-based destruction, as Apple’s ITP, Mozilla’s ETP, and a certain editor versus a pack of shortbread, Chrome’s vast global market share and the fact it is the last remaining bastion using the third-party cookie, which much of the programmatic industry is fundamentally built upon, raises concerns over publisher monetisation, given the steep revenue declines seen when ITP was first introduced.

While Google is making all the right noises in terms of filling the proposed replacement, the Privacy Sandbox, with open standards and blocks for nefarious workarounds such as fingerprinting, the devil is in the detail. (As an aside, Google’s public ferocity against fingerprinting is intriguing given the existence of its Chrome installation identifier, which can track the state of your browser installation, your use of plugins, your IP address and other metrics determined by Google. And, of course, this identifier can only be read by Google-owned domains, and is sent to its own ad targeting services every time you interact with Chrome.)

Firstly, none of the proposed set of five Privacy Sandbox APIs are currently open for marketers and third-party tech vendors to test, and their release schedule is entirely up to Google. Should a future release from the California colossus read: “privacy sandbox APIs to be rolled out first across AdWords and DV360,” before allowing third-party vendors the chance to implement them, would anyone blame marketers for moving there first to get as much time in the sandbox before the land of advertising becomes a desert?

Commenting on the Privacy Sandbox, Sonia Pham, head of business analysis at Illuma Technology said, "It seems that how this works in practice, and perhaps more importantly, whether it will be within the regulatory frameworks of GDPR and CCPA, is still being decided. In fact, at the moment, Privacy Sandbox appears to lack much of an operational or practical framework, for example, as yet, we haven’t really heard about tech specs, milestones or timings. While the project is ‘open to all’, contributions appear to be limited to particular people and the process for this seems a little opaque.”

Even if Google releases the sandbox to everyone at once, as it should if user privacy is indeed its top priority, it could in theory give itself a helping hand by retaining user-level granularity, while offering others only aggregate data. One Privacy Sandbox API allows the allocation of a 'privacy budget', purportedly to mitigate fingerprinting. Who sets the budget for each site? Who gathers and measures the data exposed to each site? Who enforces against violations of the budget? And who sets exemptions for the budget?

Google: II. The Anti-Apple AAP Store

A second major action made by Google in the name of privacy, is the removal of the ability to verify search-to-install data for iOS app installs through independent app attribution providers (AAP) and replaced them with 'modelled' figures (i.e. non-verifiable and liable to change at Google’s whim).

Noble move by the big G to meet the public’s demands for data privacy, or an attempt to hamstring its fruit-based rival’s app store by replacing granular user-level data with vague and variable estimates? Well, as Adweek’s Ronan Shields notes, you can still use AAPs to track the performance of in-app inventory across Google Display Network and YouTube.

Facebook: release the horses!

While Facebook is not as engrained with the open RTB ecosystem as Google, the social networking giant has not shied away from using the privacy argument for its own gains, namely gobbling display budgets once destined for the coffers of premium publishers.

In vomitable virtue-signalling on par with its 'Privacy is Personal' campaign, which tugged at the heartstrings of everybody (or at least those who had somehow forgotten that it hoarded and sold-off data to Cambridge Analytica for political vote-swinging), FB launched its 'Off-Facebook Activity' tool on Data Privacy Day. Like Google, Facebook is making promising sounds. On the company’s blog, Mark Zuckerberg hails the “new level of transparency and control” the tool offers, with the ability to, clear data from your account “if you want to,” making it seem like a magic man of Oz has finally changed his tin heart to human...

...Except users cannot actually delete the data, only remove the association between it and your account itself...

When hitting the clear history button, you get told explicitly by Facebook that it will continue to, “receive your activity from the businesses and organisations you visit in the future,” and that you will still be served personalised ads on the platform. Factor in Bookface’s ability to create shadow profiles based on data it has gleaned outside of your account, and how, even once users have hit clear history, it can still tie that data back via your email address or phone number, if used on your account (which for the vast majority, it will be), then it becomes harder to see how this tool gives users any form of meaningful control.

In terms of privacy, the Off-Facebook Activity tool is not so much closing the barn door after the horse has bolted, it’s more like drawing a pretty picture of a door while all the horses run in and out of the barn at their leisure.

Facebook is now in the lives of 2.5 billion people each month, and having killed off rival content hubs through its sheer scale, and by outright lying, once third-party cookies kick the bucket, marketers could be forgiven for seeing little other option than moving budget once destined for premium publishers, with journalistic and editorial integrity, into the tin man’s garden.

Pace and dialogue

While ad tech cannot hold its head up high given its ignorance towards the rights of the user for too long, what the industry in general has shown is a willingness to change and ensure that the future programmatic ecosystem is fully aligned to the need for privacy. Many in the industry are rightfully bullish on the prospects of intelligent contextual targeting and the opportunity for publishers with their plentiful data assets.

However, the removal of hyper-granular targeting has to apply across the entire industry, and cannot be a case of taking everyone’s lunch and giving it to GAFA.

The evidence (and a certain degree of cynicism) suggests that Google and Facebook have seized upon the privacy argument and falsely cry out for it while building backdoor tracking abilities to keep the granular addressability which marketers now rely upon (and is now unavailable to those without their comprehensive end-to-end stacks). All just to add a few percentage points onto their market shares, which are already as bloated as a pre-minted Mr Creosote.

Both privacy regulators and competition authorities have shown they are open to dialogue, whether directly or through industry associations. If Google and Facebook are acting at pace, we must also work with speed to make sure regulators are made fully aware of any changes which could be used to further monopolise what should be an open and trustworthy industry, which works in the benefit of the brand, the publisher, and the user.