Privacy regulators in Poland, Ireland, and the UK urged to act against online ad auctions following new evidence about massive leakage of highly intimate data about web users.

Panoptykon Foundation filed a new complaint with the Polish Data Protection Authority today, joining the ad auction complaints already being examined in the UK and in Ireland.

New evidence submitted to the UK, Irish, and Polish Data Protection Authorities today reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.

Today, 28 January, is “International Data Protection Day”.

Today, Panoptykon Foundation, the Warsaw-based digital rights organization, has joined in the complaints filed in the UK and Ireland in September by Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave.

Together, the complainants in Ireland, Poland, and the UK have also filed new evidence today with the national data protection authorities of Ireland, Poland, and the United Kingdom that reveals how ad auction companies, including Google, unlawfully profile Internet users’ religious beliefs, ethnicities, diseases, disabilities, and sexual orientation.

Every time you visit a website that uses ad auctions, personal data about you is broadcast in “bid requests” to tens or hundreds of companies. Part of this process categorizes what you watch or read or listen to. The categories can be benign, such as “Tesla motors”, “bowling”, or “gadgets”. But, as the new evidence filed today shows, they can also be extraordinarily sensitive.

For example, one category is “IAB7-28 Incest/Abuse Support”. This could enable ad auction companies to target and profile a person as an incest or abuse victim. The letters “IAB” in this category title refer to the Interactive Advertising Bureau, the organization that defines the rules of the ad auction industry.

Other IAB categories relate to sensitive and embarrassing health conditions, religious denomination, sexual orientation, etc.

Google runs its own category list, which includes equally sensitive insights such as “eating disorders”, “left-wing politics”, or “scientology”. There are hundreds of sensitive categories in the IAB’s and Google’s lists. These lists are linked at the bottom of this note.

Unnecessary data

While it is acceptable for a library to mark an area with the words “substance abuse”, it would not be acceptable for a library to mark a person who enters that section with those words too. But online, these labels about what you read, watch, and listen to can stick to you for a long time.

This stickiness is due to the tracking IDs and other information specific to you and your device, which are routinely included in ad auction “bid requests”. Tracking IDs and other personally specific information are not strictly necessary for ad targeting, but they make it easy for companies to re-identify and profile you.

“Ad auction systems are obscure by design”, said Katarzyna Szymielewicz, President of Panoptykon Foundation. “Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data. IAB and Google have to redesign their systems to fix this failure”.

Loading a single web page can trigger several bid request broadcasts. The New Economics Foundation estimates that ad auction companies broadcast intimate profiles about an average UK internet user 164 times per day.[1] These are received by thousands of companies, and there is no way of knowing what then is done with these intimate data.

Dr Johnny Ryan, Chief Policy & Industry Relations Officer of Brave, said “ad auction companies can fix this by simply excluding personal data, including their tracking IDs, from bid requests. If the industry makes some minor changes[2] then ad auctions can safely operate outside the scope of the GDPR. This would protect privacy, but would also protect marketers and publishers from very significant risk.”

Irish, UK, and Polish regulators are being urged to act on this matter, and more complaints are expected. Ravi Naik, a partner at ITN Solicitors instructed by the complainants, said “Panoptykon’s submissions add to the increasing focus on real time bidding. This new complaint builds on our work before the UK and Irish data protection authorities. We foresee a cascade of complaints to follow across Europe, and fully expect an EU-wide regulatory response”.

“Actors in this ecosystem are keen for the public to think they are dealing in anonymous, or at the very least non-sensitive data, but this simply isn’t the case”, said Michael Veale, technology policy researcher at University College London. “Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated as though it’s a simple fact of life online. It isn’t: and it both needs to and can stop.”

See Panoptykon Foundation’s English language statement here.

New evidence: IAB and Google category lists

Complaints to date

Contact

Dr Johnny Ryan

Phone: +353 876725770

Twitter: @johnnyryan

Email: johnny@brave.com

Press coverage

Coverage of initial filing

Notes

[1] Duncan McCann and Miranda Hall, “Blocking the data stalkers”, New Economics Foundation, December 2018 (URL: https://neweconomics.org/uploads/files/NEF_Blocking_Data_Stalkers.pdf), p. 9.

[2] See for example Sean Blanchfield, “Frequency capping and ad campaign measurement under GDPR”, PageFair, November 2017 (URL: https://pagefair.com/blog/2017/gdpr-measurement1/).