Privacy Kit

June 23, 2019

Adtech Wreck | The Cat Herder, Volume 2, Issue 23

June 23 · Issue #39
The Cat Herder
‘What you’re doing here is illegal. If we come back in six months’ time and you’re still doing this illegal stuff which we suspect you knew all along was illegal then we might write another report about you.’ ¯\_(ツ)_/¯
😼

Jason Kint
@jason_kint
The most outrageously misleading answer in any TV interview with a world leader that posted today. https://t.co/hVc5TTP0bb
5:55 AM - 17 Jun 2019
To be fair to Sundar he may be speaking relatively. The amount of data Google needs for advertising compared to the amount of data Google has acquired through various means may indeed be rather small. And as far as Google’s concerned, they’re only getting started.
In a recent interview, the team at Google Stadia mentioned that privacy will be “at the user’s control”. They did not specify, however, what the default privacy settings would be, what sorts of data the systems would be collecting and how this data would be used.
Google Stadia has kicked off a new age of gaming data harvesting | WIRED UK
www.wired.co.uk
Big tech is buying into cloud gaming, opening up a lucrative new source of data for behavioural analysis and AI training
The ICO published their Update report into adtech and real time bidding. The conclusions are damning for the adtech industry as it currently functions.
  • Special categories personal data is being shared with hundreds of companies without the explicit consent of data subjects.
  • Legitimate interests is not a valid lawful basis for processing of this nature.
  • Even if legitimate interests were a lawful basis that could be relied upon, companies do not seem to have bothered carrying out legitimate interests assessments.
  • Data protection impact assessments are not being carried out.
  • Processing is not being done in a fair and transparent manner.
  • There is “little or no consideration as to the requirements of data protection law about international transfers of personal data.”
  • There’s no consistency across the industry regarding retention periods and data minimisation.
However, the ICO has decided the time for decisive action is … in six months’ time.
Following continued engagement to obtain more information, we may undertake a further industry review in six months’ time. The scope and nature of such an exercise will depend on our findings over the forthcoming months.
In the meantime, we expect data controllers in the adtech industry to reevaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem.
More:
‘Behavioural advertising is out of control, warns UK watchdog’, TechCrunch
‘“We expect to see change”: ICO warns ad tech not to flout GDPR’, Digiday
‘Adtech industry operating illegally, rules UK regulator’, FT (paywalled)
‘Complainants call on ICO to take action against adtech sector’, Open Rights Group press release
🐦 Threads:
Michael Veale (@mikarv): “The next steps in this report need to be much more firm. AdTech is illegal in its current form: letting it continue undermines the GDPR in all sectors.”
Wolfie Christl (@WolfieChristl): “there needs to be immediate EU-wide coordination, and the ICO and other DPAs must further emphasize and make very clear that there will definitely be 4% fines, soon after this deadline.”
—
The CNIL fined a translation services company €20,000 for continuing workplace surveillance despite assurances that issues highlighted by the regulator during previous audits would be resolved. In short, the company appears to have violated the principle of lawfulness, fairness and transparency by failing to provide staff with information about the presence and purpose of CCTV cameras; the principle of purpose limitation by further processing the CCTV footage to monitor staff rather than the stated purpose of concern for the safety of property and people; the principle of data minimisation by collecting more personal data than was necessary for the stated purpose; the principle of storage limitation by retaining the data for longer than was necessary; and the principle of integrity and confidentiality by implementing inadequate access controls. Quite an achievement.
Original judgment, in French | Google Translate version
—
The Danish DPA has approved the use of facial recognition by football club Brøndby IF to scan the public area outside their stadium for individuals the club has banned from attending matches. The EDRi has more:
There is also no pressing public security need for using this very invasive surveillance technology. The number of arrests by the Danish police in connection with football matches is at a record low, and rather ironically the Brøndby IF press release even highlights that there has been a positive development regarding security at Danish football matches over the last ten years. This evidence must, at the very least, call into question the proportionality of using AFR, even before considering whether there are really reasons of substantial public interest involved.
It will. It probably already is.
A credit union experiencing a data breach that affects 2.7 million people? That could never happen here.
Bluetooth beacons tracking you as you shop? That could never happen here.
One of the world’s largest retailers selling surveillance as a consumer service? It could never happen here.
Yes they did.
Bought a used Nest security cam? The previous owner can spy on you (Update: Fixed)
thenextweb.com
A new report by Wirecutter finds some users who sold their Nest cam devices are able to access images from their old cameras even after performing a factory reset.
  • “It was a little over two years ago that I realized the ad-tech industry had gone too far. I was an executive at a global advertising company, watching a demo from a third-party data provider on how they could help with ad targeting. Their representative brazenly demonstrated how he could pull up his own personal record and share with us his income, his mortgage details, where he worked, what kind of car he drove, which political party he was likely to vote for, and his personal interests (craft beer, of course). It was everything, all in one place.” In Fast Company Richard Stokes explains why he left the ad industry.
  • “For all the controversies, Facebook’s profits remain strong and its user numbers remain steady. Yet it has lost something that in the long run is even more important: the trust of its community. Trust is the great enabler of human connections and commerce … Lack of trust creates a heavy debt that eventually comes due.” Kevin Werbach has an interesting take on the motivation behind Facebook’s cryptocurrency in The New York Times.
  • Also in The New York Times, Gabriel Weinberg of DuckDuckGo asks ‘What if We All Just Sold Non-Creepy Advertising?’ “This shift back to contextual advertising need not reduce profitability. A recent poll by Digiday of publishing executives found that 45 percent of them saw no significant benefit from behavioral ads, and 23 percent said they actually caused a decline in revenue.”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
