On Monday, the Data Protection Commission (DPC) received a submission from Dr Johnny Ryan, a recent recruit to the Irish Council for Civil Liberties (ICCL) regarding a complaint he had made exactly two years earlier, concerning the online advertising process of real time bidding (RTB).
Dr Ryan asserted that RTB represents “the biggest data breach ever recorded” in the context of GDPR, and questioned why, some 24 months after he first raised the issue with the DPC, little progress had been made.
For the uninitiated, RTB can be summed up relatively simply as the process which sees you targeted with specific advertising while browsing the internet, with those ads tailored to you specifically per a ‘profile’ that has been created for you by virtue of your browsing habits and history. It all happens in real time in the background, and results from the never-ending sharing of data between websites, smartphones, ad exchanges, and data brokers.
It is also worth an absolute fortune, with Google’s ad exchange alone producing revenue totalling in the region of €20bn in just one three-month period in 2018.
Despite this, the internet giant will swear blind to you that no transaction takes place, and that it merely provides a service.
Put even more simply, your browsing behaviour sees you pigeon-holed in ways you might find surprising, and such profiling is the backbone of the internet’s data economy. However, that does not mean that it is legal.
Article Five of the EU’s General Data Protection Regulation (GDPR), the all-encompassing directive, which went live in May 2018 with the aim of giving online regulation across the bloc real teeth, states that all personal data held by other concerns must be kept secure.
Given the sheer scale of the data-sharing now taking place, it is hard to see how that can be the case when it comes to RTB.
What sort of behaviour gets profiled? Well, depending upon the sites you spend time on, you could be labelled as expecting a baby, should you have been searching for infant care products.
If you have spent time searching for antidepressants or on support forums, you could be deemed as perhaps suffering with mental health issues.
Search terms corresponding to substance abuse could see you labelled as a drug user.
Your salary and demographic is profiled, as is your reliance perhaps on pay-day loans or your debt status.
Should you be experiencing infertility and have searched for a solution, you would be a prime target for advertising of such products.
Your religion and your position on the political spectrum are all profiled from your search and browsing history, as is your sexual orientation and whether you may have an STD or even be HIV positive.
Chronic pain, sleep disorders, medical conditions — all are fair game when it comes to data profiling.
Ditto incest and abuse support and incontinence.
Most such profiling follows a template produced by the Interactive Advertising Bureau, the preeminent representative organisation for online advertisers globally.
That template can tell where you live, what age you are, how long you have lived somewhere, whether or not you are a first time homeowner, what your interests and hobbies are, if you have children, what age they are, what your pets are, the kind of news you care about, if you have a mental health disorder or an infectious disease, and whether you are religious or agnostic.
Its ‘purchase intent’ dataset meanwhile details the lifestyle you aspire to and what you wish to own, from mobile phones to maternity clothing, vegetables to contraceptives.
All told, Google’s own RTB system automatically shares the data accumulated from people’s online activity to 968 separate companies.
The scale of that activity is also massively on the rise, having grown 140% in the past two years, according to Dr Ryan, with a single ad exchange now sending in the region of 120bn RTB broadcasts in a day.
Dr Ryan’s submission dealt with one data broker, Polish-based OnAudience, which boasts of a database totalling “more than 27bn anonymous user profiles” from over 200 global markets.
Ireland is included in that figure. OnAudience’s databank is capable of targeting 1,800 people in Ireland interested in HIV as a topic, 200 people who have registered interest in incest and abuse support, and just under 3,000 people who have searched or browsed for information regarding substance abuse.
However, leaving aside the rights or wrongs of such detailed personal profiling, online advertising is also more prone to abuse than any other form of product marketing. With the prevalence of bots online, it is possible for a niche (and perhaps objectionable) site to gain a financial foothold by linking itself with browsing activity on more mainstream or socially acceptable sites.
Should it prove the case that RTB is adjudged by regulators to being the most egregious data breach in history, it will have been hiding in plain sight. In a way, this should not seem surprising. Ireland, itself home to the ‘one-stop shop’ regulator for most of the largest data-guzzling conglomerates on the planet, plays host to any number of State bodies that will claim until they are blue in the face that their processes are compliant with GDPR, when they blatantly are not.
However, Dr Ryan’s complaint puts the DPC, which is already the subject of growing impatience internationally for its slow progress in reprimanding the multinationals, firmly in the spotlight.
He says the problem of RTB auctions has grown exponentially in the two years since he first raised it while working in the private sector, but that the DPC has recently told him it will be in a position “in a month” to understand the variables of the problem.
The DPC said that it has recently met with Dr Ryan to discuss RTB. His polite response is that he does not know what meeting the commission is talking about.
That does not bode well for action on RTB in the near term. However, even if the system were deemed unlawful, an act which would be a great deal more impactful than the DPC’s signature action aimed at ending Facebook’s system of transatlantic data transfers, could online advertising really function without the transfer of personal data? Dr Ryan insists that it can.
In early 2020, Dutch publisher NPO removed all third party tracking from its websites — cookies, personal data, the lot— and sold advertising based solely on contextual targeting.
The result? Its revenues leapt to a massive extent, and even held relatively steady through the first hammer-blow months of the Covid-19 crisis.
Which begs the question: If we do not need to give away giant gamuts of personal data in order to run the internet’s business model, then why on earth are we doing it?