Targeting Websites

NSA vs. IAB – Where To Look for Privacy Threats

Posted by Bill Guild on March 26th, 2014 at 1:37 pm

Recently there have been stories in the national news about digital privacy violations: messages being intercepted by social media platforms, phone data being collected by the government, and internet users having their online behaviors tracked without consent. In response to these breaches, U.S. legislators are calling for restrictions on data use by advertisers, and the issue of privacy is not about to blow over anytime soon. It may therefore be useful to examine how we think about privacy: not what our individual positions are, but the process of evaluating the uses and users that lead us to those positions.

When evaluating privacy, there are two questions to consider:

  1. Is the information that another party can request or acquire about me potentially harmful, if used in an unacceptable manner?
  2. Can the party that requests the information use it in an unacceptable manner or transfer it to another party that might use it in an unacceptable manner?

For example: does the National Security Agency (NSA) have or collect any information that could be used to harm someone? The answer is yes: it has names, addresses, and current GPS coordinates. If it wanted to, it has the capability to send someone to Guantanamo on the basis of gathered information, be it inappropriate “humor” or a number of suspicious followers. Another question: does the NSA have the ability to transfer consumer information to someone else? Think FBI, LAPD, and Edward Snowden. Names, phone numbers, and addresses are personally identifiable information (PII), and they can be used to find anyone in the physical world. Any police department, private detective, or ex-significant-other can receive, understand, and use information connected to a person by these tags. Finally, would they ever do it? Would a government agency, or someone within one, ever use the information against you (think George Washington Bridge traffic)? Do you trust the NSA, or your significant other? This is a personal and complex question that only you can answer. Let’s move on to another example: the Interactive Advertising Bureau (IAB).

The IAB is a representative organization made up of over 600 media and technology companies in the industry. Since the IAB itself doesn’t track users or engage in behavioral targeting, let’s use “third party advertisers” as a more accurate label for the collective group under consideration. Do third party advertisers have or collect any information that could harm you? Typically the information they keep is reasonably harmless, but let’s take a closer look. These advertisers may see that a browser has been accessing adult content (potentially embarrassing), a dating site (embarrassing depending on relationship status), or a recipe for incendiaries (rare, but potentially compromising). In light of these examples, let’s say third party advertisers do collect potentially harmful data.

Do third party advertisers have the ability to use the information in an unacceptable manner or transfer it to someone who could use it in an unacceptable manner? Collecting third party data is difficult, and it requires the cooperation of many large business entities. Third party data providers enlist many publishers to carry their tags so that they can observe web traffic through third party cookies. The providers themselves don’t run behavioral advertising; that is done by advertising companies, whose own cookies are set under a different domain and are therefore never sent to the data provider by the browser. Before an advertiser can act on a provider’s data, the two must synchronize their cookies: a sync request to one party redirects the browser to the other, carrying the first party’s identifier in the URL while the second party reads its own identifier from the cookie the browser presents, so that each side can record the pair. This happens one browser at a time, takes many months to cover an entire audience, and must be continually refreshed as cookies expire or are cleared. Browsers cap the number of redirects they will follow in a single chain (on the order of twenty), which naturally limits how many entities can be strung together this way. Those that do so are well known and under constant scrutiny.
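To make the mechanics concrete, here is a small simulation of the cookie sync described above. It is an added example, not code from this post or from any ad-tech vendor; the host names, paths and parameter names (data.example, ads.example, /pixel, /sync, /match, partner_id, dpid, adid) and the redirect cap of 20 are assumptions chosen for illustration. It models a data provider that sets its own cookie from a publisher pixel, an ad server whose cookie lives under a separate domain, the redirect round trip that lets each side record the other’s identifier one browser at a time, and the browser’s redirect limit that stops a chain which never terminates.

```python
"""Cookie syncing between a third-party data provider and an ad server.

Added example, not code from the original post. Hosts, paths and query
parameters (data.example, ads.example, /pixel, /sync, /match, partner_id,
dpid, adid) are illustrative assumptions, not any vendor's real API.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_LIMIT = 20  # assumption modelled on common browser defaults (~20 hops)


class TooManyRedirects(Exception):
    pass


class Browser:
    """Minimal client: a per-host cookie jar plus redirect following."""

    def __init__(self, servers):
        self.servers = servers  # host -> server object
        self.jar = {}           # host -> {cookie name: value}

    def fetch(self, url):
        hops = 0
        while True:
            parts = urlsplit(url)
            cookies = self.jar.setdefault(parts.netloc, {})
            query = {k: v[0] for k, v in parse_qs(parts.query).items()}
            status, set_cookies, location = self.servers[parts.netloc].handle(
                parts.path, query, cookies)
            cookies.update(set_cookies)  # cookies stay keyed to the host that set them
            if status != 302:
                return status
            hops += 1
            if hops > REDIRECT_LIMIT:
                raise TooManyRedirects(url)
            url = location


class DataProvider:
    """Observes publisher traffic through its own third-party cookie."""
    host, COOKIE = "data.example", "dpid"

    def __init__(self):
        self.observations = {}  # dpid -> publisher sites seen
        self.matches = {}       # dpid -> {partner host: partner id}

    def handle(self, path, query, cookies):
        dpid = cookies.get(self.COOKIE) or secrets.token_hex(8)
        set_cookies = {} if self.COOKIE in cookies else {self.COOKIE: dpid}
        if path == "/pixel":
            self.observations.setdefault(dpid, []).append(query.get("site", "?"))
            return 204, set_cookies, None
        if path == "/sync":
            # Partner's id arrives in the URL, ours in the cookie: record the
            # pair, then send the browser back so the partner stores the reverse.
            partner = query["partner"]
            self.matches.setdefault(dpid, {})[partner] = query["partner_id"]
            return 302, set_cookies, f"https://{partner}/match?" + urlencode({"dpid": dpid})
        return 404, set_cookies, None


class AdServer:
    """Runs behavioral ads; must sync its cookie to use the provider's data."""
    host, COOKIE = "ads.example", "adid"

    def __init__(self, provider_host):
        self.provider_host = provider_host
        self.matches = {}  # adid -> dpid

    def handle(self, path, query, cookies):
        adid = cookies.get(self.COOKIE) or secrets.token_hex(8)
        set_cookies = {} if self.COOKIE in cookies else {self.COOKIE: adid}
        if path == "/sync":
            target = f"https://{self.provider_host}/sync?" + urlencode(
                {"partner": self.host, "partner_id": adid})
            return 302, set_cookies, target
        if path == "/match":
            self.matches[adid] = query["dpid"]
            return 204, set_cookies, None
        if path == "/loop":  # deliberately broken endpoint that redirects to itself
            return 302, set_cookies, f"https://{self.host}/loop"
        return 404, set_cookies, None


def sync_audience(n_browsers, sites=("news.example", "recipes.example")):
    """Every browser visits every site; each visit fires the pixel and a sync."""
    dp = DataProvider()
    ads = AdServer(dp.host)
    servers = {dp.host: dp, ads.host: ads}
    browsers = [Browser(servers) for _ in range(n_browsers)]
    for b in browsers:
        for site in sites:
            b.fetch(f"https://{dp.host}/pixel?" + urlencode({"site": site}))
            b.fetch(f"https://{ads.host}/sync")
    consistent = all(dp.matches[dpid][ads.host] == adid
                     for adid, dpid in ads.matches.items())
    return dp, ads, browsers, consistent


def redirect_loop_is_stopped(browser):
    """True when the browser's redirect cap halts a chain that never ends."""
    try:
        browser.fetch(f"https://{AdServer.host}/loop")
    except TooManyRedirects:
        return True
    return False
```

Calling sync_audience(3) matches three browsers, and each match costs its own redirect round trip, which is why covering a whole audience takes as long as it does; redirect_loop_is_stopped shows the browser cap cutting off a chain that would otherwise run forever.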

While it is conceivable that some nefarious entity could, with great difficulty, share the data, it is unlikely to happen and hard to do unnoticed, since the redirect chains involved are visible to anyone inspecting a page’s network traffic. Even if it did happen, the end result is a cookie. A cookie identifier is pseudonymous: by itself it carries no name, physical address, or phone number, and it links to a person only if some party that holds both the identifier and that personal information joins the two. Your cookie data is meaningful for showing you relevant ads but, absent such a join, useless for connecting you as a person with your online behaviors. Your online behaviors, as odd or revealing as they may be, therefore aren’t useful for much except online advertising to your device. For online behavioral data, the answer to the second critical question is a pretty reasonable “no”.
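Whether a given cookie identifier stays anonymous depends on what else the browser sends to the party holding it, and that can be checked rather than assumed. The following added example (not from this post; the hosts, cookie names and request records are constructed for illustration, and its eTLD+1 check is a crude stand-in for the Public Suffix List) audits a list of captured requests and reports each third-party host that received an e-mail address or phone number, in the URL or in the Referer header, on a request that also carried one of that host’s cookies. That combination is what turns a pseudonymous identifier into something linkable to a person.

```python
"""Flag third-party requests where a cookie identifier travels with PII.

Added example, not code from the original post. The request records are
constructed for illustration (a HAR-like list of dicts); the host and
parameter names (shop.example, data.example, ads.example, dpid, adid) are
assumptions. registrable() is a crude stand-in for the Public Suffix List.
"""
import re
from urllib.parse import unquote, urlsplit

FIRST_PARTY = "shop.example"  # assumed site under audit

EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"(?<!\d)\d{3}[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")

# Constructed sample: requests a browser sent while a logged-in user moved
# from the account page to an order confirmation page.
REQUESTS = [
    {"url": "https://shop.example/account?email=ann%40example.org",
     "referer": "", "cookies": "session=abc123"},
    {"url": "https://data.example/pixel?site=shop.example",
     "referer": "https://shop.example/account?email=ann%40example.org",
     "cookies": "dpid=4f0c1b2d9e8a7f6c"},
    {"url": "https://ads.example/conv?order=1234&email=ann%40example.org&tel=555-123-4567",
     "referer": "https://shop.example/thanks", "cookies": "adid=9ab8c7d6e5f40312"},
    {"url": "https://cdn.example/lib.js", "referer": "https://shop.example/",
     "cookies": ""},
]


def registrable(host):
    """Last two labels as an approximation of eTLD+1 (assumption; use the PSL in practice)."""
    return ".".join(host.split(".")[-2:])


def is_third_party(url, first_party):
    return registrable(urlsplit(url).netloc) != registrable(first_party)


def pii_in(url):
    """PII categories found in a URL's path or query, after percent-decoding."""
    if not url:
        return set()
    parts = urlsplit(url)
    text = unquote(parts.path + "?" + parts.query)
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if PHONE_RE.search(text):
        found.add("phone")
    return found


def cookie_names(header):
    """Names of the cookies the browser attached to the request."""
    return [c.split("=", 1)[0].strip() for c in header.split(";") if c.strip()]


def audit(requests, first_party=FIRST_PARTY):
    """One finding per third-party request on which PII (in the URL or the
    Referer) reached a host that also holds a cookie on this browser."""
    findings = []
    for r in requests:
        if not is_third_party(r["url"], first_party):
            continue
        leaks = {}
        for channel in ("url", "referer"):
            pii = pii_in(r[channel])
            if pii:
                leaks[channel] = pii
        ids = cookie_names(r["cookies"])
        if leaks and ids:
            findings.append({"host": urlsplit(r["url"]).netloc,
                             "identifiers": ids, "leaks": leaks})
    return findings
```

On the constructed sample, audit() reports data.example (its dpid cookie plus an e-mail address leaked through the Referer of the account page) and ads.example (its adid cookie plus an e-mail address and phone number placed directly in a conversion URL), and ignores the first-party request and the cookieless CDN fetch. The Referer case is the one that needs no cooperation from the third party at all: it arises purely from how the first-party site built its URLs.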

There are plenty of ways that data can, intentionally or accidentally, harm you. Medical records, financial records, online logins, shopping transactions, and account information all contain personally identifiable information, so all of that data might be used in an unacceptable manner. We should be taking steps to improve online privacy, no doubt, but we also need to focus those efforts on the types of data and the data collectors that matter most.

2 Responses to “NSA vs. IAB – Where To Look for Privacy Threats”

  1. It seems that you are mostly dismissive of the problems with third-party data-flow, taking a "We're not nearly as bad as the NSA is" approach, all with the not-so-subtle goal of blunting government action.

    However, many of your assertions are incorrect. You say it is unlikely a nefarious entity would share the data... how do you know this? You say it would be guaranteed to be detected... that is false. And you say all that's at stake is an anonymous cookie and that it is not tied to PII... which, come on, we also know is not true. You conclude by saying that "medical records, financial records, online logins, shopping transactions, and account information" are the PII that can harm you if stolen and misused, not user tracking. You fail to consider the possibility that this information may enter the data-stream via these "harmless cookies" with poor oversight over web application development and production.

    You are going to have a tough time proving your claims.

    Site Sentinel is a data-flow audit tool that identifies third-party activities. HIPAA, GLB, COPA, FISMA, etc. compliance-bound entities are all in non-compliance if they do not use Site Sentinel to verify and confirm that no third-party is getting data from their websites. Plain and simple. Third-party data flow is a huge liability to organizations world-wide and represents huge dangers to consumers being tracked by the aggregate collection of PII information about them.

    • Bill Guild says:

      Miles is right when he points out that cookies and the data associated with them are not guaranteed to be anonymous or harmless. However, they are much less likely to cause harm than many of the other types of IDs that are personally identifiable from the beginning and associated with data that can be extremely harmful. This should be a matter of priority in which we deal with immediate and significant threats first and eventually or simultaneously deal with many of the lesser threats.

      ChoiceStream tries to be a leading practitioner of self-regulation, implementing both the established standards and the advanced guidelines. This level of protection seems to be enough for the type of data we have and the type of uses we make of it. Additional protections like those Miles sells are appropriate for other data owners in other applications. As a company that has always been focused on increasing the relevance of all content seen by users of the web, we hope that consumer control of their own data becomes a reality soon. Only when this privacy is assured and thoroughly protected – when consumers have confidence that they can safely share data – will they open up and share the data that enables truly relevant content.
