82 comments

[ 3.0 ms ] story [ 159 ms ] thread
It is unfortunate that my essay didn't get much attention: http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozi...
I'm sorry but your essay didn't get much attention because it is not particularly written well. I'm not really sure what you are arguing here, except that Google is bad maybe? You aren't clearly arguing an specific thesis, and there are many non sequitur paragraphs that don't flow. Why are you talking about OpenJDK in an essay about Google Adsense? Or is the essay about Doubleclick BMP?

If the point of this essay is to provide an overview of the area, I am not sure you are well educated in this area. For example, most of doubleclick publishers dont do retargeted ads. They tend to do BMP only. You didn't mention programmatic at all. You don't talk about ad networks. Also you don't mention that Google has done a lot in the area of malware both on the web in general, and specifically has spent a lot of resources in getting malware off the ad network. This makes you seem disingenuous, because while Google isn't a fully "neutral" actor, they are overall a good citizen in the ad space. Ad targeting isn't inherently evil, a lot of ad targeting is geographically based -- in fact many people would probably argue that showing geographically inappropriate ads is even worse -- others are consumer segment (eg: women/men/age).

I would like to have a non-advertisement internet, but it appears that people are just unwilling to do so. Also we may be facing very real cognitive limits, studies on microtransaction fatigue have demonstrated that is not likely to be a successful mechanism for funding webpages -- people just can't make that many monetary decisions every day.

There are other known problems with the essay as well. For example, I mentioned storage costs but it turned out to be more complex than that. The point is not only to provide an overview though but more importantly to trace back the problems to Larry/Sergey, which is why it is so important. And yes I focus on ad tracking using cookies and nothing else. When I was writing the essay BTW, even tracing back when they began sharing the retargeting data took some time.
You're making an argument, but I think you take it for granted that everyone knows what "the problems" are. I'm still not sure what that is!

Also, why is it important to trace the problems back to Larry/Sergey? What about the early engineers who worked on adsense? The early PMs? Surely they are just as culpable for "the problems" (which ones again?) as anyone else? I guess they aren't household names?

Also, adsense/doubleclick revenue accounts for 14.9% of total company revenue as per the last 10-Q filed. So it's a misrepresentation to discuss adsense/doubleclick as anything other than an important, but not critical, part of Google. Google could, in theory, lose all that revenue and still remain in the black.

There are also Google Analytics/Urchin though. Part of the point of the essay (and one of the hardest parts for me to write) is to figure out when they merged the tracking data after the acquisition. I would consider the DoubleClick one worse than AdSense BTW, which is part of the point of the essay.
Except, you’re wrong. Ga data is never joined with other data sets.
Well later in the essay you write that google analytics is merged with ad data in an unqualified statement. That’s what I was reacting to.

Remarketing lists is a feature that would be google neutral. I could imagine such a feature working for self hosted analytics.

And I mentioned in the essay that "In many cases, advertisers managed “remarketing” lists of “anonymous” visitors that was being tracked by cookies from a central console without thinking of the privacy problems, treating visitors almost as numbers." I wonder if such a use would comply with the GDPR BTW.
> I would like to have a non-advertisement internet, but it appears that people are just unwilling to do so. Also we may be facing very real cognitive limits, studies on microtransaction fatigue have demonstrated that is not likely to be a successful mechanism for funding webpages -- people just can't make that many monetary decisions every day.

There's no reason why users would need to take all those decisions individually. Just imagine adding user agents to the existing ad-placement system. By default, offer enough to win most bids. If some ad won, prompt the user to increase their bid. And by the way, page prices here would be more like $0.10 than $1.00 or more.

I tried but this essay has a lot of problems.
Judging by the ripples it causes, it feels like GDPR is a well done piece of legislation that will actually destroy some of the most invasive business models.

Google should tread carefully there. It is the future of their cash cow that is at hand.

It is somehow comforting to see an elected body being able and willing to cause such a stir.

Is the EU Commission an elected body? I thought they were appointed.
Both the Council and Parliament had votes before adoption.
(comment deleted)
The commission is appointed and subject to the elected bodies; but afaik it can only propose legislation - it's the elected bodies that vote them into effect.

The EU isn't particularly democratic or transparent - but it is nominally democratic.

https://en.m.wikipedia.org/wiki/European_Commission#Legitima...

The commission is appointed by the member state governments. Those governments in turn are elected. Commission members are therefore rather similar to regular cabinet members in member states which usually aren't directly elected by neither populus nor parliament, but chosen by the head of government.

Personally, I think it would be better if the EU parliament chose the commission members. But it's not like the citizens of the EU had no say in who gets to be a commissioner at all: you can cast your vote differently in the next memberstate election if you don't like your government or the person it makes a commissioner.

At least Juncker was appointed president of the commission because his faction won the last EU parliamentary election.
Certainly not all EU Governments are elected. In The Netherlands, for example, you vote for Parliament. Parliamentary leaders then seek an agreement and propose a cabinet, which is formally instated by the King. When you cast your vote, you don't know who will be in government, nor do you have any say in it.

I'm a proponent of this system, just wanted to point out that governments are not necessarily elected. I think the same holds in many other EU countries, e.g., Belgium and Germany.

Uh, you may not be able to directly elect a government, but you still elect the parliament which then chooses the government. So yes, you have a say in it, by casting your vote in the parliamentary elections for the party you want to see in government.

And yes regarding Germany: Germans vote for parties in a parliamentary election; in the parliament a party or coalition of parties who can get the necessary majority votes will elect the Chancellor (head of government), who then is formally appointed by the President. The Chancellor then proposes cabinet members who are formally appointed by the President.

At least here in the UK, cabinet members are generally chosen from amongst the elected MPs, and if they're particularly terrible voters sometimes give them the boot at the next election, ending their career.
Of course, those regular cabinet members are the ones that appoint the commissioners, so it is one step further away :)0
(comment deleted)
I even mentioned the GDPR in the essay BTW.
I'm sorry, but how is this relevant?
I mentioned for example that "Notice that AdWords comply if all “personalization” features are removed for example. This included things like “remarketing”. I suspect that AdWords when it was first created in 2000 did not have these features. " and linked to https://pagefair.com/blog/2017/gdpr_risk_to_the_duopoly/
I don't think causing a stir should be a goal. Trump caused quite a stir with his early immigration policies.
Hmm, I thought that too. I assumed that all banks, cell phone operators, etc. that I use would have to ask me for consent to sell my data, track me.

But that did not happen, they just send a note with all those GDPR information what they do with my data and that they have a good news for me: I don't have to do anything, as all my "agreements" are still valid without any action from my side. They haven't given me an option to give consent for, say, calling me, but don't give consent for tracking and profiling. Looks like this is ok, unless Orange got GDPR wrongly and wants to risk fines but I don't believe that.

One of the biggest Polish news portal (wp dot pl) has figure out the fantastic idea - they show a banner with a long, long text, that says at the end that if I close that banner, clicking on X button, I am automatically give them permission to track me and do virtually whatever they want with my data. If I don't agree for their terms and I don't close the banner (which is agreement as well) I am taken to "advanced settings" page that at the end gives me only one option - to agree for tracking and all the shady stuff they want to do with my data. It is impossible to enter their portal without agreeing for everything they want.

WP dot PL is a big business owned by a big German media company, so I guess they figured out everything correctly, apparently the regulation has a lot of loopholes and anyone with smart lawyers can overcome GDPR easily.

The "agree by closing this popup" tactic is, as far as I can tell, not allowed under GDPR. Here's hoping all the companies that do that get slapped with a fine.
This forever popup unless you accept should run afoul of the language in GDPR that forbids the degradation of a service if a user does not opt in.
Likewise "by continuing to browse this website, you agree" implied consent is no longer allowed.
They won't be. They will be first be notified and then fined if they refuse to comply.
I would be curious to hear how this pattern could be considered to conform to the GDPR. From what I understand it has to be opt-in.

I don't speak polish but I went on the website you're talking about using Google translate and indeed I can't see any way to refuse to give them my info. The "if you click X you agree" bit is probably the shadiest of them all.

EDIT: Didn't realize you were referring specifically to the sneaky pop-up. Agree with you on that one.

From a brief reading of it the other day, it seems data that is necessary to provide a contracted service (like, say, providing access to a cellular network) has a specific exemption to express consent.

Check out items 1a & 1b in Article 6 of Chapter 2[1]:

"1Processing shall be lawful only if and to the extent that at least one of the following applies:

A: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

B: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

[1]https://gdpr-info.eu/art-6-gdpr/

Re: your second point: cellular providers will "automatically" get to track you in real time for the purpose of cell tower hand-over etc.

They do not automatically get to keep that data forever, or sell it to a third party. According to how I read the GDPR - I'm not a lawyer ; this is not legal advice, etc.

> apparently the regulation has a lot of loopholes and anyone with smart lawyers can overcome GDPR easily

I think time will tell on that one. It's hard to say how well currently attempted loopholes actually work until they've been tested in court.

As for wp dot pl nothing stopping you from avoiding the site altogether. Yes it's frustrating they insist on tracking you and selling your data as their only business model but at least they have to tell you up-front about it now so you can avoid the site (and have them delete all data they hold on you) if you do not want them doing this.

Edit: though from re-reading your post and the replies sounds like wp dot pl aren't doing things right and need to be more up-front about what you're agreeing to.

I've had two companies do that to me. Today I've sent a request for all my data, and included a note that they appear not to be complying with the legislation. I add that I will check again in a week, and will consider reporting them to the appropriate authorities.

I doubt it will have much effect, and I'm only doing this to companies I don't mind being cut off from, but it's a start, and I hope more people start to take seriously their legitimate rights.

"I guess they figured out everything correctly"

You guess wrong. The situation you described does not comply with the GDPR. Report them to the legislative agency that handles these things in your region - if they're a big target they will be high up on the list of companies being audited.

Slate is doing this too - full page block of the site with only a single "Agree" button to click. No customization or opt out:

Slate’s Use of Your Data By clicking “Agree,” you consent to Slate’s Terms of Service and Privacy Policy and the use of technologies such as cookies by Slate and our partners to deliver relevant advertising on our site, in emails and across the Internet, personalize content and perform site analytics. Please see our Privacy Policy for more information about our use of data, your rights, and how to withdraw consent.

The terms of service is https://slate.com/terms The privacy is https://slate.com/privacy

Oh sure, there are some links like "Opt-out from data use". Which are just...mailto links to gdpr@slate.com

They MUST give you an option to retire consent at anytime, even after you gave it willingly (or not), this is an explicit requirement of the GDPR
The only problem with this Polish news portal is that they will get warning and then got punished if they dont comply so this is not "fantastic idea".

What they are doing is direct violation of GDPR and a really bad idea. There was a complaint filled this morning agains Google, Facebook, Whatsapp and Instagram doing something similar but to lesser extent.

https://noyb.eu

I just cant understand why is everyone trying to push all its intelectual power into trying to workaround GDPR instead of trying to comply, for most website it is trivial as they are in breach of GDPR just becoase they collect the data they dont need.

> I just cant understand why is everyone trying to push all its intelectual power into trying to workaround GDPR

Because they make lots of money on user-hostile practices, and they want to find a way to keep this profit source.

GDPR doesn't require consent for data processing.

Seems like they claim that they base the data processing on:

1. contract about delivering services between you and them

2. profiling is based on a legitimate interest of their administration

3. sending data to third parties based on consent

The way they write it I would call "Polish legalese", so I'm quite confident it was written very carefully by a lawyer and they know it is sketchy.

BTW I really recommend reading "Guidelines on Consent under [GDPR]" by Article 29 Working Pary, an EU body established by the previous directive. It's written in simple language with examples of what is valid consent. And how regulators think about it.

http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...

I am sorry but you are wrong.

Legitimate interest is so wrongly understood. You can only use it if your business is not able to function without some PI and for nothing else. For example if you are having an online store, it is perfectly ok to require name and address as you cant deliver goods to the customer without it. The phone number is already fishy (if you already have another mean to communicate). Using 3rd party by default that is doing monitoring/tracking is a no go, you cant put it under the legitimate interest. And you cant force user to give you a consent by denying access as this is violating that it has to be given free. You will get a consent this way but it will be invalidated in case someone complains to ICO and then you have troubles. And I have talked to our ICO in person. And Google already got a complain. So did facebook and instagram and whatsapp.

I think that persons that were saying that analytics is ok didnt read THIS: "Article 29 Working Party, Opinion 6/2014 on the notion of legitimate interest of the data controller under Article 7" page 25. (http://ec.europa.eu/justice/article-29/documentation/opinion...): "However this does not mean that controllers would be able to rely on article 7(f) to unduly monitor..."

You can thank me later ;)

The fact is that GDPR defines 6 bases for data processing, therefore consent is not always required. But I think you just missed a part where I wrote: "they claim" ;).

And I agree with you. Something quite simple like consent is very misunderstood. Something so vague as legitimate interest is bound to be misunderstood.

I was actually looking for some analysis of "legitimate interest" because I have no idea how to apply it in practice, but I couldn't find anything. So yeah, thanks for the link :).

I wonder what the longer term consequences are.

OK, sure it's nice that right now every site or company I ever had any interaction with no longer feels like they can keep my email on file to continuously spam me.

But this state won't last right? I assume that everything I sign up for in the future will have a load of legalese to circumvent this as much as possible?

One of the nice things about the legislation is that it's quite specific about not allowing consent to be buried in legalese. While I imagine things will soften up a little as companies realise they're not going to immediately get slapped with a fine, most companies will at least be more careful since its simple for complaints to be made. Most do not want to bring the ICO's attention to themselves.
Thing is if everything puts up a big notice "YOU MUST AGREE TO BE TRACKED AND SOLD TO USE OUR SERVICE" then people will just click that.
There's provisions to make sure mandatory tracking, profiling is explicitly opt-in, and that there's a real alternative. That might be a fee (eg Gmail could let you pay x/month to disable all targeted ads - or rather; they might have an opt-in gratis/free service that had ads/tracking).
I don't think that's true; they can offer a paid version or a free version, but they can't offer a version "paid with tracking", even if there's an alternative.
That is coercive, and therefore does not comply (nor does it actually mean consent).
> then people will just click that.

I'm not certain of that. I think that GDPR's biggest effect, even before going live, was to raise awareness of what companies do with their data.

My wife is not particularly technical but has received four e-mails from a hobby magazine pleading with her, increasingly desperately, to opt-in to marketing. That has caused her to wonder why they're so desperate. Why is her information so valuable to them? What do they do with it? So she has decided not to renew her subscription.

You can't withhold service based on accepting non-essential data collection without offering alternatives, that falls under coercion and is a direct violation of the regulation. Should you ever see that report them immediately (something I already did once today).
Thank you, I did not know this.
The GDPR specifically says that EULA provisions have no effect on the validity of the regulation. Quoting from article 7 [1]:

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

[1] https://gdpr-info.eu/art-7-gdpr/

I wonder how many small businesses will be affected simply because every person right now has about 30 emails in their inboxes asking for GDPR permission

I deleted most of them, even though ere might be a few businesses in there whose work I genuinely appreciate

Mostly they won't be able to send mailings around.

Data portability and such are likely a much bigger hassle. Those are actual features you need to implement now if you stored PII.

I would rather have Google than the GDPR or most elected bodies.
That opinion seems ill-considered, to say the least.
The consumer surplus of search engines is like $17000 per year per person
And you wouldn't see any of it if google was elected to govern you ;)
These politicians created a new 'right' and exempted the government from it. This is bound to end well.
The government is not exempted from the GDPR, as it wasn't from the Data Protection Directive that already granted most of the rights contained in the new regulation.
Of course they are, read (16)

"This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union. "

I understand the confusion, as finding this involves reading the 88 pages you are defending.

I did read the GDPR. A specific exemption for national defense (and by the way, you missed the one on health) is not the same as "exempting the government". The vast majority of governmental bodies have to comply.

It's like saying that "governmental employees are allowed to pilot fighter jets" just because the army employs some pilots.

I'm surprised it had some teeth.

This shows that it's possible to change some very exploitable practices if EU wants to.

Hopefully more of this will follow.

And here I entertained the thought that for Google the legislation was a form of regulatory capture.
It would seem that having to be GDPR compliant would dis-proportionally favor large companies with a lot of lawyers and engineers to implement the needed features company-wide.

If this is not working out for Google, perhaps it's because the business is fundamentally incompatible? But I have problems believing that. The outcome would be too good :-)

Honestly I think it favors more companies who just didn't do any shadow things with user data or just had not a business model built around it. If you were not one of those and maybe were already respecting the old eu privacy directive, being gdpr compliant is extremly easy and fast
> perhaps it's because the business is fundamentally incompatible?

After having read most of the GDPR, that's my conclusion: all advertising other than 1990's style bannering now needs per publisher, per user, opt-in for anything that does tracking or is personalized, where the default should be set to 'no', denying should be as easy as consenting, and refusing access is not a valid publisher response.

That means i.m.o. that using any form of modern advertising has become illegal under GDPR, unless you get users to consent in a compliant way, and I have seen just a few sites even try. I think Google is scrambling to understand that their business is now mostly illegal in EU.

I don't think that would mean that Google's business is fundamentally incompatible. If 90's-style bannering is the only thing that is allowed/feasible now, of all companies Google is in the best position to do that profitably.
I think the GP means ads need to be served 1st party. For this, Google would be out, imho.

If Google hosted the ads, how would they not collecting your browsing habits? It's the same as with the embedded Facebook Like, which is in the same ballpark.

Yes, I meant that too. First party ads next to search results are some of the most relevant and profitable you could serve without tracking, I think.
I didn't mean ads need to be served 1st party. I think GDPR does not prevent Google or anyone from hosting ads for their customers. Maybe it's hard to imagine, but it is really simple to host ads without tracking users... Google simply has to NOT DO it. And guarantee that in writing to the publisher.

Counting impressions and clicks are no problem, as long as no personal data is collected. But storing personally identifiable data for the click/impression (such as the full ip address, or advertising id in a cookie) needs consent. Unless you need (and only use it) to prevent fraud, which is a valid legitimate interest. Using it for (Re)marketing is not.

FWIW, Google blatantly ignores the GDPR and continues to track all users from the European Economic Area unless they opt out. If you log out of Google, clear all Google cookies, and visit https://adssettings.google.com/anonymous from the EEA, you'll find that "Ads Personalization on Google Search" is enabled by default and that the default state of "Ads Personalization Across the Web" is indiscernible.
It is not illegal to track users only if they opt out, by citing legitimate interest as the ground for processing not consent. That is how all privacy policy generators and lawyers handle google analytics, facebook pixel, even self hosted solutions like piwik/matomo. We will need to sit out what legimitate interests really mean, but at least in germany there are some state privacy agencies that put forth this approach where you allow to opt out.
While I think it may be easy to argue that use of Matomo is legitimate for the purposes of improving your service (and as a corollary, this can legitimately be outsourced), I think it is a stretch to conclude that it is legitimate for the third party to assemble a dossier of an individual by tracking them across multiple sites for which analytics are outsourced to the third party.

This seems obvious since the third party is not going to expose details about the data subjects use of the other sites so it cannot be of legitimate interest to the primary controller. If they did share such data with the primary controller, the privacy violation is so egregious it cannot hope to pass a balancing test to be considered legitimate.

So while something like piwik may be allowed to be opt out, I think google may be treading on thin ice.

I agree, and Google is probably well aware that they tread on thin ice and they will probably fight their version of legimitate interst up to the European Court of Justice.
I doubt that user tracking for personalized ads is a legitimate interest, especially in the case of Google search. Tracking users without consent also contradicts Google's own privavy policy. From https://policies.google.com/privacy?hl=en#enforcement

> For example, we ask for your consent to provide you with personalized services like ads.

No, they apparently don't.

Facebook too, one can't access feed or chat unless they accept the terms including broad spectrum tracking. Meanwhile FB happily handling all the personal information associated with the account. This is without going into the problem of shadow accounts.