RTB
€13B in Europe
$19.6B in US
[Diagram, built up over successive slides: the RTB data flow]
Parties, from “Demand side” to “Supply side”: Marketer ($), Data management platform (DMP), Demand-side platform (DSP), Ad Exchange, Supply-side platform (SSP), Site, Visitor.
Flows, in the order the slides add them: Store data; Request segment; Deliver segment; Request page; Serve page; Ad request; Cookie to SSP; Request bid; Request bid; Deliver ad; Sync; Sync.
Counts noted on the diagram: (one or many); (10s or 100s or 1000s?)
[Diagram, built up over successive slides. Labels: The Daily Bugle; four Exchanges; many DSPs; ADVERTISEMENT; a growing number of “?” marks.]
Example
Vectaury: a small DSP/DMP/trading desk in France. €3.5M annual turnover in 2017 (though subsequently won a €20M investment).
French regulator caught it with 68 million illegal RTB records.
Is 68 million just 30%?
Then this small company was sent personal data ¼ BILLION times via RTB (in just one year)
DATA LEAKAGE IN ONLINE ADVERTISING
This is the current process of real-time bidding that is used in online behavioural advertising.
Legend: Channel of data leakage; Money.
Step 1. User requests webpage
Step 2. Ad server selects an SSP
Step 3. SSP selects an exchange
Step 4. Exchange sends bid requests to hundreds of partners
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync
Step 6. Exchange serves winning bid
Step 7. DSP serves agency creative
Step 8. Assets load from CDN
Step 9. Agency ad server loads verification vendor
[Diagram labels, built up over successive slides: website.com; Ad server; Ad server javascript; SSP; SSP javascript; Ad exchange; MARKETERS; many DSPs; DMPs; Winning bid; Winning DSP; javascript; Agency ad server; CDN; AD; Verification vendor; Verification javascript.]
WHAT’S IN A BID REQUEST?
IAB OpenRTB; Google Authorized Buyers
• The website this specific person is currently viewing
• Various ID codes that identify this specific person, and can tie them to existing profiles
• Distinctive characteristics of this specific person
• This specific person’s IP address
• Distinctive information about this specific person’s device
• This young woman’s GPS coordinates!
HUNDREDS OF BILLIONS OF RTB BID REQUESTS, EVERY DAY.
Leading RTB exchanges, daily bid request estimates
Index Exchange: 50 billion (ii)
OpenX: 60 billion+ (i)
Rubicon Project: Claims to reach 1 billion people’s devices (iii)
PubMatic: 70 billion+ (iv)
Oath/AOL: 90 billion (v)
AppNexus: 131 billion (vi)
Smaato: 214 billion (vii)
Google DoubleClick: Unknown, but live on 8.4 million websites.

i. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/).
ii. “OpenX Ad Exchange”, OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/).
iii. “Buyers”, Rubicon Project (URL: https://rubiconproject.com/buyers/).
iv. “How PubMatic Is Learning Machine Learning”, PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/).
v. “Maximize yield with Oath's publisher offerings”, Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/).
vi. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato (URL: https://www.smaato.com/).
vii. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https://www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017 (URL: http://go.drivescale.com/rs/451-ESR-800/images/DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion “impressions transacted” came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day.
“broadcast”
Everybody can be profiled
GDPR, Article 5 (1)
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
WITHOUT SECURITY, TRANSPARENCY & ACCOUNTABILITY ARE IMPOSSIBLE.
EVERY ONLINE PERSON CAN BE PROFILED
Consent
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Non-compliant GDPR consent (IAB Europe website)
[Site] and our partners set cookies and collect information from your [browser] [device] to provide you with [website] content, deliver relevant advertising and understand [web] audiences. [View partner info]

We use technology such as cookies on our site to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our partners who also use technologies such as cookies to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic on our site and across the internet. View info on our partners and their use of this data. You can always change your mind and revisit your choices.
[OK] [Manage use of your data]

• Appears to be hard to not give consent: breach of the GDPR, Article 4, paragraph 11, and Recital 42, and Recital 32
• No mention of the duration for which data are stored: breach of the GDPR, Article 13, paragraph 2, a
• No precise description of a purpose of processing, and no notification of profiling: breach of the GDPR, Article 4, paragraph 11, and Article 13, paragraph 1, c, and paragraph 2, f, and Recital 60
• Conflation of multiple purposes: breach of the GDPR, Article 5, paragraph 1, b, Recital 32, and Recital 43.
Non-compliant GDPR consent (IAB “Framework”)
[Mock-up of a consent dialog]
Help keep Example.com profitable
Learn about your data rights here.
[OFF] Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.).
Item 1 of 20 [Next]
Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland [View details]
Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany [View details]
Viewing 2 of 251 partners

• Purpose of processing, and notification of profiling. Article 4, paragraph 11, and Article 13, para 1, c, and para 2, f.
• Duration. Article 13, para 2, a.
• Granular opt-in for several purposes. Recital 32, and Article 29 Working Party Guidance November 2017
• Details of rights to complain to supervisory authority, and to access, correct, and transfer data, etc. Article 13, para 2, b, c, and d.
• Unambiguous, specific affirmative action. Not yes by default. Article 4, para 11, and Recital 32.
• Contact details of the data controller, and list of categories of processor. Article 13, para 1, a, and Recital 42.
Compliant: an opt-in for each processing purpose
[Mock-up of the detail view for one partner]
Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany
Help keep Example.com profitable
Learn about your data rights here.
[OFF] Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.).
Your Rights & Safeguards: Data may be processed in the United States.
Contact: Data Protection Officer, Dr Sachiko Scheuing, datenschutz@acxiom.com, +49 89 857090
[Back to list] Item 1 of 9 [Next]

• Contact details of data protection officer. Article 13, para 1, b.
• Details of international transfers, and related safeguards and rights. Article 13, para 1, f.
Compliant: an opt-in for each processing purpose
[Mock-up, built up over successive slides: the same consent dialog (Example.com, Item 1 of 20, Google Ltd. and Acxiom GmbH, viewing 2 of 251 partners), with the toggle shown in three states]
• This design requires two tap / click / drag actions to signal consent explicitly
• “Explicit consent” (to process special categories of data). Article 9, paragraph 2, a.
Toggle states:
OFF: Before First Action
CONFIRM?: After First Action (click / tap)
ON: After Second Action (click / tap)
Two tap / click / drag actions to signal “explicit consent”
Compliant: explicit consent for special categories of personal data
Document: The EU’s proposed new cookie rules 

Author: IAB Europe
Date: June 2017
Document: Pubvendors.json
Author: IAB Tech Lab
Date: May 2018 (This is the current text, live today)
Document: “Transparency & Consent Framework FAQ” 

Author: IAB Europe
Date: 21 June 2018 (This is the current text, live today)
Document: “Authorized Buyers Program Guidelines” 

Author: Google
Date: 22 August 2018 (This is the current text, live today)
European privacy regulators
are like ents:
Terrifying, once awoken.
MARKET
CRISIS
How RTB data leakage supports untrustworthy websites
Step 1. User “John” visits The Daily Bugle
Step 2. Bid request broadcasts personal data about John
Step 3. 100s of companies in the ad auction can now re-identify John as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad to John
Step 5. Later, John visits a low quality website
Step 6. Bid request announces John is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to John
Worthy sites lose their unique audience, and feed a business model for the bottom of the Web.
[Diagram labels, built up over successive slides: John; The Daily Bugle; €1 advertisement; De5troyTru5t.com; €0.01 advertisement.]
How RTB enables fraudsters to steal from publishers and advertisers.
Step 1. A bot masquerading as a human visits The Daily Bugle
Step 2. Bid request broadcasts personal data about Bot
Step 3. 100s of companies in the ad auction can now re-identify Bot as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad
Step 5. Later, an untrustworthy website buys bot traffic
Step 6. Bid request announces Bot is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to Bot
[Diagram labels, built up over successive slides: Bot; The Daily Bugle; €1 advertisement; De5troyTru5t.com; €0.01 advertisement; “Fake”.]
THE STARVATION
OF THE WORTHY
PUBLISHER.
INNOVATION
[Diagram, built up over successive slides. Labels: Conventional; “Broadcast” Behavioral; “Local” Behavioral; Safe data; Faraday.]
Personal data in bid requests
• What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.*
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Your IP address.*
• Data broker segment ID* when available.
*Depending on the version of “real time bidding” system
Non-Personal data in bid requests
• What you are reading, or watching, or listening to.
• Categories of the content.
• Your approximate location.
• General description of your device.
• Your approximate IP address.
• Impression ID for buyer transparency.
Person is in Etterbeek in Brussels. Reading an article about Tesla motors on TechCrunch. Using Safari on a Mac.
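The contrast between the two lists above, as an added example that is not part of the original slides: a Python allow-list filter that rewrites a bid request so that only the non-personal fields remain, plus an audit helper that reports which personal fields a request still carries. Field names follow the OpenRTB 2.x object model; the sample request, the `device.ext.browser` key, the /24 and /48 IP truncation and the query-string stripping are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in OpenRTB 2.x shape; every value is invented.
SAMPLE = json.loads("""
{
  "id": "req-0001",
  "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
  "site": {"domain": "publisher.example",
           "page": "https://publisher.example/tesla-article?uid=abc123",
           "cat": ["IAB2"]},
  "device": {"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15",
             "ip": "203.0.113.87", "ifa": "00000000-0000-4000-8000-000000000001",
             "os": "macOS", "osv": "10.14.3", "model": "MacBookPro15,1",
             "geo": {"lat": 50.836712, "lon": 4.389145,
                     "city": "Etterbeek", "country": "BEL"}},
  "user": {"id": "ssp-user-7f3a", "buyeruid": "dsp-match-91c2",
           "data": [{"name": "broker.example", "segment": [{"id": "seg-123"}]}]}
}
""")

# Where the personal data listed on the slide lives in a bid request.
PERSONAL_PATHS = [
    ("user", "id"), ("user", "buyeruid"), ("user", "data"),
    ("user", "yob"), ("user", "gender"),
    ("device", "ifa"), ("device", "ip"), ("device", "ipv6"), ("device", "ua"),
    ("device", "model"), ("device", "osv"),
    ("device", "geo", "lat"), ("device", "geo", "lon"),
]


def _get(obj, path):
    """Follow a key path through nested dicts; None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def coarse_ip(ip):
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def browser_family(ua):
    """General device description only. Order matters: Chrome and Edge
    user agents also contain the token "Safari/"."""
    for token, name in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                        ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if token in ua:
            return name
    return "Other"


def find_personal_fields(req):
    """Audit helper: dotted paths of personal data still present."""
    found = []
    for path in PERSONAL_PATHS:
        value = _get(req, path)
        if value is None:
            continue
        if path[-1] in ("ip", "ipv6") and value == coarse_ip(value):
            continue  # already truncated to a network prefix
        found.append(".".join(path))
    return found


def minimise_bid_request(req):
    """Build a new request from an allow-list, so unknown or newly added
    identifier fields are dropped by default rather than passed through."""
    site, device = req.get("site", {}), req.get("device", {})
    geo = device.get("geo", {})
    out = {"id": req["id"],
           "imp": [{k: i[k] for k in ("id", "banner", "video") if k in i}
                   for i in req.get("imp", [])],
           "site": {k: site[k] for k in ("domain", "cat") if k in site}}
    if "page" in site:
        # Assumption: query strings and fragments can carry identifiers.
        u = urlsplit(site["page"])
        out["site"]["page"] = urlunsplit((u.scheme, u.netloc, u.path, "", ""))
    dev = {k: device[k] for k in ("os", "devicetype") if k in device}
    if "ua" in device:
        dev["ext"] = {"browser": browser_family(device["ua"])}  # hypothetical key
    for key in ("ip", "ipv6"):
        if key in device:
            dev[key] = coarse_ip(device[key])
    place = {k: geo[k] for k in ("country", "region", "city") if k in geo}
    if place:
        dev["geo"] = place
    out["device"] = dev
    return out  # deliberately no "user" object


if __name__ == "__main__":
    print("before:", find_personal_fields(SAMPLE))
    print("after: ", find_personal_fields(minimise_bid_request(SAMPLE)))
    print(json.dumps(minimise_bid_request(SAMPLE), indent=2))
```

Running `find_personal_fields` over captured bid requests before and after a filter of this kind gives a quick check that no identifier field has slipped through.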
This Regulation applies to the processing of
personal data wholly or partly by automated means
and to the processing other than by automated
means of personal data which form part of a filing
system or are intended to form part of a filing
system.
-GDPR, Article 2 (1)
MARKET OVERVIEW (NOW)
PERSONAL DATA IN IAB / GOOGLE RTB
Chain, buyer to seller: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.
Columns: Buyer; Distribution; Seller.
Victims of massive fraud. 2019 estimates range from $5.7B (ANA) - $42B (Juniper Research).
Extracts 70-55% of buyer’s media budget. 70% figure from the Guardian and Rubicon case in 2017. 55% figure from “The Programmatic Supply Chain: Deconstructing the Anatomy of a Programmatic CPM”, IAB, March 2016.
Unique audience commodified and arbitraged.
Untrustworthy sites business model enabled.
Bot fraud boosted.
MARKET OVERVIEW (POST-FIX)
NON-PERSONAL DATA IN IAB / GOOGLE RTB
Chain, buyer to seller: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.
Columns: Buyer; Distribution; Seller.
Extracts much lower % of buyer’s media budget.
Unique audience becomes immune to commodification and arbitrage.
No opportunity for untrustworthy sites.
Bot fraud reduced.
Bot fraud opportunity reduced.
[Diagram, built up over successive slides: an energy analogy for advertising data. Labels: DIRTY INDUSTRY (Regulatory disincentive); CLEAN INDUSTRY (Regulatory incentive); Fossil Fuel; Renewable Energy; N2O; CO2; Ads (Conventional Data); Ads (Ethical Data); Personal data; Non-personal data; Classic Cars; Personal data (protected & lawful).]
Cascading monopolies
Ring-fenced data. Each purpose for which you use my personal data requires a separate legal basis
Purpose limitation
As easy to withdraw as it was to give, and can be withdrawn without detriment.
Consent+ = Freedom
The market of users will decide when to “break up” the companies, and when to “un-break” them up.
Big tech companies “cross-use” personal user data from one part of their business to prop up others. This stifles competition and innovation.
But, data protection law can be an anti-trust tool…
EXAMPLE
1. To display your posts on your Newsfeed
2. To display posts on tagged friends’ Newsfeeds
3. To display friends’ posts that tag you on your Newsfeed
4. To identify untagged people in your posts
5. To record your reaction to posts to refine future content for you, which may
include ethnicity, politics, sexuality, etc…, to make our Newsfeed more
relevant to you.
6. To record your reaction to posts to refine future content for you, which may
include ethnicity, politics, sexuality, etc…, to make ads relevant to you.
7. To record your reaction to posts to refine future content for you, which may
include ethnicity, politics, sexuality, etc…, for advertising fraud prevention.
“Purposes” when you post on the Newsfeed
Facebook is Hal 9000.
Its users are Dave.
GDPR emerging as de facto standard for 51% of global GDP
Share of global GDP, with the data protection law cited for each:
European Union: 21%. General Data Protection Regulation (2016)
China: 15%. Personal Information Security Specification (2017)
Japan: 6%. Act on the Protection of Personal Information
India: 3%. Personal Data Protection Bill
Brazil: 3%. General Data Protection Act (2017)
South Korea: 2%. Personal Information Protection Act (2011)
Argentina: 1%. Draft Data Protection Act
Also listed: California Consumer Protection Act (2018)
US FIPPs
EU GDPR
johnny@brave.com
@johnnyryan
For updates, sign up to Brave Insights, a mailing list for analysts,
researchers, and regulators at
https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba

Presentation to FTC technology taskforce

    Example Vectaury: a small DSP/DMP/trading desk in France. €3.5M annual turnover in 2017 (though subsequently won a €20M investment).
  • 23.
    French regulator caught it with 68 million illegal RTB records.
  • 27.
    Is 68 million just 30%? Then this small company was sent personal data ¼ BILLION times via RTB (in just one year)
  • 38.
    DATA LEAKAGE IN ONLINE ADVERTISING
    This is the current process of real-time bidding that is used in online behavioural advertising.
    Step 1. User requests webpage
    Step 2. Ad server selects an SSP
    Step 3. SSP selects an exchange
    Step 4. Exchange sends bid requests to hundreds of partners
    Step 5. Exchange lets some DMPs/DSPs refresh cookie sync
    Step 6. Exchange serves winning bid
    Step 7. DSP serves agency creative
    Step 8. Assets load from CDN
    Step 9. Agency ad server loads verification vendor
    [Diagram, built up over slides 28 to 38. Labels: website.com, Ad server, SSP, Ad exchange, DSP (many), DMP, MARKETERS, Winning bid, Winning DSP, Agency ad server, CDN, Verification vendor, AD; javascript from the ad server, SSP, DSP and verification vendor. Legend: Channel of data leakage; Money.]
  • 40.
    IAB OpenRTB; Google Authorized Buyers
  • 43.
    • The website this specific person is currently viewing
    • Various ID codes that identify this specific person, and can tie them to existing profiles
    • Distinctive characteristics of this specific person
    • This specific person’s IP address
    • Distinctive information about this specific person’s device
    • This young woman’s GPS coordinates!
  • 45.
    HUNDREDS OF BILLIONS OF RTB BID REQUESTS, EVERY DAY.
    Leading RTB exchanges, daily bid request estimates:
    Index Exchange: 50 billion [ii]
    OpenX: 60 billion+ [i]
    Rubicon Project: Claims to reach 1 billion people’s devices [iii]
    PubMatic: 70 billion+ [iv]
    Oath/AOL: 90 billion [v]
    AppNexus: 131 billion [vi]
    Smaato: 214 billion [vii]
    Google DoubleClick: Unknown, but live on 8.4 million websites.
    i. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/).
    ii. "OpenX Ad Exchange", OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/).
    iii. “Buyers”, Rubicon Project, (URL: https://rubiconproject.com/buyers/).
    iv. "How PubMatic Is Learning Machine Learning", PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/)
    v. "Maximize yield with Oath's publisher offerings", Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/)
    vi. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato, (URL: https://www.smaato.com/).
    vii. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https://www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017, (URL: http://go.drivescale.com/rs/451-ESR-800/images/DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day.
  • 48.
    GDPR, Article 5(1)(f): processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  • 51.
    Consent: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • 52.
    Non-compliant GDPR consent (IAB Europe website)
  • 53.
    Non-compliant GDPR consent (IAB “Framework”)
    Notice text: [Site] and our partners set cookies and collect information from your [browser] [device] to provide you with [website] content, deliver relevant advertising and understand [web] audiences. [View partner info]
    Notice text: We use technology such as cookies on our site to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our partners who also use technologies such as cookies to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic on our site and across the internet. View info on our partners and their use of this data. You can always change your mind and revisit your choices. [OK] [Manage use of your data]
    • Appears to be hard to not give consent: breach of the GDPR, Article 4, paragraph 11, and Recital 42, and Recital 32.
    • No mention of the duration for which data are stored: breach of the GDPR, Article 13, paragraph 2, a.
    • No precise description of a purpose of processing, and no notification of profiling: breach of the GDPR, Article 4, paragraph 11, and Article 13, paragraph 1, c, and paragraph 2, f, and Recital 60.
    • Conflation of multiple purposes: breach of the GDPR, Article 5, paragraph 1, b, Recital 32, and Recital 43.
  • 54.
    Compliant: an opt-in for each processing purpose
    Dialogue text: Help keep Example.com profitable. Learn about your data rights here. [OFF] Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.). Item 1 of 20. Next. Viewing 2 of 251 partners: Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland (View details); Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany (View details).
    • Purpose of processing, and notification of profiling. Article 4, paragraph 11, and Article 13, para 1, c, and para 2, f.
    • Duration. Article 13, para 2, a.
    • Granular opt-in for several purposes. Recital 32, and Article 29 Working Party Guidance November 2017.
    • Details of rights to complain to supervisory authority, and to access, correct, and transfer data, etc. Article 13, para 2, b, c, and d.
    • Unambiguous, specific affirmative action. Not yes by default. Article 4, para 11, and Recital 32.
    • Contact details of the data controller, and list of categories of processor. Article 13, para 1, a, and Recital 42.
  • 56.
    Compliant: an opt-in for each processing purpose
    Dialogue text: Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany. Help keep Example.com profitable. Learn about your data rights here. [OFF] Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.). Your Rights & Safeguards: Data may be processed in the United States. Data Protection Officer: Dr Sachiko Scheuing, datenschutz@acxiom.com, +49 89 857090. Contact. Back to list. Item 1 of 9. Next.
    • Contact details of data protection officer. Article 13, para 1, b.
    • Details of international transfers, and related safeguards and rights. Article 13, para 1, f.
  • 58.
    Compliant: explicit consent for special categories of personal data
    Dialogue text: Help keep Example.com profitable. Learn about your data rights here. [OFF] Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.). Item 1 of 20. Next. Viewing 2 of 251 partners: Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland (View details); Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany (View details).
    This design requires two tap / click / drag actions to signal consent explicitly.
    “Explicit consent” (to process special categories of data): Article 9, paragraph 2, a.
    Toggle state across slides 58 to 61: OFF, then CONFIRM?, then ON.
  • 62.
    Two tap / click / drag actions to signal “explicit consent”: OFF (before first action), click / tap, CONFIRM? (after first action), click / tap, ON (after second action).
    Compliant: explicit consent for special categories of personal data
  • 63.
    Document: The EU’s proposed new cookie rules. Author: IAB Europe. Date: June 2017
  • 64.
    Document: Pubvendors.json. Author: IAB Tech Lab. Date: May 2018 (This is the current text, live today)
  • 65.
    Document: “Transparency & Consent Framework FAQ”. Author: IAB Europe. Date: 21 June 2018 (This is the current text, live today)
  • 66.
    Document: “Authorized Buyers Program Guidelines”. Author: Google. Date: 22 August 2018 (This is the current text, live today)
  • 71.
    European privacy regulators are like ents: Terrifying, once awoken.
  • 80.
    How RTB data leakage supports untrustworthy websites
    Step 1. User “John” visits The Daily Bugle
    Step 2. Bid request broadcasts personal data about John
    Step 3. 100s of companies in the ad auction can now re-identify John as a Daily Bugle reader
    Step 4. The Daily Bugle is paid €1 to show ad to John
    Step 5. Later, John visits a low quality website (De5troyTru5t.com)
    Step 6. Bid request announces John is here
    Step 7. De5troyTru5t.com is paid €0.01 to show ad to John
    Worthy sites lose their unique audience, and feed a business model for the bottom of the Web.
    [Diagram, built up over slides 73 to 80. Labels: The Daily Bugle, De5troyTru5t.com, John, €1 advertisement, €0.01 advertisement.]
  • 87.
    How RTB enables fraudsters to steal from publishers and advertisers.
    Step 1. A bot masquerading as a human visits The Daily Bugle
    Step 2. Bid request broadcasts personal data about Bot
    Step 3. 100s of companies in the ad auction can now re-identify Bot as a Daily Bugle reader
    Step 4. The Daily Bugle is paid €1 to show ad
    Step 5. Later, an untrustworthy website (De5troyTru5t.com) buys bot traffic
    Step 6. Bid request announces Bot is here
    Step 7. De5troyTru5t.com is paid €0.01 to show ad to Bot
    [Diagram, built up over slides 81 to 87. Labels: The Daily Bugle, De5troyTru5t.com, Bot, Fake, €1 advertisement, €0.01 advertisement.]
  • 88.
    THE STARVATION OF THE WORTHY PUBLISHER.
  • 94.
    Personal data in bid requests
    • What you are reading, or watching, or listening to.
    • Categories of the content.
    • Unique pseudonymous ID.
    • Unique ID matched to ad buyer’s existing profile of you.*
    • Your location (can be your exact latitude and longitude).
    • Granular description of your device.
    • Unique tracking IDs / cookie match.
    • Your IP address.*
    • Data broker segment ID* when available.
    *Depending on the version of “real time bidding” system
  • 95.
    Non-Personal data in bid requests
    • What you are reading, or watching, or listening to.
    • Categories of the content.
    • Your approximate location.
    • General description of your device.
    • Your approximate IP address.
    • Impression ID for buyer transparency.
    Person is in Etterbeek in Brussels. Reading an article about Tesla motors on TechCrunch. Using Safari on a Mac.
  • 96.
    This Regulation appliesto the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. -GDPR, Article 2 (1)
  • 97.
    [Diagram: RTB data flow between “Demand side” and “Supply side”. Parties: Visitor, Site, Supply-side platform (SSP), Ad Exchange, Demand-side platform (DSP), Data management platform (DMP), Marketer ($). Flows: Request page, Serve page, Ad request, Cookie to SSP, Request bid, Request segment, Deliver segment, Store data, Sync, Deliver ad. Annotations: (one or many); (10s or 100s or 1000s?).]
  • 98.
    MARKET OVERVIEW (NOW)
    PERSONAL DATA IN IAB / GOOGLE RTB
    Chain: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.
    Columns: Buyer; Distribution; Seller.
    Extracts 70-55% of buyer’s media budget.
    Unique audience commodified and arbitraged. Untrustworthy sites business model enabled. Bot fraud boosted.
    Victims of massive fraud. 2019 estimates range from $5.7B (ANA) - $42B (Juniper Research).
    70% figure from the Guardian and Rubicon case in 2017. 55% figure from “The Programmatic Supply Chain: Deconstructing the Anatomy of a Programmatic CPM”, IAB, March 2016.
  • 99.
    MARKET OVERVIEW (POST-FIX)
    NON-PERSONAL DATA IN IAB / GOOGLE RTB
    Chain: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.
    Columns: Buyer; Distribution; Seller.
    Extracts much lower % of buyer’s media budget.
    Unique audience becomes immune to commodification and arbitrage. No opportunity for untrustworthy sites. Bot fraud reduced.
    Bot fraud opportunity reduced.
  • 101.
  • 102.
    [Diagram: Regulatory disincentive: DIRTY INDUSTRY. Regulatory incentive: CLEAN INDUSTRY. Labels: Fossil Fuel, Renewable Energy, N2O, CO2.]
  • 103.
    [Diagram: Regulatory disincentive: DIRTY INDUSTRY. Regulatory incentive: CLEAN INDUSTRY. Labels: Ads (Conventional Data), Ads (Ethical Data), Personal data, Non-personal data, Fossil Fuel, Renewable Energy, N2O, CO2.]
  • 104.
    [Diagram: Regulatory disincentive: DIRTY INDUSTRY. Regulatory incentive: CLEAN INDUSTRY. Labels: Ads (Conventional Data), Ads (Ethical Data), Ads (Ethical Data) with Personal data (protected & lawful), Classic Cars, Personal data, Non-personal data, Fossil Fuel, Renewable Energy, N2O, CO2.]
  • 105.
  • 106.
    Big tech companies “cross-use” personal user data from one part of their business to prop up others. This stifles competition and innovation. But, data protection law can be an anti-trust tool…
    Purpose limitation: Ring-fenced data. Each purpose for which you use my personal data requires a separate legal basis.
    Consent: As easy to withdraw as it was to give, and can be withdrawn without detriment.
    Purpose limitation + Consent = Freedom: The market of users will decide when to “break up” the companies, and when to “un-break” them up.
  • 107.
  • 108.
    “Purposes” when you post on the Newsfeed
      1. To display your posts on your Newsfeed
      2. To display posts on tagged friends’ Newsfeeds
      3. To display friends’ posts that tag you on your Newsfeed
      4. To identify untagged people in your posts
      5. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, to make our Newsfeed more relevant to you.
      6. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, to make ads relevant to you.
      7. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, for advertising fraud prevention.
  • 109.
    Facebook is Hal 9000. Its users are Dave.
  • 110.
    GDPR emerging as de facto standard for 51% of global GDP
      • European Union: 21% (General Data Protection Regulation, 2016)
      • China: 15% (Personal Information Security Specification, 2017)
      • Japan: 6% (Act on the Protection of Personal Information)
      • India: 3% (Personal Data Protection Bill)
      • Brazil: 3% (General Data Protection Act, 2017)
      • South Korea: 2% (Personal Information Protection Act, 2011)
      • Argentina: 1% (Draft Data Protection Act)
    Also listed: California Consumer Protection Act (2018).
    Diagram labels: US FIPPs; EU GDPR.
  • 111.
    johnny@brave.com @johnnyryan For updates, sign up to Brave Insights, a mailing list for analysts, researchers, and regulators, at https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba