3-15. [Diagram, built up one step per slide: the real-time bidding flow among Visitor, Site, Supply-side platform (SSP), Ad Exchange, Demand-side platform (DSP), Data management platform (DMP) and Marketer ($), divided into a “Demand side” and a “Supply side”.]
Flows, in the order the slides add them:
• Store data
• Request segment
• Deliver segment
• Request page
• Serve page
• Ad request
• Cookie to SSP
• Request bid (one or many)
• Request bid (10s or 100s or 1000s?)
• Deliver ad
• Sync
• Sync
22. Example
Vectaury: a small DSP/DMP/trading desk in France. €3.5M annual turnover in 2017 (though subsequently won a €20M investment).
23. French regulator caught it with 68 million illegal RTB records.
27. Is 68 million
just 30%?
Then this small company
was sent personal data
¼ BILLION times via RTB
(in just one year)
28-38. DATA LEAKAGE IN ONLINE ADVERTISING
This is the current process of real-time bidding that is used in online behavioural advertising.
[Diagram, built up one step per slide. Parties shown: website.com, Ad server (javascript), SSP (javascript), Ad exchange, MARKETERS, many DSPs, DMPs, Winning DSP (javascript), Winning bid, Agency ad server (javascript), CDN, Verification vendor (javascript), AD. Legend: Channel of data leakage; Money.]
Step 1. User requests webpage
Step 2. Ad server selects an SSP
Step 3. SSP selects an exchange
Step 4. Exchange sends bid requests to hundreds of partners
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync
Step 6. Exchange serves winning bid
Step 7. DSP serves agency creative
Step 8. Assets load from CDN
Step 9. Agency ad server loads verification vendor
43. The website this specific person is currently viewing
Various ID codes that identify this specific person, and can tie them to existing profiles
Distinctive characteristics of this specific person
This specific person’s IP address
Distinctive information about this specific person’s device
Distinctive information about this specific person’s device
This young woman’s GPS coordinates!
45. HUNDREDS OF BILLIONS OF RTB BID REQUESTS, EVERY DAY.
Leading RTB exchanges, daily bid request estimates
Index Exchange: 50 billion [ii]
OpenX: 60 billion+ [i]
Rubicon Project: Claims to reach 1 billion people’s devices [iii]
PubMatic: 70 billion+ [iv]
Oath/AOL: 90 billion [v]
AppNexus: 131 billion [vi]
Smaato: 214 billion [vii]
Google DoubleClick: Unknown, but live on 8.4 million websites.
i. “Tour IX’s Amsterdam and Frankfurt Data Centers”, Index Exchange, 2 July 2018 (URL: https://www.indexexchange.com/tour-ix-amsterdam-frankfurt-data-centers/).
ii. "OpenX Ad Exchange", OpenX (URL: https://www.openx.com/uk_en/products/ad-exchange/).
iii. “Buyers”, Rubicon Project, (URL: https://rubiconproject.com/buyers/).
iv. "How PubMatic Is Learning Machine Learning", PubMatic, 25 January 2019 (URL: https://pubmatic.com/blog/learning-machine-learning/)
v. "Maximize yield with Oath's publisher offerings", Oath, 3 April 2018 (URL: https://www.oath.com/insights/maximize-yield-with-oath-s-publisher-offerings/)
vi. 500 Billion / 29.6 = 18.6 billion impressions per day. Using AppNexus 1:11.5 ratio, this is 214 auctions per day. 500+ impressions figure cited in “Optimize your mobile strategy”, Smaato, (URL: https://www.smaato.com/).
vii. “Transacting at a peak of 11.4 billion daily impressions, our marketplace handles more traffic each day than Visa, Nasdaq, and the NYSE combined” at https://www.appnexus.com/sell. Note that in 2017, AppNexus said in “AppNexus Scales with DriveScale”, 2017, (URL: http://go.drivescale.com/rs/451-ESR-800/images/DRV_Case_Study_AppNexus-final.v1.pdf) that 10.7 billion "impressions transacted" came as a result of running 123 billion auctions. The impressions transacted to auctions ratio appears to be roughly 1:11.5. Therefore, the 11.4 daily impressions reported in 2018 equates to 131 billion auctions per day.
48. GDPR, Article 5 (1)
(f) processed in a manner that ensures
appropriate security of the personal data,
including protection against unauthorised or
unlawful processing and against accidental
loss, destruction or damage, using
appropriate technical or organisational
measures (‘integrity and confidentiality’).
53. Non-compliant GDPR consent (IAB “Framework”)
Consent notice text shown on the slide:
[Site] and our partners set cookies and collect information from your [browser] [device] to provide you with [website] content, deliver relevant advertising and understand [web] audiences. [View partner info]
We use technology such as cookies on our site to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our partners who also use technologies such as cookies to collect and use personal data to personalise content and ads, to provide social media features and to analyse our traffic on our site and across the internet. View info on our partners and their use of this data. You can always change your mind and revisit your choices.
Buttons: OK; Manage use of your data
Callouts:
• Appears to be hard to not give consent: breach of the GDPR, Article 4, paragraph 11, and Recital 42, and Recital 32.
• No mention of the duration for which data are stored: breach of the GDPR, Article 13, paragraph 2, a.
• No precise description of a purpose of processing, and no notification of profiling: breach of the GDPR, Article 4, paragraph 11, and Article 13, paragraph 1, c, and paragraph 2, f, and Recital 60.
• Conflation of multiple purposes: breach of the GDPR, Article 5, paragraph 1, b, Recital 32, and Recital 43.
54-55. Compliant: an opt-in for each processing purpose
Consent dialog text shown on the slide:
Help keep Example.com profitable
Learn about your data rights here.
Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.).
Toggle: OFF. Item 1 of 20. Next.
Viewing 2 of 251 partners:
• Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland (View details)
• Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany (View details)
Callouts:
• Purpose of processing, and notification of profiling: Article 4, paragraph 11, and Article 13, para 1, c, and para 2, f.
• Duration: Article 13, para 2, a.
• Granular opt-in for several purposes: Recital 32, and Article 29 Working Party Guidance November 2017.
• Details of rights to complain to supervisory authority, and to access, correct, and transfer data, etc.: Article 13, para 2, b, c, and d.
• Unambiguous, specific affirmative action. Not yes by default: Article 4, para 11, and Recital 32.
• Contact details of the data controller, and list of categories of processor: Article 13, para 1, a, and Recital 42.
56-57. Compliant: an opt-in for each processing purpose
Partner detail view shown on the slide:
Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany
Help keep Example.com profitable
Learn about your data rights here.
Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.).
Toggle: OFF. Item 1 of 9. Next. Back to list.
Your Rights & Safeguards: Data may be processed in the United States.
Contact: Data Protection Officer, Dr Sachiko Scheuing, datenschutz@acxiom.com, +49 89 857090
Callouts:
• Contact details of data protection officer: Article 13, para 1, b.
• Details of international transfers, and related safeguards and rights: Article 13, para 1, f.
58-61. Compliant: explicit consent for special categories of personal data
Consent dialog shown over four slides, with the toggle at OFF, OFF, CONFIRM? and ON:
Help keep Example.com profitable
Learn about your data rights here.
Let these companies combine your browsing habits for 6 months with data they already have collected about you to improve their profile of you, including by inferring insights, to show you relevant advertising. (This profile may include your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc.).
Item 1 of 20. Next.
Viewing 2 of 251 partners:
• Google Ltd., Gordon House, Barrow St, Dublin 4, Ireland (View details)
• Acxiom GmbH, Martin Behaim Strasse 12, 63263 Neu-Isenburg, Germany (View details)
Callouts:
• This design requires two tap / click / drag actions to signal consent explicitly.
• “Explicit consent” (to process special categories of data): Article 9, paragraph 2, a.
62. Compliant: explicit consent for special categories of personal data
Two tap / click / drag actions to signal “explicit consent”:
• Before First Action: OFF
• After First Action (click / tap): CONFIRM?
• After Second Action (click / tap): ON
63. Document: The EU’s proposed new cookie rules
Author: IAB Europe
Date: June 2017
65. Document: “Transparency & Consent Framework FAQ”
Author: IAB Europe
Date: 21 June 2018 (This is the current text, live today)
66. Document: “Authorized Buyers Program Guidelines”
Author: Google
Date: 22 August 2018 (This is the current text, live today)
67. Document: “Authorized Buyers Program Guidelines”
Author: Google
Date: 22 August 2018 (This is the current text, live today)
68. GDPR, Article 5 (1)
(f) processed in a manner that ensures
appropriate security of the personal data,
including protection against unauthorised or
unlawful processing and against accidental
loss, destruction or damage, using
appropriate technical or organisational
measures (‘integrity and confidentiality’).
71. European privacy regulators
are like ents:
Terrifying, once awoken.
73-80. How RTB data leakage supports untrustworthy websites
[Diagram, built up one step per slide. Shown: The Daily Bugle (€1 advertisement), De5troyTru5t.com (€0.01 advertisement), John.]
Step 1. User “John” visits The Daily Bugle
Step 2. Bid request broadcasts personal data about John
Step 3. 100s of companies in the ad auction can now re-identify John as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad to John
Step 5. Later, John visits a low quality website
Step 6. Bid request announces John is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to John
Worthy sites lose their unique audience, and feed a business model for the bottom of the Web.
81-87. How RTB enables fraudsters to steal from publishers and advertisers.
[Diagram, built up one step per slide. Shown: The Daily Bugle (€1 advertisement), De5troyTru5t.com (€0.01 advertisement), Bot, marked “Fake”.]
Step 1. A bot masquerading as a human visits The Daily Bugle
Step 2. Bid request broadcasts personal data about Bot
Step 3. 100s of companies in the ad auction can now re-identify Bot as a Daily Bugle reader
Step 4. The Daily Bugle is paid €1 to show ad
Step 5. Later, an untrustworthy website buys bot traffic
Step 6. Bid request announces Bot is here
Step 7. De5troyTru5t.com is paid €0.01 to show ad to Bot
94. Personal data in bid requests
• What you are reading, or watching, or listening to.
• Categories of the content.
• Unique pseudonymous ID.
• Unique ID matched to ad buyer’s existing profile of you.*
• Your location (can be your exact latitude and longitude).
• Granular description of your device.
• Unique tracking IDs / cookie match.
• Your IP address.*
• Data broker segment ID* when available.
*Depending on the version of “real time bidding” system
95. Non-Personal data in bid requests
• What you are reading, or watching, or listening to.
• Categories of the content.
• Your approximate location.
• General description of your device.
• Your approximate IP address.
• Impression ID for buyer transparency.
Person is in Etterbeek in Brussels. Reading an article about Tesla motors on TechCrunch. Using Safari on a Mac.
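The contrast between slides 94 and 95, as an added example that is not part of the original deck: a Python sketch that audits a bid request for the slide-94 personal data and reduces it to the slide-95 fields. Field names follow OpenRTB 2.x conventions, and the rounding precision, IP prefix lengths and sample request are constructed assumptions.

```python
import copy
import ipaddress

# Field names follow OpenRTB 2.x conventions (an assumption; the slides name no schema).
DEVICE_ALLOW = {"ua", "ip", "ipv6", "os", "devicetype", "geo"}  # general description only
GEO_ALLOW = {"lat", "lon", "country", "region", "city"}         # approximate location only
GEO_DECIMALS = 1              # assumption: one decimal place (~11 km) is "approximate"
IP_PREFIX = {4: 24, 6: 48}    # assumption: prefix length kept for an "approximate" IP
FAMILIES = ("Edge", "Firefox", "Chrome", "Safari", "Other")


def browser_family(ua):
    """Reduce a full User-Agent string to a browser family name."""
    # Order matters: Edge UAs contain "Chrome/", Chrome UAs contain "Safari/".
    for token, name in zip(("Edg/", "Firefox/", "Chrome/", "Safari/"), FAMILIES):
        if token in ua:
            return name
    return "Other"


def coarse_ip(addr):
    """Zero the host bits of an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{IP_PREFIX[ip.version]}", strict=False)
    return str(net.network_address)


def personal_fields(req):
    """List dotted paths of slide-94 style personal data present in a bid request."""
    found = [f"user.{k}" for k in req.get("user", {})]        # IDs, segments, traits
    dev = req.get("device", {})
    found += [f"device.{k}" for k in dev if k not in DEVICE_ALLOW]  # ifa, osv, model...
    if "ua" in dev and dev["ua"] not in FAMILIES:
        found.append("device.ua")                             # granular device string
    for key in ("ip", "ipv6"):
        if key in dev and dev[key] != coarse_ip(dev[key]):
            found.append(f"device.{key}")                     # full address
    geo = dev.get("geo", {})
    found += [f"device.geo.{k}" for k in geo if k not in GEO_ALLOW]
    for key in ("lat", "lon"):
        if key in geo and geo[key] != round(geo[key], GEO_DECIMALS):
            found.append(f"device.geo.{key}")                 # exact coordinates
    return found


def minimise(req):
    """Return a copy of req reduced to the slide-95 non-personal fields."""
    out = copy.deepcopy(req)
    out.pop("user", None)                                     # no IDs, no segments
    if "device" not in out:
        return out
    dev = {k: v for k, v in out["device"].items() if k in DEVICE_ALLOW}
    if "ua" in dev:
        dev["ua"] = browser_family(dev["ua"])
    for key in ("ip", "ipv6"):
        if key in dev:
            dev[key] = coarse_ip(dev[key])
    if "geo" in dev:
        geo = {k: v for k, v in dev["geo"].items() if k in GEO_ALLOW}
        for key in ("lat", "lon"):
            if key in geo:
                geo[key] = round(geo[key], GEO_DECIMALS)
        dev["geo"] = geo
    out["device"] = dev
    return out


# Constructed sample modelled on the slide-95 scenario; every value is made up.
SAMPLE = {
    "id": "auction-0001",
    "imp": [{"id": "1"}],
    "site": {"page": "https://techcrunch.com/constructed-tesla-article",
             "cat": ["IAB2"]},
    "device": {
        "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/12.0.3 Safari/605.1.15",
        "ip": "203.0.113.57", "os": "macOS", "osv": "10.14.3", "devicetype": 2,
        "ifa": "constructed-ifa-0000",
        "geo": {"lat": 50.8336, "lon": 4.3956, "country": "BEL",
                "city": "Brussels", "zip": "1040"},
    },
    "user": {"id": "constructed-user-id", "buyeruid": "constructed-buyer-uid",
             "data": [{"segment": [{"id": "constructed-segment"}]}]},
}

if __name__ == "__main__":
    print("personal data found:", personal_fields(SAMPLE))
    print("minimised request:", minimise(SAMPLE))
```

Running `personal_fields` on the output of `minimise` returns an empty list, which makes the pair usable as a pre-send check in a bid request pipeline.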
96. This Regulation applies to the processing of
personal data wholly or partly by automated means
and to the processing other than by automated
means of personal data which form part of a filing
system or are intended to form part of a filing
system.
-GDPR, Article 2 (1)
97. [Diagram: the complete real-time bidding flow among Visitor, Site, Supply-side platform (SSP), Ad Exchange, Demand-side platform (DSP), Data management platform (DMP) and Marketer ($), divided into a “Demand side” and a “Supply side”. Flows shown: Request page; Serve page; Ad request; Cookie to SSP; Request bid (one or many); Request bid (10s or 100s or 1000s?); Deliver ad; Sync; Sync; Request segment; Deliver segment; Store data.]
98. MARKET OVERVIEW (NOW)
PERSONAL DATA IN IAB / GOOGLE RTB
[Diagram with columns Buyer, Distribution, Seller. Chain shown: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.]
Callouts:
• Victims of massive fraud. 2019 estimates range from $5.7B (ANA) - $42B (Juniper Research).
• Extracts 70-55% of buyer’s media budget. 70% figure from the Guardian and Rubicon case in 2017. 55% figure from “The Programmatic Supply Chain: Deconstructing the Anatomy of a Programmatic CPM”, IAB, March 2016.
• Unique audience commodified and arbitraged.
• Untrustworthy sites business model enabled.
• Bot fraud boosted.
99. MARKET OVERVIEW (POST-FIX)
NON-PERSONAL DATA IN IAB / GOOGLE RTB
[Diagram with columns Buyer, Distribution, Seller. Chain shown: Marketer ($), DMP, DSP, Ad Exchange, SSP, Site.]
Callouts:
• Extracts much lower % of buyer’s media budget.
• Unique audience becomes immune to commodification and arbitrage.
• No opportunity for untrustworthy sites.
• Bot fraud reduced.
• Bot fraud opportunity reduced.
102. [Diagram: Fossil Fuel (N2O, CO2) beside Renewable Energy. Labels: Regulatory disincentive, DIRTY INDUSTRY; Regulatory incentive, CLEAN INDUSTRY.]
103. [Same diagram with a second row added: Ads (Conventional Data) beside Ads (Ethical Data). Labels: Personal data; Non-personal data; Regulatory disincentive, DIRTY INDUSTRY; Regulatory incentive, CLEAN INDUSTRY.]
104. [Same diagram with a further item added: Ads (Ethical Data), Personal data (protected & lawful), shown with Classic Cars.]
106. Ring-fenced data. Each purpose for which you use my personal data requires a separate legal basis
Purpose limitation
As easy to withdraw as it was to give, and can be withdrawn without detriment.
Consent+ = Freedom
The market of users will decide when to “break up” the companies, and when to “un-break” them up.
Big tech companies “cross-use” personal user data from one part of their business to prop up others. This stifles competition and innovation.
But, data protection law can be an anti-trust tool…
108. “Purposes” when you post on the Newsfeed
1. To display your posts on your Newsfeed
2. To display posts on tagged friends’ Newsfeeds
3. To display friends’ posts that tag you on your Newsfeed
4. To identify untagged people in your posts
5. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, to make our Newsfeed more relevant to you.
6. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, to make ads relevant to you.
7. To record your reaction to posts to refine future content for you, which may include ethnicity, politics, sexuality, etc…, for advertising fraud prevention.
109. Facebook is Hal 9000.
Its users are Dave.
110. GDPR emerging as de facto standard for 51% of global GDP
[Chart. Legend: US FIPPs; EU GDPR.]
European Union [1]: 21%
China [2]: 15%
Japan [3]: 6%
India [3]: 3%
Brazil [4]: 3%
South Korea [5]: 2%
Argentina [6]: 1%
1 General Data Protection Regulation (2016)
2 Personal Information Security Specification (2017)
3 Act on the Protection of Personal Information
3 Personal Data Protection Bill
4 General Data Protection Act (2017)
5 Personal Information Protection Act (2011)
6 Draft Data Protection Act
7 California Consumer Protection Act (2018)
111. johnny@brave.com
@johnnyryan
For updates, sign up to Brave Insights, a mailing list for analysts,
researchers, and regulators at
https://brave.us18.list-manage.com/subscribe?u=e38d85b519352e2b40c9b899e&id=4384bd4cba