Governance of privacy-preserving digital advertising systems?
Research works conducted in the previous two decades bore fruits. At many organisations or companies, privacy has become elevated in importance. One of such potentially recent developments in the discussion around the changes to the web platform that could support the work of privacy-preserving digital advertising systems, the design of which was at the center of some academic studies in the previous decade. At that time in the 2010s, privacy-preserving advertising frequently had a dedicated track on the many security and privacy conferences. No longer, the community considers this problem as “solved” and moved on.
Now, not exactly all of sudden, we have some hardware and software, mobile and web vendors interested in baking in privacy in their products and services. It’s a matter of trust: such vendors say something, and the public is expected to accept the proposals. We have seen this numerous times. We see this again in the case of a Google-touted proposal called Privacy Sandbox, an as-of-yet not finalised design stack of proposals that would promise to deliver a privacy-preserving online advertising system, so an ads systems with the support for privacy. The devil, as usual, is in the detail. And since we do not know the final proposal (the detail), refraining from final judgment seems sensible.
The reason why academic proposals for privacy-preserving online advertising systems did not deliver, was because they were not backed by anybody. An ads ecosystem is a huge construct, a work on such a monumental scale would be far from simple. I assume that ‘Privacy Sandbox’ is a proposal that might come closest to the realisation of actual privacy-preserving ads systems. It is then pertinent to think about how such a system is created, controlled, maintained, designed, and standardised. To come closer to such an understanding, I made an assessment of how standardisation ‘governance’ works in practice when it comes to web technologies. I considered how such a governance structure for ‘Privacy Sandbox’ could look like, and the paper is here.
Another interesting trend is the apparent convergence of privacy and competition. Or at least the tensions on the boundaries (1, 2). This is a complex problem set. While there are many security and privacy frameworks out there, much less is known about the technical meaning or implications of/for “competition”. It would be quite unfortunate if privacy and competition would be placed in an antagonistic fashion. Some people even claim that ‘privacy is being weaponized’. I disagree with such repulsive framing. We gradually considered that privacy should join security. That privacy should be included in the standard engineering, design, and strategy aspects. Let’s not treat privacy as a fearful feature.