Web advertising moving towards privacy - is it possible? Six issues to consider

In 2016 I argued that 2017 will be the year of privacy. It was but we did not stop there. We are still in the cycle of transforming technologies into processes with privacy in mind. This process will take time. We are far from the end. Some like it and embrace the changes. Others perhaps less so or they choose to wait. But it’s moving.

It so happens that for many years web advertising garnered significant interest, worries, and controversy due to the incurred privacy footprint. These days and in this world, to run web ads over novel technology-driven channels (like websites, mobile, TVs, etc.) requires complex infrastructures and involves the significant processing of user data. Often, the user's private data. Such an environment led to backlash. Many research works were devoted to studying the risks, harms, and issues related to web advertising. The interest of the press followed. Privacy issues in web advertising is a big topic (and a problem) but at least some of the actors involved in web advertisement might slowly be starting to realize the problems, understanding that the changes (both evolutionary and revolutionary) are imminent.

The initial drivers of the change

At first, this was about users increasingly blocking web ads. Today it’s mostly because of changes (either done or planned) in web browsers. For example, the looming demise of third-party cookies, the primary vehicle used for tracking the users across sites to link/understand the actions that the users take. It so happens that most web browsers today already block third-party cookies, with the biggest web browser vendor Chrome saying they may do the same eventually. This subtle change leads to the inability of having visibility into what the user is doing/likes to understand what they may or may not be interested in, and has many subtle consequences. Fast forward and focusing on the end-user impacts, this may mean a room for more privacy-friendly designs of ads infrastructure (subject to the choices made).

I am closely paying attention. What’s already clear is that for the first time since I’m analyzing the ecosystem (so well more than a decade!), we may be seeing serious opportunities to ameliorate the status of web privacy at a scale. With the use of the many new web browser technologies or other changes, assuming the receptive attitude of actors traditionally involved in the processing of user’s private data in the web ads ecosystem.

I was among the firsts who studied the privacy and transparency issues of Real-Time bidding (Analysis 1, Analysis 2), including having identified also their high-level risks (technological soft influence on elections). I very much understand the complex landscape and potential for misuses/abuses, or actual harms. Can we do better, though?

Below I list six points giving reasons/ideas / of why/how the changes are needed, and why they may be possible. Arriving there may not be simple. But one thing is for sure - both specialized and broad knowledge and insight may be the key to navigation.

  1. Web ads infrastructures are by many perceived as putting a heavy toll on user’s privacy in general. While one obvious option is to block it all completely, for many this might not be suitable, and the issue is still not going away anyway. Focusing on the improvement of the landscape, there still is a need for a privacy-friendly approach. These evolutions should be real, rather than limited to PR/talks.
  2. To even hope for improvement, some prerequisites need to be met. First, we need to understand the issue and its gravity. We do. Second, web browsers must be on board with an intent to do something. They are. Third, web architecture should be open for changes. It appears that it is, as evidenced also by the many interesting web specification proposals considered these days. From a pure research point of view, this is great because some old concepts may  gain traction (they always needed web architecture/browser changes, in the absence of these, many old proposals quite simply were publishable, but rather never practical enough to work in reality, for example, who would ever consider having a specialized coprocessor for this task?). From a strategic and business points of view - one must tread carefully. Assuming a desire to seek a pragmatic approach in these fluid times, who has the right lantern in the dark tunnels?
  3. Any changes must be well considered, including the technology, the business, or even the communication aspects. So many times I see badly communicated privacy changes. The odd ones include announcements done in ways that did not invite confidence, or even credibility, by the ways these are introduced. This is difficult to understand.
  4. Is Privacy by Design for web ads even possible? Privacy by Design approach is always scoped and aligned towards specific applications. So I say yes, some of this design pattern can and should be applied (in case of changes). Provided a genuine desire to transform exists, that is. Improvements are always welcome (let's put cynical plays aside?). While it is always possible to complain that “it’s not enough” (whatever the changes) or “it’s too late” (after the many years of misuses), a bit more constructive approach could appreciate the desire to transform (if there is one, that is). Both in actual ways of technical and strategic changes (do they change the landscape?), as well as how it’s being communicated (are they correctly explained to warrant trust?). In these respects, honesty, an open mind, and analysis are crucial.
  5. Actually arriving there is another story. It can’t be done with a research paper presented at an academic conference. While some publishers like the New York Times may be going in specific directions , others and the ecosystem may choose (or need to) pursue different approaches. Chances are that cookies will indeed be phased out broadly, but that they will indeed not be needed anyway.
  6. Today Real-Time Bidding (or variations like header bidding) in advertising is the norm. The catch here is that it involves a lot of user data processing. We could imagine a potential way of improving things by doing them in the browser. Not only in a decentralized fashion, but with elements of on-device processing (when targeting ads, so to never reveal the user’s profile?). Ecosystem-wise and concerning the today’s state - that would be a revolution, putting today's concepts on their head. While some similar ideas ay have been already proposed/explored many years ago (even if impractical), such approaches are today seriously considered (may they be practical?). Going in this way could transform web advertising as it is known today, but also impact on privacy issues, including harms and risks (whether it may introduce any residual risks is today another story!), as well as transparency (positively).

This goes beyond any (purported) Privacy by Design process at single places. We may be seeing the biggest changes in the web ads/economy ecosystem in more than a decade. There seem to be no viable alternatives to the (r?)evolution. But those changes need to be well considered and decisions assessed.

All this deserves a close look. I’m looking.

Did you like the assessment and analysis? Any questions, comments, complaints or maybe even offers? Feel free to reach out: me@lukaszolejnik.com