[Plura-list] UK ICO: surveillance advertising is dead

Cory Doctorow doctorow at craphound.com
Fri Nov 26 14:06:48 EST 2021

Read today's issue online at: https://pluralistic.net/2021/11/26/ico-ico/


Are you going to San Diego Comic-Con? Me too!

* I'll be signing at the Mysterious Galaxy Booth (#1325) on Sunday from 12-12:45PM

* And I'll be on a panel, The Kids Are (Kinda) All Right, on Sunday from 1:30-2:30PM



Today's links

* UK ICO: surveillance advertising is dead: A true consent framework would do the trick.

* This day in history: 2011, 2016

* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading


🪢 UK ICO: surveillance advertising is dead

Here's the theory behind Europe's GDPR: if an online service wants to collect, store and/or process your personal information, it has to obtain your real, informed consent for each of those activities. In theory, this should have exterminated surveillance-based "behavioral" ads. In practice, nothing of the sort has happened...yet.

Let's look at the theory first. The ad-tech industry has long maintained that it obtains consent for all its data-processing. This is an obvious pretense. This "consent" consists of you wading through a garbage-novella of legalese and clicking "I agree." To add insult to injury, those "contracts" inevitably say something like, "These terms are subject to change without notice" and/or "You agree that you are not allowed to sue us if we violate these terms, and will have to take your case to an 'arbitrator' that we pay to decide if we're wrong."

Based on this consent-theater, ad-tech scammers claim that they can harvest your data, retain it indefinitely, and sell or give it away to anyone they want, and that this is all totally cool with you because if it wasn't, you wouldn't have "consented."

Enter the GDPR. Under Europe's landmark privacy regulation, companies have to ask you a plain-language question confirming your consent to *every* piece of data they collect and *every* use they plan on making of that data. They can't punish you for refusing consent - by locking you out of a service or degrading its quality - and you can withdraw your consent at any time.

This is deliberately burdensome. It takes the position that consent is a weighty and serious thing, that personal data is genuinely valuable, and that the transactions in which data is gathered and processed should be solemnized by a thoughtful, substantial ceremony. It calls ad-tech's bluff: "If you think people are really OK with all that spying you've done, let's ask them, in depth, before you do it."

The reality is that there's no meaningful "consent" to an open-ended collection and processing of your data - the very premise does violence to the idea of consent itself. Companies that claim that you have consented to hundreds or even thousands of different uses of your data are obviously lying.

Consent-theater is the ideological and legal backstop for unfettered commercial surveillance. It means that data-collection and retention is essentially cost-free. Companies built their services accordingly, maximizing their data-collection and sloshing that data around with wild abandon.

Under the GDPR, the cost of data-collection is shifted from users - who are expected to wade through "agreements" and somehow negotiate away the terms they find odious - to companies. Now, when a product team sits down to plan a new service, they have to weigh the loss of users who bail on a consent-gathering process that consists of hundreds or thousands of dialogs against the speculative value of the data this will let them gather and process.


That value is indeed speculative. "Behavioral" ads - placed dynamically based on your browsing history and other personal information - are only very slightly more effective than "contextual" ads, based on the content of the page you're looking at.


Behavioral ads are only more profitable than context ads if all the costs of surveillance - the emotional burden of being watched; the risk of breach, identity-theft and fraud; the potential for government seizure of surveillance data - are pushed onto internet users. If companies have to bear those costs, behavioral ads are a total failure, because no one in the history of the human race would actually grant consent to all the things that get done with our data.

That's what the Dutch public broadcaster NPO learned. As a public institution, its compliance staff decided that it would strictly adhere to the letter and spirit of the GDPR when serving ads on its site.


The broadcaster quickly realized that if it could only show ads to people who gave meaningful, enthusiastic consent to surveillance, then it couldn't show any ads at all. NPO switched to serving context-based ads - which didn't involve processing any personal information, and thus didn't require a consent process - and its revenues soared. It was showing ads to a *lot* more people, and those ads were about as effective as the surveillance ads it had deprecated (and it didn't have to give 30-50% of its revenues to an ad-tech company!).

The GDPR holds out serious fines for noncompliance, the kind that could put even a globe-spanning Big Tech colossus out of business. In theory, every online service whose bank-account is within the reach of European enforcers should be following NPO's lead and switching to context ads.

In practice, Europeans have swapped one form of consent theater for a worse one. The EU's ad-tech sector has adopted a form of "malicious compliance" with the GDPR, in which users are presented with confusing, endless dialogs. Ignore these, and your consent is presumed.

Actually, this isn't even malicious compliance, because it doesn't comply with the GDPR. It's illegal conduct, as the IAB - ad-tech's industry association - has finally admitted.


Nevertheless, ad-tech has shown precious little willingness to color within the lines. It's easy to see why, once you understand the GDPR's fatal flaw: the way it allows large companies to forum-shop within EU member states.

Ireland is one of the go-to jurisdictions for corporate criminals. Early in the EU process, the country decided to become a tax-haven, establishing itself as a financial secrecy jurisdiction suitable for any corporation that wanted to hide its wealth from tax collectors in the EU and beyond. This process is documented in furious detail in "Tax Haven Ireland," a new book by Brian O'Boyle and Kieran Allen:


(O'Boyle and Allen did a great interview about the book with The Taxcast)


The conversion of Ireland into a rogue state whose economy depends on protecting corporate criminals goes beyond its tax code. Its regulators are infamously lax, too - and that includes its Information Commissioner's Office, an organization that doesn't even bother to put on trousers in the morning - it sits around all day in its jammies, eating breakfast cereal and watching cartoons. It certainly doesn't investigate GDPR claims that are brought before it.

Since Europe's sleaziest companies all fly Irish flags of convenience, the Irish ICO's King Log routine means that companies that violate the GDPR don't have to worry about facing justice.

That defense may not last forever. The Irish Council for Civil Liberties has lodged a complaint against the IAB...in Germany, where the ICO's office is staffed with hungry, committed enforcers. Meanwhile, Max Schrems - the activist whose legal fights inspired the GDPR in the first place - is suing Google in Austria:


Now, there's some movement in the UK. The outgoing British Information Commissioner, Elizabeth Denham, has published an official opinion warning the ad-tech sector that surveillance advertising is doomed:


Denham characterizes her paper as offering "clarity" on the UK implementation of the GDPR, but that's a bit of doublespeak. In reality, all Denham is clarifying is that her successor will enforce the GDPR's plain language (finally).

Writing in Techcrunch, Natasha Lomas is justifiably cynical about this announcement. Lomas says that the ad-tech industry is already moving away from aggressive surveillance, using fancy cryptographic math to create a non-invasive form of behavioral advertising.


It's true that there's a lot of movement on this and the technical promises sound great. But as my EFF colleague Alexis Hancock wrote in her deep-dive into "Manifest V3" (the technical initiative at the heart of this movement), the reality is a lot dimmer:


Not only do these techniques fail to deliver on their privacy promises, but they also actively interfere with independent browser plugins that block online tracking. To make matters worse, Manifest V3 has significant anti-competitive implications.

Denham's parting shot highlights the post-Brexit tension in the UK over competition, privacy and fairness. Last summer, the UK Competition and Markets Authority published a landmark study of the ad-tech industry that painted a picture of a highly concentrated industry riddled with fraud and abuse:


But while much of the CMA's report is excellent, it also goes badly awry when contemplating the relation of competition to surveillance. The CMA notes that Facebook and Google have a huge advantage in the market because they can do "attribution." That's the ad-tech euphemism for spying on you - your movements, purchases and online activity - after you see an ad to determine whether you bought anything featured in the ad.

Obviously, advertisers love "attribution" and pay a premium for it, which hardens Googbook's domination of the ad-market (they alone have the surveillance tendrils in the physical and virtual world for consistent attribution). The CMA moots a solution to this: assign every British person a unique, lifelong advertising identifier that will allow other companies to spy on you, too, and thus democratize attribution.

In this, the CMA has committed a category error that's as old as competition enforcement itself. Monopolies enjoy enormous power, and that power allows them to trample human rights and commit crimes with impunity. They are often very good at this. Writing a century ago, Ida M Tarbell - whose "History of the Standard Oil Company" led to the breakup of Rockefeller's oil behemoth - called this "illegitimate greatness."


Tarbell warned readers that the goal of competition law shouldn't be to democratize the ability of smaller firms to commit crimes, but rather to extinguish those crimes by making companies weak enough that we can force them to obey the law.

In other words, we don't want competition in the field of "who can violate internet users' human rights most efficiently at scale?"


So here we are, with two top UK regulators examining the same question and coming to very different conclusions. The ICO is finally promising to extinguish mass surveillance, while the CMA wants to make it more efficient.

Meanwhile, across the Channel, the EU just rescued the Digital Markets Act by reversing a set of Big-Tech-friendly amendments and installing fierce protections for real competition and fresh curbs on surveillance, beyond the GDPR.


The UK only has an ICO because it was part of the EU when the GDPR was passed. Now, post-Brexit, the UK will be under no obligation to adopt the DMA or other rules that correct the defects in the GDPR. It'll be fascinating - and possibly terrible - to watch how the UK proceeds as the EU continues to attack Big Tech power and its risible fictions like consent-theater.

Facebook has threatened to leave the EU if they keep this up. That is not going to happen, of course, but it would be pretty wild if the UK made a bid for post-Brexit relevance by offering a new flag of convenience to Big Tech as the EU leans on Ireland to end its program of criminal enabling.



🪢 This day in history

#10yrsago Interrogation of Byron Sonne, Toronto G20 hacker on trumped-up charges for mocking G20 security https://web.archive.org/web/20111128231050/http://toronto.openfile.ca/toronto/text/video-how-byron-sonne-blinded-us-science

#5yrsago Chestburster roast turkey https://bloody-disgusting.com/movie/3415757/aliens-inspired-chest-burster-turkey-recipe/

#5yrsago Malcolm McLaren’s son torched his punk collection to protest the 40th anniversary of punk “celebrations” https://www.bbc.com/news/uk-38120496


🪢 Colophon

Today's top sources: Slashdot (https://slashdot.org/).

Currently writing:

* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 1035 words (7548 words total).

* A Little Brother short story about remote invigilation.  PLANNING

* A Little Brother short story about DIY insulin. PLANNING

* Spill, a Little Brother short story about pipeline protests. Yesterday's progress: 621 words (32894 words total) FIRST DRAFT COMPLETE

* A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Jam To-Day (https://craphound.com/news/2021/11/21/jam-to-day/)

Upcoming appearances:

* The Kids Are (Kinda) All Right (San Diego Comic-Con), Nov 28

* Redistribute the Internet (NGI Summit), Nov 30

* Internet Governance Forum (Warsaw), Dec 10

* Competition and Regulation in Disrupted Times, Dec 16

Recent appearances:

* NFTs (Upstream)

* Policy, Profit, Privacy, and Privilege: The Post-Pandemic Future of Remote Testing Technology (ACM-USTPC):

* Alternative recommender systems in the DSA:

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.


Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


🪢 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


(Latest Medium column: "Apple’s Right-to-Repair U-turn." https://medium.com/@doctorow/apples-right-to-repair-u-turn-e678cf138f74)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion Guy" DeVilla
