New evidence to regulators: IAB documents reveal that it knew that real-time bidding would be “incompatible with consent under GDPR”.

  • Further new evidence drawn from sample bid requests in Google and IAB’s own documentation reveals the personal data in bid requests.

Dublin and London, Wednesday, 20 February 2019

Privacy watchdogs in the UK and in Ireland today received evidence of the data crisis at the heart of the online advertising industry.

The new evidence, taken from Google and IAB (an industry rule-setting body) documents, shows that the online ad auction system broadcasts highly sensitive data about web users. This occurs hundreds of billions of times a day. There are no technical controls to prevent the thousands of companies that receive these data from monitoring what every person on the web reads, watches, and listens to online.

The IAB “transparency and consent framework” has become the de facto GDPR consent system for major websites. But the new evidence also reveals that the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, before it even launched the system.

The evidence also shows that the IAB had concerns that its ad auction rules, which govern the €12 billion “real-time bidding” online ad auction industry in Europe, were incompatible with the GDPR.

The evidence has been submitted by Jim Killock, Executive Director of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave, a private web browser. All three are represented by Ravi Naik of ITN Solicitors. This is part of a major complaint about the online ad auctions system that is ongoing in the UK, Poland, and Ireland. See previous evidence and all filings to date at https://brave.com/update-rtb-ad-auction-gdpr/

The solution to all of this is simple. The IAB RTB system allows 595 different kinds of data to be included in a bid request. 4% of these should be disallowed, or truncated. The same applies to the Google system. It is an easy fix, long overdue, and would prevent the system from leaking the personal data (including location and interests) of every single person on the Web.

“We want to reform adtech, not kill it”, said Dr Johnny Ryan of Brave. “This new evidence exposes the massive data breach at the heart of the online advertising system. The IAB and Google have it in their power to fix this”.

Jim Killock of Open Rights Group said: “The ad industry needs to obey the law. Leaving advertisers including Google to breach data protection in this way makes a mockery of privacy law. But fixing the ad industry means gaining trust and consumer confidence, which will ultimately benefit everyone.”

“Big adtech has spread the myth that the current way the system operates is the only way it ever could. This is simply untrue”, said Michael Veale of University College London. “A better, more secure and less invasive system is within reach, and regulators must be at the forefront of realising it. Online infrastructure must be designed with privacy and data protection deeply at its core.”

Ravi Naik, Partner at ITN Solicitors, said “The evidence is overwhelming. The IAB’s own documents contain admissions of concerns of the infringements of the GDPR. Those concerns that the IAB had are part of those as are detailed within our clients’ complaints and evidence. That evidence shows that the infringements can occur billions of times a day. The scale is widespread and the infringements systematic. Reform is needed and we trust that the regulators will act accordingly.”

THE NEW EVIDENCE

PART 1: the IAB knew that real-time bidding would be “incompatible with consent under GDPR”, and would have no other legal basis.

“1a Townsend Feehan email 26 June 2017.pdf”, an e-mail from Townsend Feehan, CEO of IAB Europe, to senior personnel at the European Commission Directorate General for Communications Networks, Content and Technology.


Email from Townsend Feehan to European Commission Directorate General for Communications Networks, Content and Technology in June 2017

Her e-mail refers to a paper attached here as “1b IAB 2017 paper.pdf”, which was an attachment to her e-mail. These documents were obtained through a freedom of information request to the European Commission. On page 3 of this document, the IAB acknowledges that “it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario”. This is a remarkable admission, and acknowledges the precise issue at the core of the complaint currently before European regulators.



Moreover, in the same section, the IAB acknowledges that “this would seem, at least prima facie, to be incompatible with consent under GDPR”. Although the facts behind these admissions did not change, the IAB proceeded to launch a mechanism that purported to satisfy the GDPR’s consent requirement. Indeed, it was Ms. Feehan again who announced this “Transparency and Consent Framework” on 25 April 2018.

Then, in May 2018 – a month after the IAB consent mechanism was launched – the IAB again acknowledged that “there is no technical way to limit the way data is used after the data is received by a vendor for … bidding” in “2 Pubvendors.json v1.0.pdf” (see highlighted text on page 5).


IAB TechLab “pubvendors.json” document, from May 2018

It also acknowledged that the bid request assumes “indiscriminate rights for vendors, … surfacing thousands of vendors with broad rights to use data without tailoring those rights may be too many vendors/permissions”.

In other words, before and after the launch of its consent mechanism, the IAB had acknowledged there was no way to control who receives what data, or what they do with those data once received.

PART 2: sensitive data about people are broadcast in the online ad auction system, hundreds of billions of times a day. This makes it possible for shadowy companies to know what every person on the web reads, watches, and listens to online.

“3 bid request examples.pdf” reproduces a set of annotated sample bid requests from the IAB and Google’s own documentation for users of their systems. The fourteen sample bid requests further prove that very personal data are contained in bid requests.


Snapshot of a sample bid request, with added annotation

They include not only specific (sample) people’s browsing history, pseudonymous identification codes, and weighting of their interests, but also often their GPS locations. Clearly, these are highly sensitive data, and it is remarkable that they are offered as public documentation by the two rule setters of the industry as examples of what should be done.

“4 bid request scale overview” shows that the seven largest advertising exchanges handle hundreds of billions of bid requests per day. This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average UK internet user 164 times a day was a conservative estimate.

Note for reporters regarding “pseudonymous data”:

Data are only pseudonymous if “kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person” according to GDPR Article 4(5). In other words, replacing “Johnny Ryan” with “sdgdsg1231241245”, and then broadcasting that ID to hundreds of companies along with their browsing history and physical location, etc. is not sufficient to be considered pseudonymous. Even if it were, GDPR Recital 26 and Recital 28 make it clear that pseudonymous data do remain personal data, and must be protected.
