adtech

You are currently browsing the archive for the adtech category.

Is this the way you want your brand to look?

Digital advertising needs to sniff its own stench, instead of everybody’s digital butts.

A sample of that stench is wafting through the interwebs from  the Partnership for Responsible Addressable Media, an ad industry bullphemism for yet another way to excuse the urge to keep tracking people against their wishes (and simple good manners) all over the digital world.

This new thing is a granfalloon conjured by the Association of National Advertisers (aka the ANA) and announced today in the faux-news style of the press release (which it no doubt also is) at the first link above. It begins,

AD INDUSTRY LAUNCHES “PARTNERSHIP FOR RESPONSIBLE ADDRESSABLE MEDIA” TO ENSURE FUTURE OF DIGITAL MEDIA FOR BUSINESSES & CONSUMERS
Governing Group of Industry Leaders Includes 4A’s, ANA, IAB, IAB Tech Lab, NAI, WFA, P&G, Unilever, Ford, GM, IBM, NBCUniversal, IPG, Publicis, Adobe, LiveRamp, MediaMath, The Trade Desk

NEW YORK (August 4, 2020) — Leading trade associations and companies representing every sector of the global advertising industry today joined together to launch the Partnership for Responsible Addressable Media, an initiative to advance and protect critical functionalities like customization and analytics for digital media and advertising, while safeguarding privacy and improving the consumer experience. The governing group of the Partnership will include the most influential organizations in advertising.

I learned about this from @WendyDavis, who wrote this piece in MediaPostNiemanLab summarizes what she reports with a tweet that reads, “A new ad-industry group will lobby Google and Apple to let them track users just a wee bit more, please and thank you.”

Writes Wendy,

The group will soon reach out to browser developers and platforms, in hopes of convincing them to rethink recent decisions that will limit tracking, according to Venable attorney Stu Ingis, who will head the legal and policy working group.

“These companies are taking huge positions that impact the entire economy — the entire media ecosystem — with no real input from the media ecosystem,” Ingis says.

As if the “entire media ecosystem” doesn’t contain the billions of humans being tracked.

Well, here’s a fact: ad blocking, which was already the biggest boycott in world history five years ago, didn’t happen in a vacuum. Even though ad blockers had been available since 2004, use of them didn’t hockey-stick until 2012-13, exactly when adtech and its dependents in publishing gave the middle finger to Do Not Track, which was nothing more than a polite request, expressed by a browser, for some damn privacy while we go about our lives online. See this in Harvard Business Review:

Here’s another fact: the browser makers actually care about their users, some of whom are paying customers (for example with Apple and Microsoft). They know what we want and need, and are giving it to us. Demand and supply at work.

The GDPR and the CCPA also didn’t happen in a vacuum. Both laws were made to protect citizens from exactly what adtech (tracking based advertising) does. And, naturally, the ad biz has been working mightily to obey the letter of those laws while violating their spirit. Why else would we be urged by cookie notices everywhere to “accept” exactly what we’ve made very clear that we don’t want?

So here are some helpful questions from the world’s billions to the brands now paying to have us followed like marked animals:

Have you noticed that not a single brand known to the world has been created by tracking people and aiming ads at them—even after spending a $trillion or two on doing that?

Have you noticed that nearly all the world’s major brands became known through advertising that not only didn’t track people, but sponsored journalism as well?

Have you noticed that tracking people and directing personalized messages at them—through “addressable media”—is in fact direct marketing, which we used to call junk mail?

Didn’t think so.

Time to get the clues, ad biz. Brands too.

Start with The Cluetrain Manifesto, which says, if you only have time for one clue this year, this is the one to get…

we are not seats or eyeballs or end users or consumers.
we are human beings — and our reach exceeds your grasp.
deal with it.

That year was 1999.

If advertising and marketing had bothered to listen back then, they might not be dealing today with the GDPR, the CCPA, and the earned dislike of billions.

Next, please learn (or re-learn) the difference between real advertising and the junk message business. Find that lesson in Separating Advertising’s Wheat and Chaff. An excerpt:

See, adtech did not spring from the loins of Madison Avenue. Instead its direct ancestor is what’s called direct response marketing. Before that, it was called direct mail, or junk mail. In metrics, methods and manners, it is little different from its closest relative, spam.

Direct response marketing has always wanted to get personal, has always been data-driven, has never attracted the creative talent for which Madison Avenue has been rightly famous. Look up best ads of all time and you’ll find nothing but wheat. No direct response or adtech postings, mailings or ad placements on phones or websites.

Yes, brand advertising has always been data-driven too, but the data that mattered was how many people were exposed to an ad, not how many clicked on one — or whether you, personally, did anything.

And yes, a lot of brand advertising is annoying. But at least we know it pays for the TV programs we watch and the publications we read. Wheat-producing advertisers are called “sponsors” for a reason.

So how did direct response marketing get to be called advertising ? By looking the same. Online it’s hard to tell the difference between a wheat ad and a chaff one.

Remember the movie “Invasion of the Body Snatchers?” (Or the remake by the same name?) Same thing here. Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.

That’s what had happened to the ANA in 2018, when it acquired what had been the Direct Marketing Association (aka DMA) and which by then called itself the Data & Marketing Association.

The Partnership for Responsible Addressable Media speaks in the voice of advertising’s alien replica. It does not “safeguard essential values in advertising as a positive economic force.” Instead it wants to keep using “addressable” advertising as the primary instrument of surveillance capitalism.

Maybe it’s too late to save advertising from its alien self. But perhaps not, if what’s left of advertising’s soul takes the writings of Bob Hoffman (@AdContrarian) to heart. That’s the only way I know for advertising to clean up its act.

 

 

There is latency to everything. Pain, for example. Nerve impulses from pain sensors travel at about two feet per second. That’s why we wait for the pain when we stub a toe. The crack of a bat on a playing field takes half a second before we hear it in the watching crowd. The sunlight we see on Earth is eight minutes old. Most of this doesn’t matter to us, or if it does we adjust to it.

Likewise with how we adjust to the inverse square law. That law is why the farther away something is, the smaller it looks or the fainter it sounds. How much smaller or fainter is something we intuit more than we calculate. What matters is that we understand the law with our bodies. In fact we understand pretty much everything with our bodies.

All our deepest, most unconscious metaphors start with our bodies. That’s why we graspcatch, toss around, or throw away an idea. It’s also why nearly all our prepositions pertain to location or movement. Over, under, around, throughwithbeside, within, alongside, on, off, above and below only make sense to us because we have experienced them with our bodies.

So::: How are we to make full sense of the Web, or the Internet, where we are hardly embodied at all?

We may say we are on the Web, because we need it to make sense to us as embodied beings. Yet we are only looking at a manifestation of it.

The “it” is the hypertext protocol (http) that Tim Berners-Lee thought up in 1990 so high energy physicists, scattered about the world, could look at documents together. That protocol ran on another one: TCP/IP. Together they were mannered talk among computers about how to show the same document across any connection over any collection of networks between any two end points, regardless of who owned or controlled those networks. In doing so, Tim rubbed a bottle of the world’s disparate networks. Out popped the genie we call the Web, ready to grant boundless wishes that only began with document sharing.

This was a miracle beyond the scale of loaves and fish: one so new and so odd that the movie Blade Runner, which imagined in 1982 that Los Angeles in 2019 would feature floating cars, off-world colonies and human replicants, failed to foresee a future when anyone could meet with anyone else, or any group, anywhere in the world, on wish-granting slabs they could put on their desks, laps, walls or hold in their hands. (Instead Blade Runner imagined there would still be pay phones and computers with vacuum tubes for screens.)

This week I attended Web Science 20 on my personal slab in California, instead of what was planned originally: in a conference at the University of Southampton in the UK. It was still a conference, but now a virtual one, comprised of many people on many slabs, all over the world, each with no sense of distance any more meaningful than those imposed by the inconvenience of time zones.

Joyce (my wife, who is also the source of much wisdom for which her husband gets the credit) says our experience on the Web is one of absent distance and gravity—and that this experience is still so new to us that we have only begun to make full sense of it as embodied creatures. We’ll adjust, she says, much as astronauts adjust to the absence of gravity; but it will take more time than we’ve had so far. We may become expert at using the likes of Zoom, but that doesn’t mean we operate in full comprehension of the new digital environment we co-occupy.

My own part in WebSci20 was talking with five good people, plus others asking questions in a chat, during the closing panel of the conference. (That’s us, at the top of this post.) The title of our session was The Future of Web Science. To prep for that session I wrote the first draft of what follows: a series of thoughts I hoped to bring up in the session, and some of which I actually did.

The first of thought is the one I just introduced: The Web, like the Net it runs on, is both new and utterly vexing toward understanding in terms we’ve developed for making sense of embodied existence.

Here are some more.

The Web is a whiteboard.

In the beginning we thought of the Web as something of a library, mostly because it was comprised of sites with addresses and pages that were authoredpublishedsyndicated, browsed and read. A universal resource locator, better known as a URL, would lead us through what an operating system calls a path or a directory, much as a card catalog did before library systems went digital. It also helped that we understood the Web as real estate, with sites and domains that one owned and others could visit.

The metaphor of the Web as a library, though useful, also misdirects our attention and understanding away from its nature as collection of temporary manifestations. Because, for all we attempt to give the Web a sense of permanence, it is evanescent, temporary, ephemeral. We write and publish there as we might on snow, sand or a whiteboard. Even the websites we are said to “own” are in fact only rented. Fail to pay the registrar and off it goes.

The Web is not what’s on it.

It is not Google, or Facebook, dot-anything or dot-anybody. It is the manifestation of documents and other non-stuff we call “content,” presented to us in browsers and whatever else we invent to see and deal with what the hypertext protocol makes possible. Here is how David Weinberger and I put it in World of Ends, more than seventeen years ago:

1. The Internet isn’t complicated
2. The Internet isn’t a thing. It’s an agreement.
3. The Internet is stupid.
4. Adding value to the Internet lowers its value.
5. All the Internet’s value grows on its edges.
6. Money moves to the suburbs.
7. The end of the world? Nah, the world of ends.
8. The Internet’s three virtues:
a. No one owns it
b. Everyone can use it
c. Anyone can improve it
9. If the Internet is so simple, why have so many been so boneheaded about it?
10. Some mistakes we can stop making already

That was a follow-up of sorts to The Cluetrain Manifesto, which we co-wrote with two other guys four years earlier. We followed up both five years ago with an appendix to Cluetrain called New Clues. While I doubt we’d say any of that stuff the same ways today, the heart of it beats the same.

The Web is free.

The online advertising industry likes to claim the “free Internet” is a grace of advertising that is “relevant,” “personalized,” “interest-based,” “interactive” and other adjectives that misdirect us away from what those forms of advertising actually do, which is track us like marked animals.

That claim, of course, is bullshit. Here’s what Harry Frankfurt says about that in his canonical work, On Bullshit (Cambridge University Press, 1988): “The realms of advertising and public relations, and the nowadays closely related realm of politics, are replete with instances of bullshit so unmitigated that they can serve among the most indisputable and classic paradigms of the concept.” Boiled down, bullshit is what Wikipedia (at the moment, itsef being evanescent) calls “speech intended to persuade without regard for truth.” Another distinction: “The liar cares about the truth and attempts to hide it; the bullshitter doesn’t care if what they say is true or false, but rather only cares whether their listener is persuaded.”

Consider for a moment Win Bigly: Persuasion in a World Where Facts Don’t Matter, a 2017 book by Scott Adams that explains, among other things, how a certain U.S. tycoon got his ass elected President. The world Scott’s talks about is the Web.

Nothing in the history of invention is more supportive of bullshit than the Web. Nor is anything more supportive of truth-telling, education and damned near everything else one can do in the civilized world. And we’re only beginning to discover and make sense of all those possibilities.

We’re all digital now

Meaning not just physical. This is what’s new, not just to human experience, but to human existence.

Marshall McLuhan calls our technologies, including our media, extensions of our bodily selves. Consider how, when you ride a bike or drive a car, those are my wheels and my brakes. Our senses extend outward to suffuse our tools and other technologies, making them parts of our larger selves. Michael Polanyi called this process indwelling.

Think about how, although we are not really on or through the Web, we do dwell in it when we read, write, speak, watch and perform there. That is what I am doing right now, while I type what I see on a screen in San Marino, California, as a machine, presumably in Cambridge, Massachusetts, records my keystrokes and presents them back to me, and now you are reading it, somewhere else in (or on, or choose your preposition) the world. Dwell may be the best verb for what each of us are doing in the non-here we all co-occupy in this novel (to the physical world) non-place and times.

McLuhan also said media revolutions are formal causes. Meaning that they form us. (He got that one from Aristotle.) In different ways we were formed and re-formed by speech, writing, printing, and radio and television broadcasting.

I submit that we are far more formed by digital technologies, and especially by the Internet and the Web, than by any other prior technical revolution. (A friend calls our current revolution “the biggest thing since oxygenation.”)

But this is hard to see because, as McLuhan puts it, every one of these major revolutions becomes a ground on which everything else dances as figures. But it is essential to recognize that the figures are not the ground. This, I suggest, is the biggest challenge for Web Science.

It’s damned hard to study ground-level formal causes such as digital tech, the Net and the Web. Because what they are technically is not what they do formally. They are rising tides that float all boats, in oblivity to the boats themselves.

I could say more, and I’m sure I will; but I want to get this much out there before the panel.

 

 

door knocker

Remember the dot com boom?

Doesn’t matter if you don’t. What does matter is that it ended. All business manias do.

That’s why we can expect the “platform economy” and “surveillance capitalism” to end. Sure, it’s hard to imagine that when we’re in the midst of the mania, but the end will come.

When it does, we can have a “privacy debate.” Meanwhile, there isn’t one. In fact there can’t be one, because we don’t have privacy in the online world.

We do have privacy in the offline world, and we’ve had it ever since we invented clothing, doors, locks and norms for signaling what’s okay and what’s not okay in respect to our personal spaces, possessions and information.

That we hardly have the equivalent in the networked world doesn’t mean we won’t. Or that we can’t. The Internet in its current form was only born in the mid-’90s. In the history of business and culture, that’s a blip.

Really, it’s still early.

So, the fact that websites, network services, phone companies, platforms, publishers, advertisers and governments violate our privacy with wanton disregard for it doesn’t mean we can’t ever stop them. It means we haven’t done it yet, because we don’t have the tech for it. (Sure, some wizards do, but muggles don’t. And most of us are muggles.)

And, since we don’t have privacy tech yet, we lack the simple norms that grow around technologies that give us ways signal our privacy preferences. We’ll get those when we have the digital equivalents of buttons, zippers, locks, shades, curtains, door knockers and bells.

This is what many of us have been working on at ProjectVRM, Customer Commons, the Me2B Alliance, MyData and other organizations whose mission is getting each of us the tech we need to operate at full agency when dealing with the companies and governments of the world.

I bring all this up as a “Yes, and” to a piece in Salon by Michael Corn (@MichaelAlanCorn), CISO of UCSD, titled We’re losing the war against surveillance capitalism because we let Big Tech frame the debate. Subtitle: “It’s too late to conserve our privacy — but to preserve what’s left, we must stop defining people as commodities.”

Indeed. And we do need the “optimism and activism” he calls for. In the activism category is code. Specifically, code that gives us the digital equivalents of buttons, zippers, locks, shades, curtains, door knockers and bells

Some of those are in the works. Others are not—yet. But they will be. Inevitably. Especially now that it’s becoming clearer every day that we’ll never get them from any system with a financial interest in violating it*. Or from laws that fail at protecting it.

If you want to help, join one or more of the efforts in the links four paragraphs up. And, if you’re a developer already on the case, let us know how we can help get your solutions into each and all of our digital hands.

For guidance, this privacy manifesto should help. Thanks.


*Especially publishers such as Salon, which Privacy Badger tells me tries to pump 20 potential trackers into my browser while I read the essay cited above. In fact, according to WhoTracksMe.com, Salon tends to run 204 tracking requests per page load, and the vast majority of those are for tracking-based advertising purposes. And Salon is hardly unique. Despite the best intentions of the GDPR and the CCPA, surveillance capitalism remains fully defaulted on the commercial Web—and will continue to remain entrenched until we have the privacy tech we’ve needed from the start.

For more on all this, see People vs. Adtech.

If the GDPR did what it promised to do, we’d be celebrating Privmas today. Because, two years after the GDPR became enforceable, privacy would now be the norm rather than the exception in the online world.

That hasn’t happened, but it’s not just because the GDPR is poorly enforced.  It’s because it’s too easy for every damn site on the Web—and every damn business with an Internet connection—to claim compliance to the letter of GDPR while violating its spirit.

Want to see how easy? Try searching for GDPR+compliance+consent:

https://www.google.com/search?q=gdpr+compliance+consent

Nearly all of the ~21,000,000 results you’ll get are from sources pitching ways to continue tracking people online, mostly by obtaining “consent” to privacy violations that almost nobody would welcome in the offline world—exactly the kind of icky practice that the GDPR was meant to stop.

Imagine if there was a way for every establishment you entered to painlessly inject a load of tracking beacons into your bloodstream without you knowing it. And that these beacons followed you everywhere and reported your activities back to parties unknown. Would you be okay with that? And how would you like it if you couldn’t even enter without recording your agreement to accept being tracked—on a ledger kept only by the establishment, so you have no way to audit their compliance to the agreement, whatever it might be?

Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice that says something like this:

That notice is from Vice, by the way. Here’s how the top story on Vice’s front page looks in Belgium (though a VPN), with Privacy Badger looking for trackers:

What’s typical here is that a publication, with no sense of irony, runs a story about privacy-violating harvesting of personal data… while doing the same. (By the way, those red sliders say I’m blocking those trackers. Were it not for Privacy Badger, I’d be allowing them.)

Yes, Google says you’re anonymized somehow in both DoubleClick and Google Analytics, but it’s you they are stalking. (Look up stalk as a verb. Top result: “to pursue or approach prey, quarry, etc., stealthily.” That’s what’s going on.)

Again, let’s be clear about this: There is no way for you to know exactly how you are being tracked or what is done with information gathered about you. That’s because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented. You also have no record of agreeing to anything. It’s not even clear that the site or its third parties have a record of that. All you’ve got is a cookie planted deep in your browser’s bowels, designed to announce itself to other parties everywhere you go on the Web. In sum, consenting to a cookie notice leaves nothing resembling an audit trail.

So let’s go back to a simple privacy principle here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one.

The GDPR was made to thwart that kind of thing. But is has failed. Instead, it has made the experience of being tracked online a worse one.

Yes, that was not the GDPR’s intent. And yes, the GDPR has done some good. But if you are any less followed online today than you were when the GDPR became enforceable two years ago, it’s because you and the browser makers have worked to thwart at least some tracking.

And tracking remains worse than rampant: it’s defaulted practice for both advertising and site analytics. It will remain so until we have code, laws and enforcement which together stop it.

So, nothing to celebrate. Not this Privmas.

Tags: ,

We’re 19 days away from our 30th Internet Identity Workshop, by far the best Open Space unconference I know. (Okay, I’m biased, since I’m one of its parents.) For the first time since 2006, it won’t be happening at the Computer History Museum, which (as you might expect) is closed for awhile. C’est la quarantaine. Instead we’re doing it here

…where nearly all meetings happen these days. (HT to @hughcards for that portrait of the Internet.)

We’re actually excited about that, because we get to pioneer at unconferencing online in meet space, much as we did with unconferencing offline in meat space.

Since you’ll ask, we’ll be doing this with QiqoChat, an online community, meeting and event platform that is integrated with Zoom, which has been in the news lately. As you probably know by now, much of that news has been bad. (Top item this morning: US Senate tells members not to use Zoom.)

I suppose I played a part in that, with Zoom needs to clean up its privacy act (which got huge traffic) and the three posts that followed: More on Zoom and Privacy, Helping Zoom, and Zoom’s new privacy policy.

After the last of those, I spoke with Erik Yuan, Zoom’s CEO, who had reached out and seemed very receptive to my recommendations. Mostly those were around getting rid of tracking on Zoom’s home pages. This is jive that marketing likes and the privacy policy can’t help but cover—which, optically speaking, makes it look like everything Zoom does involves tracking for marketing purposes. The company hasn’t acted on those recommendations yet, but I know it’s been busy. What I read here and here from the Citizen Lab is encouraging. So, we’ll see.

Let’s also remember that Zoom isn’t the only conferencing platform. (The Guardian lists a few among many options. One not mentioned but worth considering: Jitsi, which is open source.)

Back to IIW. As it says here,

  • We will have an Opening Circle each day where we set the agenda
  • People will propose and host sessions, and sessions will be held in breakout spaces
  • After the end of sessions for the day, we’ll do a Closing Circle with Open Gifting ~ just like we always do
  • We will still hold Demo Sessions and the Tech Sandbox Fair
  • We will still publish the Book of Proceedings with notes from all the sessions
  • And, since we can’t have a celebratory cake, we’re planning on a Commemorative T-shirt for everyone, that is included with registration
  • We won’t have Rich, our favorite barista, or a snack table, but we will still have the same high-quality discussions and working sessions that make IIW a unique event

Also,

  • If you’re already registered for IIW, then you’re set. The only thing to do is cancel any travel plans.
  • If you haven’t registered yet, please do so at: https://iiw30.eventbrite.com

So help us make it happen for the first time, and better than ever thereafter.

And let’s hope this quarantine thing is over in time for our next IIW, which will be in both meat and meet space, next October, from the 20th to the 22nd.

 

Yesterday (March 29), Zoom updated its privacy policy with a major rewrite. The new language is far more clear than what it replaced, and which had caused the concerns I detailed in my previous three posts:

  1. Zoom needs to clean up its privacy act,
  2. More on Zoom and privacy, and
  3. Helping Zoom

Those concerns were shared by Consumer ReportsForbes and others as well. (Here’s Consumer Reports‘ latest on the topic.)

Mainly the changes clarify the difference between Zoom’s services (what you use to conference with other people) and its websites, zoom.us and zoom.com (which are just one site: the latter redirects to the former). As I read the policy, nothing in the services is used for marketing. Put another way, your Zoom sessions are firewalled from adtech, and you shouldn’t worry about personal information leaking to adtech (tracking based advertising) systems.

The websites are another matter. Zoom calls those websites—its home pages—”marketing websites.” This, I suppose, is so they can isolate their involvement with adtech to their marketing work.

The problem with this is an optical one: encountering a typically creepy cookie notice and opting gauntlet (which still defaults hurried users to “consenting” to being tracked through “functional” and “advertising” cookies) on Zoom’s home page still conveys the impression that these consents, and these third parties, work across everything Zoom does, and not just its home pages.

And why call one’s home on the Web a “marketing website”—even if that’s mostly what it is? Zoom is classier than that.

My advice to Zoom is to just drop the jive. There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all. And Zoom will be in a much better position to trumpet its commitment to privacy.

That said, this privacy policy rewrite is a big help. So thank you, Zoom, for listening.

 

[This is the third of four posts. The last of those, Zoom’s new privacy policy, visits the company’s positive response to input such as mine here. So you might want to start with that post (because it’s the latest) and look at the other three, including this one, after that.]

I really don’t want to bust Zoom. No tech company on Earth is doing more to keep civilization working at a time when it could so easily fall apart. Zoom does that by providing an exceptionally solid, reliable, friendly, flexible, useful (and even fun!) way for people to be present with each other, regardless of distance. No wonder Zoom is now to conferencing what Google is to search. Meaning: it’s a verb. Case in point: between the last sentence and this one, a friend here in town sent me an email that began with this:

That’s a screen shot.

But Zoom also has problems, and I’ve spent two posts, so far, busting them for one of those problems: their apparent lack of commitment to personal privacy:

  1. Zoom needs to cleanup its privacy act
  2. More on Zoom and privacy

With this third post, I’d like to turn that around.

I’ll start with the email I got yesterday from a person at a company engaged by Zoom for (seems to me) reputation management, asking me to update my posts based on the “facts” (his word) in this statement:

Zoom takes its users’ privacy extremely seriously, and does not mine user data or sell user data of any kind to anyone. Like most software companies, we use third-party advertising service providers (like Google) for marketing purposes: to deliver tailored ads to our users about Zoom products the users may find interesting. (For example, if you visit our website, later on, depending on your cookie preferences, you may see an ad from Zoom reminding you of all the amazing features that Zoom has to offer). However, this only pertains to your activity on our Zoom.us website. The Zoom services do not contain advertising cookies. No data regarding user activity on the Zoom platform – including video, audio and chat content – is ever used for advertising purposes. If you do not want to receive targeted ads about Zoom, simply click the “Cookie Preferences” link at the bottom of any page on the zoom.us site and adjust the slider to ‘Required Cookies.’

I don’t think this squares with what Zoom says in the “Does Zoom sell Personal Data?” section of its privacy policy (which I unpacked in my first post, and that Forbes, Consumer Reports and others have also flagged as problematic)—or with the choices provided in Zoom’s cookie settings, which list 70 (by my count) third parties whose involvement you can opt into or out of (by a set of options I unpacked in my second post). The logos in the image above are just 16 of those 70 parties, some of which include more than one domain.

Also, if all the ads shown to users are just “about Zoom,” why are those other companies in the picture at all? Specifically, under “About Cookies on This Site,” the slider is defaulted to allow all “functional cookies” and “advertising cookies,” the latter of which are “used by advertising companies to serve ads that are relevant to your interests.” Wouldn’t Zoom be in a better position to know your relevant (to Zoom) interests, than all those other companies?

More questions:

  1. Are those third parties “processors” under GDPR, or “service providers by the CCPAs definition? (I’m not an authority on either, so I’m asking.)
  2. How do these third parties know what your interests are? (Presumably by tracking you, or by learning from others who do. But it would help to know more.)
  3. What data about you do those companies give to Zoom (or to each other, somehow) after you’ve been exposed to them on the Zoom site?
  4. What targeting intelligence do those companies bring with them to Zoom’s pages because you’re already carrying cookies from those companies, and those cookies can alert those companies (or others, for example through real time bidding auctions) to your presence on the Zoom site?
  5. If all Zoom wants to do is promote Zoom products to Zoom users (as that statement says), why bring in any of those companies?

Here is what I think is going on (and I welcome corrections): Because Zoom wants to comply with GDPR and CCPA, they’ve hired TrustArc to put that opt-out cookie gauntlet in front of users. They could just as easily have used Quantcast‘s system, or consentmanager‘s, or OneTrust‘s, or somebody else’s.

All those services are designed to give companies a way to obey the letter of privacy laws while violating their spirit. That spirit says stop tracking people unless they ask you to, consciously and deliberately. In other words, opting in, rather than opting out. Every time you click “Accept” to one of those cookie notices, you’ve just lost one more battle in a losing war for your privacy online.

I also assume that Zoom’s deal with TrustArc—and, by implication, all those 70 other parties listed in the cookie gauntlet—also requires that Zoom put a bunch of weasel-y jive in their privacy policy. Which looks suspicious as hell, because it is.

Zoom can fix all of this easily by just stopping it. Other companies—ones that depend on adtech (tracking-based advertising)—don’t have that luxury. But Zoom does.

If we take Zoom at its word (in that paragraph they sent me), they aren’t interested in being part of the adtech fecosystem. They just want help in aiming promotional ads for their own services, on their own site.

Three things about that:

  1. Neither the Zoom site, nor the possible uses of it, are so complicated that they need aiming help from those third parties.
  2. Zoom is the world’s leading sellers’ market right now, meaning they hardly need to advertise at all.
  3. Being in adtech’s fecosystem raises huge fears about what Zoom and those third parties might be doing where people actually use Zoom most of the time: in its app. Again, Consumer Reports, Forbes and others have assumed, as have I, that the company’s embrasure of adtech in its privacy policy means that the same privacy exposures exist in the app (where they are also easier to hide).

By severing its ties with adtech, Zoom can start restoring people’s faith in its commitment to personal privacy.

There’s a helpful model for this: Apple’s privacy policy. Zoom is in a position to have a policy like that one because, like Apple, Zoom doesn’t need to be in the advertising business. In fact, Zoom could follow Apple’s footprints out of the ad business.

And then Zoom could do Apple one better, by participating in work going on already to put people in charge of their own privacy online, at scale. In my last post. I named two organizations doing that work. Four more are the Me2B Alliance, Kantara, ProjectVRM, and MyData.

I’d be glad to help with that too. If anyone at zoom is interested, contact me directly this time. Thanks.

 

 

 

zoom with eyes

[21 April 2020—Hundreds of people are arriving here from this tweet, which calls me a “Harvard researcher” and suggests that this post and the three that follow are about “the full list of the issues, exploits, oversights, and dubious choices Zoom has made.” So, two things. First, while I run a project at Harvard’s Berkman Klein Center, and run a blog that’s hosted by Harvard, I am not a Harvard employee, and would not call myself a “Harvard researcher.” Second, this post and the ones that follow—More on Zoom and Privacy, Helping Zoom, and Zoom’s new privacy policy—are focused almost entirely on Zoom’s privacy policy and how its need to explain the (frankly, typical) tracking-based marketing tech on its home page gives misleading suggestions about the privacy of Zoom’s whole service. If you’re interested in that, read on. (I suggest by starting at the end of the series, written after Zoom changed its privacy policy, and working back.) If you want research on other privacy issues around Zoom, look elsewhere. Thanks.]


As quarantined millions gather virtually on conferencing platforms, the best of those, Zoom, is doing very well. Hats off.

But Zoom is also—correctly—taking a lot of heat for its privacy policy, which is creepily chummy with the tracking-based advertising biz (also called adtech). Two days ago, Consumer Reports, the greatest moral conscience in the history of business, published Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know: Videos and notes can be used by companies and hosts. Here are some tips to protect yourself. And there was already lots of bad PR. A few samples:

There’s too much to cover here, so I’ll narrow my inquiry down to the “Does Zoom sell Personal Data?” section of the privacy policy, which was last updated on March 18. The section runs two paragraphs, and I’ll comment on the second one, starting here:

… Zoom does use certain standard advertising tools which require Personal Data…

What they mean by that is adtech. What they’re also saying here is that Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data. What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it. (Unless, of course, they see an ad somewhere that looks like it was informed by a private conversation on Zoom.)

A person whose personal data is being shed on Zoom doesn’t know that’s happening because Zoom doesn’t tell them. There’s no red light, like the one you see when a session is being recorded. If you were in a browser instead of an app, an extension such as Privacy Badger could tell you there are trackers sniffing your ass. And, if your browser is one that cares about privacy, such as Brave, Firefox or Safari, there’s a good chance it would be blocking trackers as well. But in the Zoom app, you can’t tell if or how your personal data is being harvested.

(think, for example, Google Ads and Google Analytics).

There’s no need to think about those, because both are widely known for compromising personal privacy. (See here. And here. Also Brett Frischmann and Evan Selinger’s Re-Engineering Humanity and Shoshana Zuboff’s In the Age of Surveillance Capitalism.)

We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).

Nobody goes to Zoom for an “advertising experience,” personalized or not. And nobody wants ads aimed at their eyeballs elsewhere on the Net by third parties using personal information leaked out through Zoom.

Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the “sale” of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom’s purposes.

By “certain state laws” I assume they mean California’s new CCPA, but they also mean the GDPR. (Elsewhere in the privacy policy is a “Following the instructions of our users” section, addressing the CCPA, that’s as wordy and aversive as instructions for a zero-gravity toilet. Also, have you ever seen, anywhere near the user interface for the Zoom app, a place for you to instruct the company regarding your privacy? Didn’t think so.)

For example, Google may use this data to improve its advertising services for all companies who use their services.

May? Please. The right word is will. Why wouldn’t they?

(It is important to note advertising programs have historically operated in this manner. It is only with the recent developments in data privacy laws that such activities fall within the definition of a “sale”).

While advertising has been around since forever, tracking people’s eyeballs on the Net so they can be advertised at all over the place has only been in fashion since around 2007, which was when Do Not Track was first floated as a way to fight it. Adtech (tracking-based advertising) began to hockey-stick in 2010 (when The Wall Street Journal launched its excellent and still-missed What They Know series, which I celebrated at the time). As for history, ad blocking became the biggest boycott, ever by 2015. And, thanks to adtech, the GDPR went into force in 2018 and the CCPA 2020,. We never would have had either without “advertising programs” that “historically operated in this manner.”

By the way, “this manner” is only called advertising. In fact it’s actually a form of direct marketing, which began as junk mail. I explain the difference in Separating Advertising’s Wheat and Chaff.

If you opt out of “sale” of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties.

Opt out? Where? How? I just spent a long time logged in to Zoom  https://us04web.zoom.us/), and can’t find anything about opting out of “‘sale’ of your personal info.” (Later, I did get somewhere, and that’s in the next post, More on Zoom and Privacy.)

Here’s the thing: Zoom doesn’t need to be in the advertising business, least of all in the part of it that lives like a vampire off the blood of human data. If Zoom needs more money, it should charge more for its services, or give less away for free. Zoom has an extremely valuable service, which it performs very well—better than anybody else, apparently. It also has a platform with lots of apps with just as absolute an interest in privacy. They should be concerned as well. (Unless, of course, they also want to be in the privacy-violating end of the advertising business.)

What Zoom’s current privacy policy says is worse than “You don’t have any privacy here.” It says, “We expose your virtual necks to data vampires who can do what they will with it.”

Please fix it, Zoom.

As for Zoom’s competitors, there’s a great weakness to exploit here.

Next post on the topic: More on Zoom and Privacy.

 

 

 

Journalism’s biggest problem (as I’ve said before) is what it’s best at: telling stories. That’s what Thomas B. Edsall (of Columbia and The New York Times) does in Trump’s Digital Advantage Is Freaking Out Democratic Strategists, published in today’s New York Times. He tells a story. Or, in the favored parlance of our time, a narrative, about what he sees Republicans’ superior use of modern methods for persuading voters:

Experts in the explosively growing field of political digital technologies have developed an innovative terminology to describe what they do — a lexicon that is virtually incomprehensible to ordinary voters. This language provides an inkling of the extraordinarily arcane universe politics has entered:

geofencingmass personalizationdark patternsidentity resolution technologiesdynamic prospectinggeotargeting strategieslocation analyticsgeo-behavioural segmentpolitical data cloudautomatic content recognitiondynamic creative optimization.

Geofencing and other emerging digital technologies derive from microtargeting marketing initiatives that use consumer and other demographic data to identify the interests of specific voters or very small groups of like-minded individuals to influence their thoughts or actions.

In fact the “arcane universe” he’s talking about is the direct marketing playbook, which was born offline as the junk mail business. In that business, tracking individuals and bothering them personally is a fine and fully rationalized practice. And let’s face it: political campaigning has always wanted to get personal. It’s why we have mass mailings, mass callings, mass textings and the rest of it—all to personal addresses, numbers and faces.

Coincidence: I just got this:

There is nothing new here other than (at the moment) the Trump team doing it better than any Democrat. (Except maybe Bernie.) Obama’s team was better at it in ’08 and ’12. Trump’s was better at it in ’16 and is better again in ’20.*

However, debating which candidates do the best marketing misdirects our attention away from the destruction of personal privacy by constant tracking of our asses online—including tracking of asses by politicians. This, I submit, is a bigger and badder issue than which politicians do the best direct marketing. It may even be bigger than who gets elected to what in November.

As issues go, personal privacy is soul-deep. Who gets elected, and how, are not.

As I put it here,

Surveillance of people is now the norm for nearly every website and app that harvests personal data for use by machines. Privacy, as we’ve understood it in the physical world since the invention of the loincloth and the door latch, doesn’t yet exist. Instead, all we have are the “privacy policies” of corporate entities participating in the data extraction marketplace, plus terms and conditions they compel us to sign, either of which they can change on a whim. Most of the time our only choice is to deny ourselves the convenience of these companies’ services or live our lives offline.

Worse is that these are proffered on the Taylorist model, meaning mass-produced.

There is a natural temptation to want to fix this with policy. This is a mistake for two reasons:

  1. Policy-makers are themselves part of the problem. Hell, most of their election campaigns are built on direct marketing. And law enforcement (which carries out certain forms of policy) has always regarded personal privacy as a problem to overcome rather than a solution to anything. Example.
  2. Policy-makers often screw things up. Exhibit A: the EU’s GDPR, which has done more to clutter the Web with insincere and misleading cookie notices than it has to advance personal privacy tech online. (I’ve written about this a lot. Here’s one sample.)

We need tech of our own. Terms and policies of our own. In the physical world, we have privacy tech in the forms of clothing, shelter, doors, locks and window shades. We have policies in the form of manners, courtesies, and respect for privacy signals we send to each other. We lack all of that online. Until we invent it, the most we’ll do to achieve real privacy online is talk about it, and inveigh for politicians to solve it for us. Which they won’t.

If you’re interested in solving personal privacy at the personal level, take a look at Customer Commons. If you want to join our efforts there, talk to me.

_____________
*The Trump campaign also has the enormous benefit of an already-chosen Republican ticket. The Democrats have a mess of candidates and a split in the party between young and old, socialists and moderates, and no candidate as interesting as is Trump. (Also, I’m not Joyce.)

At this point, it’s no contest. Trump is the biggest character in the biggest story of our time. (I explain this in Where Journalism Fails.) And he’s on a glide path to winning in November, just as I said he was in 2016.

Here’s the popover that greets visitors on arrival at Rolling Stone‘s website:

Our Privacy Policy has been revised as of January 1, 2020. This policy outlines how we use your information. By using our site and products, you are agreeing to the policy.

That policy is supplied by Rolling Stone’s parent (PMC) and weighs more than 10,000 words. In it the word “advertising” appears 68 times. Adjectives modifying it include “targeted,” “personalized,” “tailored,” “cookie-based,” “behavioral” and “interest-based.” All of that is made possible by, among other things—

Information we collect automatically:

Device information and identifiers such as IP address; browser type and language; operating system; platform type; device type; software and hardware attributes; and unique device, advertising, and app identifiers

Internet network and device activity data such as information about files you download, domain names, landing pages, browsing activity, content or ads viewed and clicked, dates and times of access, pages viewed, forms you complete or partially complete, search terms, uploads or downloads, the URL that referred you to our Services, the web sites you visit after this web site; if you share our content to social media platforms; and other web usage activity and data logged by our web servers, whether you open an email and your interaction with email content, access times, error logs, and other similar information. See “Cookies and Other Tracking Technologies” below for more information about how we collect and use this information.

Geolocation information such as city, state and ZIP code associated with your IP address or derived through Wi-Fi triangulation; and precise geolocation information from GPS-based functionality on your mobile devices, with your permission in accordance with your mobile device settings.

The “How We Use the Information We Collect” section says they will—

Personalize your experience to Provide the Services, for example to:

  • Customize certain features of the Services,
  • Deliver relevant content and to provide you with an enhanced experience based on your activities and interests
  • Send you personalized newsletters, surveys, and information about products, services and promotions offered by us, our partners, and other organizations with which we work
  • Customize the advertising on the Services based on your activities and interests
  • Create and update inferences about you and audience segments that can be used for targeted advertising and marketing on the Services, third party services and platforms, and mobile apps
  • Create profiles about you, including adding and combining information we obtain from third parties, which may be used for analytics, marketing, and advertising
  • Conduct cross-device tracking by using information such as IP addresses and unique mobile device identifiers to identify the same unique users across multiple browsers or devices (such as smartphones or tablets, in order to save your preferences across devices and analyze usage of the Service.
  • using inferences about your preferences and interests for any and all of the above purposes

For a look at what Rolling Stone, PMC and their third parties are up to, Privacy Badger’s browser extension “found 73 potential trackers on www.rollingstone.com:

tagan.adlightning.com
 acdn.adnxs.com
 ib.adnxs.com
 cdn.adsafeprotected.com
 static.adsafeprotected.com
 d.agkn.com
 js.agkn.com
 c.amazon-adsystem.com
 z-na.amazon-adsystem.com
 display.apester.com
 events.apester.com
 static.apester.com
 as-sec.casalemedia.com
 ping.chartbeat.net
 static.chartbeat.com
 quantcast.mgr.consensu.org
 script.crazyegg.com
 dc8xl0ndzn2cb.cloudfront.net
cdn.digitru.st
 ad.doubleclick.net
 securepubads.g.doubleclick.net
 hbint.emxdgt.com
 connect.facebook.net
 adservice.google.com
 pagead2.googlesyndication.com
 www.googletagmanager.com
 www.gstatic.com
 static.hotjar.com
 imasdk.googleapis.com
 js-sec.indexww.com
 load.instinctiveads.com
 ssl.p.jwpcdn.com
 content.jwplatform.com
 ping-meta-prd.jwpltx.com
 prd.jwpltx.com
 assets-jpcust.jwpsrv.com
 g.jwpsrv.com
pixel.keywee.co
 beacon.krxd.net
 cdn.krxd.net
 consumer.krxd.net
 www.lightboxcdn.com
 widgets.outbrain.com
 cdn.permutive.com
 assets.pinterest.com
 openbid.pubmatic.com
 secure.quantserve.com
 cdn.roiq.ranker.com
 eus.rubiconproject.com
 fastlane.rubiconproject.com
 s3.amazonaws.com
 sb.scorecardresearch.com
 p.skimresources.com
 r.skimresources.com
 s.skimresources.com
 t.skimresources.com
launcher.spot.im
recirculation.spot.im
 js.spotx.tv
 search.spotxchange.com
 sync.search.spotxchange.com
 cc.swiftype.com
 s.swiftypecdn.com
 jwplayer.eb.tremorhub.com
 pbs.twimg.com
 cdn.syndication.twimg.com
 platform.twitter.com
 syndication.twitter.com
 mrb.upapi.net
 pixel.wp.com
 stats.wp.com
 www.youtube.com
 s.ytimg.com

This kind of shit is why we have the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act). (No, it’s not just because Google and Facebook.) If publishers and the adtech industry (those third parties) hadn’t turned the commercial Web into a target-rich environment for suckage by data vampires, we’d never have had either law. (In fact, both laws are still new: the GDPR went into effect in May 2018 and the CCPA a few days ago.)

I’m in California, where the CCPA gives me the right to shake down the vampiretariat for all the information about me they’re harvesting, sharing, selling or giving away to or through those third parties.* But apparently Rolling Stone and PMC don’t care about that.

Others do, and I’ll visit some of those in later posts. Meanwhile I’ll let Rolling Stone and PMC stand as examples of bad acting by publishers that remains rampant, unstopped and almost entirely unpunished, even under these new laws.

I also suggest following and getting involved with the fight against the plague of data vampirism in the publishing world. These will help:

  1. Reading Don Marti’s blog, where he shares expert analysis and advice on the CCPA and related matters. Also People vs. Adtech, a compilation of my own writings on the topic, going back to 2008.
  2. Following what the browser makers are doing with tracking protection (alas, differently†). Shortcuts: Brave, Google’s Chrome, Ghostery’s Cliqz, Microsoft’s Edge, Epic, Mozilla’s Firefox.
  3. Following or joining communities working to introduce safe forms of nourishment for publishers and better habits for advertisers and their agencies. Those include Customer CommonsMe2B AllianceMyData Global and ProjectVRM.

______________

*The bill (AB 375), begins,

The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.

This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed…

Don Marti has a draft letter one might submit to the brokers and advertisers who use all that personal data. (He also tweets a caution here.)

†This will be the subject of my next post.

« Older entries