Privacy purge: EU mega lawsuit against IAB, Xandr aims to end behavioural targeting, real time ad bidding worldwide in three years: Dr Johnny Ryan
Dr Johnny Ryan is well known in the ad tech world, mainly for wanting to bring a large portion of it down – or force it to reform, depending on who you ask. A former exec at The Irish Times, Chief Policy Officer at web browser Brave and PageFair's former Head of Ecosystem, the privacy advocate has now launched landmark legal action against digital ad standards setter, IAB Tech Lab, and AT&T's adtech unit Xandr. Ryan wants no less than to end real time bidding and user tracking under powerful GDPR laws that would force wholesale and widespread reform of the entire digital ad industry. If successful, the global impact will be profound.
What you need to know:
- A leading privacy campaigner, former adtech insider turned whistleblower Dr Johnny Ryan, has filed a lawsuit under Europe’s GDPR laws alleging the IAB is behind the “world’s largest data breach”.
- Ryan has launched action against IAB Tech Lab, Xandr and a German publisher in order to stop Real Time Bidding (RTB), the programmatic digital advertising auction system that he says harvests data illegally. The action will have international reverberations.
- The case will play out over about two or three years with appeals, Ryan estimates. If successful, it could force a complete overhaul of programmatic buying in Europe and would kill much of how circa $330bn in digital advertising is traded globally.
- Stockmarket-style real time bidding of digital ads amounts to a “cancer feasting on the decaying body of the legitimate media. The objective is to force this dirty, dirty industry to reform," says Ryan on today's Mi3 podcast. "The industry which I’ve worked in, and which everyone listening probably works in, is reckless, irresponsible, and immature. It follows short term profit with no interest in long term sustainability."
- The IAB Tech Lab’s audience taxonomy documents, Ryan argues, segment individuals by location, income, religion, political views, sexual orientation and even whether someone is the parent of a child with special needs, breaching GDPR rules which hitherto have not been enforced.
- Xandr, one of the defendants in the lawsuit, says it shares data in the RTB process with 1,600 other companies – this violates GDPR’s strict data protection rules, Ryan says.
- Ryan suggests while Google, Facebook and Apple have their own questions to answer over data practices, adtech firms complaining about moves to restrict data sharing arrangements are like “back alley surgeons” moaning that it is “impossible to continue to hack people's limbs off with a bloody saw”.
- The IAB locally says gaps in GDPR enforcement are allowing legal challenges enabling "false narratives" that RTB is inherently incapable of being conducted under GDPR.
- The legal battle over privacy will prove crucial for international privacy precedents and the underpinnings of the current digital advertising system worldwide.
The lawsuit against everyone
A stopwatch somewhere in Europe has started: the adtech industry has three years to completely reform its high-speed online ad auction practices known as Real Time Bidding (RTB) or face industry-crunching legal consequences, a top privacy campaigner has warned.
Dr Johnny Ryan, a former adtech insider who is now a Senior Fellow at the Irish Council for Civil Liberties, is taking the Interactive Advertising Bureau (IAB) Tech Lab to court in Hamburg, Germany, for violations of Europe’s General Data Protection Regulation (GDPR) in what he calls “the world’s largest data breach”.
He says the lawsuit targets Google, Facebook, Amazon, Twitter, Verizon, AT&T, and the entire behavioural targeting and tracking industry, by challenging the industry-wide guidelines set by the New York-based IAB Tech Lab.
Ryan, who testified before a US Senate Judiciary Committee over programmatic ad buying and its privacy implications, says RTB amounts to a “cancer feasting on the decaying body of the legitimate media”.
“The objective is to force this dirty, dirty industry to reform. The industry which I’ve worked in, and which everyone listening probably works in, is reckless, irresponsible, and immature. It follows short term profit with no interest in long term sustainability,” he says.
“I would be shocked if the Hamburg court did not give us the ruling we want and fully expect. It’ll take at least a year… we’re talking several years of litigation.”
In response, the IAB Tech Lab said it has not received any documents related to the case:
"IAB Tech Lab will continue to deliver on its mission to drive global technology standards that enable growth and trust in the digital media ecosystem. This mission has never been more timely or important," a spokesperson told Mi3.
"At this time, we have not been served with any documents in the case. We will review the allegations in conjunction with our legal advisers and, if appropriate, will respond in due course."
The allegations behind the lawsuit
At the heart of Ryan's legal case is Real Time Bidding – the auction process that takes place in milliseconds to match an advertiser with a user as a website page is loading.
In an English translation of the legal documents filed with the Hamburg District Court, Ryan and his legal team use an example to illustrate the process.
On 25 March this year, Ryan went on the website www.onlinemarketing.de to read an article about himself.
Within 268 milliseconds, according to his evidence, his IP address, user ID, sex, date of birth, geolocation, place of residence, content taxonomy categories, audience taxonomy categories, his specific device’s information, and more, were shared with “an unspecified number of purchasing platforms.”
The case is against IAB Tech Lab, the first defendant, as well as adtech firm Xandr and the online marketing publication. It's technical but demonstrative of how complex and unregulated the digital advertising economy is.
“By providing tools for checking whether the personal data in a bid request are processed correctly, [IAB Tech Lab] facilitates and enables the processing of the Plaintiff’s personal data which is the subject of the dispute,” Ryan alleges.
“The defendants must stand accused of maintaining illegal and insecure data processing and operating it intensively as a business model.”
All three parties, his lawyers argue, should refrain from processing his personal data without proper security measures, transparency, legal standing or appropriate safeguards. Without these, RTB violates Article 5 of the GDPR, which describes how personal data must be collected, processed and stored.
Ryan says there are several components to the case. One is the OpenRTB protocols, the rules that define what can be shared about an individual or groups of people.
The second element is the IAB Tech Lab’s Audience Taxonomy, the agreed set of audience segments that are compatible across different ad tech providers. Likewise, the IAB Tech Lab’s Content Taxonomy, which segments page content into categories.
Version 1.0 of the IAB Tech Lab’s Audience Taxonomy included codes to determine a user’s income, political views, parents of special needs children, mental health conditions and religion.
“The personal data contained in a bid request allows anyone who receives it to build a long-term dossier of intimate behaviors and characteristics of the website visitor, including movement profile, political views, religion, sexuality, and health status,” Ryan says in his legal pleadings.
He lists data shared by IndexExchange, PubMatic, OpenX and Google as evidence for billions of requests for ads every day.
“Thus, it becomes clear that personal data is disseminated hundreds of billions of times a day through OpenRTB. This means that hundreds of trillions of bid requests are processed annually by an unknown number of companies."
Put simply, Ryan says the practices of the adtech industry, and those used for RTB, are in breach of GDPR rules. No amount of consent or pop-up information boxes, he argues, can adequately prepare a user for their data to be shared with 1,600 partners, as Xandr publicly discloses, who may then share the data with other companies.
Cookie alternatives "nonsense"
For three years, GDPR enforcers have failed to act, Ryan says. They have “awesome powers” but, despite receiving evidence of repeated alleged data breaches, they have not taken any steps towards action.
“They haven’t done a damn thing with that evidence,” he says.
It's a question of willpower and manpower. Across the entire European Union’s suite of regulators, the ICCL has found 305 people focused on investigating and enforcing the laws that cover Big Tech.
“That’s nothing. A very thin red line facing tech companies. Split up in more than 40 agencies. In Germany there are 19 agencies,” he says.
“We’re talking about several years of litigation. But the facts will be obvious and uncontestable 12 months from now. The facts are uncontestable now.”
He also takes aim at alternatives to third-party cookies, which are due to be removed in late 2023 from Google’s Chrome browser. The current arms race to build out universal ID solutions is equally futile, Ryan argues.
“Any industry player that has been hoping it can scramble by, all of this nonsense about Unified ID 2.0, PRAM (Partnership for Responsible Addressable Media) in the United States – this case is partly to say to the US [Association of National Advertisers], IAB: don’t bother. You must change. You must change. This fight is obviously over. We’ve landed and taken Okinawa, let’s not fight you on the beaches of Japan here.”
Do people care?
There has been plenty of discussion about whether users care about data privacy. While many say they do in surveys, few quit Facebook, Google’s Chrome browser, or other widely-used applications that harvest data for advertising purposes. Apple’s opt-in for its App Tracking Transparency features has demonstrated that the majority of Australian users would rather not be tracked across apps, but it’s unclear to what extent privacy features change buying patterns.
In this case, however, Ryan says “the individual is not relied on to care”.
“Any behavioural economist will tell you that people put off pension decisions until very often it's almost too late, even though their parents are telling them start your pension now,” he says.
“When these things don't have an immediate consequence, you ignore them. It doesn’t matter what you think might happen to the data…. It’s the unforeseeable thing that is often the challenge.
“When data brokers inferred that people were Muslim based on their shopping habits, what food they bought or viewing habits, maybe this was intended to help people sell products to Muslims.
“But it still meant when Donald Trump was coming into office, he said he was going to build a Muslim list. Amnesty International went and bought Muslim lists to show this guy doesn’t actually need to build a state apparatus to create a Muslim list. You can buy them on the market in the United States.”
Ryan’s is not the only ongoing court case related to RTB. In March, two US residents filed a lawsuit against Google over its RTB practice, which they allege “actively sells and shares consumers’ personal information with thousands of entities”.
Ryan's case also links RTB concerns to a recent Wall Street Journal article in which a bipartisan group of US senators wrote to major ad auction companies asking them about how the data of US citizens is used after the ad is sold.
How RTB hits publishers
Ryan, a former Chief Innovation Officer at The Irish Times newspaper, says RTB is a bad deal for premium publishers.
"Unfortunately, when the publisher decides to use real time bidding to show ads to you, what they are doing is they are telling a whole lot of intermediary companies [that] this person... is a high end auto intender," he says.
"All of those intermediaries are then in a position to re-identify you when you go to conspiracytheory.au or bikinibabes.au... [and] show you the car or ad at what appears to be an enormous discount. But the advertiser, of course, doesn't know what the discount was, they don't necessarily know where the ad ended up, and the person who is making out like a bandit is the adtech intermediary because they can charge whatever they want - provided they give some form of discount.
"Now, what that does is it means the high end publisher who invests in investigative work to make sure politics is clean or something like that. That publisher can no longer charge the same amount tomorrow as it charged today for your attention.
“It creates a business model for the bottom of the web, for conspiracy theories dot A-U. Those guys can arbitrage the legitimate publishers’ audiences. That’s a problem. It’s feeding the bottom of the web, it’s creating a business model for that stuff, and it’s a cancer feasting on the decaying body of the legitimate media. It’s a huge issue.”
Internal data sharing "free for all" also in the crosshairs
Ryan says he is working on litigation against Google and Facebook, too, in an attempt to end the "data free-for-all" that exists within the walled gardens. Purpose limitation, the legislative limits on how data can be used, must be enforced, he says.
"You can't have an internal data free for all. So we need to stop the external data free-for-all and we need to stop the internal data free-for-all inside these big companies," he says.
"Google and Facebook, they just take data out of one area of business to prop up other areas of business, too, and they cascade their monopolies."
Despite those data issues, Ryan is blunt about adtech’s competition complaints around Google and Apple not allowing access to user data.
“They're moaning and saying, ‘oh, those guys are turning off the tap of illegal data to us in our data free for all’ – that actually isn't a competition issue. And here's why,” he says.
“That's like the back-alley surgeon moaning that they're supposed to keep their instruments sterile. Oh, boo hoo. Those guys have gone and set up clinics with electric lighting and sterile instruments. And they've made it impossible for us to continue to hack people's limbs off with bloody saws. Tough shit. We're moving to a new clean age. Get with the program. It's time for industry to become a clean one.”
What does a better adtech industry look like?
A few months after the IAB Tech Lab released its Audience Taxonomy 1.0, it released an updated version 1.1 that removed some of the more controversial categories. Is there any form of the IAB Tech Lab’s audience taxonomy that Ryan believes would be acceptable under GDPR?
“I have no idea,” Ryan says.
“Version 1.1 removes some of the dangerous categories, but not all… The fact they have removed a few things that they think can look particularly bad, I mean, maybe that’s a step in the right direction. But they’ve included a large number of other things.”
Speaking of alternatives to current RTB practices, Ryan says there are examples out there for those that look hard enough. Nederlandse Publieke Omroep (NPO), a public broadcaster in the Netherlands, announced it would remove all third party cookies and “stop doing all the bad stuff”.
“Their revenue went up 55 per cent… when Covid hit, their revenue still went up year-on-year in double digits,” he says.
“No more audience arbitrage, far less fraud, the publisher can sell the publisher’s own audience. Catastrophically bad news for the adtech companies, great news for the publisher."
He adds: "I think there may be a bright future, but not for everyone."
Mi3 will in the coming weeks assemble industry views on the claims in Dr Ryan's legal case. IAB Australia CEO Gai Le Roy issued this statement last night:
"Digital advertising in Australia generates over $9.5bn per annum subsidising digital news, entertainment, information and services for Australians. Programmatic advertising has enabled inventory from publishers, large and small, to be made available to a much wider range of advertisers.
"Although IAB Australia is not in a position to comment directly on the latest case raised by the Irish Council for Civil Liberties (ICCL), the IAB has always helped the industry to operate by developing standards, guidelines, taxonomies and frameworks that suit the legal requirements of different markets, enable marketers to grow their businesses by reaching consumers and increasingly providing data transparency and control for users. Our work is open, collaborative and iterative.
"Gaps in GDPR enforcement are creating an opening for legal challenges that do not reflect reality and are enabling the false narrative that RTB is inherently incapable of being conducted in a GDPR-compliant way. This is fundamentally wrong. As we have seen from directives from the ICO in the UK the industry should expect more scrutiny and audits on compliance – we welcome these measures to ensure the players are held to account and as an industry we continue to find ways to improve consumer experience and trust.
"The industry, through the IAB, is investing a lot of time and effort with thousands of companies in doing the right things for the industry and for consumers, as well as helping maintain a free and open web."