Cookie targeting sucks, so how did the priest get outed as gay?

Few people have been around long enough in digital advertising to remember the chart below from Nielsen in 2011 which showed that only 5% of ads were properly targeted. Of course that page has since been removed, because it would have been a terribly inconvenient truth about the effectiveness of cookie-based ad targeting. or lack thereof. But here's the page archived by WayBackMachine - https://web.archive.org/web/20130311091812/https://www.nielsen.com/us/en/newswire/2011/for-online-advertising-big-impression-counts-dont-mean-high-audience-reach.html

Academics have also shown that cookie based targeting and the inferences about the users derived from website visitation patterns are equally bad or worse. For example, for just 1 parameter -- gender -- the accuracy of inferred data was 42% -- i.e. "worse than random." That means an advertiser using a "spray and pray" approach would have targeted more males than if they paid for expensive targeting data and audience segments. Of course, that is another inconvenient truth that adtech vendors selling targeting don't want advertisers to know.

Adtech vendors that sell "ID solutions" or cookie-based targeting services have worked extremely hard to convince advertisers they can serve "the right ad to the right person at the right time, regardless of what site or app they happen to be using." They claim they can help advertisers target ads down to the cookie. Many advertisers seem to believe this; they even cite examples like the priest being outed as gay because his data was tracked and sold, as just how precise -- and invasive -- the data for targeting must be. They also cite the example of secret military bases being revealed by personnel using fitness tracking apps. These real-life examples happened. But does that mean adtech targeting data using cookies is accurate? No. Why?

The rest of the article answers the following question -- How can adtech data be so precise that it invades folks' privacy but at the same time, so poor in quality that it makes cookie-based targeting laughably useless?

Precise location data is privacy invasive, but not used in most adtech targeting

Note in each of the cases mentioned above, it's the precise location data that caused the privacy violations. For example, [NBC, 2021] the priest used the gay dating app Grindr. His location was tracked by the app and he was seen repeatedly going between the church rectory (place where priests live) and a local gay bar. This data was sold through a data broker and an activist group used the data to out the priest. The second example [The Guardian, 2018] was simple -- military personnel using fitness tracking apps while on base had their locations leaked, thus revealing the location of the secret military base. Again this has to do with precise location data that mobile apps that have GPS permissions can collect, and send to the servers of the app maker, and then shared/sold to data brokers for profit.

But the javascript code used to serve most programmatic ads do not have access to the GPS sensors of the mobile device. It can only approximate the location from the IP address. Even mobile apps like keyboard apps, flashlight apps, alarm block apps, and kids' color-by-number apps don't have GPS or live geolocation; if your kid's coloring app asked for precise GPS location, you should be highly skeptical of why. So geolocation is approximate at best and precise locations are not used in most adtech targeting; only broad locations -- like the country and state -- are used to ensure ads are served in the right country. This is different from the Starbucks app needing real-time, precise GPS location so it can tell you the nearest Starbucks to pick up your drink.

"Who they are and what they like" are inferred

Let's talk about adtech targeting and why it is so bad. Ever since programmatic media buying took off, data management platforms have grown too. These are the vendors that harvest data about people from a variety of sources, and use that to derive or infer "who they are and what they like." They have to do this because most humans are NOT logged in when reading content on a public website like news websites. This is entirely different than "walled gardens" like Google or Facebook where humans are logged in all day long to Gmail and Instagram. Google and Facebook know who those users are AND those users voluntarily volunteered demographic information like age, gender, etc. and their behaviours, likes, shares, friends, etc can all be observed by Google and Facebook, all of which make targeting of ads better, in those walled gardens.

Cookie match rates suck too

On top of how bad the inferred data about cookies is, cookie match rates also suck. What's a "cookie match?" When advertisers don't have all the cookies of the users they want to target, or when data brokers don't have that, they have to match cookies with some other party that does. A common use case is an advertiser uploading deterministic identifiers that they have -- like email addresses or 1st party cookies of their own users -- to a data broker like LiveRamp. A vendor like LiveRamp performs the service of matching cookies from different cookie pools, sometimes using their own identifier as an intermediary for matching. This is not an article about the technicalities of cookie matching and syncing, so I won't go into it here. But the matching process is widely known to be inaccurate and incomplete. Many studies have been done on just how bad cookie match rates are, but this recent summary is useful for ballparking -- "Fifty-five percent of study respondents see cookie matching succeed less than 45% of the time." Source: https://www.adexchanger.com/content-studio/study-cookies-low-match-rates-cost-ad-tech-millions-moving-off-cookies-may-be-the-answer/ This simply means that in most cases, the chances of finding a match for a cookie that you have is about 1 in 2. Not good. And certainly not precise enough to support the notion of "the right ad to the right person at the right time" as claimed by adtech vendors selling that data and those services.

The impact of bots/fraud on cookie targeting

Further, advertisers should consider the impact of bots and fraudsters on the accuracy of cookies and audience segments. On the open web where most users don't log in to a site just to read an article, only cookies are available to the sites, ad networks, and data brokers. These cookies are anonymous representations of persons. By looking at the list of sites that each cookie visits, the data brokers attempt to derive who they are and what they like. For example, if the users visited ESPN, playboy, maxim, sportsillustrated, etc. the data broker might deduce the user was male. Beyond these simplistic, and sexist, examples, it gets infinitely harder to get it right, even for gender. What do you derive about the anonymous cookie that visits Walmart .com? Right, the data sellers might try their best, but most of it is just "make sh** up." And advertisers buy it.

Bots and fraudsters know this too. So they send their bots to automotive sites first, so those cookies appear to be "auto-intenders." That's why we saw hilarious examples like "330 million auto-intenders in the U.S." when there was only 350 million people in the U.S. Bots also visit medical journal sites, so their website visitation pattern makes them appear to be doctors. Large pharma advertisers love to pay insane CPMs thinking they were targeting high value doctors. Bots even look at oncology articles to pretend to be even more valuable oncologists. Did you know that bots dump cookies when they are caught and get new ones?That means there's much higher, if not constant, cookie turnover with bot traffic. Humans don't delete cookies deliberately too often, but cookie rotation among bots is how they avoid detection and get more ad impressions per bot. Oh, and one more thing, bad guys operating fake sites that use bot traffic will simply substitute a cookie in when there was none, because the presence of a cookie in the bid request always gets more bids and higher CPMs than bid requests that lack a targeting cookie (think iOS, Safari, Firefox and Brave, all of which are used by humans).

All of the above said, as an advertiser, how sure are you that you're targeting real oncologists instead of bots pretending to be oncologists? It's bad. And yeah, I have the data in case you want to see.

Did I sufficiently answer the question: "How can adtech data be so precise that it invades folks' privacy but at the same time, so poor in quality that it makes cookie-based targeting laughably useless?"

So what?

Let's wrap this article by recapping a few points:

1. cookie targeting is bad, because inferred interests are very inaccurate
2. cookie targeting is bad, because finding a matching cookie that correctly identifies the person you are trying to target works less than half of the time.
3. cookie targeting is bad, because bots can trick data brokers into thinking they are doctors or oncologists (just by visiting a collection of sites) and then selling them as part of "high value audiences" to gullible advertisers for insane CPMs
4. cookie targeting is bad, because it's just bad. (don't trust me; just run your own damn experiments.)

Moving on from cookies can't happen soon enough. If you are a savvy advertiser, you should drive the move to cookieless yourself, sooner. Cookie targeting has never worked well, and the priest and military base examples dont apply here. Cookie sync and match problems make it even worse -- i.e. are you targeting the right cookie and does that cookie actually represent the right person? Run your own experiments, if you don't believe me. Turn off JUST the targeting, leave your campaigns on, and note if there's ANY change to the rate of outcomes. You won't see any; if you do, let me know, so I can retract all of the above. (I see you, haters, and I probably won't). ;-)

Here's a great example of an agency ( Brunner and Ivan Tafur Luca Pugliano ) that has "moved on" from a dependence on cookies and have helped their clients do the same. They are heavily targeting iPhones, which don't have 3rd party cookies for tracking and targeting, and getting WAY better business results for clients, compared to before, when using cookie-based targeting.

Further reading: COOKIELESS and CLICKLESS attribution with FouAnalytics