National Security Risks from Online Ads, Google's Cookie Phase-Out, and EDPB's New Cookie Guidelines

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

  • The shocking threat to national security posed by the online advertising industry.
  • Google begins its phase-out of third-party cookies, for real this time (honestly, they promise).
  • The EDPB has issued new guidelines on the cookie bits of the ePrivacy Directive, which passed well over a decade ago.
  • What we’re reading: Our picks for privacy and privacy-adjacent content this week.

Adtech Report Reveals Europe’s ‘Hidden Security Crisis’

The Irish Council for Civil Liberties (ICCL) has published research showing how highly sensitive data about military and intelligence personnel can be shared with foreign state actors via the “real-time bidding” (RTB) adtech system.

  • The report, authored by privacy advocates Wolfi Christl and Johnny Ryan, describes how data used for ad targeting creates national security risks.
  • The researchers claim that information about the identities of government and military personnel can be combined with data about issues such as drug and gambling addiction, creating a risk that high-ranking officials could be blackmailed.
  • The report also reveals how sensitive adtech data ends up in China and Russia.

How serious is this?

The ICCL’s report, Europe’s Hidden Security Crisis, describes some seriously alarming research.

The authors have long campaigned against the RTB process, which facilitates the buying and selling of personal data and online advertising space—and which is described by Johnny Ryan as the “biggest data breach in history”.

Ryan has challenged the Interactive Advertising Bureau Europe’s (IAB EU) role in the scheme (the case is currently at the Court of Justice of the European Union) and has lodged a related complaint against Google, the main RTB player.

The report reiterates some well-established concerns about RTB, including how it exposes data about people’s “location and movements over time, what they are reading or watching or listening to, sexual interests, and personal problems” at least “71 trillion times a year”.

But the main focus of the report is RTB’s implications for security and defense.

What are RTB’s implications for security and defense?

Here are the main arguments:

  • Online advertising involves the collection and sharing of vast amounts of personal data, and the inferring of individuals’ characteristics. Advertisers use this data to target ads to specific types of people.
  • Internet users are assigned an identifier and labeled according to the sorts of people they are likely to be, based on inferences derived from data about their internet activity, physical location, shopping habits, and other factors.
  • For the purposes of this report, some of the relevant labels include: “Intelligence and Counterterrorism”, “Government — Legislative Branch”, “Government — Public Policy”, “Government — National Security and International”, “Military — Army”, “Aerospace and Defence”, “Defence Industry”.
  • Adtech companies also label people according to their presumed habits or personal characteristics. Some of the more sensitive labels include: “Depression”, “Anxiety”, “Gambling — High Spender”, “Mental Health”, “Substance Abuse”.
  • The researchers argue that the existence of these commercially available data sets creates a risk of blackmail and surveillance of people working in the military, government, and judiciary.
  • While some steps are taken to “pseudonymize” advertising data, some companies offer services to derive people’s names, addresses, movements, and family members from the data.
  • While the data is only initially accessible within Europe, the report shows that it frequently ends up in states such as China and Russia.

Have any government or military personnel actually been targeted via this data?

The report does not cite any instances of RTB data actually being used to this effect. The focus is on explaining the risks.

However, individuals have been identified and surveilled via commercially available advertising data. In 2022, a Catholic priest was outed as gay after a conservative group purchased RTB data regarding his location and use of Grindr.

This incident illustrates how individuals can be identified and potentially blackmailed via RTB data.

What does the ICCL recommend we do about this?

The report provides some practical recommendations to mitigate the security issues associated with RTB.

  • The European Commission should request that the European Data Protection Board (EDPB) investigate the issue.
  • The EU’s Data Protection Authorities (DPAs) should order the IAB and Google to apply stricter security measures to the RTB system.
  • The EU Agency for Cybersecurity (ENISA) should warn people and institutions about the risks of surveillance via RTB.
  • ENISA and other bodies should assess the security risks of RTB.
  • If necessary, the European Commission should consider introducing legislation to help tackle the issue across EU member states.

Ryan and others have already made progress in tackling the data protection, privacy, and security issues inherent to RTB. This report might force EU institutions to take the matter more seriously.

Google’s Third-Party Cookie Phase-Out Officially Begins

Google has given notice to developers confirming its plans to deprecate third-party cookies from the first quarter of 2024.

  • The deprecation of third-party cookies is part of Google’s Privacy Sandbox project, which will radically reform how Google delivers targeted advertising to users of its Chrome browser.
  • Initiatives in the Privacy Sandbox project include Topics, a cohort-based ad-targeting method, and Privacy Budget, which aims to tackle fingerprinting.
  • Google’s reforms have been heavily delayed, partly due to concerns among antitrust regulators such as the UK Competition and Markets Authority (CMA).

Is this actually happening?

Google began its Privacy Sandbox project in 2019 but has repeatedly pushed back the project’s implementation date due to practical and legal issues.

But judging by a post for developers published on Monday, Google’s goal of phasing out third-party cookies appears much closer to becoming a reality.

Initially, Google will switch off third-party cookies by default for just 1% of users.

Just 1%?

Google is treading carefully, partly to avoid creating widespread technical issues. And 1% of around 3 billion Chrome users is still a lot of people. 30 million, in fact.

Most other browsers, including Safari, Firefox, and Brave, already block third-party cookies by default. But Google would likely bankrupt itself if it turned off third-party cookies without establishing an alternative advertising infrastructure.

Is this good for privacy?

Third-party cookies are generally considered to be bad for privacy, so turning them off must be good for privacy. Right?

Arguably, yes. But many privacy fans take issue with Google’s replacement advertising model, known as Topics, which will sort Chrome users into groups according to their inferred preferences and characteristics based on their browsing history.

Topics will likely make it harder to single out or fingerprint individual users—and give Google more control over who can access people’s data. This has raised serious competition concerns—which are partly to blame for the slow pace of Google’s changes.

And, speaking of cookies…

European Data Protection Board Releases Draft Cookies Guidance

The EDPB has issued draft guidance on the “technical scope” of Article 5 (3) of the ePrivacy Directive, which regulates the use of cookies and similar technologies.

  • The draft document, Guidelines 2/2023 on the Technical Scope of Art. 5 (3) of ePrivacy Directive, is open to public consultation until December 28, 2023.
  • The guidelines provide an interpretation of the ePrivacy Directive’s rules on accessing and storing information on a person’s device, which includes setting cookies, pixels, and other trackers.
  • The EDPB also addresses various practical “use cases”, including URL tracking, local processing of data, and Internet of Things (IoT) processing.

Didn’t this law pass in 2002?

Yes, the EDPB has just provided its interpretation of a more-than-two-decades-old law. Although to be fair, the relevant sections were amended a mere 14 years ago, having passed in 2009.

Why is the EDPB doing this?

Despite its age, the ePrivacy Directive is widely flouted and frequently misunderstood. The EDPB also wishes to address upcoming changes to digital advertising and service providers providing “cookieless” tracking solutions.

Why is the ePrivacy Directive so widely violated?

The ePrivacy Directive is really quite strict.

The general rule is that you cannot access or store information on a person’s device unless it is strictly necessary to provide a service the person has requested or to facilitate network communication.

This means that, across the European Economic Area (EEA) and the UK, you need consent for almost all analytics and advertising technology, including cookies.

Some DPAs have interpreted the rules a little more liberally and will allow, for example, privacy-centric first-party analytics.

Does the EDPB say anything new?

The EDPB’s position on the ePrivacy Directive mostly echoes the views of its predecessor group, the Article 29 Working Party, which published guidelines on the ePrivacy Directive’s consent rules back in 2012.

However, the EDPB does provide some insights on how the law applies in different contexts, a process that mostly consists of shooting down several European tech startups:

  • Client-side processing: Some solutions attempt to escape the ePrivacy Directive by processing data on the user’s device. However, if any of that data gets sent over a network, the ePrivacy Directive applies.
  • IP tracking: Do you need to get consent to track users based purely on IP addresses, rather than cookie data? Yes, says the EDPB—unless you can be sure that the IP address did not come from the user’s device (including their router).
  • Unique IDs: What about creating a unique ID by hashing data provided by the user on the user’s device? No dice, says the EDPB, as the ID is still temporarily stored on—and collected from—the user’s device.

The internet has not adapted to the ePrivacy Directive, and its successor law, the ePrivacy Regulation, has been delayed for many, many years.

There are rumors that the Commission is planning to withdraw the ePrivacy Regulation proposal and wait for the review of the GDPR set for next year. The UK is also proposing to remove the requirement to obtain consent for analytics in its upcoming reforms.

But without changes to the law, it’s questionable whether the EDPB’s guidelines will have much effect on non-consensual online tracking—which has become an integral part of a billion-dollar industry.

What We’re Reading

Take a look at these three privacy-related reads published this week:

Joshua Samuel Nichols

Analyst · Specialist · Privacy Activist @ Proton

1 year

Fantastic article!
