Even the IAB warned adtech risks EU privacy rules

A privacy complaint targeting the behavioral advertising industry has a new piece of evidence that shows the Internet Advertising Bureau (IAB) shedding doubt on whether it’s possible to obtain informed consent from web users for the programmatic ad industry’s real-time bidding (RTB) system to broadcast their personal data.

The adtech industry functions by harvesting web users’ data, packaging individual identifiers and browsing data in bid requests that are systematically shared with third parties in order to solicit and scale advertiser bids for the user’s attention.

However a series of RTB complaints — filed last fall by Jim Killock, director of the Open Rights Group; Dr Johnny Ryan of private browser Brave; and Michael Veale, a data and policy researcher at University College London — allege this causes “wide-scale and systemic breaches” of European Union data protection rules.

So far complaints have been filed with data protection agencies in Ireland, the UK and Poland, though the intent is for the action to expand across the EU given that behavioral advertising isn’t region specific.

Google and the IAB set the RTB specifications used by the online ad industry and are thus the main targets here, with complainants advocating for amendments to the specification to bring the system into compliance with the bloc’s data protection regime.

We’ve covered the complaint before, including an earlier submission showing the highly sensitive inferences that can be included in bid requests. But documents obtained by the complainants via freedom of information request and newly published this week show the IAB itself warned in 2017 that the RTB system risks falling foul of the bloc’s privacy rules, and specifically the rules around consent under the EU’s General Data Protection Regulation (GDPR), which came into force last May.

The complainants have published the latest evidence on a new campaign website.

At the very least the admission looks awkward for online ad industry body.

“incompatible with consent under GDPR “

In an email sent to senior personnel at the European Commission in June 2017 by Townsend Feehan, the CEO of IAB Europe — and now being used as evidence in the complaints — she writes that she wants to expand on concerns voiced at a roundtable session about the Commission’s ePrivacy proposals that she claims could “mean the end of the online advertising business model”.

Feehan attached an 18-page document to the email in which the IAB can be seen lobbying against the Commission’s ePrivacy proposal — claiming it will have “serious negative impacts on the digital advertising industry, on European media, and ultimately on European citizens’ access to information and other online content and services”.

The IAB goes on to push for specific amendments to the proposed text of the regulation. (As we’ve written before a major lobbying effort has blow up since GDPR was agreed to try to block updating the ePrivacy rules which operate alongside, covering marketing and electronic communications and cookies and other online tracking technologies.)

As it lobbies to water down ePrivacy rules, the IAB suggests it’s “technically impossible” for informed consent to function in a real-time bidding scenario — writing the following, in a segment entitled ‘Prior information requirement will “break” programmatic trading’:

As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR – and, as noted above, if a future ePrivacy Regulation makes virtually all interactions with the Internet subject solely to the consent legal basis, and consent is unavailable, then there will be no legal be no basis for such processing to take place or for media to monetise their content in this way.

The notion that it’s impossible to obtain informed consent from web users for processing their personal data prior to doing so is important because the behavioral ad industry, as it currently functions, includes personal data in bid requests that it systematically broadcasts to what can be thousands of third party companies.

Indeed, the crux of the RTB complaints are that personal data should be stripped out of these requests — and only contextual information broadcast for targeting ads, exactly because the current system is systematically breaching the rights of European web users by failing to obtain their consent for personal data to be sucked out and handed over to scores of unknown entities.

In its lobbying efforts to knock the teeth out of the ePrivacy Regulation the IAB can here be seen making a similar point — when it writes that programmatic trading “would seem, at least prima facie, to be incompatible with consent under GDPR”. (Albeit, injecting some of its own qualifiers into the sentence.)

The IAB is certainly seeking to deploy pro-privacy arguments to try to dilute Europeans’ privacy rights.

Despite it’s own claimed reservations about there being no technical fix to get consent for programmatic trading under GDPR the IAB nonetheless went on to launch a technical mechanism for managing — and, it claimed — complying with GDPR consent requirements in April 2018, when it urged the industry to use its GDPR “Consent & Transparency Framework”.

But in another piece of evidence obtained by the group of individuals behind the RTB complaints — an IAB document, dated May 2018, intended for publishers making use of this framework — the IAB also acknowledges that: “Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad”.

In a section on liability, the IAB document lays out other publisher concerns that each bid request assumes “indiscriminate rights for vendors” — and that “surfacing thousands of vendors with broad rights to use data without tailoring those rights may be too many vendors/permissions”.

So again, er, awkward.

Another piece of evidence now attached to the RTB complaints shows a set of sample bid requests from the IAB and Google’s documentation for users of their systems — with annotations by the complainants showing exactly how much personal data gets packaged up and systematically shared.

This can include a person’s latitude and longitude GPS coordinates; IP address; device specific identifiers; various ID codes; inferred interests (which could include highly sensitive personal data); and the current webpage they’re looking at;

“The fourteen sample bid requests further prove that very personal data are contained in bid requests,” the complainants argue.

They have also included an estimated breakdown of seven major ad exchanges’ daily bid requests — Index Exchange, OpenX, Rubicon Project, Oath/AOL*, AppNexus, Smaato, Google DoubleClick — showing they collectively broadcast “hundreds of billions of bid requests per day”, to illustrate the scale of data being systematically broadcast by the ad industry.

“This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average UK internet user 164 times a day was a conservative estimate,” they add.

The IAB has responded to the new evidence by couching the complainants’ claims as “false” and “intentionally damaging to the digital advertising industry and to European digital media”.

Regarding its 2017 document, in which it wrote that it was “technically impossible” for an Internet user to have prior information about every data controller involved in a RTB “scenario”, the IAB responds that “that was true at the time, but has changed since” — pointing to its Transparency & Consent framework (TCF) as the claimed fix for that, and further claiming it “demonstrates that real-time bidding is certainly not ‘incompatible with consent under GDPR'”.

Here are the relevant paras of IAB rebuttal on that:

The TCF provides a way to provide transparency to users about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes. IAB Europe’s submission to the European Commission in April 2017 showed that the industry needed to adapt to meet higher standards for transparency and consent under the GDPR. The TCF demonstrates how complex challenges can be overcome when industry players come together. But most importantly, the TCF demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.

The OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time. Data can inform that determination. Like all technology, OpenRTB must be used in a way that complies with the law. Doing so is entirely possible and greatly facilitated by the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules.

The IAB goes on to couch the complaints as stemming from a “hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes”.

“This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to,” the IAB claims.

However the crux of the RTB complaint is that programmatic advertising’s processing of personal data is not adequately secure — and they have GDPR Article 5, paragraph 1, point f to point to; which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss”.

So it will be down to data protection authorities to determine what “appropriate security of personal data” means in this context. And whether behavioral advertising is inherently hostile to data protection law (not forgetting that other forms of non-personal-data-based advertising remain available, e.g. contextual advertising).

Discussing the complaint with TechCrunch late last year, Brave’s Ryan likened the programmatic ad system to dumping truck-loads of briefcases in the middle of a busy railway station in “the full knowledge that… business partners will all scramble around and try and grab them” — arguing that such a dysfunctional and systematic breaching of people’s data is lurking at the core of the online ad industry.

The solution Ryan and the other complainants are advocating for is not pulling the plug on the online ad industry entirely — but rather an update to the RTB spec to strip out personal data so that it respects Internet users’ rights. Ads can still be targeted contextually and successfully without Internet users having to be surveilled 24/7 online, is the claim.

They also argue that this would lead to a much better situation for quality online publishers because it would make it harder for their high value audiences to be arbitraged and commodified by privacy-hostile tracking technologies which — as it stands — trail Internet users everywhere they go. Albeit they freely concede that purveyors of low quality clickbait might fair less well.

*Disclosure: TechCrunch is owned by Verizon Media Group, aka Oath/AOL . We also don’t consider ourselves to be purveyors of low quality clickbait  

Legal Capsule: Angel Tax by Economic Laws Practice

DPIIT issues notification to revise exemptions for start-ups under Section 56(2)(viib) Given its direct impact on availability of capital, taxation of start-ups on account of issuance of shares at a premium above the fair market value under Section 56(2)(viib) of the Income-tax Act, 1961 (“IT Act”) – also referred to as Angel Tax – has been an issue of concern for the start-up sector for

Global smartphone growth stalled in Q4, up just 1.2% for the full year: Gartner

Gartner’s smartphone marketshare data for the just gone holiday quarter highlights the challenge for device makers going into the world’s biggest mobile trade show which kicks off in Barcelona next week: The analyst’s data shows global smartphone sales stalled in Q4 2018, with growth of just 0.1 per cent over 2017’s holiday quarter, and 408.4 million units shipped.

tl;dr: high end handset buyers decided not to bother upgrading their shiny slabs of touch-sensitive glass.

Gartner says Apple recorded its worst quarterly decline (11.8 per cent) since Q1 2016, though the iPhone maker retained its second place position with 15.8 per cent marketshare behind market leader Samsung (17.3 per cent). Last month the company warned investors to expect reduced revenue for its fiscal Q1 — and went on to report iPhone sales down 15 per cent year over year.

The South Korean mobile maker also lost share year over year (declining around 5 per cent), with Gartner noting that high end devices such as the Galaxy S9, S9+ and Note9 struggled to drive growth, even as Chinese rivals ate into its mid-tier share.

Huawei was one of the Android rivals causing a headache for Samsung. It bucked the declining share trend of major vendors to close the gap on Apple from its third placed slot — selling more than 60 million smartphones in the holiday quarter and expanding its share from 10.8 per cent in Q4 2017 to 14.8 per cent.

Gartner has dubbed 2018 “the year of Huawei”, saying it achieved the top growth of the top five global smartphone vendors and grew throughout the year.

This growth was not just in Huawei “strongholds” of China and Europe but also in Asia/Pacific, Latin America and the Middle East, via continued investment in those regions, the analyst noted. While its expanded mid-tier Honor series helped the company exploit growth opportunities in the second half of the year “especially in emerging markets”.

By contrast Apple’s double-digit decline made it the worst performer of the holiday quarter among the top five global smartphone vendors, with Gartner saying iPhone demand weakened in most regions, except North America and mature Asia/Pacific.

It said iPhone sales declined most in Greater China, where it found Apple’s market share dropped to 8.8 percent in Q4 (down from 14.6 percent in the corresponding quarter of 2017). For 2018 as a whole iPhone sales were down 2.7 percent, to just over 209 million units, it added.

“Apple has to deal not only with buyers delaying upgrades as they wait for more innovative smartphones. It also continues to face compelling high-price and midprice smartphone alternatives from Chinese vendors. Both these challenges limit Apple’s unit sales growth prospects,” said Gartner’s Anshul Gupta, senior research director, in a statement.

“Demand for entry-level and midprice smartphones remained strong across markets, but demand for high-end smartphones continued to slow in the fourth quarter of 2018. Slowing incremental innovation at the high end, coupled with price increases, deterred replacement decisions for high-end smartphones,” he added.

Further down the smartphone leaderboard, Chinese OEM, Oppo, grew its global smartphone market share in Q4 to bump Chinese upstart, Xiaomi, and bag fourth place — taking 7.7 per cent vs Xiaomi’s 6.8 per cent for the holiday quarter.

The latter had a generally flat Q4, with just a slight decline in units shipped, according to Gartner’s data — underlining Xiaomi’s motivations for teasing a dual folding smartphone.

Because, well, with eye-catching innovation stalled among the usual suspects (who’re nontheless raising high end handset prices), there’s at least an opportunity for buccaneering underdogs to smash through, grab attention and poach bored consumers.

Or that’s the theory. Consumer interest in ‘foldables’ very much remains to be tested.

In 2018 as a whole, the analyst says global sales of smartphones to end users grew by 1.2 percent year over year, with 1.6 billion units shipped.

The worst declines of the year were in North America, mature Asia/Pacific and Greater China (6.8 percent, 3.4 percent and 3.0 percent, respectively), it added.

“In mature markets, demand for smartphones largely relies on the appeal of flagship smartphones from the top three brands — Samsung, Apple and Huawei — and two of them recorded declines in 2018,” noted Gupta.

Overall, smartphone market leader Samsung took 19.0 percent marketshare in 2018, down from 20.9 per cent in 2017; second placed Apple took 13.4 per cent (down from 14.0 per cent in 2017); third placed Huawei took 13.0 per cent (up from 9.8 per cent the year before); while Xiaomi, in fourth, took a 7.9 per cent share (up from 5.8 per cent); and Oppo came in fifth with 7.6 per cent (up from 7.3 per cent).

JD.com’s drones take flight to Japan in partnership with Rakuten

Chinese e-commerce company JD.com is taking its drone delivery system to Japan.

Rakuten, the Japanese e-commerce giant, just announced a partnership with JD that will see its drones and unmanned vehicles become a part of Rakuten’s own unmanned delivery service efforts.

JD has been operating drones in its native China for a number of years, and it has wider expansion plans having recently gained a regional-level operating license. Its other human-less tech includes self-operating trucks, automated warehouses and unmanned stores, and it recently picked Indonesia for its first overseas drone pilot.

Rakuten has been offering drone delivery in Japan since 2016 and unmanned vehicle trials since 2018. It said that working with JD — which claims to have racked up 400,000 minutes of delivery flight time — will “accelerate the development and commercialization” of its human-free last mile delivery efforts.

JD.com’s drones take flight to Japan in partnership with Rakuten

Chinese e-commerce company JD.com is taking its drone delivery system to Japan.

Rakuten, the Japanese e-commerce giant, just announced a partnership with JD that will see its drones and unmanned vehicles become a part of Rakuten’s own unmanned delivery service efforts.

JD has been operating drones in its native China for a number of years, and it has wider expansion plans having recently gained a regional-level operating license. Its other human-less tech includes self-operating trucks, automated warehouses and unmanned stores, and it recently picked Indonesia for its first overseas drone pilot.

Rakuten has been offering drone delivery in Japan since 2016 and unmanned vehicle trials since 2018. It said that working with JD — which claims to have racked up 400,000 minutes of delivery flight time — will “accelerate the development and commercialization” of its human-free last mile delivery efforts.

Clutter confirms SoftBank-led $200M investment for its on-demand storage service

There’s plenty of speculation right now around apparently disgruntled investors in SoftBank’s Vision Fund, but the drum continues to beat and the checks continue to be written. The latest deal for the $100 billion mega-fund is Clutter, an on-demand storage company that pulled in $200 million in new financing for growth.

Eagled-eyed viewers will recall that TechCrunch broke news of an impending SoftBank-led round of that size back in January, and now it is official.

The startup is one of a number of companies that provide storage options for consumers who don’t want to part with items but equally don’t have the capacity to keep it where they live. The service is based around an app that is used to summon Clutter staff to pack up, take away, store and (later) return possessions, but it can also be used for regular house moving, too. Competitors in the space include MakeSpaceOmniTroveLivible, and Closetbox.

Joining SoftBank in the deal are existing Clutter investors Sequoia, Atomico, GV, Fifth Wall and Four Rivers who fronted the company’s last round, a $64 million raise nearly two years ago. This new capital means that Clutter has raised $297 million from investors to date.

There’s no confirmation of a valuation for the startup, but our well-placed sources previously told us that this round would value Clutter at between $400 million and $500 million. One thing that is confirmed, however, is that SoftBank’s Justin Wilson will join the board.

The money will go towards expansion in the U.S. as Clutter explained in an announcement, but there are hints that it harbors overseas ambitions, too:

This funding will accelerate the company’s expansion into new markets in 2019, including Philadelphia, Portland and Sacramento. It’s also doubling down in its existing markets in the greater areas of New York, San Francisco, Los Angeles, Chicago, Seattle, San Diego, Orange County and northern New Jersey, as it marches toward a goal of operating in America’s largest 50 cities and expanding internationally.

“We believe that storage is a vast and traditional market with huge potential for disruption, and Clutter’s technology and superior customer proposition will help facilitate future growth in expanding urban communities where space is at a premium,” said SoftBank’s Wilson in a statement.

Companies including Nestle, Epic and reportedly Disney suspend YouTube ads over child exploitation concerns

Days after a YouTube creator accused the platform of enabling a “soft-core pedophilia ring,” several companies have suspended advertising on the platform, including Nestle, Epic, and reportedly Disney and McDonald’s.

Nestle told CNBC that all of its companies in the U.S. have paused advertising on YouTube, while a spokesperson for Epic, maker of the massively popular game Fortnite, said it has suspended all pre-roll advertising. Other companies that confirmed publicly they are pausing YouTube advertising include Purina, GNC, Fairlife, Canada Goose, and Vitacost. Bloomberg and the Wall Street Journal report that Walt Disney Co. and McDonald’s, respectively, have pulled advertising, too.

Other advertisers, including Peloton and Grammarly, said they are calling on YouTube to resolve the issue.

The latest scandal over YouTube’s content moderation problems took off on Sunday when YouTube creator Matt Watson posted a video and in-depth Reddit post describing how pedophiles are able to manipulate the platform’s recommendation algorithm to redirect a search for “bikini haul” videos, featuring adult women, to exploitative clips of children. Some otherwise innocuous videos also had inappropriate comments, including some with timestamps that captured children in compromising positions.

A YouTube spokesperson sent a statement to TechCrunch that said “Any content – including comments – that endangers minors is abhorrent and we have clear policies prohibiting this on YouTube. We took immediate action by deleting accounts and channels, reporting illegal activity to authorities and disabling comments on tens of millions of videos that include minors. There’s more to be done, and we continue to work to improve and catch abuse more quickly.”

The platform has also reported comments to the National Center for Missing and Exploited Children and is taking further steps against child exploitation, including hiring more experts.

Watson’s report, however, highlights that YouTube continues to struggle with content that violates its own policies, even after a series of reports two years ago led to what creators dubbed the “adpocalpyse.” In an effort to appease advertisers, YouTube gave them more control over what videos their ads would appear before and also enacted more stringent policies for creators. Many YouTubers, however, have complained that the policies are unevenly enforced with little transparency, dramatically lowering their revenue but giving them little recourse to fix issues or appeal the platform’s decisions, even as objectionable content remains on the platform.