Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing

Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others. These are Facebook’s true customers, whom it works hard to please.”

Giant Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: surveillance-based advertising. These pubs don’t just open the kimonos of their readers. They treat them as naked beings whose necks are bared to vampires ravenous for the blood of personal data, all ostensibly so those persons can be served with “interest-based” advertising.

With no control by readers (beyond tracking protection which relatively few know how to use), and damn little care or control by the publishers who bare those readers’ necks to the vampires, who knows what the hell actually happens to the data? No one entity, that’s for sure.

For one among many views of what’s going on, here’s a screen shot of what RedMorph, a privacy monitoring and protection extension in Chrome, showed going on behind Zeynep’s op-ed in the Times:

And that’s just one small wedge of a much wider view. And here’s more irony: a screen shot of RedMorph’s home page:

That quote is from Free Tools to Keep Those Creepy Online Ads From Watching You, by Brian X. Chen and Natasha Singer, and published on 17 February 2016 in the Times.

By the way, I want to make clear that Zeynep, Brian and Natasha are all innocents here, thanks to the “Chinese wall” between the editorial and publishing functions of the Times. In fact the same irony applies to countless other correct and important reporting on the Facebook/Cambridge Analytica mess by other writers and pubs. Take, for example, Cambridge Analytica, Facebook, and the Revelations of Open Secrets, by Sue Halpern in yesterday’s New Yorker. Here’s what RedMorph shows going on behind that piece:

Note that I have the data leak toward Facebook.net blocked by default.

Here’s a view through RedMorph’s controller pop-down:

And here’s what happens when I turn off “Block Trackers and Content”:

What will happen when the Times, the New Yorker and other pubs own up to the simple fact that they are just as guilty as Facebook of leaking their readers’ data to countless parties unknown, for—in many if not most cases—God knows what purposes besides “interest-based” advertising? And what happens when the EU comes down on them too? That’s possible after 25 May, when the EU can start fining violators of the General Data Protection Regulation (GDPR). Note that the regulation protects the data blood of EU citizens wherever they risk having it sucked in the digital world.

To explain more about how this works, here is the (lightly edited) text of a tweet thread this morning, posted by @JohnnyRyan of PageFair:

Facebook left its API wide open, and had no control over personal data once those data left Facebook.

But there is a wider story coming: (thread…)

Every single big website in the world is leaking data in a similar way, through “RTB bid requests” for online behavioural advertising #adtech.

Every time an ad loads on a website, the site sends the visitor’s IP address (indicating physical location), the URL they are looking at, and details about their device, to hundreds -often thousands- of companies. Here is a graphic that shows the process.

The website does this to let these companies “bid” to show their ad to this visitor. Here is a video of how the system works. In Europe this accounts for about a quarter of publishers’ gross revenue.

Once these personal data leave the publisher, via “bid request”, the publisher has no control over what happens next. I repeat that: personal data are routinely sent, every time a page loads, to hundreds/thousands of companies, with no control over what happens to them.

This means that every person, and what they look at online, is routinely profiled by companies that receive these data from the websites they visit. Where possible, these data are combined with offline data. These profiles are built up in “DMPs”.

Many of these DMPs (data management platforms) are owned by data brokers. (Side note: The FTC’s 2014 report on data brokers is shocking. See https://www.ftc.gov/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014.) There is no functional difference between an #adtech DMP and Cambridge Analytica.

Terrell McSweeny, Julie Brill and EDPS

None of this will be legal under the #GDPR. (See one reason why at https://t.co/HXOQ5gb4dL). Publishers and brands need to take care to stop using personal data in the RTB system. Data connections to sites (and apps) have to be carefully controlled by publishers.

So far, #adtech’s trade body has been content to cover over this wholesale personal data leakage with meaningless gestures that purport to address the #GDPR (see my note on @IABEurope current actions here https://t.co/FDKBjVxqBs). It is time for a more practical position.

And advertisers, who pay for all of this, must start to demand that safe, non-personal data take over in online RTB targeting. RTB works without personal data. Brands need to demand this to protect themselves – and all Internet users too. @dwheld @stephan_lo @BobLiodice

Websites need to control
1. which data they release in to the RTB system
2. whether ads render directly in visitors’ browsers (where DSPs’ JavaScript can drop trackers)
3. what 3rd parties get to be on their page
@jason_kint @epc_angela @vincentpeyregne @earljwilkinson 11/12

Let’s work together to fix this. 12/12
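One way a publisher could apply the first control in the thread’s list (which data are released into the RTB system), as an added example that is not part of the original post or tweet thread. Field names follow the OpenRTB 2.x bid request object; the drop list, function names and sample request are assumptions constructed for illustration.

```javascript
"use strict";
// Added example (not from the original post). Strips personal data from an
// OpenRTB-style bid request before it leaves the publisher, keeping only
// contextual signals (site domain, content category, ad slot size).

// Fields that identify the person or device: removed outright (assumed list).
const DROP_PATHS = [
  "user",          // user.id, user.buyeruid and any attached segments
  "device.ip", "device.ipv6",
  "device.ifa",    // advertising identifier
  "device.ua",     // full user-agent string
  "device.geo",    // latitude / longitude
  "site.ref",      // referrer URL
];

// Delete a dotted path if present; return true when something was removed.
function deletePath(obj, path) {
  const keys = path.split(".");
  const last = keys.pop();
  let node = obj;
  for (const k of keys) node = node && typeof node === "object" ? node[k] : undefined;
  if (!node || typeof node !== "object" || !(last in node)) return false;
  delete node[last];
  return true;
}

// Return a minimized deep copy plus an audit list of what was withheld.
function minimizeBidRequest(request) {
  const out = JSON.parse(JSON.stringify(request)); // never mutate the input
  const removed = DROP_PATHS.filter((p) => deletePath(out, p));
  if (out.site && typeof out.site.page === "string") {
    try {
      // Keep only the origin: the exact article and query string reveal reading habits.
      out.site.page = new URL(out.site.page).origin + "/";
    } catch {
      delete out.site.page; // unparseable URL: withhold it entirely
    }
    removed.push("site.page (path and query)");
  }
  return { request: out, removed };
}

// Constructed sample input; every value below is made up.
const SAMPLE_REQUEST = {
  id: "constructed-1",
  imp: [{ id: "1", banner: { w: 300, h: 250 } }],
  site: { domain: "news.example", cat: ["IAB12"], ref: "https://search.example/?q=symptoms",
          page: "https://news.example/health/article?reader=42" },
  device: { ip: "203.0.113.7", ua: "ExampleBrowser/1.0", ifa: "constructed-ad-id",
            devicetype: 2, geo: { lat: 51.5, lon: -0.12 } },
  user: { id: "constructed-user", buyeruid: "constructed-buyer" },
};
```

The `removed` list gives the publisher a per-request record of what was withheld, which is the kind of control the thread says publishers currently lack.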

This is all good, but it assumes high levels of agency everywhere other than the individual reader. If publishers get right with their readers, they can forget all that shit, and just publish the kind of high-value brand advertising they’ve run since forever in the physical world, which is actually worth a helluva lot more than adtech, because it actually sponsors the publisher, rather than using the publisher as a place where vampires can suck readers’ data blood so the reader’s eyeballs can get shot with ads anywhere else on the Web.

This is the easiest fix in the world, but so far it’s nearly unthinkable because we’ve been defaulted to an asymmetric power relationship between people and publishers called client-server. I’ve been told that client-server was chosen as the name for the relationship because “slave-master” didn’t sound so good; but I think the best way to visualize it is calf-cow:

As I put it at that link (way back in 2012), “Client-server, by design, subordinates visitors to websites. It does this by putting nearly all responsibility on the server side, so visitors are just users or consumers, rather than participants with equal power and shared responsibility in a truly two-way relationship between equals.”

It doesn’t have to be that way. Beneath the Web, the Net’s TCP/IP-based architecture—the gravity that holds us all together in cyberspace—remains no less peer-to-peer and end-to-end than it was in the first place.

Meaning we don’t need to be slaves or cattle. We can be human. In legal terms, we can operate as first parties rather than second ones. In other words, the sites of the world can agree to our terms, rather than the other way around.

Customer Commons is working on exactly those terms. The first publication to agree to readers’ terms is Linux Journal, where I am now the editor-in-chief. In Help Us Cure Online Publishing of Its Addiction to Personal Data, I explain how we’ll model the way advertising ought to be done: at the grace of its readers, with no spying. And no risk of violating any privacy laws. Because every pub will have a contract with its readers. This is totally do-able. Read that last link to see how.

As I say there, we can use help. Linux Journal still has a small staff, and Customer Commons (a California-based 501(c)(3) nonprofit) so far consists of five board members. What it aims to be is a worldwide organization of customers, as well as the place where terms we proffer can live, much as Creative Commons is where personal copyright licenses live. (Customer Commons is modeled on Creative Commons. Hats off to the Berkman Klein Center for helping bring both into the world.)

I’m also hoping other publishers, once they realize that they are no less a part of the surveillance economy than Facebook and Cambridge Analytica, will help out too.

I look forward to talking about this in a few minutes (1pm Pacific time) on the Gillmor Gang (the chat is here).
