Banning Surveillance-Based Advertising

The Norwegian Consumer Council just published a fantastic new report: “Time to Ban Surveillance-Based Advertising.” From the Introduction:

The challenges caused and entrenched by surveillance-based advertising include, but are not limited to:

  • privacy and data protection infringements
  • opaque business models
  • manipulation and discrimination at scale
  • fraud and other criminal activity
  • serious security risks

In the following chapters, we describe various aspects of these challenges and point out how today’s dominant model of online advertising is a threat to consumers, democratic societies, the media, and even to advertisers themselves. These issues are significant and serious enough that we believe that it is time to ban these detrimental practices.

A ban on surveillance-based practices should be complemented by stronger enforcement of existing legislation, including the General Data Protection Regulation, competition regulation, and the Unfair Commercial Practices Directive. However, enforcement currently consumes significant time and resources, and usually happens after the damage has already been done. Banning surveillance-based advertising in general will force structural changes to the advertising industry and alleviate a number of significant harms to consumers and to society at large.

A ban on surveillance-based advertising does not mean that one can no longer finance digital content using advertising. To illustrate this, we describe some possible ways forward for advertising-funded digital content, and point to alternative advertising technologies that may contribute to a safer and healthier digital economy for both consumers and businesses.

Press release. Press coverage.

I signed their open letter.

Posted on June 24, 2021 at 9:44 AM • 23 Comments

Comments

Clive Robinson June 24, 2021 12:07 PM

@ All,

The Norwegian Consumer Council just published a fantastic new report:

I hope they push the idea through to law.

Norway is not a big country, and technically its relationship with the EU is “interesting”.

However, we need a “domino” effect if we “the citizens” of the World are going to get even a tiny amount of personal privacy back from International Corporates and foreign Governments.

I know the first likely result people would think about and fear would be a “strike” whereby the Major Corps blocked Norway off.

But would they?

Norway is not a poor country and it’s not a tyranny / dictatorship / police state (at least not the last time I was there 😉 ). And we know Alphabet/Google, Apple and others have kow-towed to Tyrants, Dictators and fascist leaders “to do business”.

So the chances are “money will talk” and Silicon Valley will give ground. Which will make it easier for the next country and so on.

Oh and eventually the US as well, because at some point it won’t be financially viable to carry on, and ultimately that is how you stop such activities you “Change the incentives”.

But… there is one question I’ve yet to see be answered by this “targeted advertising” usually consumer surveys show that people are very much against “targeted advertising” by more than 8 in 10, has there ever actually been any evidence “targeted advertising” makes a profit for those “actually selling goods” as opposed to the rip off / con artists called Data Brokers who take so much of the money, you seriously have to ask if they are fraudsters or crooks?

I don’t buy on line and have no intention of doing so, but if I did have need of something I could not get through living in a large metropolitan area, then I would go do my own research, it’s what I do for non-everyday items already anyway. And I know I’m a bit of a “barnacle” from time to time, I’ve found sometimes after doing research I actually “do not buy” even though it was and probably is still something I want, I find the research tells me it’s not yet “Market ready” from my point of view, for sometimes what some “Marketers” would consider quite odd reasons.

For instance I do not have a TV currently, and I would like one, but all those I’m interested in “Have to be Internet connected” without good reason, which is a fairly sure indicator that “data collection” of Private information is going on one way or another… So I don’t buy no matter what “Bells and Whistles” such connectivity apparently gives. It appears to upset sales people when I ask if Internet is necessary, and then say “because I don’t have it and don’t want it”, then “So I’ll only buy on the condition no Internet is required” and If I find it is “it’s coming straight back for a full refund without any re-stocking fee”…

ADFGVX June 24, 2021 2:37 PM

@ O.P.

I really can’t disagree with the stated goal of banning surveillance-based advertising, but it needs to be acknowledged that the surveillance and collection of the consumer intelligence data in the first place is illegal and must be stopped at government as well as corporate levels.

The NSA — with the unauthorized collection, storage, and release of top secret raw intelligence on U.S. persons of interest to local cops at “fusion centers” — is definitely breaking the law with respect to the Fourth Amendment and due process.

According to the L.A. Times from 4 years ago, “There’s more than the CIA and FBI: The 17 agencies that make up the U.S. intelligence community.”

Inasmuch as a self-confessed corporate-government (or fascist) military industrial complex “intelligence community” exists within the United States, it is very much a Communist-Party-style commissariat under the control of a vicious politburo which dictates various “policies” on technical matters to be enforced ruthlessly with or without the law or the constitution, which is seen only as a dead corpus of text to cite in favor of certain “approved” or “established” political stances.

To “ban” something, we’re in the realm of forcing people to do certain things against their will, while restraining them, also against their will, from doing other things, which they would ordinarily have the freedom to do.

SpaceLifeForm June 24, 2021 3:08 PM

@ Clive

re: smart TVs

In my experience, you can avoid the internet requirement after initial setup.

It would be an interesting research project to put a logging firewall behind the TV and capture the traffic.

My question is this: Can a regular user open up the TV and find a hidden cell modem?

Maybe you need a large Faraday Cage where you can sit comfortably inside.

JonKnowsNothing June 24, 2021 4:27 PM

@SpaceLifeForm, Clive, All

re:TV Right To Repair or Right to Alter

In the dust bowl area of California where I am, we still have “over the air” transmission but it is now all Digital.

Although the USA has many “channels” the free over the air transmission only carries a few: the 3 or 4 major news channels (not CNN and not Fox but the local affiliates) and a few old-old rerun channels showing TV dramas from 1960s.

The prominent channels are only carried by cable, satellite etc and they require a connection fee just to get the above basic channels plus extra fees for any special channels (sports, BBC, history etc).

The FCC divides Telephony and Cable into 2 divisions and the Cable division has a requirement for “fixed packages” for additional services. Both sections have similar requirements but for different services. One of the Cable versions prohibits “smorgasbord” program selection.

  • eg: If you want Car Sports and BBC you have to purchase 2 different tiers of packages. Each tier might have 5 items in it, although you only want one item in the tier, you have to buy the others too.
  • You do get 99 channels of Shopping Mania and Max Your Debt for free.

The digital parts for over the air costs @$100 USD to convert the standard TV and uses the ye olde famous Rabbit Ears for tuning.

My TV started to bite the dust a while back and I don’t fire it up unless necessary as it’s the only external source of information I have, in case of internet outage or computer failure (both likely and probable).

I do not have the right to repair the TV, nor do I have the right to open it up and replace the failing component. If you had one of the new I(di)OT TVs, you would void the warranty by doing that and the software drivers would likely bork if they didn’t get the ACK-NAK from the telemetry transmission.

I don’t know if you can fake-out the system by re-directing the destination via the HOSTS file or Router doing a Self-MITM redirection.

If I had been tasked with such a program I would probably set a Fail-Connect-Flag and shutdown. But then… today’s programmers don’t consider that sort of thing, so maybe they just off-load the whole telemetry enchilada on any connection ACK.

echo June 24, 2021 6:10 PM

Norway is a founder member of the European Council and subject to the European Court of Human Rights (ECHR). While not a member of the EU (which requires membership of the European Convention) Norway has an impact on ECHR judgments and “margin of appreciation”. This has a ripple effect throughout other countries subject to the ECHR. Via horizontal law this also has an impact on the EU’s European Court of Justice (ECJ) which rules over EU law.

As for surveillance advertising it’s not anywhere as near as glamorous as flicking through a glossy magazine or swanning into a shop and have the staff discreetly fall over themselves is it, nor as amusing as watching the manager have a near heart attack if, as you catch their eye, they realise they have run out of your favourite eyeliner. Not that Boots is anywhere near this but I can dream.

I do like shopping online when I have to and it really is quite a marvel but I’m quite resistant to advertising and tend only to shop for things I need so between advert blockers and being a tightwad am not a surveillance advertising goldmine by any means.

SpaceLifeForm June 24, 2021 6:15 PM

@ Frank Wilhoit, JonKnowsNothing, Clive

Consider that Ad Money == Money Laundering

Bundling. You get to pay for channels you never watch, yet you are subsidizing them.

You are subsidizing propaganda channels. The channel really does not care if you watch as long as they get their money.

Some advertisers are being taken to the bank.

Some advertisers are part of the plot. See the MyPillow dude.

lurker June 24, 2021 9:20 PM

Or, to use a phrase which may indicate how long I’ve been lurking:

It’s all about the Benjamins.

So today I opened the carrier’s app to check my data usage on this el-cheapo plan, and I noticed a prominent link, which I may have noticed before and ignored, so they moved/enhanced it to catch my eye:

Free Social Data

As an abhorrent of social media this shouldn’t interest me, but for science I followed the link to be told inter alia that

‘Free Social Data’ includes free data use on Facebook, Instagram, TikTok, Snapchat, Twitter and Pinterest. Some functions will still use your plan data.

NB, this is only for the official app sanctioned for each platform, and does not include “lite” versions.
“Some functions” huh? What functions? Scroll, scroll, scroll …
Apparently Free Social Data does not include

Advertisements and advertisement links that are displayed within apps
Analytics
Apps using features on your device. For example, your calendar may have permission to access data in the background or use location services.
External links and navigation to other websites, apps, news, blogs, walls, maps, app stores
GIF library
Maps and location services
Podcasts
RSS feeds
Software/application updates happening at the same time
Video and content hosted from other sites featured that can be played in the app

Why bother?

Clive Robinson June 24, 2021 10:36 PM

@ lurker,

Apparently Free Social Data does not include

A long list but most not under your control.

And the one I really hate,

Advertisements and advertisement links that are displayed

It’s bad enough people push paper/card/plastic through your door and you have to sort through it into the various re-cycling bins…

But to have some scum bag stealing the data plan you pay for… Now I really do regard that as theft, and importantly quantifiable as such.

I wonder if those in the US with mobile data plans have ever considered a class action law suit for it?

I’ve tried a few experiments with another mobile and turning javascript on and off. Many sites run three to six times faster with javascript off. Ads do not come down.

But more interestingly many sites have crap page building content management systems that use javascript. Bloomberg is one, they do such things as not download photographs if javascript is off or load very poor quality infills.

Which is fine by me it’s rare for me to want anything other than the text anyway. So yet more savings on the data stolen by others…

Many years ago now back when dialup charges still applied you used to get services that would “download” resources and email them to you, useful if you wanted to download programs off of mirror sites as everything would get buffered at your ISP thus download at maximum speed. But one such service used to pull HTML pages down without images.

I was really surprised looking back through old email archives on CD at how often I used it and for what sites and content… All technical stuff and often “postscript” files. Back then that was the way academic “pre-prints” were made available and text How-To’s…

I never was a fluffy kitten or dancing hamsters fan (which I guess shows how old/mature I am 😉

lurker June 24, 2021 11:58 PM

@Clive

But to have some scum bag stealing the data plan you pay for…

It’s worse, it’s double dipping: the Carrier/ISP has sold the user’s browsing history to the admen, then clips the ticket when the unwanted ads are served.

The war between AdBlockers and the Man is long and bitter. My browser allows me to separately blacklist unwanted sites. But as you say, with javascript they can watch what you’re watching. There’s something unfair in that…

Robin June 25, 2021 2:12 AM

France seems to be moving in the opposite direction. “La publicité segmentée” (use that term if you want to search for recent news) is coming out of the closet and McDo have just finished a trial targeting people who use their TVs for only short periods.

The sector is set to grow, although the stated targets (as of today) are modest – 150 million euros is a figure being bandied about.

The targeting can be done at a household level via location, number of people living in the dwelling, socio-economic group, viewing habits.

In theory people must agree to participate and consent to their data being used, but I very seriously doubt that it will be easy to opt out. In fact I bet the small print of the ISP contract will have weasel words to permit everything. At some point perhaps the European Commission will catch up and impose some damn nuisance requiring consent before watching TV.

What I don’t know at all – because I wasn’t even aware of the pilot, or the laws introduced to allow it – is the backstory of how this came about, where the pressure comes from, who is in favour, etc. Apparently a majority of French people are against, but who takes any notice of that?

wiredog June 25, 2021 5:27 AM

“the surveillance and collection of the consumer intelligence data in the first place is illegal”
No, not in the US and EU it isn’t. At least, not by private individuals and corporations. Now, governments may have to find ways to sidestep the law to get the data, but private corporations can gather all sorts of data and sell it to each other all day long.

On the one hand I’m not convinced that targeted advertising really works. On the other hand, when my camera bag began to fall apart the options for replacing it were legion. Advertising brought Think Tank Photo’s stuff (and a few others) to my attention and after doing some research I bought a new bag (the photocross 10) from them. So the advertising worked to narrow down the options for me. Now the question is, how much did they spend on advertising to sell me a $110 bag?

Of course, after I bought the bag a thousand other companies’ ads got targeted at me just in case I needed a dozen more. Since I don’t, those ads just make sure that other ads that might catch my eye don’t get through. So the algorithms need some work still.

Winter June 25, 2021 5:36 AM

@wiredog
““the surveillance and collection of the consumer intelligence data in the first place is illegal ”
No, not in the US and EU it isn’t. At least, not by private individuals and corporations.”

The European GDPR prohibits the storage and processing of any data that could be used to identify a natural person without the express permission of the person.

The data protection authorities have not yet been able to cover all the abuses due to lack of employees. But NGOs are slowly working through the issues and courts.

Keith Douglas June 25, 2021 9:49 AM

I’m not a European so I’ve not paid enough attention to GDPR, but I might do so as my country, Canada, steps up in that way – or fails to. One of the things I’ve always wondered about is: suppose you can identify a person with X% probability (I am assuming a model of identification where probabilistic identification is sensible and that X < 100)? Is that running afoul of the GDPR? If not, can the corporations detune to 1-e for some small e and then be ok? If, on the other hand, it does fall afoul of it, what is the magic number set, and why? I am somewhat involved in a related matter where I work and many people have gotten very confused (better: Socratic perplexity induced) by this problem – despite our familiarity with probability and statistics!

Winter June 25, 2021 10:28 AM

@Keith
“suppose you can identify a person with X% probability (I am assuming a model of identification where probabilistic identification is sensible and that X < 100)? Is that running afoul of the GDPR?”

Yes. The bar is very high.

Although the wording of the GDPR sounds ambiguous, the courts have ruled consistently in favor of more stringent privacy protection in cases of ambiguity. If you obtain data from an individual and can re-identify this person in any way using additional information, that requires you to ask for permission.

echo June 25, 2021 12:19 PM

Although the wording of the GDPR sounds ambiguous, the courts have ruled consistently in favor of more stringent privacy protection in cases of ambiguity. If you obtain data from an individual and can re-identify this person in any way using additional information, that requires you to ask for permission.

All things being equal the EHRC will rule in favour of protecting someone’s rights hence the way the courts will treat GDPR.

There’s still a lot of organisations who don’t seem to have read or comprehended the GDPR or the EHRC. This kind of behaviour is a bad habit of some organisations and some “certified professionals” especially. Lawyers can be slow too and their advice can run along the lines of protecting the job title not protecting the public interest which only adds to the problem.

I have another meeting with a lawyer arranged. This topic area is an area of interest. I haven’t planned things out yet so have no idea what the details of the discussion will be. I’ve also been building up a catalogue of science to dig behind why people make the decisions they make and why different organisations and professions differ in their response as well as other legal and economic consequences. It’s fairly interesting from a judicial point of view as perspectives and biases in this area can effect law in practice and lead to judicial blindspots and areas of undeveloped law. Some of the consequences can be very damaging and take years even decades to correct especially in a slow as treacle parliamentary and common law jurisdiction. In that respect the EHRC is a very useful corrective mechanism and demonstrates how considering human rights early on in a process leads to benefits that might not otherwise be realised.

One of the benefits for the UK state in blunt one size fits all hammers and secrecy and having a state warchest where they can draw on lawyers at the drop of the hat is it enables them to assert “legally arguable” positions. On the one hand it enables a degree of security for the state. On the other hand you can see how citizens rights may continue to be underdeveloped. There has been at least one case revealing state security over “rules of engagement” had no foundation in practice so the secrecy was unnecessary and actually led to an abuse of human rights for no gain. The results of court cases rendering a lot of GCHQ shenanigans unlawful is well known as are concerns over the more recent “shoot to kill” security services policy initiative.

Secrecy is good in the sense it keeps the “enemy” guessing and keeps things cheap. At the same time it can lead to human rights abuses and shift the costs so is a false economy.

The appearance of neutrality can hide many sins which is why it is unlawful under European human rights law.

lurker June 25, 2021 1:16 PM

@wiredog

Of course, after I bought the bag a thousand other companies’ ads got targeted at me just in case I needed a dozen more.

To a curmudgeon like myself this seems a) a waste of effort since I’ve already got the goods, and b) an annoyance likely to cause negative recommendations for all those others. Indeed, the algorithms still need more work. Unfortunately those peddling them must be doing alright thank you without that work.

Eric June 25, 2021 7:06 PM

I just recently ripped the Wifi/Bluetooth module out of a 2020 model year LG TV to cripple it. It was pretty easily identifiable, not unlike the removable Wifi modules in older laptops. (This still leaves the ethernet port, but there are solutions for that.)

I’ve yet to see a cellular module in any TV but it wouldn’t surprise me if one of the manufacturers tries this soon. Sim cards are pretty easy to spot so it shouldn’t be hard to identify.

SpaceLifeForm June 26, 2021 3:29 PM

@ Eric, Clive

Thank you for the report.

Unfortunately, no SIM is required.

The telcos can just allow the traffic via allow-listed IMEI.

You need no SIM for emergency calls.

There are vendors that pay a telco to have nailed-up cell connections 24X7 sans SIM. The vendor tells the telco the IMEI of the device. Expected to be low traffic, but still.

So, finding the radio is a bit more work. Look for an antenna trace on a PCB, and work backwards from there.

See the links I posted above. In one of the videos, Hash pointed out where the antenna trace was on the PCB used in the Smart Electric Meter.

Clive Robinson June 27, 2021 1:52 AM

@ SpaceLifeForm, Eric,

There are vendors that pay a telco to have nailed-up cell connections 24X7 sans SIM. The vendor tells the telco the IMEI of the device. Expected to be low traffic, but still.

It was known that Apple were investigating “software only SIMs” at one point they were doing “tied in only deals” with network providers.

It’s also been suggested more than once that Intel’s Management Engine Chip Set contains not just a 2G/3G/4G RF front end but Firmware front end for various “entities”.

Whilst it’s more than technically possible so should not be ruled out it would involve collaboration of the motherboard designers for the antenna…

Now antennas used to be fairly easily understood not so long ago. They consisted of one of two things,

1, A resonant length.
2, A long terminated transmission line that was designed to radiate half the power.

The three typically taught antennas were,

1, Halfwave dipole.
2, Quarterwave above a ground plane
3, Rhombic antenna.

Understanding the first gave you the necessary background to understand the other two (and if you make a properly designed rhombic at microwaves it can give an impressive forward gain and bandwidth even though a chunk of the power goes into the terminating load).

Thus spotting antennas on PCBs was not difficult, they were often “folded L” antennas, where a quarterwave antenna gets “folded” through ninety degrees and run parallel to the PCB ground plane, often at the edge of the PCB.

But there are two other types of antenna…

1, Slot Antennas.
2, Fractal Antennas.

Put overly simply if you design a conventional metallic element antenna such as a halfwave dipole, you can “flip it” to become a slot radiator. That is a long thin gap in a ground plane if fed across the slot, radiates just like a conventional dipole does, only its radiation polarisation is turned ninety degrees also. Thus a horizontal slot radiates like a vertical radiator… These are harder to spot on PCBs especially when you talk of “Skeleton Slots”.

Generally slot antennas have the same failings as their wire equivalents such as narrow bandwidth and similar.

But just when you thought you could keep up… Have a think about those Yagi TV antennas, how would you make one out of slots? Well this is where we start “caramelizing your mind”… A slot is an “air dielectric” what if you used a different dielectric? Yup you can stack plastic plates between expanded foam disks and get an “all plastic” Antenna…

Then when is a dielectric not a dielectric but a conductor? When you turn it into a plasma, you can via a couple of cute tricks take a fluorescent tube light, “ionize” the gas and it shows resonant radiator properties… I’ve actually built a “transmission line” antenna equivalent and it works but is just plain weird.

And just for fun, when you thought you could get your head around all of that, somebody back in the 1980’s said “What about them fractal thingy-ma-bobs?” These are regularly used in mobile phones and broadband dongles and those tiny WiFi dongles.

So would you recognize an antenna?

Maybe, maybe not.

Eric June 28, 2021 5:11 PM

Well that’s just great. If it becomes impractical to prove that a device isn’t secretly connecting to a cell network (and/or impractical to prevent it), things are bleaker still.

For now we can take small comfort in assuming device makers aren’t doing this for fear of getting caught, but I wouldn’t expect this to last. The world at large, and the U.S. in particular, have become adept at “consent theater,” and we largely encourage it through our actions, so the notion of meaningfully consenting to such activity is fairly rapidly evaporating.

One solution is to prize the gear that we can know doesn’t do such things and make this equipment last.

Water Industry Person June 30, 2021 8:07 AM

One of my American coworkers recently told me he hasn’t had a separate physical SIM card in years in his employer-supplied iPhones – current and previous if I remember right, possibly longer back, but he’s careful with his gear, so that’s a few years even if it were only the phone he has now.

So eSIMs have been around for awhile, at least in the US. After a quick internet search, it is (or can be) a separate module, so if you take apart your device, you could probably figure out which doohickey it is. No idea how easy it would be to excise it, though.

Chris Drake July 15, 2021 9:16 AM

Google reads emails I send my customers, and uses that to sell and display advertising from my competitors to my gmail users right alongside my communications.

No matter how hard I complained, they refused to stop.

It’s a criminal offence to open paper mail, but why not email?
