Every Breath You Take?
Privacy is coming to the internet and cookies are going away. This is long overdue - but we don’t know what happens next, we don’t have much consensus on what online privacy actually means, and most of what’s on the table conflicts fundamentally with competition.
02 September 2021 · Issue #923 · View online
The consumer internet industry spent two decades building a huge, complex, chaotic pile of tools and systems to track and analyse what people do on the internet, and we’ve spent the last half-decade arguing about that, sometimes for very good reasons, and sometimes with strong doses of panic and opportunism.
Now that’s mostly going to change, between unilateral decisions by some big tech platforms and waves of regulation from all around the world. But we don’t have any clarity on what that would mean, or even quite what we’re trying to achieve, and there are lots of unresolved questions.
We are confused.
Ads, privacy and confusion
First, can we achieve the underlying economic aims of online advertising in a private way? Advertisers don’t necessarily want (or at least need) to know who you are as an individual.
As Tim O’Reilly put it, data is sand, not oil - all this personal data actually only has value in the aggregate of millions. Advertisers don’t really want to know who you are - they want to show diaper ads to people who have babies, not to show them to people who don’t, and to have some sense of which ads drove half a million sales and which ads drove a million sales.
Targeting ads per se doesn’t seem fundamentally evil, unless you think putting car ads in car magazines is also evil. But the internet became able to show car ads to people who read about cars yesterday, somewhere else - to target based on the user rather than the context.
This is both exactly the same and completely different.
In practice, ‘showing car ads to people who read about cars’ led the adtech industry to build vast piles of semi-random personal data, aggregated, disaggregated, traded, passed around and sometimes just lost, partly because it could and partly because that appeared to be the only way to do it.
After half a decade of backlash, there are now a bunch of projects trying to get to the same underlying advertiser aims - to show ads that are relevant, and get some measure of ad effectiveness - while keeping the private data private. This is the theory behind Google’s FLoC and Apple’s rather similar tracking and ad-targeting system - do the analysis and tracking on the device, show relevant ads but don’t give advertisers or publishers the underlying personal data.
However, even if the tech works and the industry can get to some kind of consensus behind any such project (both very big questions), would this really be private?And what does it do to competition?
This takes me to a second question - what counts as ‘private’, and how can you build ‘private’ systems if we don’t know?
Apple has pursued a very clear theory that analysis and tracking is private if it happens on your device and is not private if leaves your device or happens in the cloud. Hence, it’s built a complex system of tracking and analysis on your iPhone, but is adamant that this is private because the data stays on the device.
People have seemed to accept this (so far), but acting on the same theory Apple also created a CSAM scanning system that it thought was entirely private - ‘it only happens your device!’ - that created a huge privacy backlash, because a bunch of other people think that if your phone is scanning your photos, that isn’t ‘private’ at all.
So is ‘on device’ private or not? What’s the rule?
What if Apple tried the same model for ‘private’ ads in Safari? How will the public take FLoC?
I don’t think we know.
Benedict EvansPhoto credit: Lianhao Qu on Unsplash