Worried about the use of tracking cookies that follow you around the Web and serve you targeted ads? No need to fret anymore since those cookies are now so passé! There is now something new to keep you up at night: cross-device tracking.
Cross-device tracking allows marketing companies to
surreptitiously follow your online behaviour over various devices
(including phones, tablets, televisions and computers) through the
use of inaudible, high-frequency sounds. Users are generally
unaware of it and the kinds of data being collected about them
through this process.
Concerns relating to this issue are gaining traction south of the
border. In its October letter/submission to the United States
Federal Trade Commission, the Center for Democracy &
Technology, a digital human rights and privacy organization, said
that, at a high level, cross-device tracking works by determining which
user is using a device, assigning the user/device a unique
identifier, and then storing these identifiers in a table.
As individuals often use several devices during a day (phones,
computers, tablets, wearable health devices, RFID fobs, etc.),
marketers can combine all their data streams by linking them to the
same individuals, enhancing the granularity of what they know about
the person, and creating detailed profiles of individual users.
This allows them to recognize long-term behavioural/shopping
patterns.
Advertisers generally employ cross-device tracking in two
ways.
"Deterministic tracking" occurs when users log into their
online accounts. The owner then tracks and records their actions
and if the user is signed into the platform on different devices,
the company can track him or her across devices. The value of this
data is limited since it is only available to the platform owners
themselves (and any other third parties that they sell or otherwise
provide the information to).
Without logins, marketers can use "probabilistic
tracking," which relies on aggregated information from
multiple devices, including IP addresses, device type, web browser,
and other settings to create digital fingerprints that link one
individual across devices.
Marketers can also determine users' identities through
"browser fingerprinting": making inferences through
users' browser customizations, in addition to tracking their
web movements, to (eventually) create a unique signal that web
sites can use to uniquely identify the user (and which is virtually
impossible to opt out of).
However, the most interesting/scary cross-device tracking method
reported by the CDT is the use of inaudible ultrasonic sound
beacons, led by a company called SilverPush.
When a user encounters a SilverPush advertiser on the Internet, the
advertiser drops a cookie on the user's computer while playing
an ultrasonic audio signal through the device's speakers. The other
smart device recognizes the inaudible code because of the software
development kit installed on it.
SilverPush technology can also embed audio beacon signals into
television commercials that are silently picked up by an app
installed on the user's device, completely unknown to the user.
The audio beacon allows a tracker to know which ads the user saw,
how long the user watched the ad before changing the channel, which
kind of smart devices the individual uses, along with other
information that adds to the profile of each user linked across the
various devices.
The device owner/user is oblivious to the beacon, but if the device
has a SilverPush-based app on it, once the beacon is detected, the
device is recognized as being used by the same individual (you). So
as The Atlantic recently quipped, your phone is literally listening
to your TV, all in the name of serving you more targeted ads.
Yikes!
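
As an added illustration (not taken from the article, the CDT letter or SilverPush), the Python below shows how a defender could check captured audio for a narrow tone in the near-ultrasonic range, which is the kind of signal described above. The 18 to 20 kHz band, the 48 kHz sample rate, the threshold and all function names are assumptions; the article gives no signal parameters.

```python
import math

SAMPLE_RATE = 48_000        # assumption: capture rate that can represent ~20 kHz
BAND_HZ = (18_000, 20_000)  # assumption: near-ultrasonic band; the article gives no frequencies
STEP_HZ = 250               # spacing of the frequencies probed inside the band
THRESHOLD = 0.01            # assumption: share of total energy treated as a tone

def goertzel_mag2(samples, freq, rate=SAMPLE_RATE):
    """Squared DFT magnitude of `samples` at one frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_peak(samples, rate=SAMPLE_RATE):
    """Return (frequency, share of total energy) for the strongest probed tone."""
    total = sum(x * x for x in samples)
    if total == 0.0:                      # silence: nothing to measure
        return None, 0.0
    n = len(samples)
    best = max(range(BAND_HZ[0], BAND_HZ[1] + 1, STEP_HZ),
               key=lambda f: goertzel_mag2(samples, f, rate))
    # For a pure sine, 2*|X|^2 / (n * total) equals its share of signal energy.
    return best, 2.0 * goertzel_mag2(samples, best, rate) / (n * total)

def has_beacon(samples, rate=SAMPLE_RATE):
    """True when a narrow tone in the probed band reaches THRESHOLD."""
    return band_peak(samples, rate)[1] >= THRESHOLD

def tone(freq, amp, n=4800, rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine wave."""
    return [amp * math.sin(2.0 * math.pi * freq * i / rate) for i in range(n)]

# Constructed samples: an audible 1 kHz tone alone, then with a faint 19 kHz tone mixed in.
CLEAN = tone(1000, 1.0)
TAGGED = [a + b for a, b in zip(CLEAN, tone(19000, 0.2))]

if __name__ == "__main__":
    print("clean :", band_peak(CLEAN), has_beacon(CLEAN))
    print("tagged:", band_peak(TAGGED), has_beacon(TAGGED))
```
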
Currently, there is no way to opt out of this kind of cross-device
tracking and only distance hinders the receipt of an audio beacon.
The CDT's letter noted that as of April 2015, SilverPush's
software was being used by six or seven apps and the company
monitored 18 million smartphones.
Not surprisingly, this level of detailed surveillance and tracking
has raised considerable privacy concerns, not the least that some
companies will be able to combine information from different
devices to create highly intrusive profiles of persons that may or
may not even be accurate.
In response to growing concerns and to get more input, the FTC held a workshop Nov. 16 as a first step to
examine the privacy issues around these types of tracking and
marketing activities.
While the FTC did not issue any formal guidance as a result,
chairwoman Edith Ramirez emphasized that regardless of the
technology, companies should continue working to address issues of
transparency, notice, and choice in this area.
She also highlighted the self-regulatory efforts of the advertising
industry on cross-device tracking, including the Digital
Advertising Alliance and the Network Advertising Initiative.
Maneesha Mithal, the associate director of the FTC's division
of privacy and identity protection, identified the five key
takeaways from the workshop:
(1) the benefits of cross-device tracking, including maintaining
state, frequency capping, and seamless user experiences across
devices;
(2) the need to provide greater transparency, choices, and
education for consumers;
(3) the need to consider the consumer experience;
(4) that there is room for industry innovation in this space;
and
(5) that companies should be mindful of their representations in
this space and adhere to those representations.
The public comment period for the workshop is open until Dec.
16.
Interestingly, on the same day the FTC held this workshop, the
DAA, a powerful industry group whose policies are often
contractually adopted by advertisers, ad agencies, ad networks, and
publishers, released a guidance document entitled "Application
of the Self-Regulatory Principles of Transparency and Control to
Data Used Across Devices," confirming that its existing principles
for tracking online behaviour and other new tech standards
apply to multi-site and cross-app data collection.
Marketers that collect cross-device data must include notices on
their web sites that data collected from a particular browser
or device may be used with another computer or device linked to the
browser or device on which such data was collected, or transferred
to a non-affiliate for such purposes. Additionally, marketers must
provide a device-specific consumer opt-out.
It's fair to say in Canada our privacy regulators would likely
not be impressed with the surreptitious nature of current
cross-device tracking practices. The federal Office of the Privacy
Commissioner of Canada recently reiterated and confirmed its
position in the "Online Behavioural Advertising (OBA) Follow
Up Research Project" published in June 2015.
In 2011, the OPC issued guidelines to help various organizations
involved in OBA to ensure that their practices are fair,
transparent, and in accordance with PIPEDA. One of the foundations
of the guidelines is that OBA involves the collection of highly
personal and personalized information.
The guidelines stated that opt-out consent for OBA could be
considered reasonable under PIPEDA provided it is carried out under
certain parameters:
(1) Individuals are made aware of the purposes for the practice in
a manner that is clear and understandable – the purposes must
be made obvious and cannot be buried in a privacy policy.
Organizations should be transparent about their practices and
consider how to effectively inform individuals of their online
behavioural advertising practices, by using a variety of
communication methods, such as online banners, layered approaches,
and interactive tools;
(2) Individuals are informed of these purposes at or before the
time of collection and provided with information about the various
parties involved in online behavioural advertising;
(3) Individuals are able to easily opt out of the practice -
ideally at or before the time the information is collected;
(4) The opt-out takes effect immediately and is persistent;
(5) The information collected and used is limited, to the extent
practicable, to non-sensitive information (avoiding sensitive
information such as medical or health information); and
(6) Information collected and used is destroyed as soon as possible
or effectively de-identified.
In addition, the OPC stipulated two restrictions:
(1) Any collection or use of an individual's web browsing
activity must be done with that person's knowledge and consent.
Therefore, if an individual is not able to decline the tracking and
targeting using an opt-out mechanism because there is no viable
possibility for them to exert control over the technology used, or
if doing so renders a service unusable, then organizations should
not be employing that type of technology for online behavioural
advertising purposes.
(2) As PIPEDA requires meaningful consent for the collection, use
and disclosure of personal information, it is difficult to ensure
meaningful consent from children to online behavioural advertising
practices. Therefore, as a best practice, organizations should
avoid tracking children and tracking on websites aimed at
children.
If these conditions and restrictions are not met, and an
organization wishes to continue to use OBA, then explicit consent
is required.
The OPC also noted in its Guidelines on Privacy and Behavioural
Advertising that any collection or use of an individual's
web browsing activity must be done with that person's knowledge
and consent and "If an individual is not able to decline the
tracking and targeting using an opt-out mechanism because there is
no viable possibility for them to exert control over the technology
used, or if doing so renders a service unusable, then organizations
should not be employing that type of technology for online
behavioural advertising purposes."
It is not clear how many Canadian companies are currently using
cross-device tracking, but they will be expected to comply with
existing Canadian privacy requirements relating to transparency and
opt-out capability.
However, it is difficult to see how the use of inaudible ultrasonic
audio beacon signal tracking technology will easily allow
individuals to "exert control over the technology used"
from a practical perspective or how to avoid tracking children
while using this technology.
I will continue to report on developments in this area as they
arise.
On a personal note, I wish all of my faithful readers happy
holidays and a healthy New Year!
Originally published by Canadian Lawyer Online - IT Girl Column