Monday, December 10, 2012
One of the ad industry's main arguments against tougher privacy
regulation has often been the claim that they are not really
targeting people but the devices they use.
The argument goes that a user profile is based on a cookie
placed in a particular browser - and therefore the ads you see are
not so much personal to you, but to the browser, and by extension
the device you are using to access the web. Therefore if the
same device is used by different people - it is an aggregate
This has long been a weak argument, not least because many users
on shared computers have separate login identities, which creates
unique browser profiles for each person. Now, the emergence
of a new business claiming to be able to connect profiles across
devices has really destroyed it.
Drawbridge is a US based company which says
it has developed the ability to pair up a tracking profile
collected from a mobile device with one built up on a desktop,
using unique cookie-based identifiers, without the use of any
additional personally identifiable information (PII) - like a name,
address or email.
Central to their business model is giving advertisers the
ability to reliably target an individual across either device they
might be using.
This is highly invasive, not least because it suddenly becomes
much harder for ordinary people to prevent this kind of
tracking. Once two (or more) devices have been paired for the
first time, it becomes relatively easy to create mechanisms to
circumvent user privacy actions like deleting the cookies on one of
There is no suggestion that Drawbridge is doing this, and they
go so far as to state that they can honour a Do Not Track request on both connected
devices. However, once that kind of cross-device connection
has been made - it may be technologically possible for someone else
to do it. And even if no-one is doing that now - it is likely
to be only a matter of time.
So if you can target someone with a particular advert, across
any number of internet devices they may have - that profile may not
technically be deemed personal data in the eyes of the law, but the
experience will seem very personal indeed. I for one would
not like it to be happening to me without being able to have some
control over the collection and use of such data.
At least some EU regulators agree on this score. One proposed
version of the new EU Data Protection Regulation that I have seen
includes defining the kind of unique cookie identifier that makes
this possible as personal data, which would therefore require
explicit user consent.
There are other interests arguing that unique identifiers are
not personal data, because they contain no information about the
individual. However, what this new approach to tracking
demonstrates very clearly is that it is possible to use identifiers
to connect data together from multiple sources. When you do
that, you can collect ever more data, and it becomes more
If it is not only possible, but probable that this will happen,
then surely the individual identifier itself, which is the only bit
of the data chain that the end user could be in control of, should
also be classified as personal data.
Given that technology always moves faster than regulation, and
that EU regulators are trying to create legislation that will have
a long life span, it would seem important for any new legislation
to draw some kind of line in the sand about this now, otherwise new
technology developments could leave consumer's online privacy no
better protected than under the current rules, which are widely
acknowledged to be out of date.