PART 1: LACK OF OPENNESS AND TRANSPARENCY BY AD TECH COMPANIES TOWARDS DATA SUBJECTS FACING DATA PRIVACY VIOLATIONS WITH A FOCUS ON RE-IDENTIFICATION
I. INTRODUCTION
Every day, data subjects' information is pumped into cyberspace, creating an avenue for more data privacy breaches. Mobile phones and laptops are the tools used to input data online, particularly through social media apps and access to the World Wide Web. Social media houses millions of pieces of data in the form of photos, texts, likes, retweets, reshares, and posts.
Data is gold for commercial entities via Advertising Technologies (or Adtech) companies who use the data to understand customer behavior and target advertising. Social media platforms either use the data retrieved from their customers for their businesses or sell it to other companies or third-party brokers.[1] While these tech companies collecting data from users claim the data is de-identified[2] before selling to others, this is usually not enough to anonymize the data, as re-identification can occur by matching the de-identified data with publicly available information, or auxiliary data, to discover the individual to whom the data belongs, thus potentially ruining lives.
Even if the data is anonymized, once infringers have access to pools of anonymized data, it can easily be re-identified (pseudonymization and anonymization). The fact that we are easily identified by very little information further exacerbates this problem of data privacy. Thus, there is a limit to the amount of anonymity a company can provide, and the data subject must come to understand and accept this reality and yet expect the highest form of data protection from these companies.
For this paper, Adtech companies refer to any kind of company that utilizes advertisement technologies to carry out advertisements to their audience, including search, display, video, mobile and social, with functions for targeting, design, bid management, analytics, optimization, and automation of digital advertising.[3] Such companies include Meta, Amazon, Apple, Google, iClick Interactive, Moloco, Mintegral, BYYD and Post click to name a few.
II. THE CONCEPT OF RE-IDENTIFICATION
Data re-identification occurs when personally identifiable information is discovered from anonymized (de-identified) data.[4] The re-identification of a scrubbed data set causes direct or indirect identifiers to become known, and the individual can be identified. While direct identifiers reveal the identity of the data subject, indirect identifiers often provide more information about the person's preferences and habits. The three ways scrubbed data can be re-identified are insufficient de-identification, pseudonym reversal, or combining data sets.[5] As mentioned earlier, one of the ways re-identification occurs is through insufficient de-identification. This happens when a direct or indirect identifier inadvertently remains in a data set that is made available to the public.
An example of insufficiently de-identified structured data is the Massachusetts record of state employees summarizing every state employee's hospital visit. After the then-governor of Massachusetts, William Weld, assured the public that the data had been properly scrubbed, Latanya Sweeney proved him wrong. The data still had hundreds of unscrubbed attributes. Sweeney obtained the data and used the Governor's zip code, birthday, and gender to identify his medical history, diagnosis, and prescription.
There are lessons to learn from Weld's example. Just as Weld promised the people of Massachusetts that the data would be properly anonymized, adtech companies make similar promises that are undone by data re-identification. What happens when ad tech companies make promises of data protection to their data subjects only for re-identification to occur? And how does this affect data subjects' behavior moving forward?
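A data holder can measure this exposure before releasing anything. The following is an added example, not part of the original essay: it computes k-anonymity (a standard measure the essay does not name) over the three indirect identifiers from the Massachusetts case, using constructed records and hypothetical field names, and shows how coarsening those fields removes the unique rows.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names removed, but the
# indirect identifiers (ZIP code, birth date, gender) are left intact.
RELEASE = [
    {"zip": "02138", "dob": "1950-03-14", "sex": "M", "diagnosis": "A"},
    {"zip": "02138", "dob": "1962-11-02", "sex": "F", "diagnosis": "B"},
    {"zip": "02139", "dob": "1962-07-19", "sex": "F", "diagnosis": "C"},
    {"zip": "02139", "dob": "1950-09-30", "sex": "M", "diagnosis": "D"},
    {"zip": "02141", "dob": "1962-01-05", "sex": "F", "diagnosis": "E"},
    {"zip": "02142", "dob": "1950-12-25", "sex": "M", "diagnosis": "F"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def class_sizes(rows, keys=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def k_anonymity(rows, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means at least one row is unique."""
    return min(class_sizes(rows, keys).values())


def unique_fraction(rows, keys=QUASI_IDENTIFIERS):
    """Share of rows that are the only member of their group."""
    sizes = class_sizes(rows, keys)
    singles = sum(1 for r in rows if sizes[tuple(r[k] for k in keys)] == 1)
    return singles / len(rows)


def generalize(row):
    """Coarsen a row: 3-digit ZIP prefix, birth decade instead of birth date."""
    out = dict(row)
    out["zip"] = row["zip"][:3] + "**"
    out["dob"] = row["dob"][:3] + "0s"
    return out


if __name__ == "__main__":
    coarse = [generalize(r) for r in RELEASE]
    print("raw:         k =", k_anonymity(RELEASE), "unique =", unique_fraction(RELEASE))
    print("generalized: k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

A release with k = 1 contains rows that any auxiliary data set carrying the same three fields can single out; generalization trades detail for larger groups.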
A. WHY IS RE-IDENTIFICATION A BIG DEAL?
Re-identification is an issue because the data subjects believe their personal information to be safe, relying on the duty of ad tech companies to honor their promise of data protection. Instead, the "anonymized" data is easily unraveled and exploited, used to commit fraud, etc. This perceived deception creates a lack of trust, and lack of trust hinders data subjects from consenting to the use of their data.
According to Lubarsky, consent and notification measures required by regulation in the U.S. are not enough to equip data subjects with the requisite knowledge of data breaches they are subject to.[6] Rather, a purposeful campaign of information on how re-identification occurs is vital. The reason is that the average reasonable man who uses the internet is not fully conversant with how his data is being exploited and/or infringed on. Typically, it is only when it is too late, and the matter is before the court, that he realizes that he gave his consent. Worse, a company might have promised to protect the data, and the data subject believes it but is unaware of the possibility of re-identification. Better awareness of data rights infringement will cause a data subject to make better choices, resulting in informed consent and fewer data privacy violations. As it stands, the average internet user is not properly equipped to make an informed decision regarding consent for their data.
III. COOKIES: A TOOL FOR ADVERTISERS
Cookies are a major tool used by adtech companies for data collection, particularly when used for content recommendation and targeted advertising.[7] Cookies are small files of information that a website generates which are stored within a web browser that the website can retrieve later.[8] They tell the server that the user has returned to a particular website and provide information that allows the site to display selected settings and targeted content. In addition, cookies store information such as shopping cart contents, login details, and user preferences so that when a user revisits a website, any information that was provided in a previous session or any set preferences can be easily retrieved. Advertisers use cookies to track user activity across sites so they can better target ads.
While proponents of adtech claim that the purpose is to enhance personalized user experience, as well as improve revenue for products being advertised, there are many privacy implications.[9] For instance, Facebook utilizes cookies that allow advertisers to choose specific groups of users. Subsequently, Facebook shows your web address to web users whose behavioral profiles match the advertiser's selections. The website's algorithms pick the ads you are most likely to click on based on your online activity.[10] Chris Yiu argues that there are more important things to worry about than cookies being able to constantly track a person, but I disagree. The power of a person to use this tool and retrieve personal information about a person online is unsettling. Ad tech companies share data in exchange for money and with cookies, your data could be continually sold and re-sold between hundreds of online players across several continents. What’s worse is that with re-identification, these players, armed with a personal profile about you, can know exactly who and where you are.
[1] Dvorak, C., What Data Does Facebook Collect?, Reviews.org, https://www.reviews.org/internet-service/what-data-does-facebook-collect/ (last visited Nov. 13, 2022).
[2] Bradbury, D., De-identify, Re-identify: Anonymized data's dirty little secret, The Register, https://www.theregister.com/2021/09/16/anonymising_data_feature/ (last visited Nov. 13, 2022).
[3] What is AdTech and why is it important?, Amazon Ads, https://advertising.amazon.com/library/guides/what-is-adtech (last visited Nov. 12, 2022).
[5] Id. at page 209.
[6] Id. at page 213.
[7] James Grimmelmann, Internet Law: Cases & Problems (12th ed. 2022).
[8] Cookies, https://www.trendmicro.com/vinfo/us/security/definition/cookies (last visited Dec. 16, 2022).
[9] Id.
[10] Grimmelmann, supra, at 276.