https://techcrunch.com/2022/06/24/trustpid/
Uh oh! European carriers are trying to get into 'personalized' ad targeting
Natasha Lomas (@riptari) / 7:15 PM GMT+2 • June 24, 2022
Image Credits: Ana Maria Serrano / Getty Images
As Google works on reconfiguring its adtech stack to move away from cookie-based ad targeting to something else that's not yet fixed but which it claims will be better for individual web users' privacy — and after Apple's move last year to lock down third-party tracking of app users on iOS, also on a claim it's better for user privacy — a number of telcos in Europe are sniffing opportunity to press in the polar opposite direction.
In recent months it's emerged that several telcos in the region are testing what they describe as a "cross-operator infrastructure for digital advertising and digital marketing" — aka TrustPid, as they're branding the ad targeting initiative — although, as is customary with respawning adtech, they're claiming their approach is "secure and privacy-friendly."
Users of mobile networks — who pay their hard-earned money to get cellular connectivity, not to be clobbered with (yet) more consent pop-up spam and/or be ad-stalked around the internet — may well take a very different view, as they wonder how many times they're going to have to keep slaying the tracking zombie.
EU privacy regulators are also on early alert, having fielded complaints and/or raised concerns over the telcos' approach — which suggests regulatory intervention could follow if carriers decide to move ahead with a full launch.
The carriers are dubbing their plan a "counter-design to third-party cookies" — and say it involves the creation of "pseudo-anonymous tokens" that are linked to the mobile device user's IP and mobile phone number (which is classified as personal data under EU law).
The 'twist,' if you can call it that, is that different tokens are generated for each ad partner — which they claim "limits" the merging of data from different ad partners to create profiles on customers. But individual level ad targeting is still individual level ad targeting. (And consent spam may still be unlawfully attention sapping.)
The telcos involved in TrustPid are proposing to manage — and presumably monetize — advertisers' access to this network-based infrastructure.
Technical details of how the tracking-based targeting is intended to work in practice are not immediately clear — but here's how Vodafone, which is leading the initiative, explains the approach online:
- Your mobile number and IP address will be used by your network provider, e.g. Vodafone or Deutsche Telekom, to generate a pseudonymous network identifier based on which we generate your pseudonymous unique token ("TrustPid"). The IP address is considered traffic data. Traffic data is personal data processed while delivering a telecommunications service.
- We use this TrustPid to create additional marketing tokens for the websites of advertisers and publishers you visit ("website specific tokens"). Advertisers and publishers aren't able to identify you as a person via the website specific tokens. Where you have provided consent, advertisers and publishers will use the website specific tokens to provide you with personalised online marketing or conduct analytics.
- We will keep a list of advertisers and publishers that you have consented to provide you with personalised online marketing or conduct analytics based on your TrustPid in order to show you this list via our Privacy Portal so you can manage your consent for those parties at any time.
As noted above, the proposal by European telcos to embed themselves into the ad-tracking game has quickly attracted plenty of the wrong kinds of attention — with regulators and data protection experts querying the legal basis for the processing, as well as, more broadly, questioning the ethics of repurposing mobile network traffic for ad tracking.
News of the proposal to fire up individual-level ad-targeting at the carrier level in Europe made it into German press late last month where it was reported that Vodafone and Deutsche Telekom were testing TrustPid locally — with the German publisher Bild/Springer initially signed up (another local publisher, NTV/RTL Group, has since also been reported to have joined the tests).
A report in Spiegel called the TrustPid trial "the return of the supercookie" — a reference to a deeply unpopular tracking technique used by U.S. carrier Verizon about a decade ago (which also attracted FCC sanction).
"Cellular providers like Vodafone and Deutsche Telekom are in a unique position. Even if the browser routinely deletes cookies or even changes the IP address, the provider can still link the data traffic to the respective cell phone number," Spiegel wrote in the report [translated from German with machine translation]. "Advertisers don't want access to names or real mobile phone numbers, only to a pseudonymous identifier. However, this can quickly be reassigned to a specific user profile, for example when shopping in an online shop or logging in to an e-mail provider."
The newspaper went on to quote a spokesperson for the data protection authority in North Rhine-Westphalia — raising questions about the appropriateness of TrustPid's stated reliance on user consent for its legal basis. The DPA's spokesperson added that the authority would be taking a closer look at the initiative's compliance with EU data protection law.
Media attention to the TrustPid trial in Germany was quickly followed by an announcement by the country's federal data protection authority, the BfDI — presumably getting a lot of alarmed inbound from citizens of the famously privacy-loving country at that point — admitting that the project was presented to it in 2021. But it emphasized it had not given any kind of sign-off on lawfulness of the approach.
Indeed, on the contrary, the federal authority said it had flagged a number of "data protection issues" vis-a-vis the proposal, including its focus on relying on consent for its legal basis.
"At that time, we pointed out various data protection problem areas, in particular the requirements for effective consent. However, we have NOT made any final project assessment or given any kind of approval. It was only agreed that there will be further consultations with the relevant telecommunications service providers in the future," the authority wrote [in German; we've used machine translation] at the end of May.
Nonetheless, Vodafone et al. appear to have pressed on with their tests — which, earlier this month, were reported to have spread to Spain, via local carriers Movistar and Orange.
Asked about the legal basis being relied upon for the experimental tracking system, Simon Poulter, a senior spokesman for Vodafone, denied that TrustPid is akin to a 'supercookie.'
"What we're trialling in Germany is a system based on digital tokens which do not include any directly identifiable information. Participation in the trial is only possible after having previously given voluntary and explicit consent (so-called opt-in)," he told TechCrunch.
"For a single user, the token generated will be different for each different partner. This limits the merging of data from different parties to create extensive profiles on customers — one of the big drawbacks for consumers in the way digital advertising works today. The tokens are expired after 90 days providing consumers with further protection. The telecommunications providers do not enhance the tokens with any customer, traffic or location data nor is this provided by the service in any other way. Neither the partners, nor TrustPid itself, can identify an individual by means of the tokens created by TrustPid."
In further remarks, Vodafone's spokesman also claimed:
"The service doesn't intercept or alter the data flows between a user and a website in any way, contrary to how other technologies sometimes called supercookies work" — and went on to dub it a "win-win" for users who he also claimed can "take control over their online privacy and decide who can show them personalized content and advertising."
While there are some technical differences between assigning a permanent, fixed ad identifier per mobile device and linking single-use pseudo-anonymous tokens to target ads per device, at bottom both are setting out to repurpose mobile network infrastructure for tracking. And many mobile users would say that sums to the same kind of creepy.
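An added illustration of that difference (not TrustPid's code and not from the article): a fixed per-subscriber identifier next to per-partner tokens that rotate every 90 days, with one partner's own logs showing how a single login still ties its token to a person, the point Spiegel raised. HMAC-SHA256 as the derivation, calendar-window rotation, the key, the phone number and the partner domains are all assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Everything below is constructed for illustration; nothing is from TrustPid.
OPERATOR_KEY = b"constructed-operator-secret"
ROTATION_DAYS = 90  # token lifetime quoted in the article


def _prf(key: bytes, *parts: str) -> str:
    """Keyed one-way function (HMAC-SHA256, an assumption), truncated for display."""
    return hmac.new(key, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()[:16]


def fixed_identifier(msisdn: str) -> str:
    """Supercookie-style: one value per subscriber, identical on every site."""
    return _prf(OPERATOR_KEY, "fixed", msisdn)


def partner_token(msisdn: str, partner: str, day: date) -> str:
    """Per-partner token derived from a network identifier that rotates every 90 days."""
    window = str(day.toordinal() // ROTATION_DAYS)
    network_id = _prf(OPERATOR_KEY, "network", msisdn, window)
    return _prf(network_id.encode(), "partner", partner)


def partner_profiles(events):
    """What a single partner can build from its own (token, page, login) log rows."""
    profiles = {}
    for token, page, login in events:
        entry = profiles.setdefault(token, {"pages": [], "identity": None})
        entry["pages"].append(page)
        if login:  # one authenticated request binds the token to a person
            entry["identity"] = login
    return profiles


def demo():
    msisdn = "+490000000000"  # constructed number
    start = date.fromordinal(date(2022, 6, 24).toordinal() // ROTATION_DAYS * ROTATION_DAYS)
    shop = partner_token(msisdn, "shop.example", start)
    news = partner_token(msisdn, "news.example", start)
    log = [(shop, "/shoes", None), (shop, "/checkout", "alice@mail.example"), (shop, "/bags", None)]
    return {
        "tokens_differ_across_partners": shop != news,
        "stable_within_window": shop == partner_token(msisdn, "shop.example", start + timedelta(days=89)),
        "rotates_after_window": shop != partner_token(msisdn, "shop.example", start + timedelta(days=90)),
        "shop_profile": partner_profiles(log)[shop],
    }
```

Calling `demo()` shows that the two partners cannot join their tokens without the operator's key, yet the shop's profile carries an identity for every page view made under its token during the window.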
In TrustPid's case, telcos banding together with select publishers to erect a whole new attention-sapping vector targeting mobile users — which requires them to keep denying consent to ad-tracking as they go about their business on the mobile web as they're faced with yet another unfamiliar-sounding 'partner' in the laundry list of cookie pop-up consent demanding data processors — does not sound like the kind of 'control' most people would prize.
It also pays to remember that a large chunk of current online advertising was recently found in breach of EU data protection rules — after the IAB Europe and its TCF framework were deemed to be delivering compliance theatre (rather than lawful compliance), exactly because of bogus reliance on non-compliant consent spam.
The IAB was given a few months to come up with a reformed approach. So a bunch of European carriers proposing a new wave of consent-based tracking of regional mobile users looks ill-thought through, to put it mildly.