“Verizon made a number of statements suggesting that there was no privacy risk here and that the header couldn’t be used for tracking users – or, at least, wouldn’t be,” Mayer told AdExchanger. “But this is a new way of tracking people. It’s more permanent than the others, it’s less detectable – oh, and by the way, you can’t turn it off.”
In December, Mayer, a Ph.D. candidate focused on government surveillance issues, went “Verizon zombie hunting.” He decided to try and spot companies that were obviously and actively engaged in using Verizon’s header for tracking purposes by resetting his cookies and examining the requests for specific behaviors.
Turning Up The Heat
In short order, he found what he was looking for: Turn. The DMP-DSP hybrid seemed to be using Verizon’s header to resurrect deleted tracking cookies.
According to an industry source with knowledge of the matter, RUN uses the Verizon header “the way it was meant to be used” – as a device identifier – and has never tied the UIDH to cookies for targeting purposes.
In terms of what BrightRoll’s up to, the company declined to offer more than this prepared statement: “BrightRoll and Yahoo are committed to our users’ privacy and offer users transparency and controls built in. We do not employ any method to resurrect previously deleted cookies.”
Mayer’s discovery flies in the face of Verizon’s previously stated claims – that third parties wouldn’t use its UIDH to collect data and establish user identity. On the FAQ page about its UIDH, Verizon claims that it is:
“...unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH for two reasons. First, the UIDH changes frequently. Second, other permanent and longer-term identifiers are already widely available in the wireless area and could be used to build customer profiles. For ad tech entities that have a presence on many websites, the UIDH does not provide any information beyond what those entities have by virtue of these and other already existing IDs.”
In other words, everything will probably be OK – but it doesn’t matter because others out there are doing the same or more.
Precision Market Insights VP Colson Hillier put it like this to AdExchanger during a previous interview: “Our PrecisionID changes every seven days – and it can change if a customer calls us and opts out of a particular program. Then bam, it’s gone. Even if one of our strategic partners is running a campaign and tries to say, ‘The next time I see this PrecisionID, I’ll remember that it was in a certain segment’ – it doesn’t exist anymore. It’s vanished. It’s not a persistent cookie that raises privacy concerns.”
But Mayer isn’t buying it.
Verizon itself didn’t have much to offer in the way of response other than this canned quote: “The intent of the UIDH is to be used as part of our advertising programs, which have robust privacy protections, not as described in recent media reports. We are evaluating how third parties are using the UIDH in this evolving ecosystem and considering any appropriate response.”
But as it stands now, the crux of the issue remains: Even when consumers opt out of receiving targeted ads, it doesn’t stop them from being tracked. Today, most opt-out policies are a bit like “privacy theater,” Mayer said. Opt-out pages are often difficult to navigate – or to even locate in the first place.
“Regrettably, it’s very common for opt-out policies to not actually curtail tracking, which is where I think Turn was coming from, and it’s the way the entire industry has evolved,” he said. “We know, based on the technical evidence, that almost no one uses the opt-out pages and they’re not even designed to be easy to use.”
But although Turn is the ad tech scapegoat, it didn’t singlehandedly create the digital ad ecosystem.
“One of the reasons why the zombie cookie issue continues to look really bad for the industry is that it emphasizes a fundamental error in not letting people control tracking,” Mayer said.
It’s a sentiment that Avi Spivack, senior director of product commercialization at data co-op Adroit Digital – a business that relies on the smooth flow of consumer data – can get behind.
“We owe it to the industry to maintain the evolution towards a more open environment in terms of a dialogue with consumers and Internet users so they don’t feel like something nefarious is going on,” Spivack said. “If somebody wants to opt out, we need to honor that. The minute we start to make the consumer suspicious, there’s going to be a backlash. So, let’s be above board about it as much as we can, because the end goal is the same: a digital marketing ecosystem with an open exchange of information where consumers are more willing to share.”
But that ecosystem won’t be achieved without a more “honest debate” around defaults, said Mayer, noting that most consumers are automatically opted in for tracking. Such is the case with Verizon’s PrecisionID.
“There’s been an uptick in cookie-blocking features, but if they’re not turned on by default, they’re not used,” he said. “What we should be thinking about is giving consumers privacy by default instead of having the advertising industry and the self-regulatory bodies focus on opt-outs that people never use.”
Rather than pushing things like consumer education or AdChoices, which haven’t proven to be all that effective yet – a study conducted by Parks Associates last January found that, three years after its release, only 6% of consumers were aware of what the DAA’s little blue opt-out icon even meant – Mayer called on the industry to stop kidding itself.
“Those are just a distraction from the real issue,” Mayer said. “When self-reg insists on focusing on policies that we know have failed, it suggests that self-reg has also failed.”
But now it's Ochoa's turn to be a bit skeptical – especially on the privacy by default front.
“There are people who feel that privacy should be the default, but why should they feel like that about the Internet as opposed to every other medium that has ever been developed by society to communicate messages, all of which are not opt out – everything from magazines and newspapers to television, radio or the town crier," he said. "The only way to opt out of a TV ad is to turn off the TV, but for some reason that’s not clear to me, people want the Internet to somehow be different.”
One response to that could be that the Internet is different. The Internet isn't any one thing – it's a combination of intent, purchase data, browsing behavior and PII all rolled into one. Ochoa wouldn't bite.
“That might be true to some extent, but if you’re a magazine subscriber, we know where you are and we target you," he said. "If you use a loyalty card in any grocery store, we know exactly what you buy and that information is shared with credit card companies and marketers.”