Worried about the use of tracking cookies that follow you around the Web and serve you targeted ads? No need to fret anymore since those cookies are now so passé! There is now something new to keep you up at night: cross-device tracking.
Cross-device tracking allows marketing companies to surreptitiously follow your online behaviour over various devices (including phones, tablets, televisions and computers) through the use of inaudible, high-frequency sounds. Users are generally unaware of it and the kinds of data being collected about them through this process.
Concerns relating to this issue are gaining traction south of the border. In its an October letter/submission to the United States Federal Trade Commission, the Center for Democracy & Technology, a digital human rights and privacy organization, said at the high level, cross-device tracking works by determining which user is using a device, assigning the user/device a unique identifier, and then storing these identifiers in a table.
As individuals often use several devices during a day (phones, computers, tablets, wearable health device, RFID fobs, etc.), marketers can combine all their data streams by linking them to the same individuals, enhancing the granularity of what they know about the person, and creating detailed profiles of individual users. Thus identifying recognition of long-term behavioural/shopping patterns.
Advertisers generally employ cross-device tracking in two ways.
“Deterministic tracking” occurs when users log into their online accounts. The owner then tracks and records their actions and if the user is signed into the platform on different devices, the company can track him or her across devices. The value of this data is limited since it is only available to the platform owners themselves (and any other third parties that they sell or otherwise provide the information to).
Without logins, marketers can use “probabilistic tracking,” which relies on aggregated information from multiple devices, including IP addresses, device type, web browser, and other setting to create digital fingerprints that links one individuals across devices.
Marketers can also determine user’s identities through “browser fingerprinting”: making inferences through users’ browser customizations, in addition to tracking their web movements, to (eventually) create a unique signal that web sites can use to uniquely identify the user (and which is virtually impossible to opt out of).
However, the most interesting/scary cross-device tracking method reported by the CDT is the use of inaudible ultrasonic sound beacons, led by a company called SilverPush.
When a user encounters a SilverPush advertiser on the Internet, the advertiser drops a cookie on the user’s computer while playing an ultrasonic audio through the device’s speakers. The other smart device recognizes the inaudible code because of the software development kit installed on it.
SilverPush technology can also embed audio beacon signals into television commercials that are silently picked up by an app installed on the user’s device, completely unknown to the user. The audio beacon allows a tracker to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user linked across the various devices.
The device owner/user is oblivious to the beacon, but if the device has a SilverPush-based app on it, once the beacon is detected, the device is recognized as being used by the same individual (you). So as the Atlantic recently quipped, your phone is literally listening to your TV, all in the name of serving you more targeted ads. Yikes!
Currently, there is no way to opt out of this kind of cross-device tracking and only distance hinders the receipt of an audio beacon. The CDT’s letter noted that as of April 2015, SilverPush’s software was being used by six or seven apps and the company monitored 18 million smartphones.
Not surprising, this level of detailed surveillance and tracking has raised considerable privacy concerns, not the least that some companies will be able to combine information from different devices to create highly intrusive profiles of persons that may or may not even be accurate.
In response to growing concerns and to get more input, the FTC held a workshop Nov. 16 as first step to examine the privacy issues around these types of tracking and marketing activities.
While the FTC did not issue any formal guidance as a result, chairwoman Edith Ramirez emphasized that regardless of the technology, companies should continue working to address issues of transparency, notice, and choice in this area.
She also highlighted the self-regulatory efforts of the advertising industry on cross-device tracking, including the Digital Advertising Alliance and the Network Advertising Initiative.
Maneesha Mithal, the associate director of the FTC’s division of privacy and identity protection, identified the five key takeaways from the workshop:
(1) the benefits of cross-device tracking, including maintaining state, frequency capping, and seamless user experiences across devices;
(2) the need to provide greater transparency, choices, and education for consumers;
(3) the need to consider the consumer experience;
(4) that there is room for industry innovation in this space; and
(5) that companies should be mindful of their representations in this space and adhere to those representations.
The public comment period for the workshop is open until Dec. 16.
Interestingly, on the same the day the FTC held this workshop, the DAA, a powerful industry group whose policies are often contractually adopted by advertisers, ad agencies, ad networks, and publishers, released a entitled “Application of the Self-Regulatory Principles of Transparency and Control to Data Used Across Devices,” confirming its existing principles for tracking online behaviour and and other new tech standards apply to multi-site and cross-app data collection.
Marketers that collect cross-device data must include notices on their web sites that that data collected from a particular browser or device may be used with another computer or device linked to the browser or device on which such data was collected, or transferred to a non-affiliate for such purposes. Additionally, marketers must provide a device-specific consumer opt-out.
It’s fair to say in Canada our privacy regulators would likely not be impressed with the surreptitious nature of current cross-device tracking practices. The federal Office of the Privacy Commissioner of Canada recently reiterated and confirmed its position in the “Online Behavioural Advertising (OBA) Follow Up Research Project” published in June 2015.
In 2011, the OPC issued guidelines to help various organizations involved in OBA to ensure that their practices are fair, transparent, and in accordance with PIPEDA. One of the foundations of the guidelines is that OBA involves the collection of highly personal and personalized information.
The guidelines stated that opt-out consent for OBA could be considered reasonable under PIPEDA provided it is carried out under certain parameters:
(2) Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in online behavioural advertising;
(3) Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
(4) The opt-out takes effect immediately and is persistent;
(5) The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
(6) Information collected and used is destroyed as soon as possible or effectively de-identified.
In addition, the OPC stipulated two restrictions:
(i) Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.
(2) As PIPEDA requires meaningful consent for the collection, use and disclosure of personal information, it is difficult to ensure meaningful consent from children to online behavioural advertising practices. Therefore, as a best practice, organizations should avoid tracking children and tracking on websites aimed at children.
If these conditions and restrictions are not met, and an organization wishes to continue to use OBA, then explicit consent is required.
The OPC also noted in its Guidelines on Privacy and Behavioural Advertising that any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent and “If an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.”
It is not clear how many Canadian companies are currently using cross-device tracking, but they will be expected to comply with existing Canadian privacy requirements relating to transparency and opt-out capability.
However, it is difficult to see how the use of inaudible ultrasonic audio beacon signal tracking technology will easily allow individuals to “exert control over the technology used” from a practical perspective or how to avoid tracking children while using this technology.
I will continue to report on developments in this area as they arise.
On a personal note, I wish all of my faithful readers happy holidays and a healthy New Year!