Adtech vendors still tracking EU users who deny consent via IAB’s TCF, study suggests

Natasha Lomas
New research examining what happens after Internet users in Europe land on an ad-supported website and express their “privacy choices” — using a flagship ad industry consent management platform which is supposed to allow them to control the types of ads they receive (i.e. non-tracking vs “personalized”) — has raised fresh questions over the IAB Europe’s self-styled Transparency and Consent Framework (TCF).

The TCF is already in hot water with privacy regulators.

Last month the IAB Europe announced that it’s expecting to be found in breach of the EU’s General Data Protection Regulation (GDPR) — and that the framework will also be found in breach — although the IAB sought to suggest that a few tweaks will suffice to fix the problems identified by the Belgian data protection authority (DPA).


We’re still waiting for publication of the final decision of the Belgian authority. But its preliminary findings — last year — highlighted a litany of GDPR failures.

Despite all that, the IAB has continued to argue the TCF is working as intended for the close to 800 adtech vendors who are thought to participate in the system, loudly rejecting criticism of it. Its CEO, Townsend Feehan, for example, pooh-poohed criticism earlier this month — telling Engadget that “none of this [tracking] happens if the user says no”.

However, the new study throws doubt on the claim that if a user says ‘no’ to tracking/behavioral ads via the IAB’s TCF, the adtech industry respectfully falls into line.


A key piece of this research examined how the adtech ecosystem responds to user signals that request only basic, i.e. non-tracking-based, ads — in other words, what ad vendors do when users say no to “personalized” ads.

Here the researchers found evidence to suggest that many adtech vendors continue to track and profile Internet users when they have explicitly said they don’t want tracking-based ads.

While a number of earlier studies have found problems with how publishers in the EU have implemented cookie consents, such as tracking cookies being dropped prior to asking a site visitor for their permission, this new research, carried out by adtech researcher Adalytics, aims to zero in on the TCF framework itself — by examining instances where ad-supported websites have faithfully reported users’ ad choices.

Problematic data flows after that point implicate the adtech industry itself — and the claims it makes for the TCF as a flagship compliance tool — because they suggest the framework fails to accurately reflect and actually respect users’ “privacy choices” once those choices are passed on to ad “partners”.

Listing a series of takeaways, Adalytics writes that the findings suggest:

  1. Many major ad tech vendors continue to track and profile EU users, even when an EU user has explicitly objected
  2. The TCF strings that were designed by IAB Europe do not appear to be honored or parsed correctly by many ad tech vendors
  3. Some ad tech vendors may not be able to demonstrate they obtained user data with user consent, which may expose them to contractual compliance, investor/shareholder disclosure, and regulatory risks
  4. In many instances, it is impossible for users to support media creators by allowing “basic ads” whilst disallowing tracking and behavioral profiling to protect their own privacy

It’s important to note, though, that there are limits to what the researchers were able to observe via Chrome Developer Tools — any processing done on adtech companies’ own servers isn’t verifiable by such external research.

Understanding the full picture of what’s done with people’s data once the adtech ecosystem gets its hands on it is difficult. But that also cuts to the heart of surveillance-based advertising’s problem with complying with the GDPR — which also requires accountability, transparency and security when processing personal data.

Setting those major overarching problems aside, just the fact of tracking cookies being dropped and user data being passed around when a person has explicitly said it should not be looks, well, awkward for the IAB’s TCF.

To study data activity at the adtech end of the framework, the researchers ran tests in a number of countries in the EU — visiting websites they had manually verified to be correctly configured to send the user’s consent string, selecting only basic ads, refusing personalized/tracking-based ads and profiling, and also limiting the choice of adtech processor to a single vendor.

The testers also made sure to object to “legitimate interests” so that their consent preferences could not be bypassed in that way.

If the TCF were functioning as Feehan’s remarks to Engadget earlier this month suggest — i.e. if users can deny tracking simply by saying ‘no’ via the TCF — the researchers would have expected to observe data flowing only as the individual had specified it should.

Instead, they found — in most cases — data flows that looked very different from the choices that had been expressed.

The paper also details numerous instances of tracking cookies being set prior to the user’s consent choices even being signalled. (Although they say they excluded such examples from their analysis as they were specifically aiming to study what happens after a user has submitted their choices via the TCF.)

Examples cited in the study of adtech vendors appearing to override/ignore TCF signals denying tracking include a visitor with a Belgian IP address to a popular local news website, nieuwsblad.be — who provides consent to basic ads only, and only consents to ads from Google (so they’re explicitly rejecting “personalized” ads and profiling) — yet who, on checking Chrome Developer Tools for network HTTP requests, observes HTTPS requests sent to ib.adnxs.com, a domain owned by AppNexus (aka Xandr), which responds by dropping a cookie called “uuid2” set for three months.

“Given that [this user] objected to personalised ads and creating a personalised profile, only provided consent to Google, and the fact that these consent choices were directly included in the HTTP request to adnxs.com, it is not clear why the AppNexus server responded by setting a persistent, advertising related cookie in [the user’s] browser,” the researchers observe.

In another example, a user with a French IP address visits the news website lemonde.fr and once again — despite not consenting to any cookies or purposes offered in the consent banner — sees an HTTPS request being sent to id5-sync.com, which responds by setting a cookie called “id5” for three months and triggering a 302 HTTP redirect to sync data with rtb-csync.smartadserver.com.

“This specific HTTPS request that was sent to id5-sync.com contains the previously mentioned TCF string in a query string parameter called “gdpr_consent”,” the researchers report, adding that: “The domain id5-sync.com belongs to ID5, a London-based “identity platform for the digital advertising industry”.”

They further note that the ID5 Universal ID is described in a github overview as a “shared, neutral identifier that publishers, advertisers, and ad tech platforms can use to recognise users”.

So, again, if the user is saying they don’t want to be identified and tracked for ads, why is the id5 cookie being dropped at all?

In another example detailed in the study, also involving a French IP address — this time the user visits the newspaper latribune.fr — the user’s consent choices are again apparently tossed in the virtual trash.

In this instance the user had specified they wanted basic ads served by US supply side platform OpenX.

However Openx.net was observed triggering user ID syncs with “numerous other parties”, including Amazon, Google, DataXu, AppNexus, Beeswax (bidr.io), Adelphic Predictive Data platform (ipredictive.com), AdPilot (erne.co), Simplifi Holdings (simpli.fi), and others, per the study.

In another example — involving a French IP user visiting atlantico.fr; and consenting to basic (not personalized) ads from Google only — the user sees a “lot of HTTPS requests being made with this TCF consent string, some of which appear to be user data syncing or setting tracking cookies”.

The researchers go on to note that: “A request sent to s.cpx.to responds by setting a cookie for 1-year called “cpSess”. This domain is owned by London-based Captify, and the “cpSess” cookie appears to be used to store and link personal information about the user” — before citing another source that suggests this cookie is “used as a tracking mechanism for […] advertising companies” and “helps with the delivery of targeted marketing adverts whilst users browse”.

The study details numerous other examples of unexpected data flows and syncing being observed after the user has asked not to be tracked.

As well as the manual examples cited above, the researchers also detail the results of large-scale automated tests — based on crawler data from 48,698 different publisher domains — which found evidence of “tens of thousands” of ad requests erroneously claiming the GDPR does not apply to web users who were in the EU.

Out of 35,389 publishers found to have an HTTPS request that was sent to an ad tech vendor and contained either the ‘gdpr=0’ query string parameter, or the ‘gdpr=1’ query string...
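As an added illustration of the kind of audit the study describes (this is example code, not Adalytics’ own tooling), the Python below decodes the core segment of a TCF v2 TC string as carried in the `gdpr_consent` query parameter and flags captured vendor responses that set a persistent cookie although the string lists no consent for that vendor or for the profiling purposes, or whose request carries `gdpr=0`. The field layout follows the public TCF v2 specification; the hostnames, vendor ids and captured requests are constructed for the example, and range-encoded vendor sections are not handled.

```python
import base64
from urllib.parse import urlparse, parse_qs
# TCF v2 core-segment layout (field, bit width) in order, up to the vendor-consent section.
CORE_FIELDS = [("version", 6), ("created", 36), ("lastUpdated", 36), ("cmpId", 12), ("cmpVersion", 12),
    ("consentScreen", 6), ("consentLanguage", 12), ("vendorListVersion", 12), ("tcfPolicyVersion", 6),
    ("isServiceSpecific", 1), ("useNonStandardStacks", 1), ("specialFeatureOptIns", 12),
    ("purposesConsent", 24), ("purposesLITransparency", 24), ("purposeOneTreatment", 1),
    ("publisherCC", 12), ("maxVendorId", 16), ("isRangeEncoding", 1)]
PROFILING_PURPOSES = {3, 4}  # TCF purpose 3 = create a personalised ads profile, 4 = select personalised ads

def encode_core(purposes, vendors, max_vendor_id=100):  # minimal core segment, metadata zeroed
    values = {"version": 2, "purposesConsent": sum(1 << (24 - p) for p in purposes), "maxVendorId": max_vendor_id}
    bits = "".join(f"{values.get(name, 0):0{w}b}" for name, w in CORE_FIELDS)
    bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor_id + 1))  # bitfield encoding
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).decode().rstrip("=")

def decode_core(tc_string):  # returns (consented purpose ids, consented vendor ids)
    seg = tc_string.split(".")[0]
    bits = "".join(f"{b:08b}" for b in base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    fields, pos = {}, 0
    for name, w in CORE_FIELDS:
        fields[name], pos = int(bits[pos:pos + w], 2), pos + w
    if fields["isRangeEncoding"]: raise ValueError("range-encoded vendor section is outside this example")
    purposes = {p for p in range(1, 25) if fields["purposesConsent"] >> (24 - p) & 1}
    vendors = {v for v in range(1, fields["maxVendorId"] + 1) if bits[pos + v - 1] == "1"}
    return purposes, vendors

def audit(records, vendor_ids):
    # records: captured (request url, Set-Cookie headers); vendor_ids: hostname -> GVL vendor id (assumed map).
    findings = []
    for url, set_cookies in records:
        u, qs = urlparse(url), parse_qs(urlparse(url).query)
        if qs.get("gdpr", ["0"])[0] != "1" or "gdpr_consent" not in qs:
            findings.append((u.hostname, "request claims GDPR does not apply or carries no TC string"))
            continue
        purposes, vendors = decode_core(qs["gdpr_consent"][0])
        persistent = any("max-age=" in c.lower() or "expires=" in c.lower() for c in set_cookies)
        # Heuristic worth manual review: a long-lived cookie from a non-consented vendor, or with profiling denied.
        if persistent and (vendor_ids.get(u.hostname) not in vendors or not purposes & PROFILING_PURPOSES):
            findings.append((u.hostname, "persistent cookie set although the TC string gives no consent for it"))
    return findings

def demo():  # constructed capture: user consented to basic ads (purposes 1 and 2) from vendor 7 only
    tc = encode_core(purposes={1, 2}, vendors={7})
    vendor_ids = {"ads.vendor-a.example": 7, "sync.vendor-b.example": 9, "bid.vendor-c.example": 12}
    records = [(f"https://ads.vendor-a.example/bid?gdpr=1&gdpr_consent={tc}", ["sess=abc; Path=/"]),
               (f"https://sync.vendor-b.example/sync?gdpr=1&gdpr_consent={tc}", ["uid=x1; Max-Age=7776000"]),
               ("https://bid.vendor-c.example/bid?gdpr=0", ["uid=x2; Expires=Thu, 01 Jan 2026 00:00:00 GMT"])]
    return audit(records, vendor_ids)
```

Run against a real capture, the same check needs the Global Vendor List to map each host to its vendor id, and a fuller decoder for range-encoded vendor sections.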