Ad tech companies that serve targeted advertisements maintain detailed profiles of each consumer. They often contain browsing history, location data, links or advertisements clicked, search history, personal information the consumer has provided, and information purchased from data brokers. Ad tech companies use this data to make inferences about people’s demographics, characteristics, and interests. This data collection is ubiquitous and extremely difficult for people to avoid, and it can lead to discrimination, government surveillance, and security issues.
Here are some examples of how ad tech collects consumers’ data discretely.
Browser or device fingerprinting can distinguish one device or browser from another based on certain characteristics, such as the hardware specifications of the device, the fonts that are installed, the browser being used, and the signals the browser sends. When all of these characteristics match, it’s a good bet that it’s the same device or browser. The Electronic Frontier Foundation found that for a browser chosen at random, only 1 in 286,777 other browsers will share the same fingerprint. Fingerprinting is much harder to detect than cookies because it leaves nothing on the consumer’s device, and it’s much more difficult for consumers to control since there is nothing to clear or delete. Some browsers, like TOR or Apple’s Safari, deploy countermeasures to make fingerprinting more difficult, but it remains a risk.
Cookies and fingerprinting can also be used for tracking when consumers use browsers on mobile devices. However, in apps, trackers must use different methods. Every iOS and Android device has a unique advertising ID built in for the express purpose of surveillance advertising. Consumers can reset this ID, but advertisers can usually still track them using probabilistic matching (described below). Though more difficult to get, trackers also have access to the mobile phone number or the device’s hardware ID through some apps on Android (iOS blocks access to these identifiers). Unlike the advertising ID, consumers can’t reset these identifiers.
On a mobile device, many apps gather GPS location data even if they don’t actually need it to operate, and then the apps sell this data to ad tech companies. The data are anonymized before it is shared, but it is very easy to “de-anonymize” and link the data to individual consumers. Outside of mobile, an IP address can indicate a consumer’s location. IP addresses are based on the network a consumer is connected to, so consumers’ IP addresses change as they move around. Though an IP address can’t give an exact GPS location, it can identify a consumer’s city or even zip code.
The methods described so far are all device-specific. However, companies know that consumers use multiple devices, and they employ probabilistic matching to trace them from one device to the next. By comparing data across different devices — for example, similar search histories or activity on two devices in similar locations — they can determine that the devices likely belong to the same person.
Because of the wide array of technologies used by trackers and their ever-changing nature, regulation cannot focus on one technology or another. For example, third-party cookies are slowly fading out of use; they have already been blocked by Safari and Firefox, and Chrome plans to block them by 2023. However, as cookies phase out, Google is developing a new tracking method known as FLoC. As another example of new tracking technology, companies are beginning to use cameras in stores to track consumers and the products they may be interested in. Regulating specific tracking technologies only incentivizes trackers to find sneakier ways to profile consumers.
How can consumers avoid being tracked and profiled for surveillance advertising?
It is extremely difficult for people to avoid all of the tracking and profiling that facilitates surveillance advertising. Consumers can clear cookies on their computers, but not all tracking involves cookies, and their use is diminishing. Ad blockers work by rejecting the code that loads ads from running on consumers’ browsers and thus stop some tracking by default, but not all; for instance, ad blockers have a harder time preventing fingerprinting, and some tracking code is not associated with ad placement. Furthermore, tracking or ad code can sometimes also be doing something necessary for the webpage to work, and many websites have started requiring users to disable ad blockers in order to access content.
Consumers can use global privacy controls (GPC) on their browsers to send a signal communicating a desire to not have their data sold, but that says nothing about data collection. Moreover, companies can simply ignore these signals unless they are required to honor them. In many cases, consumers must install these tools or turn them on, which can be a complicated and intimidating process.
Clicking on options such as “do not sell my data” or “do not track me” on every website a consumer visits is too burdensome. Furthermore, privacy legislation often contains numerous exceptions for certain types of data such as that disclosed on social media, certain types of businesses such as financial institutions and corporate affiliates, and certain uses of data, such as profiling that does not have a “significant legal effect” on the consumer – a determination left up to the business.
The bottom line is that surveillance advertising is unfair. It uses invisible and invasive techniques to manipulate consumers and rob them of real choice in the marketplace. Even if anti-tracking tools come pre-installed on consumers’ devices and are on by default, they will not prevent all tracking and profiling, nor will legal requirements to honor GPC signals guarantee that companies will do so. The risks of surveillance advertising outweigh the benefits, and contextual advertising provides a good alternative. Therefore, many organizations in the U.S. and other countries are calling on legislators to ban surveillance advertising.