Criticism of big tech companies that track us across the internet without our informed consent misses a bigger picture: There are hundreds of ad-tracking companies that do the same, and regulators have been powerless to rein them in.
A report by the Danish privacy consulting firm Cookiebot says that 112 ad-tracking companies collect information about visitors to government and public sector websites in European Union countries, even though the websites are not ad-supported. Of these, 52 were found on French government sites; German taxpayer-funded sites were found to be the best protected, yet one-third of their pages still contained advertising trackers.
If you don’t recall authorising that activity, that’s because you didn’t. Even if you clicked on an “I accept cookies” pop-up, which probably didn’t explain properly what cookies you were accepting, it didn’t cover all of the trackers. Some were smuggled in. “Modern websites typically include multiple 3rd party javascript technologies to power various functions, such as video players, social sharing widgets, web analytics, galleries and comments sections,” Cookiebot wrote.
“These scripts can act as Trojan horses, opening backdoors to the website code through which ad tech companies can silently insert their trackers.”
Government websites are often built on the cheap and include all kinds of third-party components. So not even the governments of EU member States comply with the union’s General Data Protection Directive, which requires site administrators to make sure users consent to the collection of their data.
Cookiebot has developed a technology to scan web pages for trackers, and it’s selling tools to ensure sites are GDPR-compliant. If you administer a site, Cookiebot wants you to worry about unauthorised trackers and potential large fines for GDPR noncompliance. But if privacy regulators decided to use a similar technology to check all sites for compliance, they’d be swamped and most violators would never be fined. Besides, it could be argued that smuggled trackers are akin to viruses, and that websites cannot be held responsible for noncompliance if they’ve been, in effect, hacked.
There are more
Cookiebot’s findings are more important to ordinary users and regulators than they are to website administrators. If you’re worried that Facebook and Google are watching you everywhere, which they are, you should also worry about a long list of companies, from AcuityAds to Zemanta that openly do the same, and a shorter list of adtech firms that don’t even identify themselves properly.
The problem of digital privacy isn’t about a few big companies. Sure, Facebook has the resources to fight back against anti-tracking technology in browsers, engaging in a cops-and-robbers game with the likes of Apple, according to the Cookiebot report. And sure, ubiquitous Google is the most active user of trackers. But the tracking won’t stop if the activity of the giants is regulated. Nor will clearer rules for cookie consent, as proposed in the EU’s still-to-be-enacted ePrivacy Regulation, eliminate the constant surveillance; they’ll likely just make it harder to detect.
Root cause
The root cause of all the pernicious surveillance is ad targeting as a business model. As long as it exists, we will be watched on the web even at moments when we most hate being watched. A ban on all targeted advertising, or even just on targeted political ads, as the inventor of the World Wide Web, Tim Berners-Lee, has suggested, would probably go too far. But there is a more effective way of regulating than trying to micromanage cookie settings.
Governments could seek to ban ad targeting based on anything except information directly provided by internet users. Those who want more personalisation, and thus potentially more relevant ads, should choose those options when signing up for social-network and free-email accounts, as well as when subscribing to news media that sell ads. Those who don’t want it should be shown random or loosely targeted ads, just like in the pre-tracking days.
This wouldn’t kill Facebook or Google, which have huge audiences. But it would undermine the ad-surveillance industry and introduce some much-needed honesty into our relationship with digital advertising.