The Bipartisan Digital Advertising Act Would Break Up Big Trackers

3 days 4 hours ago

In May, Senators Mike Lee, Amy Klobuchar, Ted Cruz, and Richard Blumenthal introduced the “Competition and Transparency in Digital Advertising Act.” The bill, also called the “Digital Advertising Act” or just “DAA” for short, is an ambitious attempt to regulate, and even break up, the biggest online advertising companies in the world.

The biggest trackers on the internet, including Google, Facebook, and Amazon, are all vertically integrated. This means they own multiple parts of a supply chain - specifically, the digital advertising supply chain, from the apps and websites that show ads to the exchanges that sell them and the warehouses of data that are used to target them. These companies harm users by collecting vast amounts of personal information without meaningful consent, sharing that data, and selling services that allow discriminatory and predatory behavioral targeting. They also use vertical integration to crush competition at every level of the market, preventing less-harmful advertising business models from gaining a foothold.

The DAA specifically targets vertical integration in the digital advertising industry. The bill categorizes ad services into, roughly, four kinds of business:

  • Publishers create websites and apps, and show content directly to users. They sell ad space around that content.
  • Ad exchanges run auctions for ad space from many different publishers, and solicit bids from many different advertisers.
  • Sell-side brokerages work with publishers to monetize their ad space on exchanges. These are sometimes called “supply-side platforms” in the industry.
  • Buy-side brokerages work with advertisers to buy ad space via exchanges. These are sometimes called “demand-side platforms” in the industry.

In broad strokes, the bill would prevent any company that makes more than $20 billion per year in advertising revenue from owning more than one of those components at a time. It also creates new obligations for advertising businesses to operate fairly, without self-preferencing, and prohibits them from acting against the interests of their clients. The bill is complex and nuanced, and we will not analyze every provision of it here. Instead, we will consider how the main ideas behind this bill might affect the internet if enacted.

How would this affect the real world?

The DAA would likely apply to all three of the biggest ad tech companies in the world: Meta, Amazon, and Google. As we’ll describe, all of these companies act as both publishers and service providers at multiple levels of the ad tech “stack.”

Meta is a “publisher” because it operates websites and apps that serve content to users directly, including Facebook, Instagram, WhatsApp, and Oculus. It also operates a massive third-party ad platform, called “Audience Network,” which sells ad space in “thousands” of third-party apps that reach “over 1 billion” people each month. Audience Network essentially acts as a supply-side platform, a demand-side platform, and an exchange at the same time. Furthermore, Meta uses both its user-facing apps and those “thousands” of third-party Audience Network apps to gather data about our online behavior. The data it gathers about users on its social media platforms are used to target them in Audience Network apps; those apps, in turn, collect yet more data about user behavior. This kind of cross-platform data collection is common to all of the ad tech oligarchs, and it helps them target users more precisely (and more invasively) than their smaller competitors.

Amazon has been rapidly developing its own advertising business. While online advertising was once widely viewed as a duopoly of Google and Facebook, today the ad market is better characterized as a triopoly. Amazon operates several third-party advertising services, including Amazon DSP, an analytics platform called Amazon Attribution, and a supply-side ad server called Sizmek Ad Suite. It also sells ad space on Amazon properties like its flagship website amazon.com, its Kindle e-readers, Twitch.tv, and its many video streaming services. Like Facebook, Amazon can use data about user behavior on its own properties to target them on third-party publishers and vice versa.

Google is the biggest of all. It makes billions of dollars selling ads on its user-facing services, including Google Search, YouTube, and Google Maps. But behind the scenes, Google’s ad infrastructure is even more expansive. Google operates at least ten different components that handle different parts of the ad business for different kinds of clients. Its ad exchange (AdX, formerly Doubleclick Ad Exchange), supply-side platform (Google Ad Manager, formerly Doubleclick for Publishers) and mobile ad platform (AdMob) all dominate their respective market segments. Its trackers, inserted into third-party websites, are far and away the most common on the web. And in addition to the massive information advantage it has over competitors, Google has repeatedly been accused of using its different components to secretly self-preference and directly undermine competition. As a result, the company is currently the subject of several different antitrust investigations around the world.

All of these companies likely meet the revenue threshold specified by the DAA. That means if the bill becomes law, all three may be required to divest their advertising businesses. Google could operate YouTube and Search, or the infrastructure that serves ads on those sites, but not both. Furthermore, if all of its advertising components were spun off into one “Google Ads” conglomerate that still made over $20B in revenue, the resulting company would have to choose between its ad exchange, its supply-side platforms, or its demand-side platforms, and spin off its other parts. Essentially, the ad giants will have to break themselves into component parts until each component either falls below the revenue threshold or operates just one layer of the ad tech stack.

Why do break-ups matter?

Google and Facebook build user-facing platforms, but their main customers are advertisers. This central conflict of interest manifests in design choices that sell out our privacy. For example, Google has made sure that Chrome and Android keep sharing private information by default even as competing browsers and operating systems take a more pro-privacy stance. When advertiser interests conflict with user rights, Google tends to side with its customers.

Splitting user-facing platforms apart from ad tech tools would cut right through this tension. Chrome and Android developers would face competitive pressure from rivals who design tools that cater to users alone.

Separating ads from publishing can protect rights that US privacy laws do not address. A majority of proposed and enacted privacy laws in the U.S. regulate data sharing between distinct companies more strictly than data sharing within a single corporation. For example, the California Privacy Rights Act (CPRA) allows users to opt out of having their personal information “shared or sold,” but it does not give users the right to object to many kinds of intra-company sharing—like when Google’s search engine shares data with Google Ads to enable hyper-specific behavioral targeting on Google properties. Breaking user-facing services apart from advertiser-facing businesses will make it easier to regulate these flows of private information.

Splitting ad empires apart also holds the promise of a fairer ad market. Removing tech companies’ content and app businesses from their ad businesses, and splitting the sell-side and buy-side of the ad-tech stack, will make self-preferencing, bid-rigging, and other forms of fraud and cheating less profitable and easier to detect. This will help media producers and individual creators get their rightful share of revenue from the ads that run against their work, and it will help protect small businesses and other advertisers from being price-gouged or defrauded by powerful, integrated ad-tech businesses.

Conclusion

The Digital Advertising Act is a bold, promising legislative proposal. It could split apart the most toxic parts of Big Tech to make the internet more competitive, more decentralized, and more respectful of users’ digital human rights, like the right to privacy. As with any complex legislation, the impacts of this bill must be thoroughly explored before it becomes law. But we believe in the methods described in the bill: they have the power to reshape the internet for the better.

Bennett Cyphers

Security and Privacy Tips for People Seeking An Abortion

3 days 4 hours ago

Given the shifting state of the law, people seeking an abortion, or any kind of reproductive healthcare that might end with the termination of a pregnancy, may need to pay close attention to their digital privacy and security. We've previously covered how those involved in the abortion access movement can keep themselves and their communities safe. We've also laid out a principled guide for platforms to respect user privacy and rights to bodily autonomy. This post is a guide specifically for anyone seeking an abortion and worried about their digital privacy. There is a lot of crossover with the tips outlined in the previously mentioned guides; many tips bear repeating.

We are not yet sure how companies may respond to law enforcement requests for any abortion related data, and you may not have much control over their choices. But you can do a lot to control who you are giving your information to, what kind of data they get, and how it might be connected to the rest of your digital life.

Keep This Data Separate from Your Daily Activities

If you are worried about legal pressure, the most important thing to remember is to keep these activities separate from less sensitive ones. This can be done many ways, but the underlying idea is to keep that information compartmentalized away from other aspects of your "regular" life. This makes it harder to trace back to you. 

Choosing a separate browser with hardened privacy settings is an easy and free start. Browsers like Brave, Firefox, and DuckDuckGo on mobile are all easy-to-use options that come with hardened privacy settings out of the box. It's a good idea to look into the “preferences” menu of whichever browser you choose, and raise the privacy settings even further. It's also a good idea to turn off this browser's features to remember browsing history and site data/cookies. Here’s what that looks like in Firefox’s “Privacy and Security” menu: 

Firefox's cookies and history options in its privacy menu

How to turn off Firefox's feature that remembers browser history

If you are calling clinics or healthcare providers, consider keeping a secondary phone number like Google Voice (which is free), Hushed, or Burner (both Hushed and Burner are paid apps, but have significantly better privacy policies than Google Voice). Having a separate email address, especially one that is made with privacy and security in mind, is also a good idea. Some email services you might consider are Tutanota and Protonmail.

Mobile Privacy

One way to protect your privacy is to get a “burner phone” – meaning a phone that’s not connected to your normal cell phone account. But keeping a super secure burner phone may be hard for many people. If so, consider reviewing the privacy settings on your current cell phone to see what information is being collected about you, who is collecting it, and what they might do with it.

If you're using a period tracker app already, carefully examine its privacy settings. If you can, consider switching to a more privacy-focused app. Euki, for example, promises not to store any user information.

Turn off ad identifiers on your phone. We've laid out a guide for doing so on iOS and Android here. This restricts individual apps' abilities to track your behavior when you use them, and limits their sharing of that information with others.

While you're at it, it's a good idea to review the other permissions that apps have on your phone, especially location services. For apps that require location data for their core functionality (such as Google Maps), choose an option like "While Using" that only gives the app permission to view your location when it's open (remember to fully close out of those apps when you are finished using them).

If you have a "Find My" feature turned on for your phone, like Apple's function to see where your phone is from your other computers, you will want to consider turning that off before traveling to or from a location you don't want someone else being able to see you visit.

If you're traveling to or from a location (such as a clinic or a rally) where there is a likelihood law enforcement may stop you or seize your device, or if you're often near someone who may look into your phone without permission, turning off biometric unlocking is a good idea. This means turning off any feature for unlocking your phone using your face ID or fingerprint. Instead you should opt for a passcode that is difficult to guess (like all passwords: make it long, unique, and random).

Since you are likely using your phone to text and call others that will share similar data privacy and security concerns as you, it’s a good idea to download Signal, an end-to-end-encrypted messaging app. For a more thorough walkthrough, check out this guide for Android and this for iOS.

Lock & Encrypt

Anticipating how data on your devices might be seized as evidence is a scary thought. You don't need to know how encryption works, but checking to make sure it's turned on for all your devices is vital. Android and iOS devices have full-disk encryption on by default (though it doesn't hurt to check). Doing the same for your laptops and other computers is just as important. It's likely that encryption is on by default for your operating system, but it's worthwhile to check. Here is how to check for macOS, and also for Windows. Linux users ought to check for guides for their choice of distribution and how to enable full disk encryption from there.

Delete & Turn Off

Deleting things from your phone or computer isn't as easy as it sounds. For sensitive data, you want to make sure it's done right.

When deleting images from your phone, make sure to remove them from "recently deleted" folders. Here is a guide on permanently deleting from iOS. Similar to iOS, Android's Google Photos app requires you to delete photos from its "Bin" folder where it stores recently deleted images for a period of time.

For your computer, using "secure deletion" features on either Windows or macOS is a good call, but it is not as important as making sure full disk encryption is turned on (discussed in the section above).

If you’re especially worried that someone might learn about a specific location you are traveling to or from, simply turning off your phone and leaving your laptop at home is the easiest and most foolproof solution. Only you can decide if the risk outweighs the benefit of keeping your phone on when traveling to or from a clinic or abortion rally. For more reading, here is our guide on safely attending a protest, which may be useful for you to make that decision for yourself.

Daly Barnett

[Recommended Book] Shinji Kumamoto, “探訪 ローカル番組の作り手たち” (Visiting the Makers of Local Programs): The Passionate Drive Behind the Makers, a Wholehearted Report from Visits to Commercial Broadcasters, reviewed by Shinji Kono

3 days 7 hours ago
The author, who covered the broadcasting industry for more than 30 years at a newspaper, visited the program makers at commercial broadcasters from Hokkaido to Okinawa after retiring, listened to their stories, and compiled his wholehearted reporting into this book. The spirit of the program producers, “how strongly the makers are driven by passionate conviction,” comes through vividly. The author visits Kiyotaka Ito, director and head of the news and production bureau at Yamagata Broadcasting. In 2019, Yamagata Broadcasting won the JBA Award (best in the television educational category) and the JCJ Award for the documentary “想画と綴り方~戦争が奪った子どもたちの〝心〟~” (Soga and Tsuzurikata: The “Hearts” the War Took from the Children). Ito says, “What has not changed is that ‘making war..
JCJ

Survey finds the time to fix vulnerabilities in open source projects has more than doubled in three years

3 days 15 hours ago
headless writes: According to the report “State of Open Source Security 2022,” compiled by Snyk with the cooperation of the Linux Foundation, dependencies on open source packages are making the software supply chain more complex, and the time needed to fix vulnerabilities tends to grow longer (press release, BetaNews article).

Open source packages are a key element of modern applications, and developers use a large number of them in their projects. Direct dependencies per project average 80, rising to an average of 174 for JavaScript projects, which have the most. Beyond direct dependencies there are also transitive (indirect) dependencies. Transitive dependencies not only create hidden risk but are also hard to fix. 40% of all vulnerabilities are found in transitive dependencies; of the average of 49 vulnerabilities per project, 18 to 20 arise from transitive dependencies.

Meanwhile, 49% of organizations have established a security policy for developing and using open source software (OSS), and 41% responded that they do not trust the security of the OSS within their organization. However, 72% answered that they would be able to secure at least a certain level of security by the end of 2022. The (average) time until a vulnerability is fixed in an open source project has risen from 49 days in 2018 to 110 days in 2021, 18.75% longer than for proprietary projects.
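The report's point that transitive dependencies hide risk and are harder to fix is easy to see on a dependency graph. The following is an added example, not code from the Snyk report or from the submitter: it walks a constructed lockfile-style graph, labels each vulnerable package as direct or transitive, and names the direct dependency that would have to be updated to remove it. Package names and the advisory list are constructed placeholders.

```python
# Added example, not from the Snyk report: given a dependency graph like the
# one a lockfile records, classify each vulnerable package as a direct or
# transitive dependency and name the direct dependency that pulls it in.
from collections import deque

# Constructed sample graph: package -> packages it depends on; "app" is the root.
DEPS = {
    "app": ["web-framework", "yaml-parser", "logger"],
    "web-framework": ["http-core", "template-engine"],
    "template-engine": ["string-escape"],
    "http-core": ["string-escape"],
    "yaml-parser": [],
    "logger": ["formatter"],
    "formatter": [],
    "string-escape": [],
}
# Constructed set of packages with a known advisory (no real identifiers).
VULNERABLE = {"yaml-parser", "string-escape", "formatter"}


def dependency_paths(graph, root="app"):
    """Breadth-first walk from root; shortest path (list of names) to each package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def classify_vulnerabilities(graph, vulnerable, root="app"):
    """Map each reachable vulnerable package to (kind, direct dep to bump, depth)."""
    paths = dependency_paths(graph, root)
    findings = {}
    for pkg in sorted(vulnerable):
        if pkg in paths:  # advisories for packages not in this tree are ignored
            path = paths[pkg]
            kind = "direct" if len(path) == 2 else "transitive"
            findings[pkg] = (kind, path[1], len(path) - 1)
    return findings


def transitive_share(findings):
    """Fraction of findings that are transitive (the report's 40% figure)."""
    transitive = [f for f in findings.values() if f[0] == "transitive"]
    return len(transitive) / len(findings) if findings else 0.0
```

On the sample graph, two of the three findings are transitive, and the deepest one (string-escape) can only be removed by updating web-framework, which is why such fixes take longer.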



nagazou