-
I've published my comment on IAB's Global Privacy Platform. GPP proposes to not just replace the TCF framework as the new standard for privacy signaling in the EU, but also become the signal for all privacy compliance, including upcoming US state laws 🧵 aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.htmlPermalink On twitter.com
♻️ 14 Retweets
❤️ 34 Favorites
Mood 0
-
Pressure is high on the IAB to present a new standard for privacy signaling. EU courts have basically declared TCF, their previous standard, not just insufficient but actively in violation of the European Economic Area privacy law GDPR... techcrunch.com/2022/02/02/iab-tcf-gdpr-breaches/amp/Permalink On twitter.com
♻️ 2 Retweets
❤️ 6 Favorites
Mood -5 🙁
-
The deadline on reform for IAB's spec in regards to EEA has been pushed back by their appeals, the ad tech community has additional concerns as no signaling method or spec has been publicly discussed to meet new US state laws dropping starting on Jan 1 and throughout next year...Permalink On twitter.com
♻️ 1 Retweets
❤️ 1 Favorite
Mood -1 🙁
-
The result is an enormous void around US state law compliance and the future of privacy signaling in the EEA. GPP is implied to be the solution for both...Permalink On twitter.com
♻️ 1 Retweets
❤️ 3 Favorites
Mood +1 🙂
-
The GPP spec provides a mechanism for encompassing all current & future privacy rules through a smart and mechanically effective encoding process I tested myself as well as an API pattern. But better compressing of data on to a string is not really what we need from this spec...Permalink On twitter.com
♻️ 1 Retweets
❤️ 1 Favorite
Mood +5 🙂
-
The core of my concerns is GPP's failure to provide any real change over TCF, besides this bolt on of new string encoding methods. GPP does not represent a significant technical change from TCF & it is hard to see how it could possibly meet the basic objections from EU courts...Permalink On twitter.com
♻️ 1 Retweets
❤️ 2 Favorites
Mood -2 🙁
-
I go deep into some of the technical issues in the post. All the problems of TCF are here, as are even more problems. Notably, their backwards compatibility process seems to mean layering over past APIs in unclear ways. aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html#api-layering-for-gpps-technical-systemPermalink On twitter.com
❤️ 4 Favorites
Mood -5 🙁
-
But those details are really just the icing on some concepts that are just intrinsically unsound, some of which carry over from TCF, some of which are new. The idea of infinitely bolting on new privacy string components, while cleverly handled, is not really a way forward...Permalink On twitter.com
❤️ 2 Favorites
Mood -2 🙁
-
The IAB's further pushing of Vendor List continues to make them a gatekeeper in the ad tech community in theory (bad) but in reality means we end up w/different vendor and CMP lists and none of them sufficient. The new way to specify your vendor list opens a fingerprint risk...On twitter.com
❤️ 1 Favorite
Mood -5 🙁
-
Many people have already noted that the extremely complex vendor list and per-vendor consent process has a high risk of becoming its own fingerprint that identifies users and GPP's increased complexity only makes that worse...Permalink On twitter.com
❤️ 2 Favorites
Mood -2 🙁
-
GPP alludes to some of the work the IAB has done around systems to audit ad tech after the fact, but EU courts are likely to find non-real-time enforcement insufficient, as they should. GPP, as it stands, can make no guarantees of compliance...Permalink On twitter.com
❤️ 1 Favorite
Mood -3 🙁
-
And the fraction of ad tech on the IAB's vendor list makes even the idea of auditing all vendors involved in an ad request in the US, where many more tend to be involved and an even smaller fraction has self-identified on to the IAB's list, sort of ludicrous...Permalink On twitter.com
❤️ 2 Favorites
Mood -3 🙁
-
The ad tech Lumascape identifies over 10,000 ad tech vendors, any of which might be involved in making an ad call on a page. The IAB's TCF vendor list that GPP will use as well is less than 2,000. In fact my rough count of the latest puts it at 770... iabeurope.eu/vendor-list/Permalink On twitter.com
Mood 0
-
This gets to the biggest problem in the GPP. Even if the IAB was successful at convincing ad tech companies (including their own members!) to on-board to the Global Vendor List, it would only centralize them and turn them into gatekeepers unfairly...Permalink On twitter.com
Mood +1 🙂
-
But the IAB has not been successful at getting Vendors to sign on. And GPP means it must now face the outsized task of getting non-EEA vendors to sign on as well...Permalink On twitter.com
Mood +3 🙂
-
This does not bode well, considering the IAB could not even get some of the major ad tech cos (that are IAB members!) to sign on to the LSPA that is a major part of how current CCPA CA privacy law compliance is handled, forcing many to get individual addendums w/major vendors...Permalink On twitter.com
❤️ 2 Favorites
Mood 0
-
The unfortunate thing is that the IAB Tech Lab has made significant improvements to its operation over the past few years. It's very disappointing to see them repeat most of the major old mistakes...Permalink On twitter.com
❤️ 1 Favorite
Mood -3 🙁
-
The most significant issue in GPP is the continued use of vendor lists at all. The idea that users could or would consent to individual vendors party to an ad transaction on the web is one of the EU courts' major objections as I understand it...Permalink On twitter.com
❤️ 1 Favorite
Mood +3 🙂
-
And rightfully so! Even the relatively small number of *almost 1,000 vendors* on the Global Vendor List is a ludicrous number of individual entities to require users to consent to every time they enter a site. No user could understand what they are even actually consenting to...Permalink On twitter.com
❤️ 1 Favorite
Mood 0
-
And it feels like this setup is a clear inducement to deploy dark patterns as a result. This is incredibly disappointing after the amazing work the IAB Tech Lab did on the USP API, the compliance mechanism for the California's privacy signaling process...Permalink On twitter.com
❤️ 1 Favorite
Mood +5 🙂
-
While USP still lacks real-time-enforcement and monitoring, it does provide a simple, straightforward human-readable privacy signal. There's no vendor list (instead sites rely on privacy contract addendums or the LSPA contract), and there's almost no fingerprinting risk...Permalink On twitter.com
Mood -4 🙁
-
Vendor-level consents alone should sink GPP. As a methodology it might end up becoming actively illegal in the EEA any day now and even if it didn't it is clearly anti-user and anti-privacy. The right answer here is simple & human-readable...Permalink On twitter.com
Mood -2 🙁
-
And really this should be going a step even further than that. An effective privacy compliance system from the IAB shouldn't just be a signaling system (though that is needed) but a standard set of hooks to actively turn off on- and off-page technology that tracks users...Permalink On twitter.com
Mood +2 🙂
-
At end of day the IAB Tech Lab has the knowledge and capability to give us an effective privacy signaling standard. GPP doesn't look like it though. Presenting it as a solution while the EEA is actively objecting to TCF seems like a great way to sink the entire OpenRTB system...Permalink On twitter.com
❤️ 1 Favorite
Mood +11 🙂
-
This thread is already longer than I intended, so I'll stop here and encourage you to read my comment, which goes into detail on this and more - aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.htmlPermalink On twitter.com
❤️ 1 Favorite
Mood +1 🙂
-
(If you are curious about the underlying EEA objections around the use of the vendor list, here's a great place to start, which digs into it with johnnyryan - protocol.com/bulletins/iab-europe-tcf )Permalink On twitter.com
♻️ 1 Retweets
❤️ 4 Favorites
Mood +4 🙂
-
(One more note: You can sign up to view the LSPA yourself - tools.iabtechlab.com/lspa and if you do you'll see that --in just one major example-- Magnite, which calls itself "The Largest Independent Sell-Side Ad Platform", does not appear to be a signatory.)Permalink On twitter.com
Mood 0
-
(Also, if you are curious about Fibonacci encoding, here's the Glitch project I used to run tests around it - glitch.com/~fibonacci-code-testing )Permalink On twitter.com
❤️ 1 Favorite
Mood +1 🙂
-
If you are curious, the EU's case against the IAB's TCF is continuing APD_GBA/1567553287762632704Permalink On twitter.com
Mood +1 🙂
-
Good dive into how bad things are going for TCF. Chronotope/1567856277967060992?t=q10tyWOjQKEJLYbBta5ZDg&s=19Permalink On twitter.com
Mood 0