Chronotope’s avatarChronotope’s Twitter Archive—№ 155,886

                                              1. I've published my comment on IAB's Global Privacy Platform. GPP proposes to not just replace the TCF framework as the new standard for privacy signaling in the EU, but also become the signal for all privacy compliance, including upcoming US state laws 🧵 aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html
                                                OpenGraph image for aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html
                                            1. …in reply to @Chronotope
                                              Pressure is high on the IAB to present a new standard for privacy signaling. EU courts have basically declared TCF, their previous standard, not just insufficient but actively in violation of the European Economic Area privacy law GDPR... techcrunch.com/2022/02/02/iab-tcf-gdpr-breaches/amp/
                                              OpenGraph image for techcrunch.com/2022/02/02/iab-tcf-gdpr-breaches/amp/
                                          1. …in reply to @Chronotope
                                            The deadline on reform for IAB's spec in regards to EEA has been pushed back by their appeals, the ad tech community has additional concerns as no signaling method or spec has been publicly discussed to meet new US state laws dropping starting on Jan 1 and throughout next year...
                                        1. …in reply to @Chronotope
                                          The result is an enormous void around US state law compliance and the future of privacy signaling in the EEA. GPP is implied to be the solution for both...
                                      1. …in reply to @Chronotope
                                        The GPP spec provides a mechanism for encompassing all current & future privacy rules through a smart and mechanically effective encoding process I tested myself as well as an API pattern. But better compressing of data on to a string is not really what we need from this spec...
                                    1. …in reply to @Chronotope
                                      The core of my concerns is GPP's failure to provide any real change over TCF, besides this bolt on of new string encoding methods. GPP does not represent a significant technical change from TCF & it is hard to see how it could possibly meet the basic objections from EU courts...
                                  1. …in reply to @Chronotope
                                    I go deep into some of the technical issues in the post. All the problems of TCF are here, as are even more problems. Notably, their backwards compatibility process seems to mean layering over past APIs in unclear ways. aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html#api-layering-for-gpps-technical-system
                                    OpenGraph image for aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html#api-layering-for-gpps-technical-system
                                1. …in reply to @Chronotope
                                  But those details are really just the icing on some concepts that are just intrinsically unsound, some of which carry over from TCF, some of which are new. The idea of infinitely bolting on new privacy string components, while cleverly handled, is not really a way forward...
                              1. …in reply to @Chronotope
                                The IAB's further pushing of Vendor List continues to make them a gatekeeper in the ad tech community in theory (bad) but in reality means we end up w/different vendor and CMP lists and none of them sufficient. The new way to specify your vendor list opens a fingerprint risk...
                            1. …in reply to @Chronotope
                              Many people have already noted that the extremely complex vendor list and per-vendor consent process has a high risk of becoming its own fingerprint that identifies users and GPP's increased complexity only makes that worse...
                          1. …in reply to @Chronotope
                            GPP alludes to some of the work the IAB has done around systems to audit ad tech after the fact, but EU courts are likely to find non-real-time enforcement insufficient, as they should. GPP, as it stands, can make no guarantees of compliance...
                        1. …in reply to @Chronotope
                          And the fraction of ad tech on the IAB's vendor list makes even the idea of auditing all vendors involved in an ad request in the US, where many more tend to be involved and an even smaller fraction has self-identified on to the IAB's list, sort of ludicrous...
                      1. …in reply to @Chronotope
                        The ad tech Lumascape identifies over 10,000 ad tech vendors, any of which might be involved in making an ad call on a page. The IAB's TCF vendor list that GPP will use as well is less than 2,000. In fact my rough count of the latest puts it at 770... iabeurope.eu/vendor-list/
                        OpenGraph image for iabeurope.eu/vendor-list/
                    1. …in reply to @Chronotope
                      This gets to the biggest problem in the GPP. Even if the IAB was successful at convincing ad tech companies (including their own members!) to on-board to the Global Vendor List, it would only centralize them and turn them into gatekeepers unfairly...
                  1. …in reply to @Chronotope
                    But the IAB has not been successful at getting Vendors to sign on. And GPP means it must now face the outsized task of getting non-EEA vendors to sign on as well...
                1. …in reply to @Chronotope
                  This does not bode well, considering the IAB could not even get some of the major ad tech cos (that are IAB members!) to sign on to the LSPA that is a major part of how current CCPA CA privacy law compliance is handled, forcing many to get individual addendums w/major vendors...
              1. …in reply to @Chronotope
                The unfortunate thing is that the IAB Tech Lab has made significant improvements to its operation over the past few years. It's very disappointing to see them repeat most of the major old mistakes...
            1. …in reply to @Chronotope
              The most significant issue in GPP is the continued use of vendor lists at all. The idea that users could or would consent to individual vendors party to an ad transaction on the web is one of the EU courts' major objections as I understand it...
          1. …in reply to @Chronotope
            And rightfully so! Even the relatively small number of *almost 1,000 vendors* on the Global Vendor List is a ludicrous number of individual entities to require users to consent to every time they enter a site. No user could understand what they are even actually consenting to...
        1. …in reply to @Chronotope
          And it feels like this setup is a clear inducement to deploy dark patterns as a result. This is incredibly disappointing after the amazing work the IAB Tech Lab did on the USP API, the compliance mechanism for the California's privacy signaling process...
      1. …in reply to @Chronotope
        While USP still lacks real-time-enforcement and monitoring, it does provide a simple, straightforward human-readable privacy signal. There's no vendor list (instead sites rely on privacy contract addendums or the LSPA contract), and there's almost no fingerprinting risk...
    1. …in reply to @Chronotope
      Vendor-level consents alone should sink GPP. As a methodology it might end up becoming actively illegal in the EEA any day now and even if it didn't it is clearly anti-user and anti-privacy. The right answer here is simple & human-readable...
  1. …in reply to @Chronotope
    And really this should be going a step even further than that. An effective privacy compliance system from the IAB shouldn't just be a signaling system (though that is needed) but a standard set of hooks to actively turn off on- and off-page technology that tracks users...
    1. …in reply to @Chronotope
      At end of day the IAB Tech Lab has the knowledge and capability to give us an effective privacy signaling standard. GPP doesn't look like it though. Presenting it as a solution while the EEA is actively objecting to TCF seems like a great way to sink the entire OpenRTB system...
      1. …in reply to @Chronotope
        This thread is already longer than I intended, so I'll stop here and encourage you to read my comment, which goes into detail on this and more - aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html
        OpenGraph image for aramzs.github.io/web-standards/2022/09/02/global-privacy-platform-review.html
        1. …in reply to @Chronotope
          (If you are curious about the underlying EEA objections around the use of the vendor list, here's a great place to start, which digs into it with johnnyryan - protocol.com/bulletins/iab-europe-tcf )
          OpenGraph image for protocol.com/bulletins/iab-europe-tcf
          1. …in reply to @Chronotope
            (One more note: You can sign up to view the LSPA yourself - tools.iabtechlab.com/lspa and if you do you'll see that --in just one major example-- Magnite, which calls itself "The Largest Independent Sell-Side Ad Platform", does not appear to be a signatory.)
            OpenGraph image for tools.iabtechlab.com/lspa
            1. …in reply to @Chronotope
              (Also, if you are curious about Fibonacci encoding, here's the Glitch project I used to run tests around it - glitch.com/~fibonacci-code-testing )
              OpenGraph image for glitch.com/~fibonacci-code-testing
              1. …in reply to @Chronotope
                If you are curious, the EU's case against the IAB's TCF is continuing APD_GBA/1567553287762632704
                1. …in reply to @Chronotope
                  Good dive into how bad things are going for TCF. Chronotope/1567856277967060992?t=q10tyWOjQKEJLYbBta5ZDg&s=19


Search tweets' text