My colleagues Emily and Frank have in the past months been contributing our company’s work on ethical data use to the W3C’s Spatial Data on the Web Interest Group.
The W3C now has published a draft document on the responsible use of spatial data, to invite comments and feedback. It is not a normative document but aims to promote discussion. Comments can be filed directly on the Github link mentioned, or through the group’s mailing list (subscribe, archives).
“The purpose of this document is to raise awareness of the ethical responsibilities of both providers and users of spatial data on the web. While there is considerable discussion of data ethics in general, this document illustrates the issues specifically associated with the nature of spatial data and both the benefits and risks of sharing this information implicitly and explicitly on the web.
Spatial data may be seen as a fingerprint: For an individual every combination of their location in space, time, and theme is unique. The collection and sharing of individuals spatial data can lead to beneficial insights and services, but it can also compromise citizens’ privacy. This, in turn, may make them vulnerable to governmental overreach, tracking, discrimination, unwanted advertisement, and so forth. Hence, spatial data must be handled with due care. But what is careful, and what is careless? Let’s discuss this.”
2013 artwork by Jon Thomson and Alison Craighead. Located at the Greenwich Meridian, the sign marks the distance from itself in miles around the globe. Image by Alex Liivet, license CC-BY
Facebook has warned that it may pull out of Europe if the Irish data protection commissioner enforces a ban on sharing data with the US, after a landmark ruling by the European court of justice found in July that there were insufficient safeguards against snooping by US intelligence agencies.
Never issue a threat you’re not really willing to follow up on… FB says it might stop servicing EU citizens because it isn’t allowed to transfer their data to US servers over data protection concerns. To me it would seem good news if the FB data-kraken would withdraw its tentacles. It is also an open admission that they can’t provide their service if it is not tied to adtech and the rage-fed algorithmic timeline built on detailed data collection. Call it, I’d say.
Privacy regulations such as the GDPR say that you need to seek permission from your website visitors before tracking them.
Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law..... If you implement a proper GDPR consent banner, a vast majority of visitors will most probably decline to give you consent. 91% to be exact out of 19,000 visitors in my study.
GDPR and adtech tracking cannot be reconciled, a point the bookmark below shows once more: 91% will not provide consent when given a clear unambiguous choice. GDPR enforcement needs a boost. So that adtech may die.
Marko Saric points to various options available to adtech users: targeted ads for consenting visitors only, showing ads just based on the page visited (as he says, “Google made their first billions that way“), use GDPR compliant statistics tools, and switch to more ethical monetisation methods. A likely result of publishers trying to get consent without offering a clear way to not opt-in (it’s not about opting-out, GDPR requires informed and unforced consent through opt-in, no consent is the default and may not impact service), while most websurfers don’t want to share their data, will mean blanket solutions like ad and tracker blocking by browsers as default. As Saric says most advertisers are very aware that visitors don’t want to be tracked, they might just be waiting to be actively stopped by GDPR enforcement and the cash stops coming in (FB e.g. has some $6 billion reasons every single month to continue tracking you).
(ht Peter O’Shaughnessy)
Ian Forrester over at Cubic Garden has submitted a GDPR request to ClearView AI, the alt-right linked company that is hawking their facial recognition database (based on scraped online images) to law enforcement as well as commercial outfits. Should be interesting to follow along. Recently IBM stopped facial recognition work (they previously showed not being up to speed with CC licensing it seemed to me), and others like Amazon and MicroSoft did too when it comes to law enforcement. Facial recognition is extremely sensitive to bias.
Facial recognition 1, by EFF, license CC BY
The conclusion of a report by the Norwegian consumer association, Forbrukerrådet, minces no words: adtech is systematically in breach of GDPR rules. The report’s title is Out of Control.
The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used, Finn Myrstad, director of digital policy in the Norwegian Consumer Council is quoted. This is a key issue. The GDPR demands meaningful consent, not just the token consent that sites and apps still often try to get away with. Earlier a French ruling stated much the same about a boiler plate consent form advocated by IAB and that form has since disappeared, or at least I don’t encounter it anymore during my web surfing.
It reads as if the report is the basis for various GDPR complaints in multiple EU countries, so it will be interesting to see those progress through the system.
I’m very much in agreement with Doc Searls position that GDPR is lethal to AdTech.
I came across a nice illustration of the effect (ht Tomasino). Below is an image that shows you what happens when you visit USAToday on its GDPR compliant version and its non GDPR version. Paul Calvano who made the image says “The US site is 5.5MB and contains 835 requests loaded from 188 hosts. When loaded from France it’s 297KB, 36 requests and contains no 3rd party content.” The image shows what a striking difference that is:
Goed nieuws. Mijn eenmanszaak krijgt eindelijk een BTW-nummer dat niet mijn BSN-nummer bevat. Dat nummer moet op je website, je brieven en facturen staan, en daarmee geef ik dus gedwongen persoonsgebonden gegevens bloot. Dat is strijdig met de AVG. Per 1 januari 2020 kan ik in externe communicatie een ander nummer hanteren.