New IAB adtech framework 'as flawed as the last one'

A reformed adtech system, launched by IAB Europe in response to a ruling that its official framework is in breach of GDPR, simply cannot audit what happens to personal data after it has been broadcast to thousands of companies, hundreds of billions of times a day.

That is the damning conclusion of a probe into IAB Europe’s new “Vendor Compliance Programme”, designed to replace its Transparency & Consent Framework (TCF), which is used by Google and thousands of others as the official real-time bidding framework.

The launch follows pledges made by IAB to the Belgian data protection authority following an investigation into the system triggered by 22 complaints, including one from the Irish Council for Civil Liberties (ICCL).

In response to this pressure, IAB Europe claims the “Vendor Compliance Programme” will audit whether companies honour or ignore requests about how the data is being used by using a website “crawler” to examine what happens on an end-user device.

But the ICCL claims it is impossible to audit the majority of data traffic as crawlers cannot see what happens between companies servers.

The report states: “It can not observe what is sent in the bid request, or what companies it was sent to, or who those companies then passed that data on to, and what each company did with it. This ‘server-side’ problem is insoluble, and is the consequence of RTB’s inherent insecurity.

It goes on to cite a number of factors which prevent transparency:

First, ad exchanges broadcast personal data to a very large number of companies behind the scenes, between companies’ servers, where IAB Europe’s crawler cannot observe it. For instance, Microsoft’s advertising exchange claims the right to broadcast data to 1,647 other companies, while Google claims the right to broadcast data to 1,057 other companies.

Second, an real-time bidding auction for an individual advertising slot on a website is often not just one single auction, but an auction of auctions in which several ad exchanges compete to find the best bid. Thus, for one single advertising slot shown on a single web page, several ad exchanges often each broadcast personal data about the person viewing the web page to an even larger number of other companies.

This means that data protection depends on whether hundreds or thousands of companies can be trusted to honour a TCF request, every time there is an RTB auction. The TCF has no way of verifying whether they do so, the report claims.

Third, hundreds of billions of auctions happen every day, each involving a broadcast of data to many companies. As a result, even very small companies receive very large volumes of sensitive data.

The report concludes: “The lack of transparency and control in the TCF is therefore unchanged by IAB Europe’s new Vendor Compliance Programme. It remains impossible for a person to know what companies actually receive their data, or what will do with their personal data, or for a person enforce their rights under the GDPR over that data.”

IAB Europe has yet to comment on the findings.