TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | When Cross-Device Tracking Goes Beyond Creepy Related reading: Draft ICO report finds gaps in Google's Privacy Sandbox



Last week I had planned to write about fear and technology. Of course, that’s not a new topic. Adam Thierer, for one, has written extensively about it, and recently, the ITIF issued a whitepaper on the rise in so-called “privacy panics.”

In a nutshell, it’s easy for the media, lawmakers and public to freak out about the privacy invasiveness of some new technology. Headlines flash. Twitter explodes. A U.S. senator sends the company a letter. And maybe a regulator makes a phone call.

More often than not, the marketplace gets used to the new technology, the furor dies down and it becomes part of everyday life—think Facebook’s move to a News Feed a few years back. Sometimes, though, the panic seems justified.

Enter audio beacons and, specifically, the ad-tech software made by a company called SilverPush.

They’re not new. TechCrunch did a piece on them in 2014, citing their “unusual approach to cross-device ad targeting.” I’ll leave it to the Center for Democracy & Technology to explain how it works:

format_quoteThe industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are ‘picked up silently by an app installed on a (device)(unknown to the user).’ The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices."

So essentially, if I’m in the privacy of my living room, watching TV, an inaudible sound wave finds and connects to any of my devices within range to connect them for data aggregation and mining. As a colleague of mine pointed out, this type of audio technology is not a new thing. In fact, there’s a section on it in the CISSP handbook. But the highly competitive ad ecosystem has gotten creative and now employs this technique.

This type of data collection bothers me for several reasons. For one, it takes tracking beyond the purely digital level by actually traversing a user’s physical space. Secondly, this type of use is not known by most people. I read and write about privacy technology every day, and it’s just hitting my radar. There’s very little transparency here. Third, this use creates one more path for malicious actors to access my devices. It’s one more security vulnerability that’s out there.

I understand that companies need to be innovative, need to push the envelope. I appreciate that kind of thinking. But companies using this type of technology need to be more transparent to consumers about what they’re doing. There needs to be notice and a way for users to opt out of this kind of tracking. With more Internet-of-Things devices making their way into our lives, this type of tracking will only increase. As will the security vulnerabilities that come with it.

In the privacy world, we talk a lot about Privacy by Design, notice, choice, transparency and cultivating the trust of consumers. I see none of that here.

There are good people in advertising; I have friends in the business and they care very much about what they’re doing. I’m also all for an ad-supported Internet that allows me to receive tons of free, awesome content. I love that. And there are good actors in industry that think about privacy. The DAA today released new guidance on cross-device tracking—a positive development, for sure.

But there’s a line—not just a creepy line, but one that's truly surreptitious and invasive—and this kind of use by SilverPush has all the hallmarks of that kind of privacy invasion.

Are we just going to continue to ramp up an arms race that, on one side, features increasingly invasive technology to track individuals, and on the other, more effective ad-blocking technology to stymy the former? Is this comprehensive style of data collection without notice, choice or transparency fair to consumers?

Do the people at SilverPush get so wrapped up in creating better advertising data they don’t even consider how consumers might react? Or do they think they don’t care? Or, worse, do they think they’ll never notice?

This all leads up to Monday’s Federal Trade Commission roundtable on cross-device tracking. I look forward to tuning in to see what industry, advocacy and others have to say about the state of play here. It’s too bad that a representative from SilverPush isn’t on the agenda. Hopefully, they’ll be there or will tune into what’s discussed. And hopefully others deploying and implementing audio beacons are paying attention, too.

It’s easy to get caught up in the headlines, to take part in “this week’s privacy panic,” but this use of audio beacons is legitimately invasive, in my mind, and one that we should be able to opt out of. Companies often talk about gaining the trust of consumers. Using this kind of technology without any transparency, notice or control will only erode consumers' trust further.

I’m curious: If you were CPO at SilverPush, what would your counsel be? What triggers the creepy line for you and how do you implement that in your policy decisions?

photo credit: Playing Dragon Age via photopin (license)

Get Your Cross-Device Download Here

The IAPP Westin Research Center Practice Guide on Cross-Device Tracking provides background and resources on how cross-device tracking technologies work and discusses privacy concerns, solutions and applicable laws and guidance. Need to brief the CEO? This is your shortcut.

1 Comment

If you want to comment on this post, you need to login.

  • comment john smith • Mar 19, 2016
    It's good to know about outlandish tactics such s this, so thanks for the reporting aspect of this article.
    But I'm having a hard time seeing how this is any worse than a commercial organization reading through all of your personal and business email, analyzing it (in real time and *amazing* depth), connecting it with as much of your web browsing habits as possible, connecting to your offline person whenever possible, and storing it in perpetuity without any restrictions on how it can be used now or in the future.  That's gmail.
    The only reason silverpush gets on people's nerves is that it feels like it crosses over your physical space in some way.  It's far, far less invasive than gmail (and all the associated google services that tie in), but because it's "invisible", most people just don't understand how deeply it goes.
    I'm not trying to say that silverpush is in any way a good thing, but rather, that the "creepy line" needs to be drawn *much* further back.