Analytics and advertising tools, what risks for your privacy?

How marketing companies that monitor you work and what options you have to opt out of being tracked

Published by Pixel de Tracking on May 10, 2020

When you browse the web or use a mobile app, you are tracked by many companies. Here is a (partial) overview of the different analytics and advertising tools and their consequences for your privacy.

Analytics tools

These tools aim to provide usage statistics for a website or app; for example, they allow you to track:

  • Indicators such as the number of visitors, sessions, page views, or conversions.
  • The pages and screens viewed.
  • Entry points to the site (direct traffic, search engines, social networks, websites).
  • Visitor characteristics: region, device, browser, screen size, etc.

On the web, analytics tools that use first-party cookies

Most analytics tools compartmentalize data by customer. For example, your browsing path on L'Équipe is of no use in providing statistics to the Le Monde site. On the web, this separation is technically enforced through the use of first-party cookies: you are tracked via a pseudonym placed on the client's domain (example: lequipe.fr), and this pseudonym cannot technically be read by another domain (example: lemonde.fr). Here are examples of tools using first-party cookies:

  • Google Analytics: Google's analytics tool is present on most websites and many apps. By default, it works via first-party cookies.
  • Adobe Analytics: via the acquisition of Omniture in 2009, Adobe offers an analytics tool widely used by large companies.
  • AT Internet: a French analytics tool, still quite popular on French media sites.
  • Matomo: formerly Piwik, an open-source analytics tool that can be self-hosted (as on this blog).

First-party cookies have the “advantage” of being more durable than third-party cookies. In order to protect their users' privacy, browsers are increasingly blocking third-party cookies (Safari, Firefox, and Brave lead the way; Chrome is dead last but has decided to block third-party cookies within 2 years).

Note that when you log in to a website, you lose your anonymity and the site may potentially combine your on-site journey, regardless of the device you use, with CRM data already recorded about you (your subscription, your purchases, etc.). Without sending named personal data, some sites will simply send your customer ID to the analytics tool, then export raw data from the analytics tool to their Business Intelligence tool for later analysis.

How can you avoid this tracking? You can install an ad blocker such as uBlock Origin.

On the web, other analytics tools use third-party cookies

However, some web analytics tools can track you across multiple sites via third-party cookies: your pseudonym is placed on the analytics tool's domain, allowing it to access that pseudonym regardless of the site you visit. Obviously, the impact on your privacy is worse: the tool can then profile you through your browsing on each website where it is installed. Examples include:

  • Google Analytics: Google's free analytics tool is present on most websites and many apps. By default on the web, Google Analytics installs first-party cookies, but it offers an opt-in option for its customers to activate third-party cookies (on the doubleclick.net domain), in addition to first-party cookies. This option allows the client website to enable certain advertising features such as remarketing, but also to obtain aggregated information about the visitor profile (demographics and interests). Activating this feature obviously allows Google to profile you even better.
  • Quantcast: this advertising company offers publishers a free analytics tool. The tool allows publishers to better understand their audience, but above all allows Quantcast to enrich its user profile database.

The Google Analytics audience building tool allows advertisers to define very precise targets to then retarget them:

Audience_Builder_Google_Analytics

Here too, an ad blocker such as uBlock Origin will protect you.

Analytics tools in apps

The degree of surveillance by analytics tools in apps is higher. First, these analytics tools access user identifiers that are more persistent and accessible to all apps: in particular Apple's IDFA and Google's AAID. Users can deactivate these identifiers, but the options are well hidden (and your surveillance is not over, since other "first-party" identifiers then take over). By comparison, third-party cookies are increasingly blocked by browsers and privacy extensions.

Analytics tools dedicated to apps (or which started by offering their services to apps) also offer features to track users individually, which is still rarely the case for analytics tools specialized in the web (in general, these tools are older and more limited in terms of features). These tools also often collect non-anonymized personal data such as your name or email address, which remains rare in web analytics tools. For example, here is how Mixpanel sells its solution on its site:

mixpanel

These companies can therefore combine a lot of information about you. Some specialize in analytics and have no commercial reason to combine your personal data from different apps, but other companies also provide advertising services and therefore allow themselves to combine your personal data. Here are examples identified during app tests on this blog:

  • Mixpanel: a pure analytics tool that started with apps.
  • Amplitude: another pure analytics tool that started with apps.
  • Adjust: an analytics tool for apps that also offers attribution (knowing which advertising campaigns are effective), fraud prevention, audience segmentation, and retargeting.
  • AppsFlyer: another analytics tool for apps offering a multitude of services such as marketing analysis, fraud prevention, and attribution.

Protecting yourself becomes more complicated here, with apps rarely giving you control over these tools. On iOS, you will need to use apps such as DNSCloak, AdGuard or NextDNS.

Advertising solutions

Since advertising is very often based on your behavior, these solutions do not respect your privacy. The risk nevertheless differs depending on the purpose of each type of company. Via the Ad Ops Insider site (more details here), here is a diagram summarizing the exchanges between the different actors involved in delivering an ad to you:

RTB

Now let us look at the different tools involved, and their implications for your privacy.

Tools operating on behalf of a publisher or advertiser

These tools do not need to combine your behavioral data from multiple customers to work well. Here are the main tools on the publisher side (the website on which ads are displayed):

  • The publisher ad server: the “conductor”, the tool that decides which advertising campaigns to display when you visit a media site, and measures their delivery on behalf of the publisher. It has to arbitrate between direct sales (advertising campaigns sold directly by the publisher, often with a fixed number of ad impressions) and indirect sales (advertising that the publisher does not control, but delegates to ad networks and SSPs). The publisher ad server does not need to know your browsing across the web to function correctly, "only" your behavior on the publisher's site.
  • The SSP (Supply-Side Platform) or ad exchange: the programmatic marketplace. Its role is to auction off the publisher's advertising opportunities. It is connected to many DSPs (programmatic buying platforms operated by advertisers) and ad networks (intermediaries who have often also developed programmatic buying platforms). It also does not need to know your behavior on the web to work properly. Note that publishers often put several SSPs into competition using a mechanism called “Header Bidding”.

Some solutions combine both a publisher ad server and an SSP: in particular Google Ad Manager (the dominant player), AppNexus (renamed Xandr since its buyout by AT&T), Freewheel (bought by Comcast) and Smart AdServer (a French player). Many solutions only offer an SSP.

On the advertiser side, here are the main tools:

  • The advertiser ad server: the tool in charge of delivering advertising and measuring its effectiveness on behalf of the advertiser. It measures all the advertiser's campaigns: direct and indirect purchases (via ad networks and DSPs). The advertiser ad server does not need to know your browsing across the web to function correctly, "only" to remember the different interactions with the advertiser's ads.
  • The DSP (Demand-Side Platform): the programmatic buying platform. Its role is to buy advertising on behalf of the advertiser, on the right sites, for the right target (the most relevant users), and at the right price. This tool does not need to know your behavior on the web to work correctly, but it can bid more intelligently if it knows your history with the advertiser. Note that advertisers can use several DSPs in order to put them in competition.

Some solutions combine both advertiser ad server and DSP: again, we find Google via Display & Video 360 (the dominant player), but also Adform. Many solutions only offer a DSP.

Publishers and advertisers may also use DMPs (Data Management Platforms). These tools allow them to collect your browsing data, combine it with personal data from a CRM (subscriptions, purchases, etc.), and transfer it if necessary to their advertising tools. Examples:

  • A publisher can sell Sony PlayStation an advertising campaign targeted at subscribers to its video games newsletter. The publisher's DMP collects the video games newsletter subscribers, then transfers this "target" to the publisher's ad server, which can deliver the advertising campaign to the right audience.
  • An e-commerce site wants to exclude people who have already installed its app from its advertising campaign promoting the app. The advertiser's DMP collects the profiles of users who have installed the app, then transfers this "target" to the advertiser's DSP, which can exclude that target from the campaign.

Targeted advertising campaigns mechanically result in a leak of your personal data to these adtech players.

The main companies offering DMPs are marketing giants such as Oracle, Salesforce and Adobe. These companies offer many other marketing tools such as CRMs, and are therefore able to cover most of an advertiser's customer management needs.

Programmatic, where your personal data leaks everywhere

In theory, these tools do not need to track you with a single pseudonym across the entire web or across all apps to function (only within their client's scope, just like analytics tools using first-party cookies). In practice, this is nevertheless what they do (via third-party cookies), and this is what allows programmatic buying to work.

The DSPs and ad networks that buy advertising space programmatically “need” to know you in order to bid intelligently. Except that they do not have direct access to your device (they are called by the SSPs, which do have access to your device). In apps, this is not a problem because SSPs send your advertising identifier (IDFA at Apple, AAID at Google).

On the web, you do not have a unique identifier for all the sites you visit, so SSPs must synchronize your identifier with connected DSPs (for example, DSP 1, which recognizes you via the identifier "123", learns that you have the identifier "xyz" with SSP A, which allows it to recognize you when SSP A sends it an advertising opportunity). If you want to go deeper, the cookie synchronization mechanism is very well explained on the Ad Ops Insider website, from which the diagram below comes:

Cookie_sync

Let's summarize the leak of your personal data:

  • In apps, SSPs leak your personal data to numerous DSPs and ad networks (sometimes hundreds) without prior identifier synchronization. The leak of your personal data is entirely hidden (it happens between SSP servers and DSP servers). You will only be able to see the ad from the DSP that won the auction (but each DSP called will have been able to enrich your user profile).
  • On the web, because SSPs first have to synchronize your identifiers with connected DSPs, it is possible to see these “ID synchronization pixels” passing by, causing additional delays.

These leaks of your personal data are not limited to interactions between SSPs and DSPs. That is a simplification. They also involve other players in the advertising chain, such as (non-exhaustive list):

  • Fraud detection solutions (advertising attracts mafias because it is a lucrative market; a significant share of ads served are never seen by humans, only by bots).
  • Viewability measurement solutions (unscrupulous publishers like to place ads at the bottom of the page, where you will never see them).
  • Solutions that sell user data, for example social media sharing tools such as ShareThis, which collect your browsing data for resale.
  • Attribution solutions, which will measure each of your advertising interactions to evaluate which advertising campaigns are the most effective.

On this subject, you can read here the elements of Brave's complaint against Google and the IAB (Interactive Advertising Bureau, the pressure group for adtech companies) regarding the violation of the GDPR by RTB (Real-Time Bidding: programmatic advertising). The complaint was filed in September 2018, the ICO (the UK CNIL) has put the investigation on hold due to Coronavirus, so do not be in a hurry.

Here is a overview of the main players (again, non-exhaustive list) involved in the advertising chain:

Lumascape_Adtech

What can you do? If you follow these actors' recommendations, you can install opt-out cookies for each of them, which is not very practical. These actors also co-built the Transparency & Consent Framework (TCF), a protocol for transmitting information about your consent. But the TCF does not work correctly:

  • As we have already seen, the consent banners on which the TCF is based use Dark Patterns to make refusing tracking difficult, not to mention that they do not work properly.
  • The TCF is a communication protocol between adtech players; nothing then forces them to respect the signal received.
  • In particular, not giving your consent does not prevent these actors from collecting your personal data or even profiling you. Some simply consider that they should deactivate personalized advertising.
  • Controls, and therefore sanctions, are almost non-existent; the advertising industry claims that self-regulation is enough.

The consequences of this ultra-complex ecosystem, where anything goes:

  • Your personal data leaks to hundreds of different tools, with no real control possible.
  • Publishers receive only half of the money spent by advertisers, with each intermediary taking a commission.

waterfall

Study on programmatic transparency; note that the study cannot explain 15% of the money spent.

Ad networks, intermediaries working with both publishers and advertisers

SSPs and DSPs are tools controlled by publishers and advertisers (“self-service” tools):

  • The commission is fixed in the contract (between 5% and 15% in general).
  • The configuration of the SSP is the responsibility of the publisher (minimum sales price, advertisers accepted, advertising formats accepted, preferential agreements for certain brands).
  • The setting of advertising campaigns is the responsibility of the advertiser (or the agency operating the DSP, subject to validation by the advertiser): choice of distribution sites, targeting, advertising formats or bidding strategy to achieve the objective.

Ad networks, on the other hand, do not leave control to the advertiser or publisher:

  • The publisher has minimal control via its SSP if the ad network buys programmatically.
  • The advertiser cannot decide in advance on which sites or apps it will advertise.
  • It often does not have access to detailed reporting on its advertising campaign.
  • It does not choose its bidding strategy itself, but delegates decisions to the ad network.
  • In return, the effort required is minimal.
  • The ad network commission is often opaque but easily rises to 30% (Google AdSense) or even 50% (Criteo).

Why go through an ad network then? For two main reasons:

  • The campaign will be less costly to operate (no need for complex settings on a DSP).
  • The results will often be better (these ad networks monitor you extensively; your personal data makes them more effective).

One might believe that ad networks are in the minority compared to DSPs and SSPs, operated directly by advertisers and publishers, but this is not the case:

  • On the web, Google AdSense represents a considerable part of publishers' revenues.
  • Still on the web, intermediaries such as Criteo also have very significant weight. They buy programmatically but can also buy directly from publishers to avoid the SSP commission.
  • In apps, Google and Facebook ad networks are very powerful: Google AdMob and Facebook Audience Network.
  • Still in apps, programmatic has more difficulty establishing itself because advertising formats are often customized, and fit less easily into the box of programmatic standardization. Ad networks are still very powerful.

For your privacy, these ad networks are a disaster because, in order to earn more money, they have to profile you better. Here is “their” virtuous circle:

  • Capture your personal data through the delivery of targeted ads (or simply by “listening” to advertising opportunities in programmatic).
  • For some (Google, Facebook, Twitter, Pinterest, LinkedIn), additional capture of your personal data via essential B2C services (search engine, social networks, professional network, etc.).
  • For some (Google, Facebook, Quantcast, etc.), additional capture of your personal data via analytics tools.
  • Improvements to “profiling” and “pricing” algorithms through the mass of personal data collected, and through measuring the performance of advertising campaigns.
  • Advertising campaigns become more effective, advertisers are willing to spend more money.
  • Publishers increase their revenues and are ready to open up their advertising inventory further.
  • Even broader capture of your personal data.

In this little game, the following companies are doing very well but leave you almost no control, because their business models conflict with respect for your privacy:

  • Google: the Mountain View giant knows everything about your aspirations, which benefits its ad network, dominant on the web (Google AdSense) and very well established in apps (Google AdMob). Your control over this capture of your personal data is very limited: Google does not allow you to refuse the collection of your personal data, only to refuse personalized advertising and the association of your personal data with your Google profile.
  • Facebook: the Menlo Park giant also knows you intimately, which allows its ad network Facebook Audience Network to work very well in apps. Facebook gives you no control over its collection of your personal data.
  • Criteo: the French adtech giant, world leader in retargeting (ads that follow you everywhere after you view a product), does not allow you to refuse collection, only to refuse personalized advertising.

What can you do? A complaint from Privacy International was filed against Criteo, Quantcast and Tapad in November 2018, and the CNIL started investigating Criteo in March 2020, so do not be in a hurry.

For now, the only solution remains technical, and therefore not accessible to all users: installing an ad blocker such as uBlock Origin on the web, or apps such as DNSCloak, AdGuard or NextDNS on iOS.