Cognitive dissonance
Better than Feedly, Twitter allowed me to discover fascinating people, experts in their field, with offbeat or incisive takes on current events. It was also an excellent amplifier for my writing on adtech and surveillance capitalism. But its abuses, increasingly glaring since Elon Musk's acquisition, got the better of me.
2 articles sum up my feelings on this social network very well:
- "On Twitter, we look down", where the author details his conflicted relationship with Twitter, and why he is still on it.
- "How to Blow Up a Timeline", where the author explains how exceptional and fragile the magic of yesterday's Twitter was.
The last straw that triggered the closure of my account? The renaming of Twitter to X, a detail in Elon Musk's cultural vandalism project. You can now find me on Mastodon, a federated social network, which belongs to no one and therefore cannot be controlled by a fascist, megalomaniac billionaire.
Having published a lot on Twitter, sometimes on topics that deserved a full article, I nevertheless wanted to be able to republish my tweets elsewhere. So I followed these 2 steps:
- Downloading my archives via the Twitter site.
- Installing tweetback (thanks @aeris) on my blog, with the help of this article.
My tweets are therefore available here, with a search engine to find tweets on a specific theme, and this post to reference the tweets that I want to find easily.
Credit where credit is due: let's start this collection of tweets with the creator of surveillance capitalism.
The godfather of adtech
I had already written an article on "Google's domination of advertising markets". The monopolistic nature of Google's adtech stack and advertising surveillance are closely linked:
- With the Privacy Sandbox, Google will no longer allow you to be tracked via a user ID? Not really...
- On the possibility of using user identifiers on Google's adtech stack, after the disappearance of third-party cookies from Chrome.
- Still Google's doublespeak on user identifiers.
- Unlike iOS, it is still very difficult to refuse advertising tracking on Android.
- The European Commission in its investigation into Google's adtech weighs privacy and competition, a bad approach.
- Google Ad Exchange, or fraudsters' paradise.
Google Chrome, advertising agent
Browsers are generally called "User Agents"; this is not the case for Chrome, Google's dominant browser:
- A guide to "privacy" in Chrome.
- Google Chrome onboarding, a textbook case for #DarkPatterns.
- “First-Party Set”, a Privacy Sandbox device aimed at continuing tracking within Google sites (YouTube, Maps, etc.).
- “First-Party Set”, a new tracking vector now in Chrome.
- Privacy Sandbox, ePrivacy applies (CNIL) and consent is therefore mandatory.
You can delve deeper into the Chrome subject with 2 of my articles:
- "The problematic HTTP header sent by Chrome to Google."
- "End of third-party cookies on Chrome and Privacy Sandbox: sham privacy protection."
Google Analytics, the advertising Trojan horse
In its minimal configuration, Google Analytics should work without advertising surveillance, but it is not that simple:
- Creating a Google account, or the art of the #DarkPattern to better monitor you.
- Google Analytics #PrivacyWashing.
- On the illegality of Google Analytics, a debunk of the article by @Devergranne.
- A long thread on the illegality of Google Analytics, following the decisions of the Austrian and then French data protection authorities.
- Does Auchan still use Google Analytics? There is room for doubt.
- The list of complaints from @NOYBeu to the CNIL, for transfer of personal data to the US (Google & Facebook).
Other Google tools
Google adtech, Chrome and Google Analytics are far from the only tools dedicated to better monitoring you:
- Using Google Tag Manager's Server-Side Tagging.
- Google Fonts, a Trojan horse for monitoring you?
- Your conversations with Google Bard are read by humans.
Learn more about the subject by reading my article "Google Tag Manager, the new anti-adblock weapon".
Facebook
Alias Meta, the worst of surveillance capitalism, a source of inspiration for Google and for all adtech.
Limitless data collection
In my article "With Facebook’s “Resilient Signals,” advertising surveillance evolves", I detailed how Facebook circumvented browser tracking protections. As with Google, abuse of dominant position and violation of your privacy go hand in hand, as I wrote in the article "Facebook and WhatsApp, the art of betraying you". Facebook is doing everything it can to capture more and more user data:
- How Facebook adapts to browser protections and other ad blockers.
- Facebook advertising tools use fingerprinting on third-party apps, for example with Duolingo.
- In particular, Facebook collects data from your phone's accelerometer.
- Data sharing between WhatsApp and Facebook/Meta.
- Moderation on WhatsApp, your messages are not always private.
Partnerships with the whole world
Here are 2 interesting examples, but Facebook has interfaced its advertising ecosystem with all the tools that matter:
- A partnership with Criteo on Facebook and Instagram.
- Shopify is launching into targeted advertising (on Facebook, etc.), with data from its customers.
Violating the law, a specialty
Facebook mocks regulations and the CNIL:
- Cookie banners (ePrivacy): Facebook is still mocking you (and the CNIL).
- The obstacle course to object to targeted advertising on Facebook/Instagram.
- On WhatsApp, the journey promises to be just as difficult.
- Facebook's (and Google's) #PrivacyWashing.
Platform surveillance, via “Pixels” & “Conversion APIs”
To bypass your ad blockers and other browser protections, Facebook created its “Pixel” and its “Conversion API” (CAPI), inspiring other platforms:
- Facebook.
- Google.
- TikTok.
- Snapchat.
- Pinterest.
- An example of a leak on Greenpeace.
- Another example with Amnesty International.
- A thread of leak examples.
- A study showing the extent of these leaks.
- Lockr, a service to hide your email... and continue advertising surveillance.
I also talk about these data leaks in the article "Guerlain (LVMH): luxury and surveillance".
Apple
As my article "Does Apple really protect you from advertising surveillance?" states, Apple is not perfect when it comes to privacy, but it is generally an ally in the face of surveillance from Google, Facebook and adtech.
A specific definition of “tracking”
Apple has put in place fairly effective mechanisms to protect you from advertising surveillance. They do not affect its own business, which has the gift of annoying adtech:
- Advertising industry misinformation about Apple.
- On Apple tracking.
- Apple's arguments regarding its "tracking" vs. the advertising industry's tracking.
- The arguments of adtech lobbyists, anti-Apple.
- Debunking lobbyist Eric Seufert on Apple ATT.
- Apple allegedly favors targeted advertising in its own apps, according to France Digitale's complaint.
- The Geste's complaint against Apple ATT.
- Arguments deployed by apps to track you (ATT pop-ups).
- Apple does not clean house: some apps continue to track you after you object.
- Facebook notes that it is still possible to monitor Safari users via tracking parameters (NB: in private browsing, no longer).
- Apple “privacy manifests”, an initiative to counter fingerprinting.
Apple loves your personal data
Some Apple practices are problematic:
- The obstacle course to deactivate Siri #darkpattern.
- Apple does not respect ePrivacy on its own site.
Adtech
Alongside Google and Facebook, thousands of companies are “innovating”, often to better monitor you.
Adtech, one huge black box
Almost incomprehensible operations, a proliferation of intermediaries, data leaks and scandals: welcome to the wonderful world of adtech:
- When one of the creators of "Real Time Bidding" doesn't understand how he could have been re-targeted, it's a bad sign for this opaque industry.
- A group of American senators is wondering which countries personal data goes to as part of “Real Time Bidding”.
- No scandals linked to advertising cookies? Not really, as this long list shows.
- Advertising resellers, the door wide open to personal data leaks and fraud.
- About an essential mechanism for “Real Time Bidding”, cookie synchronization.
- Illustration of cookie synchronization with ID5, a disaster for the user experience and for your privacy.
Identifying you to better monitor you
Adtech has talent for finding new tracking mechanisms:
- Bypassing browser protections and other ad blockers? Some companies, like Tracedock, communicate this clearly.
- In adtech too, we have solutions to bypass browser protections (e.g. Safari ITP).
- First.id, an identifier that supposedly bypasses browsers' anti-tracking protections.
- Detail of the "promise" of first.id, in relation to Apple's browser, Safari (and its ITP protection).
- Tracking in adtech still, with the company ID5, specialized in user identification.
- TrustId, or how telephone operators (Orange, Bouygues Telecom, SFR, etc.) want to allow the advertising industry to monitor you using your SIM card.
- Tracking without cookies or consent, free white paper from the IAB.
- Stronger than Google Tag Manager's Server-Side Tagging to bypass browser protections and other ad blockers? Cloudflare's Zaraz.
- Taboola (clickbait links at the bottom of articles) has "cookieless" technology: your email (and the limits of Safari ITP?).
- Deciphering a presentation from Liveramp, one of the leaders in “data”.
Disguised tracking via CNAME aliases
Some adtech players endanger the security of your online accounts by pushing the use of a domain alias called CNAME, simply to bypass browser protections. Many French sites do not ask questions and follow these recommendations. Some examples:
- Criteo pushes the technique to all its customers.
- Eulerian too.
- Another French player offering this option, Mediarithmics.
- American players are not left out, with Adobe.
The solution to this tracking? Firefox with uBlock Origin, and "NextDNS, my new favorite tracker and ad blocker".
Cookie banners, bane of the web
Rather than changing its business model, adtech prefers to ruin your user experience:
- Analysis of the latest version of the advertising consent protocol (cookie banners), the IAB's TCF v2.2.
- TCF deemed illegal? Webinar reaction from Didomi, the leader in cookie banners.
- Two cookie banners on the same site!
- Beautiful cookie banner, on the Ingeniance Tech Blog site.
- A beautiful #DarkPattern from TrustArc on the Starbucks website: a cookie banner that takes more than 30 seconds to validate your refusal of consent.
- AT Internet, consent exemption and third-party cookies.
- Do you use an adblock? No access to Rustica.
- Non-compliant Gens de Confiance cookie banner, quickly corrected!
- L'Équipe, champion of surveillance.
To go further, read "On the legality of IAB consent banners", an analysis of the consent banners offered by Sirdata.
Sirdata
Supplier of cookie banners, behavioral data and “consentless” solutions, Sirdata is an interesting company:
- Consent on a myriad of sites with Sirdata.
- Recycling without consent from Sirdata.
- Sirdata challenges the CNIL’s Google Analytics proxy recommendation.
- With what arguments does Sirdata claim to make Google Analytics compliant with the law (via its product, the Sirdata Helper)?
- Sirdata Analytics Helper and Le Figaro.
- The impunity of Sirdata: the CNIL is absent.
Legitimate interest, the biggest scam in adtech
The biggest scam in adtech? Claiming to have a “legitimate interest” (one of the legal bases of the GDPR) in monitoring you:
- Monitoring you using your IP address, without consent.
- Targeted advertising based on legitimate interest, with the Figaro website.
- Same problem on the Le Figaro App.
- Radio France, Didomi and legitimate interest in targeted advertising.
Positive initiatives
Advertising and respect for privacy are not irreconcilable:
- Firefox and advertising, choices that respect privacy (including IPA, an interesting initiative with... Facebook).
- An interesting proposal from NOYB to replace the horrible cookie banners.
Sites and Applications
This ad surveillance complex would not work if websites and apps refused to use it. But the advertising bonanza is often too tempting.
Abusive conditions of use
Many sites play with the regulations, or even free themselves from them:
- Twitter didn't wait for Elon Musk to spit on your privacy.
- How Microsoft forces you to give up your phone number.
- Decathlon, full-on surveillance with Valiuz.
- The Valiuz personal data cooperative, present on all Mulliez group sites.
- The pernicious update of Doctolib’s terms of use.
- Uber, targeted advertising by default.
- The Elyze App, or how to build a database of political opinions without consent.
To learn more, you can read "Decathlon, all-in on surveillance".
Personal data leaks
It's not just the conditions of use; these rarely correspond to the reality on the ground:
- French publishers such as L'Équipe and Le Bon Coin continue to work with Tapad, a controversial company that has closed in Europe.
- SNCF Connect app: your personal data leaks without consent.
- Cozy Cloud and privacy: promises vs reality.
- A video player on the Echos (Digiteka) website leads to massive leaks of personal data.
- The BBC does not comply with the ePrivacy Directive (cookies).
- Registration on the electoral lists and leaks of personal data to AT Internet.
- Real estate loan with Pretto, advertising surveillance included.
- Weather apps and the leak of your geolocation, a love story.
- Personal data leak with the LastPass iOS application.
- Groupama, cookies, #DarkPattern and CNAME.
Covid and personal data leaks
Lots of fantasies in France about surveillance linked to TousAntiCovid (compared to the little media coverage on algorithmic video surveillance for example, with France at the forefront of the field as denounced by La Quadrature du Net), but I nevertheless looked at the TousAntiCovid app:
The hypocrisy of the environment
In the category “we like denouncing Google and Facebook, but forget to put our own house in order”:
- The hypocrisy of Amnesty International, first to denounce surveillance capitalism but blind on its own site.
- The hypocrisy of Amnesty International, continued.
- Subscribe to support the press and avoid Google surveillance? A large part of the French press allows Google to manage subscriptions (and your personal data).
- Reaction from the CEO of Le Figaro after the CNIL fine.
- After the CNIL fine, Le Figaro is still flouting the law.
The CNIL, a very frustrating ally
To defend yourself against advertising surveillance, there are regulations, embodied in France by the CNIL. It is well-intentioned, sometimes makes important decisions (against Google or Facebook), but acts too rarely and very slowly. Lack of resources or complacency with adtech? Probably a bit of both...
The CNIL and cookies
As the CNIL does not want to apply the law to news sites, abuses are widespread:
- A thread of threads on different types of abuse.
- The good students who then degraded their consent interface.
- “Continue without accepting”, the history of the #DarkPattern promoted by the CNIL.
- “Continue without accepting”, the CNIL’s #DarkPattern widespread on the web.
- “Continue without accepting”, the CNIL’s #DarkPattern generalized in apps.
- “Continue without accepting”, at the bottom of the banner.
- “Continue without accepting”, with acceptance at the top right.
- Absence of the “Refuse all” button on the web.
- Absence of the “Refuse all” button in apps.
- Non-essential cookies placed before acceptance on the web.
- Non-essential cookies placed before acceptance in apps.
- Non-essential cookies placed after refusal of consent, in apps.
- Cookie wall, on the web.
- Cookie wall, in apps.
- Degradation of the user interface if consent is refused.
- Cookies and video player on L'Est Républicain.
To learn more, read the following articles:
CNIL sanctions
The CNIL therefore sometimes sanctions Google and Facebook. We can regret the slowness of the procedures and the amounts, which are not very large compared to the revenue of these 2 companies, but these sanctions do eventually have an effect:
- Advertising cookies without consent at Google and Facebook.
- On the weakness of the CNIL's sanctions against Google and Facebook.
- Luxembourg's sanctions are much more severe.
- The CNIL sanctions Google for the absence of the “Refuse all” button.
- But Google is still mocking the CNIL.
- If you click "Reject all" on the Google banner, does it still monitor you? Mystery...
- NOYB's (critical) opinion on the CNIL.