| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by jefftk 1267 days ago
	I left Google six months ago, and don't work in ads anymore. Ads without fraud detection are worth very little, and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.

1 comments

dmitriid 1267 days ago

> I left Google six months ago, and don't work in ads anymore.

But you did work there, and you keep saying the same things over and over again.

> and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.

You posit your incorrect interpretations as if they were fact. And you keep on conflating several things into one. Even though you've had plenty of time to, you know, read something about the things you're talking about.

1. Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, if it doesn't mean that you can't have ads at all.

2. No, fraud detection doesn't mean your ads are personalised. No, fraud detection doesn't mean that your ads must be personalised.

3. No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.

And yet, here we are, again, when you keep saying that these three disparate things are one and the same and that "GDPR is an overreach that prevents sites from showing ads". You keep repeating the same falsehoods over, and over, and over again. Please, stop.

link

jefftk 1266 days ago

I agree with your #1, #2, or #3 and you're right that I've been saying several different things in different parts of this thread, where it's not entirely obvious how they fit together. I do have a coherent view, though -- let me walk through the whole thing and try to clarify.

My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable.

(I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.)

While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy sensitive European countries I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection.

If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes:

* No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]

* No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5].

Together these rule out all commercially available adtech options I know about.

But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do?

The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?

The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that since users do not visit sites to see ads that sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests.

[1] https://news.ycombinator.com/item?id=34096210

[2] https://trustarc.com/blog/2022/11/30/schrems-ii-decision-cha...

[3] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

[4] https://www.theregister.com/2022/01/31/website_fine_google_f...

[5] https://www.theregister.com/2021/12/08/germany_cookie_servic...

[6] https://gdpr.eu/article-6-how-to-process-personal-data-legal...

[7] https://iabeurope.eu/iab-europe-transparency-consent-framewo...

[8] https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989

link

dmitriid 1266 days ago

> I agree with your #1, #2, or #3

> I do have a coherent view, though

It's strange that you agree... and yet your coherent view keeps on repeating the same lies, falsehoods, and keeps conflating things.

> My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising.

Let me re-iterate: You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.

I mean, come on. Go to spotify.com, download Spotify, and you will disover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid.

It's GDPR-compliant.

> it needs to be able to run the full ads stack without relying on anything that requires user consent

You can do that. Again. To re-iterate:

Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.

> No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]

This is, of course, a blatant misinterpretation of that decision bordering on a lie. And a false generalisation.

> No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2]

Exactly. Because the US literally said: we don't care about user privacy and we assert the right to view and peruse any data of any citizen of any country in the world if they use American companies.

It is just amazing to me that for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.

> The GDPR requires you to have one of several legal bases for any personal data you process.

Yes. Of course. Why do you want it any other way?

> With "consent" out of the picture, almost all of them are irrelevant for ads

Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, if it doesn't mean that you can't have ads at all.

> Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?

No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.

> The ad industry has historically thought that sites did.

No, The ad industry has historically thought that users' data is a free for all buffet with no consequences. They are now facing those consequences, and you go out of your way to protect the status quo.

link

jefftk 1266 days ago

> Go to spotify.com, download Spotify, and you will discover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid. It's GDPR-compliant.

Why do you think Spotify is GDPR compliant? For example, if you look at https://support.spotify.com/us/article/gdpr-article-15-infor... they say "we use your personal data to tailor advertising to your interests" and their declared legal basis is "Our legitimate interests here include using advertising to fund the Spotify Service, so that we can offer much of it for free."

I agree there are tons of ad-supported services where if you decline their consent banners they still show you ads. But I think somewhere between "extremely few" and "none" of them are actually GDPR-compliant.

> for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.

Where am I saying "I care about privacy"? My recent privacy writing is https://www.jefftk.com/p/privacy-tradeoffs and https://www.jefftk.com/p/preparing-for-less-privacy

I think there are commonly significant tradeoffs involved around privacy, and "maximize privacy over everything else" is not my view.

> > Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?

> No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.

You're not engaging with my point. I agree that if you say you're doing something for "fraud detection" but it isn't actually needed for fraud detection than the GDPR prohibits that. But what I wrote in my previous message is that even "actually trying to do fraud detection and nothing else" is very likely not something courts will consider to be within the legitimate interest of companies.

link

dmitriid 1265 days ago

All I can say is: even though you say you agree with me, you keep deliberately saying the same falsehoods, deliberately clumping disparate and non-related things together, and deliberately misrepresenting and misinterpreting everything related to privacy decisions in Europe.

I've said all I had to say here: https://news.ycombinator.com/item?id=34268322

For a person who writes things like "I rarely see enough concern over is that you can't trust the future to keep things private", you do sure go out of your way to defend arbitrary bulk data collection for the most mundane of things, ads. Oh, and the defeatist "we can't expect to keep things private, so to hell with it, no consent for any private data is necessary".

I have nothing to say to you further.

Adieu.

Final food for thought, not that it will convince you: https://jacquesmattheij.com/if-you-have-nothing-to-hide/

link