Cookies are dying, and the tracking industry is scrambling to replace them. Google has proposed Federated Learning of Cohorts (FLoC), TURTLEDOVE, and other bird-themed tech that would have browsers do some of the behavioral profiling that third-party trackers do today. But a coalition of independent surveillance advertisers has a different plan. Instead of stuffing more tracking tech into the browser (which they don’t control), they’d like to use more stable identifiers, like email addresses, to identify and track users across their devices.
There are several proposals from ad tech providers to preserve “addressable media” (read: individualized surveillance advertising) after cookies die off. We’ll focus on just one: Unified Identifier 2.0, or UID2 for short, developed by independent ad tech company The Trade Desk. UID2 is a successor to The Trade Desk’s cookie-based “unified ID.” Much like FLoC, UID2 is not a drop-in replacement for cookies, but aims to replace some of their functionality. It won’t replicate all of the privacy problems of third-party cookies, but it will create new ones.
There are key differences between UID2 and Google’s proposals. FLoC will not allow third-party trackers to identify specific people on its own. There are still big problems with FLoC: it continues to enable auxiliary harms of targeted ads, like discrimination, and it bolsters other methods of tracking, like fingerprinting. But FLoC’s designers intend to move towards a world with less individualized third-party tracking. FLoC is a misguided effort with some laudable goals.
In contrast, UID2 is supposed to make it easier for trackers to identify people. It doubles down on the track-profile-target business model. If UID2 succeeds, faceless ad tech companies and data brokers will still track you around the web—and they’ll have an easier time tying your web browsing to your activity on other devices. UID2’s proponents want advertisers to have access to long-term behavioral profiles that capture nearly everything you do on any Internet-connected device, and they want to make it easier for trackers to share your data with each other. Despite its designers’ ill-taken claims around “privacy” and “transparency,” UID2 is a step backward for user privacy.
How Does UID2 Work?
In a nutshell, UID2 is a series of protocols for collecting, processing, and passing around users’ personally-identifying information (“PII”). Unlike cookies or FLoC, UID2 doesn’t aim to change how browsers work; rather, its designers want to standardize how advertisers share information. The UID2 authors have published a draft technical standard on Github. Information moves through the system like this:
- A publisher (like a website or app) asks a user for their personally-identifying information (PII), like an email address or a phone number.
- The publisher shares that PII with a UID2 “operator” (an ad tech firm).
- The operator hashes the PII to generate a “Unified Identifier” (the UID2). This is the number that identifies the user in the system.
- A centralized administrator (perhaps The Trade Desk itself) distributes encryption keys to the operator, who encrypts the UID2 to generate a “token.” The operator sends this encrypted token back to the publisher.
- The publisher shares the token with advertisers.
- Advertisers who receive the token can freely share it thro (PIIughout the advertising supply chain.
- Any ad tech firm who is a “compliant member” of the ecosystem can receive decryption keys from the administrator. These firms can decrypt the token into a raw identifier (a UID2).
- The UID2 serves as the basis for a user profile, and allows trackers to link different pieces of data about a person together. Raw UID2s can be shared with data brokers and other actors within the system to facilitate the merging of user data.
The description of the system raises several questions. For example:
- Who will act as an “administrator” in the system? Will there be one or many, and how will this impact competition on the Internet?
- Who will act as an “operator?” Outside of operators, who will the “members” of the system be? What responsibilities towards user data will these actors have?
- Who will have access to raw UID2 identifiers? The draft specification implies that publishers will only see encrypted tokens, but most advertisers and data brokers will see raw, stable identifiers.
What we do know is that a new identifier, the UID2, will be generated from your email. This UID2 will be shared among advertisers and data brokers, and it will anchor their behavioral profiles about you. And your UID2 will be the same across all your devices. Read Full Article at EFF >