Illustration by Agata Susiuk
Behind today’s ‘free and open’ internet lie shadowy firms who have made your data their business – many of them based in Berlin.
If you didn’t look for them, you wouldn’t even know they were there. But install a simple privacy tool like Ghostery and you’ll find them lurking on nearly every website you visit, like a swarm of cockroaches underneath spotless floorboards. Their names are nonsensical: Eyeota, Nugg.Ad, Quantcast, Zanox. You don’t know them. But they know you.
These are the invisible engines that power the internet today: data mining companies that determine which ads you are shown by monitoring what you do online. As the €27.3 billion industry continues to expand, these companies are devising ever-cleverer ways to get at that information while staying within Europe’s strict, yet pliable, privacy laws. And many of them have their roots in Berlin’s own blossoming start-up scene.
One of those companies is Nugg.ad, once a start-up, now an international corporation owned by Deutsche Post specialising in “Predictive Behavioural Targeting” with eight offices across Europe. Accepting us into their cheerfully yellow Friedrichshain headquarters, consulting director Sema Saglik was all smiles as she explained the company’s business model – and, of course, their amazing privacy record.
Nugg.ad partners with the publishers of over 4000 sites (including those in the Axel Springer group, such as Bild.de) to log users’ pageviews via the invisible graphics known as “tracking pixels”. They correlate data about what kind of content you view – “sports”, “health and beauty”, etc. – with “anonymous survey responses” about age, gender and other interests to put together your likely profile. This profile (minus your IP address, which is cut off using third-party software) is relayed via browser cookie to the original website as well as advertising networks, who use this information to show you the ads and content they think you’re likely to click on via an automated process called “real-time bidding”. This all happens in a matter of milliseconds.
Saglik estimates 85 percent of German users have a Nugg.ad cookie on their computer – so even if you’re not clicking on the ads they’ve helped to place, chances are someone is. “Just one percent is enough,” says Jonas*, a tech-savvy Berliner who used to work at digital marketing company Neue Digital (now Razorfish). “A lot of people won’t click on the ads, but the ones who do offer enough revenue.”
The ‘good ol’ shopping experience
Welcome to the new digital economy: an internet where we’re given access to seemingly unlimited amounts of information… which we’re paying for, largely unbeknownst to us, with information of our own. As author and documentarist Astra Taylor writes in The People’s Platform: Taking Back Power and Culture in the Digital Age, “Web 2.0 is not about users buying products. Rather, the users are the product.”
Not that the organisations buying and selling this product will admit to it. Nugg.ad claims they’re benefiting not only advertisers but users, by showing them only the ads that are relevant to them. Says Saglik: “When you’re a 25-year-old male, you don’t want to see ads for diapers.” Another such company, TheAdex – with offices in Berlin, Düsseldorf, London and Switzerland – justifies their practices similarly on their website: “We dream of the ‘good ol’ days’ when you went to the local butcher or baker and they knew exactly what you wanted and why. It seems like a serious breach of privacy viewed through a modern prism, but for some reason we don’t feel that way when it’s a small business owner. The intent is the same: to make a better shopping experience for the customer.”
It sounds innocuous enough. But in the case of the butcher you know exactly what information you’re giving out and what he’s doing with it. To the average internet user, this isn’t quite as clear when it comes to “predictive behavioural targeting” and “next generation data management solutions”. And in the case of people who publish on platforms such as Blogger, the analogy is closer to the butcher’s landlord getting information about you behind the butcher’s back.
Companies thus take advantage of consumers’ ignorance to pull some seriously sneaky manoeuvres – leaving the programmers working behind the scenes conflicted. “If you want to work in the start-up scene now, you’ve got to navigate tonnes of dodgy job offers,” says Nicolas*, a programmer from Finland. Niels*, also from Scandinavia, moved to Berlin to work in the hyped start-up scene. He found himself at the “ad attention measuring technology” company Meetrics, which runs scripts on over 2000 sites including Spiegel Online, Germany’s most influential news site. Their technology allows them to see and store data about how people’s mice move about a web page – “where they click, where they scroll. The information is sold both to the webpage owners and advertisers so that they can see which advertisements are most successful for whom. We could also pull up specific IP addresses and replay how a person navigated a specific web page.” According to him, there was also a plug-in that they developed that would be installed, usually without awareness of the consequences, by a user who clicked on a certain ad, survey or offer to ‘win a free iPad’. “This plug-in had the full potential to take over that person’s web browser, to take their private information such as bank account numbers, passwords…”
Hidden terms and conditions
How much of this is legal? Surprisingly, nearly all of it – even in Germany, the country with some of the strictest data protection laws in the world. “Basically, in the US, you can do anything you want with data as long as you don’t infringe the rights of the person,” says Jana Moser, a lawyer specialising in digital privacy law. “In Germany, you can only use data to provide the service specified by the website – that which is really, strictly mandatory, nothing more.” But there is a catch.
Under current law, there is a difference in the treatment of personally identifiable data (names, addresses, credit card numbers) and anonymous or pseudonymous data: numbers that are not personally identifiable, but might be in combination with each other. The difference between the two can be as simple as a string of three digits: in Germany, IP addresses are considered personally identifiable information, yet with cookies and tracking pixels, logging these numbers is inevitable. That’s why many companies, including Nugg.ad, use an outside program or “third-party anonymiser” to randomise or truncate users’ IPs. You only need the last three digits to be removed for the address to be rendered anonymous. Still, information about the router used or the city of origin might remain.
The more “anonymous data” companies collect, the easier it is to correlate their ‘profile’ of you. “It gets to the point that it’s not anonymous at all,” says Jonas. “Companies never technically break the law because they use exchange binaries and work together to collect data and pass it along. They can take your data from several different sources and correlate it all in a matter of seconds and come up with a profile linked to your name.” This is possible, he says, through application programming interface (API) technology, a tool that allows web applications to share data from cookies. “It’s happening all the time. The law in Germany is that you are not allowed to collect something like this, but companies are doing it anyway – if you get caught, you have to pay a fine, but usually the company will just pay it because the chance of actually getting caught doing this is pretty small and the risk is usually worth it.”
It’s a common tactic for companies to spread information around different servers in different countries, taking advantage of differing privacy laws. Or they can move around within Germany, says Moser: “All companies have to respect the same laws, but when it comes to interpretation of the law, different authorities in different federal states have different opinions. The more they know about the technical infrastructure, the faster they react. So, you’ll hear about the authorities in Hamburg going against Facebook… but the authorities in Saxony? Never.”
Perpetually obsolete regulations
A better, comprehensive data protection policy is clearly needed to keep up with the times – and in fact, since 2012 the EU has been putting together such a policy, a reform of the current laws (which were passed in 1995). Yet keeping digital privacy laws vague and open to interpretation might be the most effective tactic at regulating Big Data, says Moser. “The more detailed regulation we have, the more difficult it will be to catch up in the future. We can’t just say, ‘We have to regulate iBeacons’, for example, because in one year we might not have iBeacons anymore.”
The data industry is therefore counted on to regulate itself, through a series of (optional) privacy programmes like the European Privacy Seal, a certification awarded to companies that pass inspection by third-party IT experts, and the Deutscher Datenschutzrat Online-Werbung (DDOW), the industry body that came up with a codex of guidelines for German digital advertising companies. In the wake of the Snowden revelations and increasing consumer uneasiness, Big Data players have also come to recognise the value of transparency – so long as they’re the ones doing the revealing. The Your Online Choices program, for instance, displays a tiny blue icon in the corner of ads; click on it and you’ll be brought to a website, created by the European Digital Advertising Alliance, that informs you why and how your data’s being used and includes a “Preference Management” section in which you can opt out of data collection by over 80 companies in one fell swoop (theoretically – it’s plagued with “connection problems”). Nugg.ad CEO Stephan Noller is even putting on a “Data Days” festival this October, complete with talks on “Data-driven Applications vs. Ethics and Policies.”
“I think self-regulation can be good,” says Moser. “But what should never happen again is this Safe Harbour concept.” That’s the agreement, dating back to 1998, by which US-based companies like Google and Facebook are currently allowed to gather data on EU citizens. They only need to “self-certify” that they are in compliance with European data protection law, as enforced, by all accounts ineffectively, by the US Federal Trade Commission. In August, the US consumer rights advocacy group Center for Digital Democracy (CDD) accused 30 American data companies – including Adobe, AOL and data brokerage giant Acxiom – of “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent”. The group called for the suspension of Safe Harbour, which would prohibit any US-based site from collecting data in Europe.
Instead of counting on corporations to conform to bendable, perpetually obsolete regulations, the best option would be for users to take their data into their own hands. You can start small, by blocking cookies or deleting them after every browsing session and downloading a browser plug-in like Disconnect, Scriptpolicy or Ghostery to display and block all advertising and analytical requests.
If every internet user was as informed as possible and chose to opt out of everything, “the entire industry would collapse,” says one Berlin insider. You can see the beginnings of this for yourself. Block every single cookie and tracker and your personal internet experience will fundamentally change – videos won’t load, for example. In the long run, though, it might be a small sacrifice to make yourself a totally free member of the new digital economy order.
Originally published in issue #130, September 2014.