Uh oh! European carriers are trying to get into 'personalized' ad targeting

As Google works on reconfiguring its adtech stack to move away from cookie-based ad targeting to something else that's not yet fixed but which it claims will be better for individual web users' privacy -- and after Apple's move last year to lock down third-party tracking of app users on iOS, also on a claim it's better for user privacy -- a number of telcos in Europe are sniffing opportunity to press in the polar opposite direction.

In recent months it's emerged that several telcos in the region are testing what they describe as a "cross-operator infrastructure for digital advertising and digital marketing" -- aka TrustPid, as they're branding the ad targeting initiative -- although, as is customary with respawning adtech, they're claiming their approach is "secure and privacy-friendly."

Users of mobile networks -- who pay their hard-earned money to get cellular connectivity, not to be clobbered with (yet) more consent pop-up spam and/or be ad-stalked around the internet -- may well take a very different view, as they wonder how many times they're going to have to keep slaying the tracking zombie.

EU privacy regulators are also on early alert, having fielded complaints and/or raised concerns over the telcos' approach -- which suggests regulatory intervention could follow if carriers decide to move ahead with a full launch.

The carriers are dubbing their plan a "counter-design to third-party cookies" -- and say it involves the creation of "pseudo-anonymous tokens" that are linked to the mobile device user's IP and mobile phone number (which is classified as personal data under EU law).

The 'twist,' if you can call it that, is that different tokens are generated for each ad partner -- which they claim "limits" the merging of data from different ad partners to create profiles on customers. But individual level ad targeting is still individual level ad targeting. (And consent spam may still be unlawfully attention sapping.)

The telcos involved in TrustPid are proposing to manage -- and presumably monetize -- advertisers' access to this network-based infrastructure.

Technical details of how the tracking-based targeting is intended to work in practice are not immediately clear -- but here's how Vodafone, which is leading the initiative, explains the approach online:

As noted above, the proposal by European telcos to embed themselves into the ad-tracking game has quickly attracted plenty of the wrong kinds of attention -- with regulators and data protection experts querying the legal basis for the processing and, more broadly, questioning the ethics of repurposing mobile network traffic for ad tracking.

News of the proposal to fire up individual-level ad-targeting at the carrier level in Europe made it into German press late last month where it was reported that Vodafone and Deutsche Telekom were testing TrustPid locally -- with the German publisher Bild/Springer initially signed up (another local publisher, NTV/RTL Group, has since also been reported to have joined the tests).

A report in Spiegel called the TrustPid trial "the return of the supercookie" -- a reference to a deeply unpopular tracking technique used by U.S. carrier Verizon about a decade ago (which also attracted FCC sanction).

"Cellular providers like Vodafone and Deutsche Telekom are in a unique position. Even if the browser routinely deletes cookies or even changes the IP address, the provider can still link the data traffic to the respective cell phone number," Spiegel wrote in the report [translated from German with machine translation]. "Advertisers don't want access to names or real mobile phone numbers, only to a pseudonymous identifier. However, this can quickly be reassigned to a specific user profile, for example when shopping in an online shop or logging in to an e-mail provider."

The newspaper went on to quote a spokesperson for the data protection authority in North Rhine-Westphalia -- raising questions about the appropriateness of TrustPid's stated reliance on user consent for its legal basis. The DPA's spokesperson added that the authority would be taking a closer look at the initiative's compliance with EU data protection law.

Media attention to the TrustPid trial in Germany was quickly followed by an announcement by the country's federal data protection authority, the BfDI -- presumably getting a lot of alarmed inbound from citizens of the famously privacy-loving country at that point -- admitting that the project was presented to it in 2021. But it emphasized it had not given any kind of sign-off on lawfulness of the approach.

Indeed, on the contrary, the federal authority said it had flagged a number of "data protection issues" vis-a-vis the proposal, including its focus on relying on consent for its legal basis.

"At that time, we pointed out various data protection problem areas, in particular the requirements for effective consent. However, we have NOT made any final project assessment or given any kind of approval. It was only agreed that there will be further consultations with the relevant telecommunications service providers in the future," the authority wrote [in German; we've used machine translation] at the end of May.

Nonetheless, Vodafone et al. appear to have pressed on with their tests -- which, earlier this month, were reported to have spread to Spain, via local carriers Movistar and Orange.

Asked about the legal basis being relied upon for the experimental tracking system, Simon Poulter, a senior spokesman for Vodafone, denied that TrustPid is akin to a 'supercookie.'

"What we’re trialling in Germany is a system based on digital tokens which do not include any directly identifiable information. Participation in the trial is only possible after having previously given voluntary and explicit consent (so-called opt-in)," he told TechCrunch.

"For a single user, the token generated will be different for each different partner. This limits the merging of data from different parties to create extensive profiles on customers -- one of the big drawbacks for consumers in the way digital advertising works today. The tokens are expired after 90 days providing consumers with further protection. The telecommunications providers do not enhance the tokens with any customer, traffic or location data nor is this provided by the service in any other way. Neither the partners, nor TrustPid itself, can identify an individual by means of the tokens created by TrustPid."

In further remarks, Vodafone's spokesman also claimed:

"The service doesn't intercept or alter the data flows between a user and a website in any way, contrary to how other technologies sometimes called supercookies work" -- and went on to dub it a "win-win" for users who he also claimed can "take control over their online privacy and decide who can show them personalized content and advertising."

While there are some technical differences between assigning a permanent, fixed ad identifier per mobile device and linking single-use pseudo-anonymous tokens to target ads per device, at bottom both are setting out to repurpose mobile network infrastructure for tracking. And many mobile users would say that sums to the same kind of creepy.

In TrustPid's case, telcos banding together with select publishers to erect a whole new attention-sapping vector targeting mobile users -- which requires them to keep denying consent to ad-tracking as they go about their business on the mobile web as they're faced with yet another unfamiliar-sounding 'partner' in the laundry list of cookie pop-up consent demanding data processors -- does not sound like the kind of 'control' most people would prize.

It also pays to remember that a large chunk of current online advertising was recently found in breach of EU data protection rules -- after the IAB Europe and its TCF framework were deemed to be delivering compliance theatre (rather than lawful compliance), exactly because of bogus reliance on non-compliant consent spam.

The IAB was given a few months to come up with a reformed approach. So a bunch of European carriers proposing a new wave of consent-based tracking of regional mobile users looks ill-thought-through, to put it mildly.

Genuine user control -- if that's what Vodafone et al. actually want to deliver -- would require this tracking infrastructure to be always off at source. Unless or until a mobile user instructed their telco to turn it on. Aka, making it opt-in.

But -- as far as we can gather -- that's not how TrustPid has been designed to work.

TrustPid's website claims users can withdraw their consent at any time via its Privacy Portal (i.e., in addition to repeatedly denying consent at the publisher website level). However, when TechCrunch attempted this process -- by accessing TrustPid's bespoke "manage your consent" process via a mobile device connected to a participating mobile network -- we were unable to access any controls that allowed us to actually opt out. (It's possible the test has only been rolled out to a portion of participating carrier networks' users; but if it's not clear who can even opt out, that is not exactly looking amazing on the transparency front, either.)

The convoluted process TrustPid has devised to 'opt out' also merits a mention -- as it requires browsing to this brand name website (not your carrier's own site) while connected to a participating mobile network (not Wi-Fi) and clicking on a "Verify me" button that's accompanied by an off-putting chunk of text which states that you agree to the processing of your personal data "as detailed in the Privacy Notice [which is hyperlinked] in order to verify you and enable access to the 'manage your consent' section of the Privacy Portal" (Actual quote; I kid ye not!).

When we tapped on this horrible-sounding "Verify me" button it disappeared and was replaced by the tedious-sounding word "Accessing…" which was accompanied by a looping status bar that just kept looping infinitely and never actually progressed to displaying anything -- such as an 'opt-out' button.

So, in our experience, TrustPid's claimed 'opt out' was indeed pure dark pattern theatre.

Moreover, since the TrustPid tokens are designed to re-spawn every 90 days, the opt-out-seeking user must -- presumably -- return afresh every three months to restate their desire not to be tracked.

If that's control, it's an exceptionally tedious flavor that makes a mockery of user agency by making exercising it a never-ending chore.

Failing TrustPid requiring affirmative user consent via an opt-in, the telcos could at least provide a persistent, centralized opt-out.

Instead they seem to have devised a 'control' that's either decentralized/scattered (i.e., across an unknown number of various publisher consent flows); and/or complex and inherently ephemeral as it perpetually resets on TrustPid's own multilayered "Privacy Portal" -- and ofc they've branded all this as "privacy-friendly."

Frankly it's exhausting just describing it. (Let alone having to mark a calendar with a recurring event to refresh an opt-out of a thing we never asked to be included in in the first place.)

TechCrunch contacted Spain's data protection watchdog about TrustPid's tests in the country to ask if it has any concerns. The regulator confirmed it has received a complaint and the AEPD's spokesperson told us it would process the complaint following standard procedures -- so it remains to be seen whether it (or any German DPAs) progress to opening a formal investigation.

(The AEPD received a similar complaint against Apple's IDFA -- an ad-tracking ID (albeit a fixed one) the iPhone maker links to iOS devices -- back in November 2020 and said at the time it would investigate that, though we've not seen any public outcome yet.)

Prior to a few DPAs expressing concerns, the TrustPid experiment landed on the radar of the Washington Post's privacy engineering lead, Aram Zucker-Scharff -- who tweeted this unreassuring assessment of what he'd spotted back in April, while pointing out that T-Mobile was already doing something similar in the U.S. on an opt-out basis.

Thing is, the U.S. does not have comprehensive data protection legislation to regulate how mobile users can be tracked. Whereas the European Union does -- via the ePrivacy Directive, which regulates tracking technologies and mandates that users are asked for their consent to such tracking.

Europe's top court has also weighed in in recent years -- making it clear that consent for non-essential tracking must be obtained prior to storing or accessing the tracking tech.

There is also the EU's General Data Protection Regulation (GDPR) -- and its requirement for privacy by design and default; for transparency -- and for consent to be informed, specific/non-bundled and freely given.

All of which should count for something when it comes to protecting European mobile users from creepy, network-level tracking.

Asked about TrustPid's approach to consent, Poulter claimed no processing of users' personal data occurs within the TrustPid system prior to a user accepting a cookie pop-up on a participating publisher's website. "Explicit consent is collected via participating partners before the point of data processing," he told us. "This consent is then used to provide the service. No tokens are generated unless consent is obtained. Each participating partner requires their own consent."

However, per his description of the system, none of the participating carriers themselves ever proactively ask for user consent at any point -- which, if they did that, would at least surface the fact they are trying to repurpose subscribers' mobile network traffic as ad-tracking infrastructure. So the source of the tracking looks obfuscated by design.

The average mobile user getting a pop-up on their device from their carrier -- asking if they can use their IP and mobile number so websites can target them with "personalized" ads -- would surely insta-hit the 'no way José!' button.

By outsourcing the gathering of consents to third party ad 'partners,' TrustPid's approach looks intended to dodge denials -- but by doing that it risks running counter to key principles baked into EU law.

There is also just the pure creepy optics. It looks hella baaaaaaad. Because this is mobile network traffic data. And can a telco really delegate consent collection of that to a random grab bag of other advertising 'partners'?

"Companies that operate communication networks should neither track their customers nor should they help others to track them," Wolfie Christl, a researcher at Cracked Labs in Austria -- who raised early concerns about TrustPid's approach -- told TechCrunch.

"I consider the project an irresponsible abuse of their very specific trusted position as communication network operators. It is a dangerous attack on the rights of millions. It appears they want to legally justify it with the misleading and meaningless pseudo-consent banners we have to deal with on websites every day, which is irresponsible and outrageous."

"The project undermines trust into communication technology and should be stopped immediately," Christl added. "I hope that European data protection authorities quickly team up and stop the project."

Dr. Lukasz Olejnik, a privacy researcher and consultant based in Europe -- who was similarly quick to query whether the telcos' experiment complies with the EU's 'privacy by design' requirements -- also highlights how unpopular this sort of tracking tends to be with users.

"While some U.S. carriers tried to field test such systems years ago, it never really caught on. The thing is, people rather disliked such systems and it’s no wonder why. Building it with privacy is hard. I am not aware of any privacy considerations or thinking put into this TrustPid endeavour," he said.

"When people subscribe to telecom carrier services, what they expect is a telecom service. Such additions are unexpected," he added.

Other carriers involved in the TrustPid project that we contacted for comment referred us back to Vodafone -- whose spokesperson did finally confirm that carriers do not intend to gather any consents themselves.

"The participating website must obtain explicit consent from the user at the point before any data processing begins," said Poulter.

"TrustPid makes use of Vodafone’s network connectivity to anonymously identify a user on a website -- once their consent has been expressly given. Only once that unique digital token is issued can advertisers and publishers use them for targeted advertisements. The tokens do not include any personally identifiable information. The tokens have a reduced lifespan and are specific to individual advertisers and publishers. The consumer is free to opt out at any time via the privacy portal that provides a transparent view of what consent they have given (i.e., opt in).

"Every brand or publisher token holds a consent against it, which can be revoked by the user at any time through a privacy portal. Once revoked, that brand or publisher can no longer use it for advertising. Vodafone does not control that process."

Vodafone's spokesman added: "We believe it is relevant to offer advertisers and publishers … a level playing field for the digital advertising sector but, most importantly, to offer end users greater control, choice and transparency."

If Vodafone believes the tracking system it wants to subject mobile users to is indeed fair and transparent -- and compliant with EU data protection law -- why are experts and regulators concerned?

Poulter did not offer a direct response to that question -- merely confirming that the telco "engaged with the BfDI to get its view from a telco regulation perspective."

"We will also engage with other regional or national regulators where they have any queries," he also told us, adding: "Specifically, the BfDI gave guidance on how to ensure compliance, including transparency and ensuring users can ‘reject’ with a single click at the first layer of consent request in the interface."

Of course Vodafone et al. won't be in control of the look and feel of cookie compliance on participating publishers' websites -- so won't be in a position to ensure a clear 'reject' option is offered at the first layer. And given we all know what a total compliance trash fire cookie consent pop-ups generally remain, as resource-strapped DPAs have largely looked the other way at such widespread privacy breaches, it looks safe to assume TrustPid's partners will deliver more of the same.

There's a further twist in the tale, too, as the BfDI told us TrustPid itself has been established as a U.K.-based company -- meaning it won't be regulated by EU-based regulators -- at a time when the U.K. government is moving forward on a plan to diverge domestic legislation from the EU's data protection framework, including by loosening the rules around consent for cookies … Fancy that!

The German federal data protection authority also confirmed it was "merely informed" by Vodafone about its trial of the TrustPid-technology together with Deutsche Telekom, as it regulates the two carriers.

"For TrustPID, the responsible data protection authority is not us but the British data protection authority ICO. The U.K.-based company TrustPid itself has not contacted the BfDI at any time," it told us.

"The mobile network provider creates a unique, pseudonymous network identifier for TrustPid. Therefore TrustPid technology could be seen as a value-added service according to the ePrivacy Directive. But the BfDI emphasizes that only an informed and voluntarily given consent is an acceptable foundation for the use of this technology," the authority went on, expressing scepticism about the use of consent for this type of tracking.

"High standards must be set here and we are sceptical that the current consent fulfils that aim," it added. "The BfDI has not yet made a final decision regarding the data processing by Vodafone and Deutsche Telekom."