On the regulation of personal data distribution in online advertising platforms

Abstract Online tracking is the key enabling technology of modern online advertising. In the recently established model of real-time bidding (RTB), the web pages tracked by ad platforms are shared with advertising agencies (also called DSPs), which, in an auction-based system, may bid for user ad impressions. Since tracking data are no longer confined to ad platforms, RTB poses serious risks to privacy, especially with regard to user profiling, a practice that can be conducted at a very low cost by any DSP or related agency, as we reveal here. In this work, we illustrate these privacy risks by examining a data set with the real ad-auctions of a DSP, and show that for at least 55% of the users tracked by this agency, it paid nothing for their browsing data. To mitigate this abuse, we propose a system that regulates the distribution of bid requests (containing user tracking data) to potentially interested bidders, depending on their previous behavior. In our approach, an ad platform restricts the sharing of tracking data by limiting the number of DSPs participating in each auction, thereby leaving unchanged the current RTB architecture and protocols. However, doing so may have an evident impact on the ad platform’s revenue. The proposed system is designed accordingly, to ensure the revenue is maximized while the abuse by DSPs is prevented to a large degree. Experimental results seem to suggest that our system is able to correct misbehaving DSPs, and consequently enhance user privacy.

[1]  Jordi Forné,et al.  Online advertising: Analysis of privacy threats and protection approaches , 2017, Comput. Commun..

[2]  Javier Parra-Arnau,et al.  Pay-per-tracking: A collaborative masking model for web browsing , 2017, Inf. Sci..

[3]  Jun Wang,et al.  Real-time bidding for online advertising: measurement and analysis , 2013, ADKDD '13.

[4]  Aniket Kate,et al.  ObliviAd: Provably Secure and Practical Online Behavioral Advertising , 2012, 2012 IEEE Symposium on Security and Privacy.

[5]  Saikat Guha,et al.  Privad: Practical Privacy in Online Advertising , 2011, NSDI.

[6]  Yang Wang,et al.  Smart, useful, scary, creepy: perceptions of online behavioral advertising , 2012, SOUPS.

[7]  Vitaly Shmatikov,et al.  Robust De-anonymization of Large Sparse Datasets , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[8]  Krishna P. Gummadi,et al.  Privacy Risks with Facebook's PII-Based Targeting: Auditing a Data Broker's Advertising Interface , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[9]  Claude Castelluccia,et al.  Selling Off Privacy at Auction , 2014, NDSS 2014.

[10]  Latanya Sweeney,et al.  k-Anonymity: A Model for Protecting Privacy , 2002, Int. J. Uncertain. Fuzziness Knowl. Based Syst..

[11]  Aleksandra Korolova Privacy Violations Using Microtargeted Ads: A Case Study , 2011, J. Priv. Confidentiality.

[12]  F. Martínez-López,et al.  Online Advertising Intrusiveness and Consumers’ Avoidance Behaviors , 2014 .

[13]  Mike Smith Targeted : How Technology is Revolutionizing Advertising and the Way Companies Reach Consumers Ed. 1 , 2014 .

[14]  Lorrie Faith Cranor,et al.  A comparative study of online privacy policies and formats , 2009, Privacy Enhancing Technologies.

[15]  Helen Nissenbaum,et al.  Privacy in Context - Technology, Policy, and the Integrity of Social Life , 2009 .

[16]  Miguel Núñez del Prado Cortez,et al.  Geo-Location Inference Attacks: From Modelling to Privacy Risk Assessment (Short Paper) , 2014, 2014 Tenth European Dependable Computing Conference.

[17]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[18]  Ahmad A. Kardan,et al.  Targeted advertisement in social networks using recommender systems , 2013, 7th International Conference on e-Commerce in Developing Countries:with focus on e-Security.

[19]  David Sánchez,et al.  Privacy-preserving and advertising-friendly web surfing , 2018, Comput. Commun..

[20]  Wen Zhang,et al.  How much can behavioral targeting help online advertising? , 2009, WWW '09.

[21]  Zekeriya Erkin,et al.  AHEad: Privacy-preserving online behavioural advertising using homomorphic encryption , 2017, 2017 IEEE Workshop on Information Forensics and Security (WIFS).

[22]  Matt Fredrikson,et al.  RePriv: Re-Envisioning In-Browser Privacy , 2011 .

[23]  Christo Wilson,et al.  How Tracking Companies Circumvented Ad Blockers Using WebSockets , 2018, Internet Measurement Conference.

[24]  Helen Nissenbaum,et al.  Adnostic: Privacy Preserving Targeted Advertising , 2010, NDSS.

[25]  Aaron Alva,et al.  Cross-Device Tracking: Measurement and Disclosures , 2017, Proc. Priv. Enhancing Technol..

[26]  Krishna P. Gummadi,et al.  Potential for Discrimination in Online Targeted Advertising , 2018, FAT.

[27]  Zhiyun Qian,et al.  The ad wars: retrospective measurement and analysis of anti-adblock filter lists , 2017, Internet Measurement Conference.

[28]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[29]  Kirubakaran Ezra,et al.  Location based mobile advertising framework for commuters , 2015, 2015 International Conference on Computing and Network Communications (CoCoNet).

[30]  Zekeriya Erkin,et al.  BAdASS: Preserving Privacy in Behavioural Advertising with Applied Secret Sharing , 2018, IACR Cryptol. ePrint Arch..

[31]  David S. Evans The Online Advertising Industry: Economics, Evolution, and Privacy , 2009 .