Digital is the fastest growing advertising medium in India and around the world for its ability to be targeted. As per published reports, digital ad spends in India is roughly 14% of overall advertising spends. The medium is expected to clock a massive 33% growth and touch Rs 9,700 crore by December, 2017.
By the virtue of being a specifically targeted medium, brands are continuously increasing spends on the medium in their quest for higher return on investment (ROI). However, the same virtue has sparked a debate on the level of personal user data harvested by ad networks and the privacy issues it is causing.
A recent report by University of Washington pointed out that a $1,000 (around Rs 65,000) budget is enough to track individuals through ad trackers used by ad networks and the private information of consumers generated via it can easily fall into the wrong hands of a person with this miniscule budget and a website.
The report points out that third-parties can use the purchase of ads, for as little as $1,000, to extract private information about individuals. It did this by conducting a case study into it and found out how easy it was to use ad tracking network to one's own personal gain.
Interestingly the tracking can be done even if a consumer doesn't click on an ad and if it is just displayed on the smartphone. The ad network then reports back the data to the buyer. The data can further be used to track the location of individuals in real time to know whether they are going home or to work and any other location with the help of their mobile phones.
With the help of ad-trackers, one can know the number of users at a location, number of visits to a location, time of the visit to the location, apps installed by the consumer and when and for how long the apps are used by the consumer.
"We find that an individual or small group with a $1000 US Dollar budget can use targeted ads and a DSP (Demand-side providers that managed advertisers and bids) to track the locations of targeted individuals as they move from home, to work, and to other sensitive locations. We find that we can target ads to users of specific applications and at specific locations, which means that one can use purchased ads to count the number of Grindr (a gay online dating app) users or Quran Reciters (a religious app) users in a house. We find that we can use targeted ads to learn when a person is using a specific application (e.g., when a targeted individual is using Talkatone, a messaging app); a natural extension could be to observe whether two targeted individuals are using the same app at the same time, thereby yielding potential side-channel information about communications patterns," said the report.
The ad tracking works through cookies and Mobile Advertising ID (MAID). Typically, an advertiser facilitates a DSP setting a cookie on the user when they visit the advertiser's website.
Digital advertising experts agreed to the findings of this report and pointed that personal and private information can fall into the wrong hands very easily with this.
Oliver Eriksson, Regional Head, Global Advisory, VML Southeast Asia and India says, "It absolutely poses a threat to private information falling into the wrong hands. And, this is the reason why there has been a rapid increase in malvertising (malware distributed through legitimate ad networks and websites)."
Malvertising has been rising rapidly over the last few years. As per a RiskIQ report Malvertising spiked by 132% in 2016 over the previous year. Even in 2015 malvertising saw 325% growth during the year.
"It is without doubt that private information can be exposed by an attacker and the severity only increases if you include the rapid increase in malvertising. Malvertising attackers love the powerful profiling capabilities of these ad networks as they can very effectively optimize their attacks by precisely targeting specific sets of users," says Eriksson.
He further says that this is possible in India too in theory, but the research experiment would have to be recreated here to find out the exact costs for people to do it.
Vishal Rupani, COO and Co-Founder, mCanvas says, "Targeted advertising can be used as a weapon by an attacker to invade privacy and obtain personal information on an individual or group. The research appears to be the first in-depth study showing how easy it is to pinpoint someone's current physical location - with an accuracy of 8 meters - by running ads inside mobile apps. And that's just scratching the surface of what can be unearthed."
He further says it is not hard to replicate this in India as several ad ecosystem players offer advanced targeting options, which can be used to pinpoint someone's physical location.
Another expert mentioned that using an ad platform (or a combination of ad platforms) that offers hyperlocal targeting and email or phone matching services can make the job of an attacker easy. Someone with digital marketing expertise, a small budget and a lot of patience can track an individual and his routine hangout spots. Additionally, the data could also be used to identify which apps (Dating, Religious, Health) the individual uses, as several ad platforms report such source data (for ad performance evaluation) to the advertiser.
Rupani further adds that most advertisers use an 'Impression Tracker', also known as Web Beacons, to track where and when their ads were displayed. "The tracker loads as soon as the ad is delivered on the users device and it doesn't require the user to click the ad. The tracker enables one to gather several user parameters like IP address, Browser/OS/Device Identifier (user agent string) and a cookie of the device. Even if the ad is not seen by the user (in cases where it loaded below the fold), the tracker would still allow user data tracking," mentions Rupani.
Targeted Advertising Going Beyond its Purpose?
The purpose of targeted ads may have been to get the brands closer to the audience, but it seems to be going beyond the purpose. It seems that in the bargain for more customer data, it has opened the door to potential risks to an individual's privacy.
"While the ad ecosystem players don't intend infringing on privacy, the technology built by them, unfortunately creates opportunities for rogue elements to take advantage," says Rupani.
He further adds that targeted advertising was meant to show me ads that would be relevant to me and not something that would be irrelevant or annoying. "I'd rather see ads for men's shaving blades than for lingerie," he says.
If the ad targeting system is exploited, an attacker could invade an individual's privacy and compromise his or her safety. Religious fanatics, ideological vigilantes, stalkers, burglars, blackmailers and businesses with a malicious intent could use digital advertising to identify and track unsuspecting targets.
Similarly, Eriksson agrees that target advertising has gone beyond the intended purpose and could infringe of people's privacy.
"This is beyond doubt and anyone who says it isn't, is either protecting a revenue stream or very willing to simply accept the situation in exchange for more relevant, intelligent communications.... Many popular media sites in the US have up to 70 trackers on them. Install a Chrome app called Ghostery and you can see how many trackers are on each site you visit," he says.
Gopa Kumar, Vice President, Isobar says, "If ad tracking is getting into privacy issues with regards to spying on people and getting to more and more details then it becomes a challenge. This is the reason you are increasingly seeing the ad blockers today. On the other hand, ad tracking is need as it helps advertisers check that it is sent to a user and not to a bot. Obviously ad tracking is used to help ads become more efficient, but in technology there is always a flip-side to it as well."
One of the solution Eriksson says is that people can use to protect their data from falling into that hands of ad trackers is by using ad blockers. Although not all ad blockers on mobile can also block in-app ads. "For web browsing people can also install a web browser such as Brave that has built-in ad blocking and other features to protect your privacy," he says.
However, doing this will end up disrupting the digital advertising ecosystem and publishers of online content will be the most impacted as the decrease in revenue will need to be offset with other income streams in order to continue to support the creation of 'free' online content.
Kumar points out that India is one of the leading countries in terms of using ad blockers and it is imperative to take notice of this as the whole industry can go for a toss. "There should be necessary guidelines on how to use ad tracking for the industry so that it does not infringe on anybody's privacy," shares Kumar.
Mobile adblock usage has expanded rapidly to 59% of smartphones in India, according to a PageFair 2017 ad block report. India also is highest in terms of ad blockers on devices as it stood at 136 million till December 2016.
Rupani suggests that an industry-wide collaboration among ad networks is required to create a framework that maintains the original intent of targeted advertising and prevents privacy invasion.
In the meantime, Rupani further suggests that users can reset their Mobile Advertising ID on their phones periodically. However, this method too does not solve the problem completely but just makes it harder for an attacker to continuously track a user.
Other things that would help would be using secure Wi-Fi networks and sharing personal information only on secure websites.
Ad networks restricting the number of ads delivered to a person in a day or week from an advertiser would also help. Vetting of ad buyers will also help keep unscrupulous elements out, suggests Rupani.
Then there is also the option of laws and guidelines being put into place by government bodies to restrict the level of data collection of users.
Eriksson says regulation would help, but people around the world are already voting with their actions to install ad blockers.
Rupani, however, believes that regulation may not entirely be the solution. "This isn't a black and white case. Defining which data points can be captured or which ones are prohibited will not solve the problem. We need to consider all the stakeholders, ie users, advertisers, publishers, and technology vendors, points of view to arrive at a solution that works for all. The research study has done a fantastic job of igniting the conversation. It has highlighted the need for starting debates and discussions among stakeholders to identify more concerns and potential threats to privacy, and consequently work towards addressing them," he says.
If the digital advertising industry thought that bots and click farms were a big problem, they may have a much bigger problem on their hands with the threat of privacy due to ad trackers and rising ad blockers as a result. It is time for them to address this issue.