News outlets entrusted with promoting transparency and privacy are also lobbying behind closed doors against proposals to regulate the mass collection of Americans’ data.
In a filing last week, the Interactive Advertising Bureau, a trade group, reported it was lobbying against a push at the Federal Trade Commission to restrict the collection and sale of personal data for the purpose of delivering advertisements. The IAB represents both data brokers and online media outlets that depend on digital advertising, such as CNN, the New York Times, MSNBC, Time, U.S. News and World Report, the Washington Post, Vox, the Orlando Sentinel, Fox News, and dozens of other media companies.
Under President Joe Biden and FTC Chair Lina Khan, the advertising technology industry is facing its first real challenge of federal regulation. There are several bills in Congress that attempt to define and restrict the types of data collected on users and how that data is monetized. Last July, Biden called for the FTC to promulgate rules over the “surveillance of users” in his landmark executive order on competition, which identified unfair data collection as a challenge to both competition and privacy.
In December, the advocacy group Accountable Tech petitioned the FTC calling for regulation of what it calls “surveillance advertising”: the process of collecting mass data on users of popular apps and websites and creating profiles of those users based on location, age, sex, race, religion, browsing history, and interests in order to serve targeted ads. The industry has grown in leaps and bounds, now generating billions in revenue, but has so far faced limited regulation in the U.S.
Major media corporations increasingly rely on a vast ecosystem of privacy violations, even as the public relies on them to report on it.
In a letter, IAB called for the FTC to oppose a ban on data-driven advertising networks, claiming the modern media cannot exist without mass data collection. “Data-driven advertising has actually help preserve, and grow, news outlets since its inception over twenty years ago,” the letter said. “The thousands of media companies and news outlets that rely on data-driven advertising would be irreparably harmed by the Petition’s suggested rules.”
The privacy push has largely been framed as a showdown between technology companies and the administration. The lobbying reveals a tension that is rarely a center of the discourse around online privacy: Major media corporations increasingly rely on a vast ecosystem of privacy violations, even as the public relies on them to report on it. Major news outlets have remained mostly silent on the FTC’s current push and a parallel effort to ban surveillance advertising by the House and Senate by Rep. Anna Eshoo, D-Calif., and Sen. Cory Booker, D-N.J.
“They certainly report on aspects of this problem, but they’re not reporting on how they’re complicit in the surveillance advertising story,” said Jeff Chester, the executive director of the Center for Digital Democracy, which supports the FTC petition for regulation.
Chester noted that major media outlets will cover episodic scandals, such as the use of Facebook data by the firm Cambridge Analytica during the 2016 presidential election or algorithmic targeting of ads in politics, but don’t provide context of how the outlets themselves use and benefit from the same collection of data for routine advertising purposes. (On its website, The Intercept uses Google Analytics but does not host more invasive trackers. Its podcasts use a separate third-party system, which users can opt out of.)
“The large media companies have their own programmatic advertising operations, or what you might call surveillance advertising, using content on their own websites,” said Chester. “Not only are they not reporting on this issue and what’s at stake, but they don’t report on what they do. It’s not just a privacy issue. It’s a democracy issue. It’s a consumer protection issue.”
The tension was highlighted in a 2019 New York Times guest opinion column provocatively titled, “This Article Is Spying on You.” The article noted that a reader visiting a Times news article on, for instance, abortion might encounter tracking technology used by nearly 50 different companies, including BlueKai, a firm owned by the massive company Oracle that sells user data for markets to target those with “health conditions” and “medical terms.”
The column was based on a review of 4,000 U.S.-based news websites and 4,000 non-news sites conducted by Timothy Libert, formerly with Carnegie Mellon University, and Reuben Binns, with the University of Oxford. It found that news sites are generally more reliant on third-party tracking technology than non-news sites and had a lower degree of user privacy.
“While users may turn to the news to learn of the ways in which corporations compromise their privacy, it is news sites where we find the greatest risks to privacy,” noted the authors.
Since then, news sites’ user tracking has only gotten more extreme. In 2020, a study published by Ghostery, a company that provides tools to block third-party data collection, found that news websites contained the most trackers globally — more than business, banking, entertainment, or adult websites. The trackers tend to collect a variety of data, including browsing history, location, and phone identifying information.
And it’s been highly profitable. The New York Times, for instance, has moved away from traditional print advertising and paper delivery and is increasingly reliant on digital advertising and subscriptions. In its latest quarterly disclosure, the Times revealed that its digital ad revenues increased by $19.2 million over the same period in the previous year. The increase was driven in part by greater programmatic advertising revenue, a term for the automated ads served by third-party ad brokers. The Times, notably, is a member of IAB, the lobby group that defends the digital advertising industry from regulation.
Last month, as part of the regulatory push on data privacy, the FTC issued a $2 million fine against the advertising tech firm OpenX for illegally collecting and monetizing location data from children on a mass scale. Advertising platforms such as OpenX serve as an exchange, with data from thousands of web publishers and tens of thousands of apps feeding profiles of users into a system that advertising agencies use to place targeted ads that appear across multiple news websites as users browse the web.
Many gaming, weather, and dating apps, as well as a variety of websites, quietly collect behavioral, demographic, health, and location data on users that is sold to advertising tech brokers. Advertising agencies go to data brokers to better target potential consumers. As individuals browse the web, they are greeted by custom advertisements based on profiles of what data brokers believe to be their shopping habits, interests, or concerns.
OpenX, which processes nearly 100 billion ad requests per day, is one of the largest third-party platforms that serve as a key mechanism of this data exchange. The FTC alleged that OpenX vacuumed up location information on child-focused apps without parental consent and used the data to attract advertisers.
There were a few blogs and industry trade outlet stories that covered the settlement, but no pieces in major media outlets that have otherwise intensely covered Silicon Valley and the sprawling privacy issues presented by consumer-facing tech companies.
If major media outlets had covered the story, they would have had to acknowledge an awkward reality. OpenX is one of the largest third-party advertising platforms serving the news media, alongside AppNexus, Google, and Facebook. The company is used or has been used in recent months for the placement of targeted ads by outlets such as the New York Times, CNN, Gizmodo, HuffPost, Fox News, and Der Spiegel. Several outlets said they were in the process of reviewing the advertising partnership with OpenX but could not comment further.
“We work with OpenX as a marketplace through which advertisers may bid to place ads on our website. We do not provide OpenX with either data relating to children or precise location data,” said Danielle Rhoades Ha, a spokesperson for the New York Times. The Times’s response, however, belies the nature of the third-party ad broker business; the Times does collect user location data, and its third-party behavioral ad partners, such as OpenX, use an array of sources to monetize location data for the placement of ads on sites such as the Times’s website. Other publications did not respond or declined to comment on their ties to OpenX.
“Almost all sites are trapped in a system of surveillance capitalism, in which they either steal data or rely on technology that steals data.”
The growth of digital advertising has forced nearly every major for-profit news website to utilize the most intrusive forms of mass surveillance, including browsing history and location data — a dynamic highlighted by the OpenX fine.
“It’s really a puzzling and tricky situation because almost all sites are trapped in a system of surveillance capitalism, in which they either steal data or rely on technology that steals data,” said Krzysztof Modras, director of engineering and product at Ghostery. “I don’t think OpenX is abnormal at all.”
Though advertising is the focus of the data collection industry, the applications of user data are boundless. Law enforcement agencies have tapped the oceans of user data, including for the targeting of protesters and activist groups. Powerful political interests have hired data brokers to better influence voters. The data broker Acxiom, another tech firm that partners with many news websites, has provided data to the FBI and discussed programs to sell user data to the Pentagon.
The Pillar, a conservative Catholic publication, claimed to have obtained location data from the gay hookup app Grinder from third-party data brokers to out a prominent Catholic priest as gay.
In the case of the FTC fine issued in December, OpenX had sourced precise geolocation data from children under the age of 13, including child-directed apps “for toddlers,” “for kids,” and “preschool learning,” in the data the company offered to advertisers, in violation of the Children’s Online Privacy Protection Act, or COPPA, rule.
“OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “Digital advertising gatekeepers may operate behind the scenes, but they are not above the law.”
Following the settlement, OpenX agreed to a periodic review of the apps the company uses to source its data. Max Nelson, a spokesperson for the company, pointed to a statement issued by the firm that noted the use of children’s location data was an “unintentional error” that has since been fixed.
Critics argue that the FTC needs to go beyond enforcing COPPA by cracking down on the sources of data that feed into the larger ecosystem. Many children’s websites and apps contain code that enable the sharing of user data with brokers. The tracking technology, known as an SDK, or software development kit, is intentionally embedded by web developers in order to monetize user data.
Angela Campbell, professor of law at Georgetown University, has argued for more enforcement and an update to the current law to make it easier for regulators to create clear rules to protect children from targeted data collection and advertising. Campbell noted that OpenX’s many partners also could have been targeted by regulators.
“I have a children’s app, if it’s a child-directed app and I’m the app developer, and I use an SDK from OpenX, I’m responsible,” noted Campbell. “This whole bidding process and advertising process is not transparent so the public doesn’t know about it. The FTC has not enforced this COPPA law very much at all.”
News outlets are also implicated. Although major media publications say they are not intentionally selling children’s data to OpenX and other brokers, these statements are largely expressions of plausible deniability rather than affirmative knowledge.
Unlike products and services which are specifically targeted at children, which are required under federal COPPA guidelines to collect age information, media sites are not required to verify the age of users as their products are primarily directed at adult audiences. This means that by default, news media sites assume all readers are adults and treat the data of all visitors the same, so children’s data is almost certainly provided to brokers — it just isn’t labeled as such.
Even news media sites with student sections, such as CNN Student News, which describes itself as “ten-minute, commercial-free, daily news program designed for middle and high school classes” do not consistently collect age information, thereby following the media industry standard assumption that readers are adults.
The near-unavoidable nature of online surveillance has presented similarly thorny issues for other privacy-centric organizations. Last year, Ashkan Soltani, a prominent privacy advocate, noted that the American Civil Liberties Union used many of the very data trackers the group has long critiqued. The ACLU shared personally identifiable information with third parties such as Facebook, including names, email addresses, phone numbers, and ZIP codes.
The decision to use the tracking technology was made by the ACLU’s fundraising and advocacy team, not its legal department, which often does not work in tandem, noted Catherine Crump, a former ACLU attorney who now leads the Samuelson Law, Technology & Public Policy Clinic at the University of California’s Berkeley School of Law.
This is all the more reason, advocates say, to focus on broad reform rather than simply highlighting cases of individual bad actors.
“There’s a tendency to focus on individual narratives even in the face of systemic problems,” said Alan Butler, the president of Electronic Privacy Information Center, who favors universal opt-out solutions for users and strict rules on so-called secondary collection of data.
“It’s not a solution to just bring a fine or enforcement when there is surveillance advertising happening up and down the stack and throughout the ecosystem,” added Butler.
The bigger question for the media might be, how do we create a free press that isn’t reliant on mass data collection?
“Does the free internet mean an internet dominated by surveillance and manipulation?” asked Chester, of Center for Digital Democracy. “What does it mean that the only way to have an independent news media is to have this kind of surveillance system? Those issues [have] not been covered by the press.”