On the surface of it, browsing the internet feels pretty simple: we click a link and visit a website – clicking to get rid of a few annoying pop-ups about privacy along the way – and it shows us what we want to read, alongside a few adverts.
That might be what we see, but beneath the bonnet there is far more going on than we realise: every single click on the internet launches a huge international auction, as companies try to match up our personal data and make guesses about us, scattering our information across the world – all to serve us an advert.
Middle men sitting between brands and the customers they try to advertise to process our data, join up different data sets about us, make guesses about our location, wealth, and demographics, and propel it to dozens of companies.
The result, according to some data experts, is that the kind of data breaches or invasions of privacy that we might associate with Facebook and Cambridge Analytica, and firms of its type, aren’t some rare violation of business-as-usual online – they are business-as-usual online.
In Europe how our information is used is now governed by strict rules known as the GDPR (General Data Protection Regulation). In the UK, the Information Commissioner’s Office (ICO – which regulates some uses of data), warned in a report released earlier this month that it plans to look into “data brokers”. These are the companies that buy-in, match up, aggregate and sell on our online and offline data.
One example the ICO is already concerned about, was the UK’s three main political parties using outside data to try to guess the ethnicity of different households in a bid to decide which voters to target – a practice the ICO said likely violated GDPR.
But that could just be the start: some experts think that if anyone kicks up what’s really going on for brands to get their online adverts to us, that it won’t just be data brokers or political campaigns on the hook, but every major advertiser too. So, then: what really happens each time we click?
Before You Click
Online advertising is essentially a version of capitalist match-making. The advertiser wants to show its product to someone who might buy it, and the website owner delivering the advert wants to get as much money as possible for the click it’s just received.
That means that almost all online advertising is delivered through instantaneous auctions, taking place in milliseconds, to see who’s most willing to pay for a few seconds of your attention – this is known in the trade as “programmatic” advertising.
For matchmaking, we need two sides: in this case, a brand and you. The brand’s step happens first – with them deciding the kind of person they would like to target, often based on a database of existing customers, or a mailing list, or data they have bought in.
They then hand it over to a Data Management Platform, who might then get in touch with a data broker to, for example, match up the mailing list to people in affluent postcodes, if it’s a high-end product – why pay to advertise to someone you don’t think will be able to buy? At this point, this “enriched” data is making algorithmic guesses about your private information – already a potential violation of GDPR.
That company in turn sends a segment of the data to what’s known as a Demand Side Platform – the company in charge of finding the right places (and right price) to place adverts to find people similar to those the company wants to target. It’s not trying to find those exact people, but rather anyone online who looks similar to them.
The brand, and the companies working on its behalf, are now ready and waiting – they know who they’re looking for. Now, they just need some possible candidates.
This is where you come in. You might have followed a link from social media, email, a search engine, or even just typed in a web address, but now you’ve arrived at a site your computer or phone has sent a message to its server asking it to deliver you the content you’ve asked for.
For any site showing programmatic adverts – including this one – this sets off a lengthy chain reaction. The first thing the site does is the obvious one that’s visible to us: it starts sending you the editorial (non-advertising) content that you’ve asked for. So far so good.
What it also does is then send a message saying – more or less – “give me some adverts please!” to a Supply Side Platform, a company specialised in doing the mirror of what the demand ones do: get as much info as it can to go into the matchmaking lottery and get the best price possible.
That Supply Side Platform then sends – via the website you visited – a request for your computer to send it as much information as it’s willing to: it will send details of your browser and its ID, your IP address (which gives your rough location), and as much information from cookies as it can, which can include details of your browsing history and much else.
Once it’s received whatever information your computer was willing to hand over – the more the better, as it lets advertisers target better – it bundles it up, and it’s ready for the main event: the auction for your attention.
This is the main event: the Supply Side Platform passes on its bundle of information about who’s viewing the website (and which website you’re viewing) to an ad exchange – the online equivalent of an auction house, which then essentially shows it to tens, hundreds, or possibly even thousands of bidders – the Demand Side Platforms we saw earlier.
This is the step that runs against our intuition: when we click the privacy pop-ups on each website we see, we roughly understand that the site we’re visiting sees some data about us, and whichever company shows us the advert sees some too.
But that’s not even the start of it: each Demand Side Platform might be looking at hundreds of possible clients, and your data can be sent to dozens or hundreds of DSPs with each click. All of this happens within the space of less than a second, in the time between clicking a link and the page fully loading – but that’s enough time to send at least a little of our data spinning across the world, in thousands of different places.
Eventually, each DSP finds the brand on its books that is willing to advertise to someone like you for the best price, and offers that up to the exchange. Whichever has the highest bid (subject to the criteria of which ads the site will accept) gets to show you the advert, which gets sent directly to your browser.
The deal is done – though that’s not quite where the data-transfer ends, as the DSP can ask your computer to send it “sync” information, another little packet of your browsing data, as an afterthought to the transaction.
All of this is just one advert, on one page. When you multiply that by multiple adverts on each page (sometimes served through different exchanges and platforms), and the dozens or hundreds of clicks we make each day, we send ourselves everywhere across the ether day by day.
What It All Means
This is a simplified version of how one type of advert is served, and it’s still extremely complicated – and we have almost no insight into exactly what each company in the chain does with our data. Can any of us really say when we click “accept” on a website that we understand what we’re accepting and what happens next?
For some of us, it’s fine: if that’s the cost of business, so be it. For those of us who worry about what could happen, there’s a few steps we can take on our own. For one, we can lock down our browser privacy settings, stopping them storing cookies. We can get a measure of protection by using ad-blockers. And we could go through the painstaking “more details” boxes – often with dozens of boxes to untick – hidden behind those “privacy” pop-ups as we visit a site.
The bigger picture, though, will only be changed by one of two things: either regulators will take action, or consumers will sue – and despite not being the ones involved in the intricacies of the online market, it could be the big brands, as the ultimate advertisers, who could find themselves on the hook, both reputationally and legally.
The whole situation is summarised by data protection expert and privacy advocate Johnny Ryan.
“Every single time a person loads a page on a website that uses ‘programmatic’ advertising, information about what they are reading and the device they use is broadcast to a large number of adtech companies, who then do God knows what with it,” he explains.
“We can guess about what they do, however, because of these companies are in business with data brokers. These brokers’ business model is to accumulate and sell highly sensitive profiles about people. This broadcast of who you are and what you are reading happens constantly, on every page load, on virtually every single website.”
“In GDPR terms, this “programmatic advertising” is a vast and ongoing data breach, and it means that everyone involved can be subject to an investigation by Elizabeth Denham, the Information Commissioner, and can be taken to court by Internet users.”
2018 feels like it’s been dominated by tales of data breach after data breach, by what certain groups have done with our data. It seems as if, now we’ve started scratching the surface, this could just be the very beginning.