EU parliament backs tighter rules on behavioural ads

The EU parliament has backed a call for tighter regulations on behavioral ads (aka microtargeting) in favor of less intrusive, contextual forms of advertising — urging Commission lawmakers to also assess further regulatory options, including looking at a phase-out leading to a full ban.

MEPs also want Internet users to be able to opt out of algorithmic content curation altogether.

The legislative initiative, introduced by the Legal Affairs committee, sets the parliament on a collision course with the business model of tech giants Facebook and Google.

Parliamentarians also backed a call for the Commission to look at options for setting up a European entity to monitor and impose fines to ensure compliance with rebooted digital rules — voicing support for a single, pan-EU Internet regulator to keep platforms in line.

The votes by the elected representatives of EU citizens are non-binding but send a clear signal to Commission lawmakers who are busy working on an update to existing ecommerce rules, via the forthcoming Digital Service Act (DSA) package — due to be introduced next month.

The DSA is intended to rework the regional rule book for digital services, including tackling controversial issues such as liability for user-generated content and online disinformation. And while only the Commission can propose laws, the DSA will need to gain the backing of the EU parliament (and the Council) if it is to go the legislative distance, so the executive needs to take note of MEPs’ views.

Battle over adtech

The mass surveillance of Internet users for ad targeting — a space that’s dominated by Google and Facebook — looks set to be a major battleground as Commission lawmakers draw up the DSA package.

Last month Facebook’s policy VP Nick Clegg, a former MEP himself, urged regional lawmakers to look favorably on a business model he couched as “personalized advertising” — arguing that behavioral ad targeting allows small businesses to level the playing field with better resourced rivals.

However the legality of the model remains under legal attack on multiple fronts in the EU.

Scores of complaints have been lodged with EU data protection agencies over the mass exploitation of Internet users’ data by the adtech industry since the General Data Protection Regulation (GDPR) began being applied — with complaints raising questions over the lawfulness of the processing and the standard of consent claimed.

Just last week, a preliminary report by Belgium’s data watchdog found that a flagship tool for gathering Internet users’ consent to ad tracking that’s operated by the IAB Europe fails to meet the required GDPR standard.

The use of Internet users’ personal data in the high velocity information exchange at the core of programmatic advertising’s real-time-bidding (RTB) process is also being probed by Ireland’s DPC, following a series of complaints. The UK’s ICO has warned for well over a year of systemic problems with RTB too.

Meanwhile some of the oldest unresolved GDPR complaints pertain to so-called ‘forced consent’ by Facebook — given GDPR’s requirement that for consent to be lawful it must be freely given. Yet Facebook does not offer any opt-out from behavioral targeting; the ‘choice’ it offers is to use its service or not use it.

Google has also faced complaints over this issue. And last year France’s CNIL fined it $57M for not providing sufficiently clear info to Android users over how it was processing their data. But the key question of whether consent is required for ad targeting remains under investigation by Ireland’s DPC almost 2.5 years after the original GDPR complaint was filed — meaning the clock is ticking on a decision.

And still there’s more: Facebook’s processing of EU users’ personal data in the US also faces huge legal uncertainty because of the clash between fundamental EU privacy rights and US surveillance law.

A major ruling (aka Schrems II) by Europe’s top court this summer has made it clear EU data protection agencies have an obligation to step in and suspend transfers of personal data to third countries when there’s a risk the information is not adequately protected. This led to Ireland’s DPC sending Facebook a preliminary order to suspend EU data transfers.

Facebook has used the Irish courts to get a stay on that while it seeks a judicial review of the regulator’s process — but the overarching legal uncertainty remains. (Not least because the complainant, angry that data continues to flow, has also been granted a judicial review of the DPC’s handling of his original complaint.)

There has also been an uptick in EU class actions targeting privacy rights, as the GDPR provides a framework that litigation funders feel they can profit off of.

All this legal activity focused on EU citizens’ privacy and data rights puts pressure on Commission lawmakers not to be seen to row back standards as they shape the DSA package — with the parliament now firing its own warning shot calling for tighter restrictions on intrusive adtech.

It’s not the first such call from MEPs, either. This summer the parliament urged the Commission to “ban platforms from displaying micro-targeted advertisements and to increase transparency for users”. And while they’ve now stepped away from calling for an immediate outright ban, yesterday’s votes were preceded by more detailed discussion — as parliamentarians sought to debate in earnest with the aim of influencing what ends up in the DSA package.

Ahead of the committee votes, online ad standards body, the IAB Europe, also sought to exert influence — putting out a statement urging EU lawmakers not to increase the regulatory load on online content and services.

“A facile and indiscriminate condemnation of ‘tracking’ ignores the fact that local, generalist press whose investigative reporting holds power to account in a democratic society, cannot be funded with contextual ads alone, since these publishers do not have the resources to invest in lifestyle and other features that lend themselves to contextual targeting,” it suggested.

“Instead of adding redundant or contradictory provisions to the current rules, IAB Europe urges EU policymakers and regulators to work with the industry and support existing legal compliance standards such as the IAB Europe Transparency & Consent Framework [TCF], that can even help regulators with enforcement. The DSA should rather tackle clear problems meriting attention in the online space,” it added in the statement last month.

However, as we reported last week, the IAB Europe’s TCF has been found not to comply with existing EU standards following an investigation by the Belgium DPA’s inspectorate service — suggesting the tool offers quite the opposite of ‘model’ GDPR compliance. (Although a final decision by the DPA is pending.)

The EU parliament’s Civil Liberties committee also put forward a non-legislative resolution yesterday, focused on fundamental rights — including support for privacy and data protection — that gained MEPs’ backing.

Its resolution asserted that microtargeting based on people’s vulnerabilities is problematic, as well as raising concerns over the tech’s role as a conduit in the spreading of hate speech and disinformation.

The committee got backing for a call for greater transparency on the monetisation policies of online platforms.

‘Know your business customer’

Other measures MEPs supported in the series of votes yesterday included a call to set up a binding ‘notice-and-action’ mechanism so Internet users can notify online intermediaries about potentially illegal online content or activities — with the possibility of redress via a national dispute settlement body.

MEPs, meanwhile, rejected the use of upload filters or any form of ex-ante content control for harmful or illegal content — saying the final decision on whether content is legal or not should be taken by an independent judiciary, not by private undertakings.

They also backed dealing with harmful content, hate speech and disinformation via enhanced transparency obligations on platforms and by helping citizens acquire media and digital literacy so they’re better able to navigate such content.

A push by the parliament’s Internal Market Committee for a ‘Know Your Business Customer’ principle to be introduced — to combat the sale of illegal and unsafe products online — also gained MEPs’ backing, with parliamentarians supporting measures to make platforms and marketplaces do a better job of detecting and taking down false claims and tackling rogue traders.

Parliamentarians also supported the introduction of specific rules to prevent (not merely remedy) market failures caused by dominant platform players as a means of opening up markets to new entrants — signalling support for the Commission’s plan to introduce ex ante rules for ‘gatekeeper’ platforms.

Liability for ‘high risk’ AI

The parliament also backed a legislative initiative recommending rules for AI — urging Commission lawmakers to present a new legal framework outlining the ethical principles and legal obligations to be followed when developing, deploying and using artificial intelligence, robotics and related technologies in the EU including for software, algorithms and data.

The Commission has made it clear it’s working on such a framework, setting out a white paper this year — with a full proposal expected in 2021.

MEPs backed a requirement that ‘high-risk’ AI technologies, such as those with self-learning capacities, be designed to allow for human oversight at any time — and called for a future-oriented civil liability framework that would make those operating such tech strictly liable for any resulting damage.

The parliament agreed such rules should apply to physical or virtual AI activity that harms or damages life, health, physical integrity, property, or causes significant immaterial harm if it results in “verifiable economic loss”.



#Brandneu – 5 young startups that deserve a lot of attention

Every day, new startups emerge all over Germany, Austria and Switzerland. Presented here once again are a few very young startups that launched recently, that is, in the past days, weeks and months, as well as a few young companies that recently emerged from stealth mode and made headlines for the first time.

With Banxware, the well-known fintech founder Miriam Wohlfarth wants to provide loans to platform merchants. Job ads describe the concept as follows: “Our white-label software solution is an end-to-end application that covers the whole lending lifecycle”. The founding team of the Berlin fintech also includes Fabian Heiß, Aurel Stenzel and Jens Röhrborn.

With the Hamburg startup holos, any pane of glass becomes a digital advertising surface. The young adtech tracks people in anonymized form, analyzes their gender, age and outward characteristics, and then plays out correspondingly personalized advertising. The startup was founded by Hamed Jalalzada and Marie-Christine König.

The Berlin startup Pflegehub, founded by Fabian Blanda, offers, according to its own advertising, a “completely new” kind of staff placement in the care sector. The Pflegehub app works “similarly to the matching principle of well-known dating portals”. Employers receive the contacts’ data once the user consents to being contacted.

The company 4Mobil wants to enrich the car market with a concept around “digital sales, advertising and social media”. “On our platform there are not only the cars looking for a buyer, we also know the future buyers of cars”, says the young company from Holzwickede in the Ruhr area, which was founded by Sakir Kürt.

The young Cologne company DueDash brings founders and experts from all over the world together on one platform. The motto is “Making Startups Investable”. Specifically, it is about targeted support for building up one’s business and obtaining investment money. The company was founded by Markus Buck, Michail Kosak, Parul Madan and Nikhil Madan.



#DealMonitor – Magazino raises 21 million – Evum Motors receives 12 million

In today’s #DealMonitor for September 24, we once again take a look at the most important, most exciting and most interesting investments and exits of the day. All deals from previous days can be found in the large, clearly arranged #DealMonitor archive.

+++ The Hamburg company Jungheinrich, an intralogistics provider, and the European Investment Bank (EIB) are investing 21 million euros in the Munich robotics startup Magazino. “In addition to the investments by the existing shareholders and Jungheinrich AG, the European Investment Bank (EIB) is granting Magazino GmbH financing of up to 12 million euros”, the company states. The startup was founded in 2014 by Nikolas Engelhard, Lukas Zanger and Frederik Brantner. More than 110 employees currently work for Magazino, a manufacturer of shelf and order-picking robots.

Evum Motors
+++ Bayern Kapital and a medium-sized family business from Baden-Württemberg are investing 12 million euros in the Munich startup Evum Motors. Investors such as Otto Spanner, the Glatthaar group and the Franz Schabmüller group of companies have held stakes in the company since 2018. “The Munich company will use the sizeable investment sum to drive forward the start of series production, market entry and the build-out of the dealer and service network in Germany”, the press release says.
+++ The Swedish investor WiT Ventures and an unnamed German agtech investor, along with existing investor Claas, a well-known agricultural machinery group, are investing 4.5 million euros in a still-young trading platform for used agricultural machinery. The agtech company, founded in 2015, is led by Nicolas Lohr, Franz von Consbruch and Kaspar Sternberg. The Hamburg startup currently employs 30 people.

+++ The early-stage investor Capnamic Ventures and 42CAP are investing 2.3 million euros in the battery startup Accure. The Aachen-based company was founded in 2020 by the scientists Kai-Philipp Kairies, Georg Angenendt and Johannes Palmer, who earned their doctorates on battery systems at RWTH Aachen. Accure offers companies a “platform that provides access to battery data through APIs in order to manage and analyze it and ultimately predict how the state of health of batteries will develop”.

+++ The existing investors Alpana Ventures, SICTIC and DAA Capital as well as new investors such as Bettina Hein, entrepreneur and “lion” on the TV24 show “Die Höhle der Löwen Schweiz”, are investing a seven-figure sum in the Swiss logistics startup LuckaBox. The company, a “cloud-based multi-carrier last-mile forwarder for retailers” from Winterthur, was founded in 2017 by Maite Mihm and Aike Festini.

+++ The customer data platform provider CrossEngage and GPredictive, provider of a customer prediction platform, are merging. Project A Ventures, Vorwerk Ventures, Earlybird, Target Partners, IBB Ventures and the Facelift founders Benjamin Schroeter and Teja Töpfer are investing 6.5 million euros in the merged company, which will operate under the name CrossEngage going forward. CrossEngage was founded in 2015 by Manuel Hinz and Markus Wübben. CrossEngage enables advertisers to reach their target groups through individualized messages and through the automated selection and combination of marketing channels. More than 10 million has flowed into the company so far, which most recently was almost acquired by Wirecard. GPredictive offers its customers “complex ‘big data analyses’ for marketing and sales as a full-service offering”. Target Partners had already invested 2.5 million euros in GPredictive in 2015. In total, around 5 million flowed into the Hamburg company.



Ireland’s data watchdog slammed for letting adtech carry on ‘biggest breach of all time’

A dossier of evidence detailing how the online ad targeting industry profiles Internet users’ intimate characteristics without their knowledge or consent has been published today by the Irish Council for Civil Liberties (ICCL), piling more pressure on the country’s data watchdog to take enforcement action over what complainants contend is the “biggest data breach of all time”.

The publication follows a now two-year-old complaint lodged with Ireland’s Data Protection Commission (DPC) claiming unlawful exploitation of personal data via the programmatic advertising Real-Time Bidding (RTB) process — including dominant RTB systems devised by Google and the Internet Advertising Bureau (IAB).

The Irish DPC opened an investigation into Google’s online Ad Exchange in May 2019, following a complaint filed by Dr Johnny Ryan (then at Brave, now a senior fellow at the ICCL) in September 2018 — but two years on that complaint, like so many major cross-border GDPR cases, remains unresolved.

And, indeed, multiple RTB complaints have been filed with regulators across the EU but none have yet been resolved. It’s a major black mark against the bloc’s flagship data protection framework.

“September 2020 marks two years since my formal complaint to the Irish Data Protection Commission about the “Real-Time Bidding” data breach. This submission demonstrates the consequences of two years of failure to enforce,” writes Ryan in the report.

Among hair-raising highlights in the ICCL dossier are that:

  • Google’s RTB system sends data to 968 companies;
  • that a data broker company which uses RTB data to profile people influenced the 2019 Polish Parliamentary Election by targeting LGBTQ+ people;
  • that a profile built by a data broker with RTB data allows users of Google’s system to target 1,200 people in Ireland profiled in a “Substance abuse” category, with other health condition profiles offered by the same data broker available via Google reported to include “Diabetes”, “Chronic Pain”, and “Sleep Disorders”;
  • that the IAB’s RTB system allows users to target 1,300 people in Ireland profiled in an “AIDS & HIV” category, based on a data broker profile built with RTB data, while other categories from the same data broker include “Incest & Abuse Support”, “Brain Tumor”, “Incontinence”, and “Depression”;
  • that a data broker that gathers RTB data tracked the movements of people in Italy to see if they observed the Covid-19 lockdown;
  • that a data broker that illicitly profiled Black Lives Matter protesters in the US has also been allowed to gather RTB data about Europeans;
  • that the industry template for profiles includes intimate personal characteristics such as “Infertility”, “STD”, and “Conservative” politics.

Under EU data protection law, personal information that relates to highly sensitive and intimate topics — such as health, sexuality and politics — is what’s known as special category personal data. Processing this type of information generally requires explicit consent from users — with only very narrow exceptions, such as for protecting the vital interests of the data subjects (and serving behavioral ads clearly wouldn’t meet such a bar).

So it’s hard to see how the current practices of the targeted ad industry can possibly be compliant with EU law, in spite of the massive scale on which Internet users’ data is being processed.

In the report, the ICCL estimates that just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts in the past year.

“Google’s RTB system now sends people’s private data to more companies, and from more websites than when the DPC was notified two years ago,” it writes. “A single ad exchange using the IAB RTB system now sends 120 billion RTB broadcasts in a day, an increase of 140% over two years ago when the DPC was notified.”

“Real-Time Bidding operates behind the scenes on websites and apps. It constantly broadcasts the private things we do and watch online, and where we are in the real-world, to countless companies. As a result, we are all an open book to data broker companies, and others, who can build intimate dossiers about each of us,” it adds. 

Reached for a response to the report, Google sent us the following statement:

We enforce strict privacy protocols and standards to protect people’s personal information, including industry-leading safeguards on the use of data for real-time bidding. We do not allow advertisers to select ads based on sensitive personal data and we do not share people’s sensitive personal data, browsing histories or profiles with advertisers. We perform audits of ad buyers on Google’s ad exchange and if we find breaches of our policies we take action.

We also reached out to the IAB Europe for comment on the report. A spokeswoman told us it would issue a response tomorrow.

Responding to the ICCL submission, the DPC’s deputy commissioner Graham Doyle sent this statement: “Extensive recent updates and correspondence on this matter, including a meeting, have been provided by the DPC. The investigation has progressed and a full update on the next steps provided to the concerned party.”

However in a follow up to Doyle’s remarks, Ryan told TechCrunch he has “no idea” what the DPC is referring to when it mentions a “full update”. On “next steps” he said the regulator informed him it will produce a document setting out what it believes the issues are — within four weeks of its letter, dated September 15.

Ryan expressed particular concern that the DPC’s enquiry does not appear to cover security — which is the crux of the RTB complaints, since GDPR’s security principle puts an obligation on processors to ensure data is handled securely and protected against unauthorized processing or loss. (Whereas RTB broadcasts personal data across the Internet, leaking highly sensitive information in the process, per earlier evidence gathered by the complainants.)

He told TechCrunch the regulator finally sent him a letter, in May 2020, in response to his request to know what the scope of the inquiry is — saying then that it is examining the following issues:

  • Whether Google has a lawful basis for processing of personal data, including special category data, for the purposes of targeted advertising via the Authorised Buyers mechanism and, specifically, for the sourcing, sharing and combining of the personal data collected by Google with other companies / partners;
  • How Google complies with its transparency obligations, particularly with regard to Art. 5(1), 12, 13 and 14 of the GDPR;
  • The legal basis / bases for Google’s retention of personal data processed in the context of the Authorised Buyers mechanism and how it complies with Article 5(1)(c) in respect of its retention of personal data processed through the Authorised Buyers mechanism;

We’ve asked the DPC to confirm whether its investigation of Google’s adtech is also examining compliance with GDPR Article 5(1)(f) and will update this report with any response.

The DPC did not respond to our question about the timing for any draft decision on Ryan’s two-year-old complaint. But Doyle also pointed us to work this year around cookies and other tracking technologies — including guidance on compliant usage — adding that it has set out its intention to begin related enforcement from next month, when a six-month grace period for industry to comply with the rules on tracking elapses.

The regulator also pointed to another related open enquiry — into adtech veteran Quantcast, also beginning in May 2019. (That enquiry followed a submission by privacy rights advocacy group, Privacy International.)

The DPC has said the Quantcast enquiry is examining the lawful basis claimed for processing Internet users’ data for ad targeting purposes, as well as considering whether transparency and data retention obligations are being fulfilled. It’s not clear whether the regulator is looking at the security of the data in that case, either. A summary of the scope of the Quantcast enquiry in the DPC’s annual report states:

In particular, the DPC is examining whether Quantcast has discharged its obligations in connection with the processing and aggregating of personal data which it conducts for the purposes of profiling and utilising the profiles generated for targeted advertising. The inquiry is examining how, and to what extent, Quantcast fulfils its obligation to be transparent to individuals in relation to what it does with personal data (including sources of collection, combining and making the data available to its customers) as well as Quantcast’s personal data retention practices. The inquiry will also examine the lawful basis pursuant to which processing occurs.

While Ireland remains under huge pressure over the glacial pace of cross-border GDPR investigations, given it’s the lead regulator for many major tech platforms, it’s not the only EU regulator accused of sitting on its hands where enforcement is concerned.

The UK’s data watchdog has similarly faced anger for failing to act over RTB complaints — despite acknowledging systematic breaches. In its case, after months of regulatory inaction, the ICO announced earlier this year that it had ‘paused’ its investigation into the industry’s processing of Internet users’ personal data — owing to disruption to businesses as a result of the COVID-19 pandemic.



#Brandneu – 6 new startups everyone should have on their radar

Every day, new startups emerge all over Germany, Austria and Switzerland. Presented here once again are a few very young startups that launched recently, that is, in the past days, weeks and months, as well as a few young companies that recently emerged from stealth mode and made headlines for the first time.

Behind Simity is a “CRM solution for local businesses to generate offline data on customer behavior”. The idea is that users can, for example, communicate better with their existing customers or send “guests on site a special offer”.

Hashtags: #Tool #Software #CRM
Location: Hannover
Founders: Jan-Niklas Schmitz, Sebastian Böddeker

The travel startup TripLegend is aimed at millennials. The digital tour operator wants to “offer” them “unique small-group adventure trips”. The Berliners add: “We combine technologies with common sense to develop the best solutions for people and nature”.

Hashtags: #Travel
Location: Berlin
Founders: Brian Ruhe, Alexander Ditzel, Martin Ditzel

The young Cologne startup yeew is positioning itself as a “partner for local advertising on smartphones”. The adtech from the orbit of the Aschendorff publishing group is led by the serial founders Coskun Tuna, formerly of Seeding Alliance, and Thorsten Kambach.

Hashtags: #AdTech
Location: Köln
Founders: Coskun Tuna, Thorsten Kambach

Behind Stargazr from Hamburg is a “web-based software provider that helps controlling teams better understand and steer their company results”. Stargazr from Hamburg thus delivers “innovative AI software for modern controlling”.

Hashtags: #FinTech #Software
Location: Hamburg
Founders: Rafi Wadan, Juan C. Roldan

Philex Protein
Philex Protein is all about protein snacks. The startup offers various flavors such as apple-banana or date-vanilla as baking mixes. “We have tasted and tested all the fruits and every single nut”, promise the founders from Bad Köstritz.

Hashtags: #Food #eCommerce
Location: Bad Köstritz
Founders: Philipp Weiler, Alexander Seliger

JL-Clean is all about home textile cleaning. At launch, the founders are focusing on carpet cleaning. Upholstery cleaning will follow soon. “We only work with established medium-sized cleaning companies”, promises the young startup.

Hashtags: #Marktplatz #Dienstleitung
Location: Frankfurt am Main
Founders: Janis Curtius, Luca Bös



As it awaits its US fate, TikTok doubles down on its revenue funnel with marketing partners

There’s a big question mark hanging over the future of TikTok right now, in the form of what exactly will happen to its US business come September 20, when President Trump said he plans to shut down the Chinese-owned app over security concerns.

But in the meantime, it seems to be business as usual for the app.

Today, TikTok — which has 100 million users in the US — announced a slate of marketing partners to help brands create and measure the impact of campaigns on the app. The company, owned by ByteDance in China, is kicking off the program with 20 partners that include companies for campaign management (eg, Sprinklr and Bidalgo); for creative development (eg, QuickFrame and Shuttlerock); branded effects around VR and AR (eg, Bare Tree Media and Byte); and measurement (Kantar). The full list is below.

This is the latest expansion of TikTok for Business, the company’s advertising platform, which launched officially in June to bundle together TikTok’s existing marketing products alongside a new AR product it launched to rival Snapchat’s.

TikTok confirmed to us that this is a global initiative — that is, it’s set up to create marketing campaigns for wherever TikTok is available.

And I’m going to be honest. It feels a little like an alternate TikTok reality, like the kind you might see in a split-screen meme on the app itself.

On one side, adding in marketing partners is very, very standard for a social media app that’s doubling down on making money through adtech based on its growing and engaged (and young) audience. Facebook (and the apps in its stable like Instagram) did it. Twitter did it. Snapchat did it.

And now TikTok is doing it. It speaks to the company’s ambition to expand its platform to work with the biggest brands and at scale, leveraging its strong audience growth to build advertising units to sell brands and products to them in innovative and sticky ways that are uniquely “TikTok.”

On the other side, of course, TikTok is having anything other than a standard growth trajectory right now.

It’s in the middle of a messy bidding process for ByteDance to sell TikTok’s US assets (along, potentially, with others) to US owners. The company has had to deal with the abrupt departure of its US head. And now the situation seems to be spilling over into speculation over what might happen in other parts of the world, such as India. All of this means that it’s unclear what will happen to marketing relationships, and where advertisers and partners will be left if and when the app has to splinter.

Or indeed, how ad products and other IP would be passed on in a potential sale. (Right now, reportedly, one of the sticking points for a deal has been the possibility that China might limit which algorithms, which form the basis of how TikTok works, would be passed on in a sale.)

“With the launch of TikTok For Business, we’re building new opportunities for marketers to be creative storytellers and meaningfully engage with the TikTok community,” Melissa Yang, Head of Ecosystem Partnerships, TikTok, noted in the blog post. “We’re thrilled to collaborate with some of the most strategic and trusted leaders in the advertising industry and continue giving marketers access to more tools to successfully create, measure and optimize ad campaigns on TikTok. We can’t wait to collaborate with partners to bring a creative and joyful experience to our brand partners and the broader TikTok community.”

We have asked TikTok if it can comment on how marketing programs like these would be affected if and when the company does split up into regional operations, and it declined to comment specifically:

“Unfortunately we’re not able to comment on speculation,” said a spokesperson. “In general we along with our partners are excited to kick off these partnerships and continue bringing more solutions to the marketing community.”

Here’s the full list of partners in the meantime, per TikTok:

Campaign Management to plan, create, optimize, and measure marketing campaigns

  • Bidalgo – Bidalgo drives growth and reduces user acquisition complexity for mobile marketers, leveraging AI to generate actionable insights and powerful automation capabilities for creative production and media buying.
  • Bidshake – Empowers fast, efficient and reliable campaign management by enabling real-time, automated cross-channel actions based on aggregated data all from one platform.
  • Sprinklr – The world’s leading Customer Experience Management (CXM) platform.
  • WinClap – The marketing company that provides advanced AI analytics, expertise, and creative production to boost the performance of your campaigns
  • MakeMeReach – Multi-channel ads management platform optimized for scale.

Creative Development to build assets like videos that work on TikTok

  • QuickFrame – More than a marketplace connecting brands to video creators. We help businesses grow by transforming the way they produce video content at scale.
  • Shuttlerock – Transforms existing brand assets into stunning handcrafted video ads.
  • VidMob – Leading creative analytics & post-production platform that uses data to understand your creative, improve your ads and increase marketing performance.
  • Vidsy – Helping brands achieve their business goals with effective digital ad creative.
  • Cohley – Helps brands and agencies cost effectively scale the creation of UGC videos for ads.

Branded Effects for AR and VR content

  • Bare Tree Media – A full-service creative agency enabling brands to reach, engage and entertain consumers through the creation and digital publishing of augmented reality (AR), emojis, messaging stickers, and GIFs within popular messaging platforms.
  • Byte – Global specialists in branded AR, Byte is a martech agency that combines technology and creativity to help solve brands’ challenges.
  • Happy Finish – Global creative production collective studio, creating realities. We specialise in cross-platform services including Retouch, CGI, Animation, VFX, VR, AR & Mixed Reality and Creative AI, and craft experiences for some of the biggest brands and agencies in the world.
  • IgniteXR – Ignite XR is an end-to-end creative solutions group for augmented reality, creating integrated AR campaigns for brands and translating ideas into engaging immersive creative experiences.
  • Poplar Studio – A global creative platform that makes the creation of 3D and AR campaigns easier, faster, affordable and fun — including face filters, world effects, mini-games, portals and image trackers.
  • Subvrsive – Subvrsive is an immersive innovation studio focused on creating content, software, and experiences that transform businesses on a global scale.
  • Tommy – A modern communications agency that uses technology, strategy, and award-winning design to help brands earn the attention of their audiences.
  • Unit9 – A production studio focusing on AR/VR, Digital, Experiential, Gaming, Innovation and Film projects.

Measurement to target and analyse campaigns

  • Kantar – The world’s leading data, insights and consulting company.

TikTok is opening the program to other interested partners, it said.



Facebook threatens to block news sharing in Australia as it lobbies against revenue share law

Adtech giant and self-styled ‘free speech champion’, Facebook, has threatened to pull the plug on the public sharing of news content on Facebook and Instagram in Australia.

The aggressive threat is Facebook’s attempt to lobby against a government plan that will require it and Google to share revenue with regional news media to recompense publishers for distributing and monetizing professionally produced content on their platforms.

Consultation on a draft of the mandatory code — which Australia’s lawmakers say is intended to address “acute bargaining power imbalances” between local news businesses and the adtech duopoly — closed on August 28, with a final version expected imminently from Australia’s Competition and Consumer Commission (ACCC) and then due to be put before parliament.

Facebook’s threat thus looks timed to turn the heat up on lawmakers as they’re about to debate the details of the code. However dangling the prospect of blocking professionally produced news in an attempt to thwart a law change that’s not in its commercial interests will do nothing to reduce lawmakers’ concerns about the level of market power being wielded by tech giants.

Last month Google also warned that if Australia goes ahead with the plan then the quality of regional search results and YouTube recommendations will suffer — becoming “less relevant and helpful” if the law goes into effect.

Both platform giants are essentially saying that unless the bulk of professional reportage can be freely distributed on their platforms, leaving them free to monetize it via serving ads and through the acquisition of associated user data, then unverified user generated content will be left to fill the gap.

The clear implication is that lower grade content — and potentially democracy-denting disinformation — will be left to thrive. Or, in plainer language, the threat boils down to: Give us your journalism for free or watch your society pay the price as our platforms plug the information gap with any old clickbait.

“The ACCC presumes that Facebook benefits most in its relationship with publishers, when in fact the reverse is true. News represents a fraction of what people see in their News Feed and is not a significant source of revenue for us. Still, we recognize that news provides a vitally important role in society and democracy, which is why we offer free tools and training to help media companies reach an audience many times larger than they have previously,” writes Facebook in the same blog post where it threatens — as a ‘last choice’ — to pull the plug on content it describes as playing “a vitally important role in society and democracy” because it doesn’t want to have to pay for it.

Facebook’s calculus is clearly elevating its own commercial interests above free speech. And indeed above democracy and society. Yet the tech giant’s go-to defence for not removing all sorts of toxic disinformation and/or hateful, abusive content — or indeed lying political ads — from circulating on its platform is a claim that it’s defending ‘free speech’. So this is a specially rank, two-faced kind of platform hypocrisy on display.

Last year the comic Sacha Baron Cohen slammed Facebook’s modus operandi as “ideological imperialism” — warning then that unaccountable Silicon Valley ‘robber barons’ are “acting like they’re above the reach of law”. Well, Australians are now getting a glimpse of what happens when the mask further slips.

The ACCC has responded to Facebook’s flex with a steely statement of its own, attributed to chair Rod Sims.

“Facebook’s threat today to prevent any sharing of news on its services in Australia is ill-timed and misconceived,” he writes. “The draft media bargaining code aims to ensure Australian news businesses, including independent, community and regional media, can get a seat at the table for fair negotiations with Facebook and Google.”

“Facebook already pays some media for news content. The code simply aims to bring fairness and transparency to Facebook and Google’s relationships with Australian news media businesses,” he adds.

“As the ACCC and the Government work to finalise the draft legislation, we hope all parties will engage in constructive discussions.”

A similar battle is playing out in France over Google News, following a recent pan-EU law change which extended copyright to news snippets. France has been at the forefront of implementing the change in national law — and Google has responded by changing how it displays news media content in Google News in the country, switching to showing headlines and URLs only (so removing snippets).

However earlier this year France’s competition watchdog slapped down the tactic — saying Google’s unilateral withdrawal of snippets to deny payment to publishers is likely to constitute an abuse of a dominant market position, which it asserted “seriously and immediately damaged the press sector.”

Google’s share of the search market in Europe remains massively dominant — with the tech giant taking greater than 90% marketshare. (Something that underpins a number of regional antitrust enforcements against various aspects of its business.)

In Australia, Facebook’s position as a news distributor appears to be less strong, with the ACCC citing the University of Canberra’s 2020 Digital News Report which found that 39% of Australians use Facebook for general news, and 49% use Facebook for news about COVID-19.

However information and disinformation do not distribute equally, with plenty of studies indicating a faster spread for fake news — which suggests Facebook’s platform power to distribute bullshit is far greater than its role in informing societies by spreading bona fide news. That in turn makes its threat to block genuine reportage an antisocial weaponization of its dominance of social media.



Cosmose, a platform that analyzes foot traffic in physical stores, gets $15 million Series A

Cosmose, a platform that tracks foot traffic in brick-and-mortar stores to help companies predict customer behavior, announced today it has raised a $15 million Series A. The round came from Tiga Investments, with participation from returning investors OTB Ventures and TDJ Pitango, who co-led Cosmose’s seed round last year. The company said its valuation is now more than $100 million.

The Series A will be used for product development and geographic expansion, starting with Southeast Asian markets this year, followed by the Middle East and India. Chief executive officer Miron Mironiuk, who founded Cosmose in 2014, said its goal is to break even and generate profit by 2021.

Cosmose has offices in Shanghai, Hong Kong, New York and Warsaw, where its software engineering team is based. Most of the stores its tech is currently used in are in China and Japan, and its clients include companies like Walmart, Marriott, Samsung, and LVMH.

As companies try to recover from the impact of COVID-19, Mironiuk said Cosmose’s platform has helped clients make decisions about when to reopen stores, what kind of inventory to stock, and how to increase revenue. For example, “some shops wanted to connect with customers who used to shop in their physical locations and encourage them to buy online,” he said. “Hotels in Japan were focused on promoting their in-house restaurants to local residents to make up for the lost revenue.” The company is also working with Boston Consulting Group on a report called “COVID-19 offline retail recovery traffic in China” for publication next week.

Mironiuk said that a PwC audit of the platform’s accuracy completed in December 2019 confirmed its ability to track customers within 1.6 meters of their location in a store, and that its data ecosystem now comprises more than one billion smartphones and 360,000 stores. Cosmose’s plan is to grow that to two billion smartphones and 10 million stores by 2022.

The company offers three main products: Cosmose Analytics, which tracks customers’ movements inside brick-and-mortar stores; Cosmose AI, a data analytics and prediction platform to help retailers create marketing campaigns and increase sales; and Cosmose Media, for targeting online ads.

Cosmose does not require hardware installation, which means no regular maintenance is required after Cosmose maps a store, and helps it differentiate from rivals.

There are other companies that also analyze foot traffic in brick-and-mortar stores, including RetailNext and ShopperTrak, but being tracked might alarm customers who are concerned about their privacy. Mironiuk said all of the smartphone data Cosmose AI gathers is anonymized, so the company doesn’t know who shoppers are. The platform uses alphanumeric IDs called OMNIcookies, does not collect personal data like phone MAC addresses, mobile numbers, or email addresses, and follows data privacy laws in each of the countries it operates in. It also allows shoppers to opt-out of tracking.

In a press statement about the investment, Raymond Zage, the CEO and founder of Tiga Investments, said “I was attracted by the strong results Cosmose is already achieving for some of the world’s recognizable brands, while simultaneously ensuring user privacy is protected. Cosmose team is saving stores while enhancing consumer experience.”



Google’s Sundar Pichai grilled over “destroying anonymity on the Internet”

Google’s Sundar Pichai faced an awkward line of enquiry during today’s House Antitrust Subcommittee hearing related to its 2007 acquisition of adtech platform DoubleClick, and how it went on to renege on an original promise to lawmakers and regulators that it would not (nor could) merge DoubleClick data with Google account data — automagically doing just that almost a decade later.

By linking Internet users’ browsing data, as harvested via the DoubleClick cookie, to Google accounts it was able to join the dots of user identities, (Gmail) email data, search history, location data and so on (Google already having collapsed the privacy policies of separate products, to join up all that activity) with its users’ wider Internet browsing activity — vastly expanding its ability to profile and target people with behavioral ads.

Agency for Google users to prevent this massive privacy intrusion, there was none.

Rep. Val Demings contended that by combining DoubleClick cookie data and Google account data Google had essentially destroyed user privacy on the Internet. And — importantly, given the domestic antitrust scrutiny the company now faces — that that had only been possible because of the market power Google had amassed.

“When Google proposed the merger alarm bells were raised about the access to data Google would have — specifically the ability to connect a user’s personal identity with their browsing activity,” said Demings, before zooming in to hammer Pichai on another tech giant’s broken data privacy promise.

“Google… committed to Congress and to the antitrust enforcers that the deal would not reduce user privacy. Google chief’s legal advisor testified before the Senate Antitrust Subcommittee that Google wouldn’t be able to merge this data. Even if it wanted to, given contractual restrictions. But in June of 2016 Google went ahead and merged this data anyway — effectively destroying anonymity on the Internet,” she explained.

Demings then pressed Pichai on whether he personally signed off on the privacy-hostile move, given he became CEO of Google in 2015.


Pichai hesitated before attempting a bland response — only to be interrupted by Demings pressing him again: “Did you sign off on the decision or not?”

“I — I reviewed at a high level all the important decisions we make,” he said, after a micro pause.

He then segued in search of more comfortable territory, starting into Google’s usual marketing spiel — about how it “deeply cares about the privacy and security of our users”.

Demings was having none of it. The U-turn had enabled Google to combine a user’s search and browsing history, location data and information from emails stored in Gmail, she said, blasting it “absolutely staggering”.

She then referenced an email from a DoubleClick exec who had told the committee it was “exactly the kind of user reduction in privacy that users’ founders had previously worried would lead to a backlash”.

“‘They were unwavering on the policy due to philosophical reasons. Which is Larry [Page] and Sergey [Brin] fundamentally not wanting users associated with a cross-site cookie. They were also worried about a privacy storm, as well as damage to Google’s brand’,” she said, quoting directly from the email from the unnamed DoubleClick exec.

“So in 2007 Google’s founders feared making this change because they knew it would upset their users — but in 2016 Google didn’t seem to care,” Demings went on, before putting it to Pichai that what had changed between 2007 and 2016 is that Google gained “enormous market power”.

“So while Google had to care about user privacy in 2007 it no longer had to in 2016 — would you agree that what changed was Google gained enormous market power?” she asked.

The Alphabet and Google CEO responded by asking for a chance “to explain” — and then rattling off a list of controls Google offers users so they can try and shrink how it tracks them, further claiming it makes it “very easy” for people to control what it does with their information. (Some EU data regulators have taken a very different view of Google’s ‘transparency’, however.)

“We today make it very easy for users to be in control of their data,” claimed Pichai. “We have simplified their settings, they can turn ads personalization on or off — we have combined most of activity settings into three groupings. We remind users to go do a privacy check up. One billion users have done so.”

Demings, sounding unimpressed, cut him off again — saying: “I am concerned that Google’s bait and switch with DoubleClick is part of a broader pattern where Google buys up companies for the purposes of surveilling Americans and because of Google’s dominance users have no choice but to surrender.”

She went on to contend that “more user data means more money” for Google.

Pichai had a go at denying that — starting an answer with the claim that “in general that’s not true” before Demings repeated the contention: “So you’re saying that more user data does not mean the more money that Google can collect?”

That was easier for Pichai to sidestep. “Most of the data we collect is to help users and provide personalized experiences back”, he shot back, neatly avoiding the key point that the access Google has given itself to people’s data by cross linking their web browsing with Google IDs and product activity enables the tech giant to generate massive profits via targeting them with creepy ads, which in turn makes up the vast majority of Alphabet’s profit.

But with that Demings’ five minutes were up — although the hearing continues.



#Brandneu – 5 new startups that are really taking off right now

Every day, new startups emerge all over Germany, Austria and Switzerland. Here, once again, is a selection of very young startups that launched recently, that is, in the past days, weeks and months, along with some young companies that recently emerged from stealth mode and made headlines for the first time.

At Knowunity, everything revolves around school knowledge. The startup sets out to simplify everyday school life through presentations, flashcards, book summaries and tutoring. The young founders envision a “kind of Spotify for everyday school life”.

Hashtags: #App #EdTech #eLearning
Location: Stuttgart
Founders: Lars Lins, Benedict Kurz, Julian Prigl

Tough Design
At Tough Design, online shoppers find backpacks, briefcases and accessories made of so-called full-grain leather. The young company, which is run by Yusuf Zorlu, wants above all to establish itself as the place to go “for German quality and style-confident fashion from Düsseldorf”.

Location: Düsseldorf
Founder: Yusuf Zorlu

At CNC One, it is all about milling, and plenty of it. The startup offers a CNC milling machine for home use. “Automated workflows and free video tutorials empower even beginners to machine beautiful products from Day One”, the young company from Munich says.

Hashtags: #Hardware
Location: Munich
Founders: Sven Rittberger, Filip Simic

Advise Media Consulting
The Hamburg startup Advise Media Consulting promises a “new era in media auditing”. The young company offers its customers a platform with which “both local and international pitch, tracking and monitoring projects can be centrally managed, neutrally analysed and optimised”.

Hashtags: #AdTech
Location: Hamburg
Founders: Marino Vukovic, Rolf-Dieter Wulf

The young company Kimoknow, a spin-off of KIT, develops digital assembly assistants. Its self-description says: “Objects can be trained without any special knowledge. This is handled automatically by our algorithms”.

Hashtags: #IndustrialTech #B2B
Location: Karlsruhe
Founders: Lukas Kriete, Roman Wiegand, Aaron Boll, Michael Grethler, Vesa Klumpp



Data from Dutch public broadcaster shows the value of ditching creepy ads

For anyone interested in the contested question of how much ‘value’ — or, well, how little — publishers derive from the privacy-hostile practice of tracking web users to behaviorally target them with ads, pro-privacy browser Brave has published some interesting data, obtained (with permission) from the Netherlands’ public broadcaster, NPO.

The data shows the NPO grew ad revenue after ditching trackers to target ads in the first half of this year — and did so despite the coronavirus pandemic landing in March and dealing a heavy blow to digital advertising globally (contributing, for example, to Twitter reporting Q2 ad revenues down nearly a quarter).

The context here is that in January the broadcaster switched to serving contextual ads across its various websites, where it has an online video audience of 7.1M per month, and display reach of 5.8M per month.

Brave has just published an analysis of six months’ worth of data which shows NPO’s ad revenue increased every month over this period. Year-over-year increases after the broadcaster unplugged the usual morass of background adtech that makes surveillance capitalism ‘function’ are as follows:

  • January: 62%; February 79%; March 27%; April 9%; May 17%; June 17%;

Earlier this month Brave published five months’ worth of the NPO ad revenue data. So this is actually an update on an earlier blog post on the topic. The updated figures from Ster, the NPO’s ad sales house, slightly amend the earlier amounts, revising the reported figures further upwards. So, in short, the non-tracking ad revenue bump has been sustained for half a year. Even amid a pandemic.

Now the idea that switching from behavioral to contextual targeting can lead to revenue growth is not a narrative you’ll hear from the ad tracking industry and its big tech backers. Aka the platform giants whose grip on the Internet’s attention economy and the digital infrastructure used for buying and selling targeted ads has helped them to huge profits over the past half decade or so (even as publisher revenues have largely stagnated or declined during this boom period for digital ad spending).

The adtech industry prefers to chainlink tracking and targeting to ad revenue — claiming publisher revenues would tank if content producers were forced to abandon their reader surveillance systems. (Here’s Google’s VP of ad platforms, last year, telling AdExchanger that the impact of tracker blocking on publishers’ programmatic ad revenues could cut CPMs in half, for example.)

Yet it’s not the first time there’s been a report of (surprise!) publisher uplift after ditching ad trackers.

Last year Digiday reported that the New York Times saw its ad revenue rise in Europe after it switched off creepy ads ahead of a major regional regulatory update, shifting over to contextual and geographical targeting.

The NYT does have a certain level of brand cachet which not every publisher can claim. Hence the tracking industry counterclaims that its experience isn’t one that can be widely replicated by publishers. So the NPO data is additionally interesting in that it shows revenue uplift for a public broadcaster even across websites that aren’t dominant in their particular category, per Brave’s analysis.

Here’s its chief policy & industry relations officer, Dr Johnny Ryan, who writes:

NPO and its sales house, Ster, invested in contextual targeting and testing, and produced vast sales increases even with sites that do not appear to dominate their categories. This may be a tribute to Ster’s ability to sell inventory across NPO’s media group as a collective, but this benefit would have applied in 2019 and does not account for the revenue jump in 2020. A publisher does not therefore need to have market dominance to abandon 3rd party tracking and reproduce NPO’s vast revenue increase.

And here’s Ryan’s take on why “legitimate” (i.e. non junk/clickbait) publishers of all sizes should be able to follow the NPO’s example:

Although it is a national broadcast group, NPO websites do not dominate the web traffic rankings in the Netherlands. Only one of NPO’s properties ( ranks in the top 5 in its category in the Netherlands, according to Similar Web. None of the other NPO properties are in the Netherlands’ top 100. The other NPO websites for which Similar Web provides a traffic rank estimation (versus other websites in the Netherlands) range from 180th to 5,040th most popular in the Netherlands. NPO properties’ popularity or market position in each content category are not correlated with increases in impressions sold. Country site rank, category site rank, and numbers of page views, vary widely between the properties, whereas the increases in impression sold are all above 83%, with one explicable exception [due to technical difficulties over the tracked period which prevented ads being served against one of its most popular programs].

Brave has its own commercial iron in the fire here, of course, given its approach to monetizing user eyeballs aligns with an anti-tracking marketplace ethos. But that hardly takes away from the NPO’s experience of — surprise! — revenue growth from ditching creepy ads.

Joost Negenman, NPO’s privacy officer, told TechCrunch they had certainly not expected to see ad revenue uplift from making the switch. The decision to move to contextual ads was made mid last year, as a result of the public broadcaster becoming “convinced” the programmatic targeting ad system it was using wasn’t compatible with its “public task”, as he tells it.

“We expected a rather dramatic drop in revenue,” says Negenman, noting that at that time the NPO was only getting a consent rate from users of around 10% for the ad cookies Ster needed for its programmatic ad system — down from 75%+ prior to GDPR (“probably” because its Cookie Consent Module at the time had been based on “implicit instead of explicit consent”; whereas GDPR mandates for consent to be legally valid it must be specific, informed and freely given).

“We also expected a drop because advertisers could completely ignore us when NPO and Ster turned away from this market adtech standard together, at a time when there was no sophisticated alternative in place,” he continues. “This fortunate misjudgment on our side was also fuelled by the strong belief (and preaches) in programmatic ad-solutions by online marketeers and companies.”

Negenman attributes the surprise revenue bounty from selling contextual ads to a couple of factors: Namely the “A-brand” pull of NPO and its affiliate broadcasters, meaning advertisers still wanted to be able to reach their users. And, well, to having the pro-privacy zeitgeist on its side.

“We’re all aware of the growing scrutiny on the adtech business, no explanation needed!” he says.

It’s worth noting the NPO’s switch to contextual ads did require some investment to pull off. The publisher shelled out for technology to enable contextual targeting across its web properties — such as building out descriptive metadata to enable more granular contextual targeting on video content. And the level of investment required to achieve similarly sophisticated contextual ad targeting might not be available to every publisher.

Yet the sustained revenue bump NPO experienced post-switch means it very quickly earned back what it spent — so for publishers that can afford to invest up front in transitioning away from tracking it looks like a very compelling case study.

“It paid for itself within a month or so!” confirms Negenman. “Considering all the money Ster didn’t have to share with Google and other in-betweens. From 1 advertisement Euro, 1 Euro goes to Ster!”

Though he also notes the broadcaster was helped by Dutch law placing an obligation on it to have subtitles for over 90% of its assets — meaning some of the leg work to build out contextual targeting had already been done.

“Subtitles data of course provides valuable descriptive metadata. So those tools were already in place,” he says. “But beside subtitles — that are nowadays easier to automate — standard program information like (sub)genre, titles of actors are of great value as well to add context on a video asset.”

Brave’s Ryan posits that the role of NPO’s sales house is also important to its success with contextual ads. “Smaller publishers may benefit from engaging with reputable sales houses that can aggregate supply as Ster does for NPO’s various properties,” he suggests. “Publishers of all sizes will benefit according to their reputations — unless advertisers and agencies purchase from sales houses with poor reputations.”

Asked whether he believes the switch would work for all publishers, Negenman does not go that far. “For all A-brands I definitely see this approach working, also news outlets have the perfect (meta)data needed to feed such a system,” he says, arguing there’s a place in the market for both contextual and targeted ads.

“Not all online advertising is the same,” he argues. “A shoe annoyingly following you online is something other than creating (A-)brand awareness. Perhaps the contextual system can start by creating privacy friendly ‘lagoons’ where a person is not tracked or followed by a shoe. There the system gets time to prove its worth in revenue and respect for its audience.”

“For other public broadcasters I believe they have more or less an (moral) obligation to at least start testing contextual ads,” he adds. “The adtech system’s use of personal and behavioral data has become so un-explainable that the GDPR information obligation is almost impossible to meet.”

As we’ve said before, the evidence of viable alternatives to privacy-torching surveillance capitalism is stacking up — even as harms linked to adtech platforms’ exploitation of people’s information keep piling up.

And while contextual ads may not sum to a revenue boom for every type of publisher, the notion that it’s tracking or nothing is clearly bogus.

(You could also make a pretty compelling case that abusive exploitation of people’s data that sustains low grade publishing is not at all a net societal good and so supporting a system that supports bottom feeding clickbait (and massive levels of ad fraud) is simply bad for everyone — well, other than the bottom feeders… )

Ryan goes so far as to call conventional adtech “a cancer eating at the heart of legitimate publishers”. And having worked inside the beast he’s castigating, via an earlier stint at an anti-ad-blocking adtech company called PageFair, his critique is all the more hard hitting.

He’s used his insider knowledge to file a number of complaints with European regulators — most notably against the real-time bidding (RTB) practice programmatic advertising can rely on, drawing in vast quantities of Internet users’ personal information and scattershotting it back out again.

He contends this high velocity trading of personal data can’t possibly be compliant with Europe’s data protection framework — which, conversely, mandates that people’s information be securely handled, not spread around like confetti. (Though he believes RTB can work fine if you strip out personal data and only use it for contextual ads.)

European data protection regulators agree there’s a ‘lawfulness’ problem with current adtech practices. But have so far sat on their hands rather than taking enforcement action, given how widespread the problem is.

(Interestingly, Negenman says the NPO investigated continuing using programmatic RTB but with personal data stripped out. Though, in the event, he says this idea never got past the production stage. “Personally I can imagine a compliant combination,” he notes, adding: “Most importantly, the personal data must not leave the trusted data partner [and be shared with] the advertisers.”)

Turning a tanker clearly takes time. But the more publishers that see not pushing creepy ads on their users as an opportunity to experiment with alternatives, the more chance there will be for the market to shift wholesale for privacy — a shift that can be a huge win for publishers and users alike, as the NPO experience illustrates. 

Competition regulators, meanwhile, are closing in on big (ad)tech’s market power — and the conflicts of interest that arise from the “vertically integrated chain of intermediaries” which work to funnel the lion’s share of digital ad spend into platform coffers. So it’s not hard to conceive of an intervention to force market reform by breaking up Google’s business empire — to separate the ‘ad’ bits from its other ‘tech’.

The self-interested forces that underpin surveillance capitalism made their fortunes when no one was really looking at how their methods exploit people’s data. Now, with many more eyes trained on them, they are operating on borrowed time. It’s no longer a question of whether change is coming. The sands are shifting, with platforms themselves now moving to limit access to third party tracking cookies.

Savvy publishers would do well to get out ahead of the next round of platform power moves — and skate to where the puck’s headed.



Pandora launches interactive voice ads into beta testing

Pandora is launching interactive voice ads into wider public testing, the company announced this morning. The music streaming service first introduced the new advertising format, where users verbally respond to advertiser prompts, back in December with help from a small set of early adopters, including Doritos, Ashley HomeStores, Unilever, Wendy’s, Turner Broadcasting, Comcast and Nestlé.

The ads begin by explaining to listeners what they are and how they work. They then play a short and simple message followed by a question that listeners can respond to. For example, a Wendy’s ad asked listeners if they were hungry, and if they said “yes,” the ad continued with a recommendation of what to eat. An Ashley HomeStores ad engaged listeners by offering tips on a better night’s sleep.

The format is meant in particular to aid advertisers in connecting with users who are not looking at their phone. For example, when people are listening to Pandora while driving, cooking, cleaning the house, or doing some other hands-free activity.

Since their debut, Pandora’s own data indicated the ads have been fairly well-received, in terms of the voice format. 47% of users said they either liked or loved the concept of responding with their voice, and 30% felt neutral. The stats paint a picture of an overall more positive reception, given that users don’t typically like ads at all. In addition, 72% of users also said they found the ad format easy to engage with.

However, Pandora cautioned advertisers that more testing is needed to understand which ads get users to respond and which do not. Based on early alpha testing, ads with higher engagement seemed to be those that were entertaining, humorous, or used a recognizable brand voice, it says.

As the new ad format enters into beta testing, the company is expanding access to more advertisers. Advertisers including Acura, Anheuser-Busch, AT&T, Doritos, KFC, Lane Bryant, Purex Laundry Detergent, Purple, Unilever, T-Mobile, The Home Depot, Volvo, and Xfinity, among others, are signed up to test the interactive ads.

This broader test aims to determine what the benchmarks should be for voice ads, whether the ads need tweaking to optimize for better engagement, and whether ads are better for driving conversions at the upper funnel or if consumers are ready to take action, based on the ads’ content.

Related to the rollout of interactive voice ads, Pandora is also upgrading its “Voice Mode” feature, launched last year and made available to all users last July. The feature will now offer listeners on-demand access to specific tracks and albums in exchange for watching a brand video via Pandora’s existing Video Plus ad format, the same as for text-based searches.




Researchers find exposed data on millions of users of quiz app, TVSmiles

TVSmiles, a Berlin-based mobile native advertising app whose users earn digital currency in exchange for engaging with branded content such as quizzes, apps and videos, has suffered a data breach.

Security researcher UpGuard disclosed in a report today that it found an unsecured Amazon S3 bucket online last month — containing personal and device data tied to millions of the app’s users. According to TVSmiles’ marketing material the quiz app has up to three million users.

The storage bucket UpGuard found exposed to the Internet contained a 306 GB PostgreSQL database backup with “unencrypted personally identifiable information matched to individual users, profiling insights about users’ interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles’ business relationships”, according to its report.

UpGuard writes that 261 database tables were present in the exposed repository — including a “core_users” table consisting of more than 6.6 million rows. Of the entries that had an email address tied to them UpGuard says it found 901,000 unique emails.

The exposed backup file appears to date back to August 2017.

Screengrab: UpGuard

After UpGuard reported the breach to TVSmiles, in an email sent May 13, the Berlin-based company responded on May 15, writing in an email that the repository “has been immediately secured” (UpGuard says it independently confirmed this).

TVSmiles co-founder, Gaylord Zach, added in this email to UpGuard that it would “further investigate the contents of the exposed data to take further actions”.

Reached for comment on the incident today, Zach confirmed UpGuard’s report and also confirmed that the exposed repository had been accidentally left unsecured for years.

He said internal analysis of available logs has found no unauthorized access besides UpGuard’s access of the data, adding that TVSmiles has yet to notify users of the incident — but is planning a communication to users within its mobile app and a blog post on its website.  

“Our analysis has revealed that the data consists of a database backup that was created in 2017 and mistakenly stored in a cloud storage repository provided within the cloud hosting environment,” Zach told us. “Allegedly this backup was created as a safety measure ahead of performed maintenance work. Further investigation revealed three independent but severe policy breaches: 1.) The backup was stored in plain format where all backups should have been encrypted; 2.) The affected repository was provisioned as a code repository and never intended to store data; 3.) The affected repository was intended for private use within the organization and never intended to be publicly available.

“The very unfortunate combination of these three factors resulted in the long period that this data remained stored without discovery.”
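One way to check a bucket inventory for the three breaches listed in the statement above, as an added example (not TVSmiles' or UpGuard's code). It runs offline on constructed bucket descriptions; the `purpose` tag, the file-name suffixes and the sample bucket names are assumptions, and the public-policy test is a simplification of how AWS evaluates policies.

```python
# Group URI that S3 ACLs use for anonymous ("everyone") grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Heuristic suffixes and the "purpose" tag are assumptions made for this example.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".pgdump", ".bak")
ENCRYPTED_SUFFIXES = (".gpg", ".age", ".enc")
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {name: True for name in PAB_OFF}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_is_public(policy):
    """Simplified test: an Allow statement for every principal with no Condition."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            return True
    return False


def acl_is_public(acl):
    grants = _as_list(acl.get("Grants"))
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in grants)


def classify_key(key):
    """Return (looks_like_backup, looks_encrypted) from the object name alone."""
    name = key.lower()
    encrypted = name.endswith(ENCRYPTED_SUFFIXES)
    if encrypted:
        name = name.rsplit(".", 1)[0]
    return name.endswith(BACKUP_SUFFIXES), encrypted


def audit_bucket(bucket):
    """Return a list of (finding, object_key_or_None) tuples for one bucket."""
    findings = []
    pab = bucket.get("public_access_block", {})
    # Block Public Access settings neutralise a public policy or a public ACL.
    via_policy = policy_is_public(bucket.get("policy", {})) and not pab.get("RestrictPublicBuckets")
    via_acl = acl_is_public(bucket.get("acl", {})) and not pab.get("IgnorePublicAcls")
    if via_policy or via_acl:
        findings.append(("publicly-readable", None))
    for key in bucket.get("keys", []):
        is_backup, encrypted = classify_key(key)
        if is_backup and not encrypted:
            findings.append(("plaintext-backup", key))
        if is_backup and bucket.get("tags", {}).get("purpose") == "code":
            findings.append(("data-in-code-bucket", key))
    return findings


# Constructed inventory (names, keys and tags are invented for illustration).
SAMPLE_BUCKETS = [
    {
        "name": "example-code-artifacts",
        "tags": {"purpose": "code"},
        "public_access_block": PAB_OFF,
        "policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-code-artifacts/*"}]},
        "acl": {"Grants": []},
        "keys": ["builds/app-1.4.2.zip", "maintenance/db_backup_2017-08.sql.gz"],
    },
    {
        "name": "example-db-backups",
        "tags": {"purpose": "backup"},
        "public_access_block": PAB_ON,
        "policy": {},
        "acl": {"Grants": []},
        "keys": ["nightly/db_2017-08-01.sql.gz.gpg"],
    },
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        print(bucket["name"], audit_bucket(bucket))
```

Any one of the three findings is a policy breach on its own; the first sample bucket reports all three at once, which is the combination the statement describes.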

TVSmiles reported the breach to the German Data protection authorities — filing its report on May 17, per Zach.

Europe’s General Data Protection Regulation (GDPR) requires data controllers to report all breaches of personal data that pose a risk to people’s rights and freedoms to a supervisory authority within 72 hours of discovery.

“We are very thankful to UpGuard for unveiling this exposure before it has led to material data breaches and harm to our users. We are very much embarrassed by this unnecessary exposure of user data. It is a strong reminder to every developer to do regular security checks and housekeeping in order to avoid these incidents,” he added.

Screengrab: UpGuard

Clicks for data

TVSmiles’ business participates in a data-fuelled digital ad ecosystem that operates by linking user IDs to devices, digital activity and tracked interests, building individual profiles for the purpose of targeting screen users with advertising.

Hence the interactive content that the TVSmiles quiz app encourages users to engage with — rewarding activity with a proprietary digital currency (called ‘Smiles’) that can be exchanged for discount vouchers on products in its shop or directly for cash — functions both as direct marketing material to drive deeper engagement around branded content; and a data harvesting tool in its own right, enabling the business to gather deeper insights on users’ interests which can in turn be monetized via user profiling and ad targeting.

Such insights enable TVSmiles to plug into a wider digital advertising ecosystem in which mobile users are profiled and tracked at scale across multiple apps, services and devices in order that targeted ads can follow eyeballs as they go — all powered by the background profiling of people’s digital activity and inferred interests.

According to Crunchbase the quiz app has raised a total of $12.6M in funding since being founded around seven years ago when it was pitching itself as a second screen app for TV viewers. It went on to launch its own ad platform, called Kwizzard, which packages ads into “a native, gamified ad format” — with the aim of luring app users to engage with quiz-based ad campaigns.

Given the nature of TVSmiles’ business — and a wider problematic lack of transparency around how the adtech industry functions — this data breach is a fascinating and unnerving glimpse of the breadth and depth of data harvesting that routinely goes on in the background of ad-supported digital services.

Even an app with a relatively small user base (single digit millions) can be sitting atop a massive repository of tracking data.

The online ad industry also continues to face major questions over the legal basis it claims for processing large volumes of personal data under the European Union’s data protection regime.


A master database plus access tokens

In terms of the types of data exposed in this breach, UpGuard said the 306 GB PostgreSQL database backup contained “centralized information” about users of the app, alongside what it describes as “large amounts of internal system and partnership information necessary for any business participating in the modern online advertising ecosystem”.

TVSmiles’ LinkedIn page reports the app having in excess of 2M users in Germany and the U.K. — per Google’s Play store the TVSmiles app has had in excess of 1M downloads to date, and while Apple’s iOS does not break out a ballpark figure for app downloads a video on the Play Store app page makes reference to 3M users — so it’s possible the 6.6M figure relates to total downloads over the app’s lifetime since launch back in September 2013.

Zach told us that the discrepancy between the user figures is a result of TVSmiles being a much smaller business now than it was in mid 2017 — when it was spending a lot on marketing and had more active users, including as a result of operating in the UK market (which it left in 2018).

“In general we are now a much smaller organisation compared to 2017,” he added.

Other tables in the repository were found by UpGuard to contain considerably more entries — such as a “tracking_token” table, with more than 235 million entry rows.

“A table in this database called “user_core” contained six million rows, with many users having their “country” field marked for other territories throughout Europe, making this data consistent with being a master database for TVSmiles at the time,” it writes in the report. “The user_core table contained fields for email address, fb_user, fb_access_token, first and last name, gender, date of birth, address, phone number, password, and others.”

UpGuard told us that the user_core table had password hashes filled in for 626,000 of the rows. It said these passwords appear to have been hashed using a type of hashing algorithm that’s known to be vulnerable to brute forcing — the sha256 algorithm — and therefore offers little protection against malicious attackers.

It added that it was able to locate three out of three random hashed passwords it checked in publicly available indexes which are easily searchable online — meaning these password hashes had already been reversed (which in turn suggests they may have been used elsewhere before; or else are commonly guessable).
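The weakness described above, next to a hardened form and a migration path, as an added example (not code from UpGuard's report or from TVSmiles). It assumes, as the index lookups suggest, that the stored values were plain unsalted SHA-256 digests; the storage format, the PBKDF2 work factor and the sample rows are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
LEGACY_SHA256 = re.compile(r"[0-9a-f]{64}")


def legacy_sha256(password: str) -> str:
    """Plain unsalted SHA-256: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash stored as scheme$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login. Returns (ok, replacement): replacement is a new salted
    hash to persist when a legacy row verified, otherwise None."""
    if LEGACY_SHA256.fullmatch(stored):
        ok = hmac.compare_digest(legacy_sha256(password), stored)
        return ok, (hash_password(password) if ok else None)
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False, None
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex)), None
    except ValueError:
        return False, None  # malformed row: fail closed


def audit_password_column(rows):
    """Count legacy digests and how many accounts share a digest with another."""
    values = [r["password"] for r in rows if r.get("password")]
    legacy = [v for v in values if LEGACY_SHA256.fullmatch(v)]
    counts = Counter(legacy)
    return {
        "with_password": len(values),
        "legacy_unsalted": len(legacy),
        "accounts_sharing_a_digest": sum(n for n in counts.values() if n > 1),
    }


# Constructed sample rows (not data from the report). Users 1 and 3 chose the
# same password, so their unsalted digests are byte-for-byte identical.
SAMPLE_ROWS = [
    {"id": 1, "password": legacy_sha256("sommer2017")},
    {"id": 2, "password": legacy_sha256("correct horse battery staple")},
    {"id": 3, "password": legacy_sha256("sommer2017")},
    {"id": 4, "password": None},  # e.g. signed in through a third party
]

if __name__ == "__main__":
    print(audit_password_column(SAMPLE_ROWS))
    ok, replacement = verify_and_upgrade("sommer2017", SAMPLE_ROWS[0]["password"])
    print(ok, replacement.split("$")[:2])
```

Because an unsalted digest depends only on the password, one precomputed index answers lookups for every database that uses the scheme; the per-user salt and the iteration count remove both properties, and upgrading on successful login migrates rows without forcing a reset.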

It also found Facebook user IDs (“fb_user”) and access tokens (“fb_access_token”) stored in the repository for some of the listed TVSmiles users — presumably for those who used a Facebook account to login to the app.

“Not all data points were present for all users – for example, the Facebook specific fields would likely only be present for users who had connected with their Facebook identity, and users who had authenticated via Facebook would not inherently need to create a password for the app due to the functionality of that authentication method,” UpGuard suggests.

The exposed repository contained more than 312,000 access tokens tied to Facebook IDs, according to its analysis.

Screengrab: UpGuard

It also found a large collection of personal data stored in a table related to end user devices — which it said were linked to tracking tokens, ad IDs and user rewards.

“A table called “device_core” contains 7.5 million rows tied to physical devices,” UpGuard writes. “These devices have unique device ids, access tokens, and mappings to the user ids of their owners. Those device ids, in turn, are then relevant to a “tracking_token” table consisting of 235 million entry rows.

“The rows in the tracking_token table include fields such as campaign_id, placement_id, user_payout, and challenge_id, building up a picture of the TVSmiles activity – like which ads and activities users responded to – on each device – which can then be linked back to the user.”

Other personal data found in the repository includes precise location data — “users’ latitude and longitude” — with a related admin view configured for a database named “full device info”, which UpGuard says highlights “the “tracker_name,” a token value, and the nearest weather station”.

It also found a collection of “insights” related to TVSmiles users — listed in the form of “intents, interests, and other psychographic qualities”.

“These subjects ranged from consumer goods (e.g. books, video games, furniture, and clothing) to the user’s education and more esoteric interests,” the report notes.

Redacted screengrab: UpGuard

As well as storing (unencrypted) personal data attached to millions of users of the TVSmiles app, and hashed passwords for more than half a million of these entries, the exposed repository was found to contain information related to a number of the company’s own business clients — also tied to access tokens.

“It is reasonable to interpret these names as business clients, who have paid to publish ads on TVSmiles or have access to insights gleaned from end-user app interaction,” UpGuard writes of the “business_clients” table.

“These business users’ hashed passwords, phone numbers, email addresses, names, and other data points were also present. Conversely, TVSmiles’ own credentials for interacting with vendors necessary to provide the TVSmiles platform, like ad exchanges, fraud detection platforms, and email communication scheduling, were also present.”

UpGuard suggests that a hacker who stumbled across the unsecured bucket may have been able to use the tokens to gain access to a number of additional services where they could potentially obtain further user data — such as by exporting contact data; accessing or sending mail via a third party service; or reading historic service information and performance metrics.

“If this database had been located by malicious entities, prior to UpGuard discovering it and sending appropriate notification, the possibility exists that such credentials could have allowed an attacker to impersonate TVSmiles and collect additional information about arbitrary targets from those other platforms and service providers,” it adds.

Zach confirmed the data contained “legacy access tokens” — but said they stem from a deprecated login methodology that had since been replaced with an OAuth-based sign-on service.

“The data originates from August 2017. Any contained access tokens would therefore have expired by now,” he told us, saying TVSmiles has not yet notified any business partners on account of seeing “no major risk based on the nature and age of the exposed tokens”.

“We would however not hesitate to contact and take action if we have underestimated or overseen risks,” he added. 


Questions of consent

After reviewing UpGuard’s report, Wolfie Christl, an EU-based privacy researcher who focuses on adtech and data-driven surveillance, called for EU data protection agencies to launch an immediate investigation.

“This is a massive data breach. But it is about more than that. It provides a glimpse into an opaque industry consisting of thousands of companies that secretly harvest extensive personal information on millions of people for business purposes,” he told TechCrunch.

“According to the leaked database, the company has digital profiles on 6M people and 7.5M devices. It seems that they linked names, email addresses and phone numbers to device identifiers, social media accounts, and to all kinds of behavioral data.

“Data protection authorities in Germany — and perhaps in other European countries — must immediately start an investigation. In addition to the data breach, they must examine whether the company, and its affiliates and partners, processed this extensive amount of personal data in a lawful way. Did they have a legal basis to process it?”

Screengrab: UpGuard

“The wider issue is that, two years after the GDPR came into full force, it has still not been enforced in major areas,” Christl added. “We still see large-scale misuse of personal information all over the digital world, from platforms to digital marketing to mobile apps. EU authorities should have acted years ago, they must do so now.”

In its privacy policy, TVSmiles states that it only uses app users’ personal data “to the extent that this is legally permissible or you have given your consent… for the purposes of advertising, market research or the needs-based design of our offer”.

“We are obtaining user consent to the use of data and have created a dedicated section within our app to obtain consent like location data, advertising identifier, sharing of personal data with advertising partners,” Zach told us on this, adding that consent information is provided to “various advertising and tracking partners” — assuming users agree to be tracked via responses to its consent flows (shown below).

Screenshots: TVSmiles

References to a number of third party adtech companies can be found in TVSmiles’ repository, per UpGuard, suggesting it was making use of their services for data structuring, enrichment and monetization purposes — including Adex, a data management platform and marketplace whose website touts the “easy selling and purchase of data”; Adjust, a mobile measurement and fraud-prevention firm geared towards mobile marketing; mobile app monetization company, Fyber; and product user behavior analytics platform, Mixpanel.

Another interesting component in this story is how TVSmiles’ business straddles the TV and online advertising realms. Its business began, more than half a decade ago, with a firm focus on the notion of being a ‘second screen’ app for TV viewers — including by using audio technology to automatically identify TV ads in order to serve related in-app content. This means it’s forged links with traditional media giants.

Back in 2014, for instance, it inked a marketing partnership for its app in Austria with European media giant ProSiebenSat.1’s marketing subsidiary, SevenOne Media. At the time ProSiebenSat.1 PULS 4’s MD, Michael Stix, billed the move as a “strategic step” to integrate brand communication on the second screen, lauding the tie-up as a way to offer advertising customers “additional novel touchpoints” for their target group.

But the rise of smart TVs and digital sign-ins has paved the way for deeper linking of Internet activity and TV viewing. Especially as traditional mass media giants have been looking for ways to diversify their media businesses, with more competition for viewers’ eyeballs than ever before.

Behind all these screens a complex mass of adtech pipes is exchanging data linked to individual users — trading IDs and insights to join dots and serve targeted ads. So connected “touchpoints” are now very much integral, not secondary, these days.

UpGuard found labels (see below screengrab) in the exposed TVSmiles repository that refer to “seven_pass”: Aka a single sign-on solution for all ProSiebenSat.1’s digital services, called 7Pass.

An FAQ on TVSmiles’ website confirms TVSmiles users are able to use the 7Pass service to log in to the app.

Screengrab: UpGuard

In its privacy policy, TVSmiles states that “pseudonymized” data of users of the 7Pass login is sent to ProSiebenSat.1 Digital & its affiliates and to other affiliated companies of ProSiebenSat.1 Media SE — including quiz response data.

“In addition, survey data collected and provided by you via survey cards in the app are also transmitted pseudonymised to ProSiebenSat.1 Digital & Adjacent GmbH and other affiliated companies of ProSiebenSat.1 Media SE in order to enable you to use special quiz cards in the app, bring in more smilies and be able to offer special promotions in cooperation with ProSiebenSat.1,” it adds.

Of course, much like weak password hashes, “pseudonymised” personal data can be trivially easy to re-identify — such as by unifying tracking IDs.

Asked about the 7Pass service, Zach said TVSmiles had replaced its legacy user management with ProSiebenSat.1’s digital sign-on service — claiming the main objective was “to leverage a trustworthy well maintained sign-on service by a larger partner and remove the need of self managed credentials and access tokens”. 

“Given the sensitivity of user data and access credentials it seems like a wise choice in light of this case,” he added. 

In a more recent business development, TVSmiles sold its development division and adtech to a company called PubNative in December 2019. PubNative is a mobile SSP and programmatic ad exchange owned by a German holding company called MGI Media that’s made a large number of media and adtech acquisitions in recent years (as well as being majority owner of free-to-play gamesmaker, Gamigo).

At the time of this “acqui-hire” TVSmiles and PubNative suggested an ongoing business partnership. “As we recently branched into Connected TV, PubNative’s advanced tech stack supports our continued growth and allows us to expand our business internationally. Advancements on demand-side business development will be introduced gradually across the entire product line,” said Zach in a press statement at the end of last year.

Asked about the nature of the business relationship between TVSmiles and PubNative, Zach confirmed it sold “certain people and technology” to PubNative but retained its mobile apps and user base, adding: “No user data has been shared with PubNative and they have no involvement in this case.”

However he confirmed TVSmiles uses advertising technology provided by PubNative. 

“This technology (SDK) is built into the TVSmiles app. Data sharing is limited to those authorized by user consent for advertising use,” he added.

A static analysis by Exodus suggests the TVSmiles app contains more than 40 trackers — including PubNative’s. This plus the fact the TVSmiles repository was found by UpGuard to be storing precise user location data is interesting in light of a separate report, published in January, by Norway’s Consumer Council (NCC) — which delved into how the adtech industry non-transparently exploits app users’ data.

The NCC report identified PubNative as one of the entities receiving GPS data from a number of apps it tested (NB: it did not test the TVSmiles app). The Council found a majority of apps that it did test transmitted data to entities it characterized as “unexpected third parties” — meaning users were not being clearly informed about who was getting their information and what was being done with it, in its view.

Other SDKs contained in the TVSmiles app, per Exodus and a list of software suppliers in TVSmiles’ privacy policy, include Facebook Ads, Analytics and Places; Google Ads, Analytics, DoubleClick & more; and Twitter MoPub. Also present: A longer list of smaller adtech and mobile marketing/monetization players, from AdBuddiz to Vungle.

“Looking through the Exodus report most of these trackers stem from advertising technology that is being used within TVSmiles app,” Zach also told us.
