chevron-down Created with Sketch Beta.
August 10, 2023 Feature

Privacy-Friendly Aspects of Blockchain in Digital Advertising

Michiel Van Roey

A large part of our time spent online and on social media platforms we are being subjected to online targeted advertising. The online advertising (Ad Tech) market is reliant on the extraction, exploitation, and sharing of billions of consumers’ personal data with numerous companies (unknown to you) for the sole purpose of delivering ads that manifest in sales. This process of data sharing creates a complex web of privacy risks.

Privacy Problems in Online Advertising (Ad Tech)

When user data is transmitted to multiple parties, the risk of unauthorized access and data leakage significantly increases, potentially exposing sensitive information to malicious, self-interested actors. The lack of transparency makes it difficult for users to know exactly which entities have access to their data and how it is being used (or exploited). The different stakeholders in the Ad Tech industry are aware of the numerous privacy abuses inherent to this system, but nonetheless continue to take advantage of it. There are several reasons that explain this behavior.

Ad Tech Is a Billion-Dollar Industry

Online advertising is a lucrative business, expected to reach USD 982.82 billion by 2025. This model is entirely based on collecting as much personal data about consumers as possible (often without their knowledge or consent) while also increasing their screen time. Every second and click (literally) counts. What is being bought and sold by brands, ad agencies, and social media companies is people’s attention and engagement, at a cost-per-view (CPM, per 1000 views) or cost-per-click (CPC) rate (namely each time someone clicks an ad). For example, Facebook’s average CPC is approximately USD 1.72 worldwide; and each user clicks (on avg.) on 12 ads per month. In the US or Canada, Facebook has an average revenue per user around USD 163.86 per annum.

It Allows for Personalization (Despite Privacy Noncompliance)

The online advertising ecosystem offers a unique advantage over traditional advertising channels such as TV, press or radio stations: “personalization.” People’s online activity can be tracked, monitored, and processed to obtain a detailed profile of each individual revealing their preferences and interests. Conceptually, this is a good idea because knowing the interests of someone allows platforms and brands to show them ads and content that interest them. However, the obsession for personalization has led to the development of a sophisticated tracking ecosystem mainly motivated by the advertising industry. This ecosystem goes further than the online activity of people as the proliferation of smartphones and other smart devices allows platforms to also track every physical movement and precise location of an individual.

The prevailing model used in the Ad Tech space in programmatic advertising, called “Real-Time Bidding” or “RTB” involves an auction-based system whereby advertisers bid in real-time for ad placements on websites. In order to present you with the best ad at the right time—and in order to maximize the chances that you buy a product or service displayed—social media platforms and ad companies need to sell your attention and online behavior to the highest bidding business/organization. They therefore collect a large amount of personal data about you in order to present brands with the most accurate picture of who you are and what you like. Some of this data is collected directly from you, whereas other information is collected via cookies or other third parties.

What Alternative Do Brands Have?

Many businesses use online advertising because they do not have many alternative options. Today, if a brand wants to have an online presence, they have no option but to resort to the advertising services that Facebook, Instagram, and Google provide.

Ad Tech Change Is Coming

This sophisticated tracking ecosystem has led to scandals that have prompted concern and reaction by people as well as public administrations. As further explained below, recent privacy laws are making it increasingly difficult for the Ad Tech industry to continue its current course, and alternative technologies are emerging to replace third-party tracking cookies. In addition, despite all of this tracking, the

Ad Tech industry still largely fails to show people ads that are of real interest. The result is that many people consider online ads to be annoying and useless, which (along with the perception of privacy intrusion) has induced many people to install ad blocker solutions.

Privacy Laws around the World—A First Step in the Right Direction

In recent years, several administrations have developed modern privacy and data protection legislations that render illegal many of the practices conducted in the past (and those that are still ongoing today) by online Ad Tech stakeholders. Examples are the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) and its successor the California Privacy Rights Act (CPRA), the Brazilian Data Protection Law (LGPD), Protection of Personal Information Act (POPI) in South Africa, and many more.

These privacy laws set out uniform rules that relate to the processing of personal data from individuals by organizations. Most of these legal efforts include similar principles and objectives, putting in place requirements for brands for properly collecting and handling personal data, laying down rights for individuals (often called “data subjects”) whose data are being collected and processed, and imposing large fines for violations (e.g., Article 83 of the GDPR establishes a tiered approach to fines based on the severity of the violation, with the maximum fine set at 4 percent of the annual global turnover or €20 million, whichever is higher.)

Large fines up to USD 1.2 billion have been given to social media platforms Whatsapp, Facebook/Meta, TikTok, and Twitter as well as Ad Tech’s largest player, Google, for numerous privacy infractions linked to the collection and use of people’s personal data. For each of these tech giants, the main source of income comes from digital advertising dollars. Although these fines send a strong message to the Ad Tech industry that their current privacy infringements have (far-reaching) consequence, they are not sufficient to change the system. It will also take awareness and even action from the people, who seem more and more aware that the issue exists.

ConsumerS’ Awareness Increases, and They Want to Act

Although today people have little control over the use of their personal data by brands in the digital Ad Tech space, it seems people are becoming increasingly aware of these privacy problems and are willing to act. A recent consumer privacy survey conducted by Cisco Systems shows that people care about their personal data and want to actively take action to protect it. The study showed 84% of people “care”; 80% of people are “willing to act”; and 48% of people have already “acted,” for example, by switching providers based on their data policies or data sharing practices. These insights show that 91 percent of the so-called privacy actives won’t buy a product or service anymore if they don’t trust how their data are being used. Finally, the study showed people feel they are unable to protect their personal data, naming as one of the biggest challenges how to figure out what companies are doing with their personal data.

The End of Third-Party Cookies—A Welcome Milestone towards Privacy-Preserving Ad Tech Solutions

Another proposal which will combat the misuse of personal data in the Ad Tech industry is the elimination of third-party cookies, the most widespread technique to conduct privacy-threatening tracking of people on the web. Several solutions are emerging in what is called the “post-cookies era” in the context of online advertising:

  • As a first, Google proposed FLOC (Federated Learning of Cohorts), a solution where people will be assigned to a cohort formed by N (N > 1000) users, and only the cohort ID of a user will be revealed to third parties. While Google announced the cessation of cookies in Chrome browser (responsible for two-thirds of the browser marketplace) by the beginning of 2022, they’ve recently delayed this event to 2023 (or even 2024), and it is still uncertain what will be the outcome of this process.
  • A second group of solutions, known as PDPs (Personal Data Platforms), offer what can be considered as consent-based advertising. PDPs handle people’s data, typically offering an individual the option to control his or her data and with whom it can be shared. This allows people to participate in the online advertising through a consent-based process.
  • A final group of solutions offers privacy-preserving advertising approaches called zero knowledge advertising, namely an advertising ecosystem where no personal data from an internet user is leaked or shared with third parties (i.e., advertisers, publishers), and where the individual still receives relevant ads anonymously. In order to operate such a system, both blockchain and (decentralized) digital identity are used.

While these pioneering solutions represent doubtlessly important contributions to the field, they still have some limitations. For instance, some of them only operate as a walled garden, limiting their operation to specific venues. Other approaches, such as FLoC or PDPs, do not offer the possibility of running full-private advertising processes (a.k.a. Zero Knowledge Advertising) or enable auditability.

Blockchain and Digital Identity: An introduction

Blockchain

A prominent technological development undergoing rapid adoption in recent years is blockchain. It facilitates the recording of transactions and tracking the ownership of assets, whether physical or digital, within a network. The term “decentralized” signifies the absence of a traditional centralized authority or intermediary that guarantees transaction validity or validates asset ownership. Blockchains are designed as “immutable,” append-only ledgers, allowing data to be added but not removed except under extraordinary circumstances.

While blockchain technology gained prominence with the rise of virtual currencies like Bitcoin, its applications extend far beyond cryptocurrencies. Its potential is often compared to that of the TCP/IP protocol suite, which underpins the functioning of the internet as we know it today. Blockchain enables a vast range of business models and industries, encompassing (decentralized) FinTech products like crypto-securities, smart property registers, peer-to-peer lending, decentralized crowdfunding, financial instrument trading, and much more.

Digital Identity and Self-Sovereign Identity

Digital identity refers to the unique digital representation of an individual or entity that allows them to interact, transact, and authenticate themselves in the digital realm. In the blockchain ecosystem, decentralized digital identity or self-sovereign identity (SSI) serves as a mechanism to establish trust and secure interactions between participants. Where traditional identity systems rely on centralized authorities for identity verification and authentication, SSI empowers individuals to control their digital identities themselves by leveraging cryptographic techniques. Individuals can create self-sovereign identities that are portable, secure, and resistant to manipulation or unauthorized access.

Blockchain and Digital Identity: Transforming Digital Advertising

Integrating blockchain and (decentralized) digital identity solutions in the online Ad Tech system can significantly enhance privacy and transparency and combat the existing privacy issues. Because users provide consent for data access and control how their information is used for the purpose of delivering ads, it constitutes a more transparent and user-centric approach to data management than the current online advertising data collection and sharing practices. In this section, we briefly highlight certain privacy-friendly benefits that can be achieved by integrating blockchain and (decentralized) digital identity solutions in the digital advertising ecosystem.

Enhanced Data Privacy and Consent Management

Blockchain-based digital identity solutions would enable users to manage their consent preferences efficiently. Users would have granular control over which (categories of) advertisers can access their data. Through smart contracts, users could define the terms for the use of their data for advertising purposes.

Secure Data Sharing and Storage

As discussed above, brands are gathering customer data through surveillance mechanisms such as third-party cookies, allowing them to set up retargeting campaigns and email. However, much of this observed consumer behavior is accurate, making these campaigns inefficient in terms of conversion. By using consent-based advertising combined with digital identity, brands would be able to obtain personal information from the individual consumers themselves, while at the same time guaranteeing only the approved brand receives this information. When a user’s consent is given, their data would be securely shared with only specific advertisers through encrypted channels. Other Ad Tech players that are not identified with unique decentralized identifiers (DIDs) would not have access to such data.

Ad Tech players that process personal data can store such data in an “off-chain” repository, such as a cloud, or on a sidechain that is not public, and store on the blockchain only hashed identifiers or immutable proofs of the existence of such data, rather than the data itself. This combination of on-chain and off-chain storage allows organizations to avoid storing personal data as a “payload” on the blockchain (i.e., revealing the actual information transmitted, as opposed to metadata) while also allowing blockchain transactions to serve as mere pointers to the personal data.

Data Ownership and Monetization

Blockchain enables users to assert ownership over their personal data, empowering them to choose how their information is shared and monetized. Users can participate in tokenized ecosystems where they are rewarded for sharing data with advertisers, thus establishing a more equitable value exchange. Tokenization of advertising dollars will work well considering adverts are high-volume, low-value transactions on a global scale. Advertisers would be able to instantaneously pay out consumers for access to their data. These tokens can then be used within the ecosystem or exchanged for other goods and services, creating a fair value exchange between users and advertisers.

Contextual Targeting without Revealing a User’s Identity

In addition, blockchain-based platforms can leverage privacy-preserving techniques, such as zero-knowledge proofs, to enable contextual targeting without revealing specific user attributes. This approach ensures effective ad targeting while preserving individual privacy. With zero-knowledge advertising technology, which can even be integrated in the RTB and online Ad Tech system, each user is identified by a unique ID or avatar and uses a peer to peer (P2P) network formed by other users to hide their real identity. This P2P network guarantees that all communications started by user’s avatar A in device X are routed through other members of the P2P network towards their final destination (the website or social media platform ad space). By doing so, no third party can know the actual IP address of the device X involved in the communication, which means no third parties can retarget a user in the future, guaranteeing anonymity for a user who sees an ad.

Auditability

By using blockchain in the RTB and Ad Tech process, all executed transactions for the delivery of an ad are cryptographically signed by the involved players and stored in the blockchain. All players involved in a transaction provide undeniable proof of their agreement. Upon a dispute, e.g., a user rejecting its granted consent to an advertiser or an advertiser still using data from a user after the consent revoking process has been executed, the proofs available in the auditable transactions’ repository can be accessed to settle the dispute since they provide undeniable guarantees of the actions taken by each party.

A More Privacy-Friendly AdTech Future

As privacy concerns continue to dominate public discourse, the digital advertising industry faces the challenge of balancing personalized marketing with individual privacy. By leveraging blockchain technology and digital identity solutions, a privacy-preserving digital advertising ecosystem can be fostered. However, blockchain and digital identity technologies are still in an early stage of development. Several of the large blockchains (e.g., Ethereum) are still working on scaling issues, and companies like IOHK (behind the Cardano blockchain) have only recently launched the first MVP versions of their digital identity solutions. Although advantages highlighted above would be a clear win for consumers, it will likely still take a couple of years before the Ad Tech industry adopts a more privacy-friendly approach (which might include blockchain and SSI).

    Entity:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Michiel Van Roey

    Profila GmbH

    Michiel Van Roey is a technology and privacy lawyer at the Dutch Section of the Brussels Bar Association, Belgium, senior legal counsel at Cisco Systems Benelux, and co-founder and general counsel at Profila GmbH.