Meta, Yandex and the quest for UIDs

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition, advertising and music for decades and I’m now a pundit writing for The Monopoly Report. I’m hosting another ASK ME ANYTHING session this Friday, June 13 at 11:30am EDT.

Our latest Monopoly Report podcast is out with part ONE of my interview with Jonathan Kanter, former Assistant AG for Antitrust with the U.S. Department of Justice. Jonathan and I talk about the recent evolution of antitrust enforcement in the U.S., and how that might impact the DOJ search trial taking place against Google.

Want to connect UIDs to data? There’s an app for that!

According to a research report, (and as reported by Ars Technica and the Washington Post) Meta and Yandex have figured out how to bypass core security and privacy protections offered by both the Android operating system and browsers that run on it. As a result, both companies were able to pass cookies or other identifiers from Firefox and Chromium-based browsers to their native Android apps for Facebook, Instagram, and various Yandex apps. According to the report, the companies are able to tie all or part of the browsing history to the account holder logged into the companies’ respective apps as a result.

At risk of stating the obvious, a few preliminary thoughts:

1. I have no idea whether these allegations are true.

2. If true, this all comes off as pretty shady behavior.

3. I hope Meta and Yandex are willing to share their side of the story at some point.

4. I think there’s some interesting points to be made regardless.

Is this just a lil’ bit of history repeating?

Here’s what comes to mind for me when I think of all this: widgets and buttons circa 2012.

I’m guessing that not everyone reading this article can remember this far back, but there was a time when the big trend was to augment your footprint by creating sharing buttons and widgets and placing them all over the Internet.

It was a huge land grab. Most of the social platforms and others in big tech and little tech alike had significant distribution via these types of buttons and widgets back in 2012 (give or take).

Widgets and sharing came to mind because the data flows as between the widget / button era were very similar to what Yandex and Meta were doing over the past couple of years. Back in the day, buttons and widgets would typically collect data regardless of whether or not the users interacted with them.

Yes, the tech giants claimed that they did not attach the browsing history collected via widgets/buttons to logged in users. Although candidly, I wasn’t able to independently verify those claims. And I certainly had no idea whether the assurances that Facebook and others provided in 2012 re: de-identification were maintained into 2013 and beyond. As is often the case with big tech, we just had to take their word.

Wait - so all this is Kosher?

I’m not saying that what is being alleged re: Yandex or Meta is OK. I made that point emphatically here. I’m just saying that what’s being alleged by Ars Technica and the others sounds an awful lot like the way buttons and widgets operated in the browser world over a decade ago.

In fact, this type of data flow was generally accepted back in those days (see an email discussion on the subject w/in the W3C Tracking Protection WG.) There were definitely privacy advocates that didn’t like the idea at all, but it was certainly accepted within much of the ads space as being in line with DAA standards.

For the record, I was uncomfortable with some of the distinctions being drawn about widgets - and had a real problem with the reality that data collected via buttons like AddThis was being considered “third-party” while the data collected via buttons from the tech giants default to “first-party.”

(I’ll save my first/third party data rant for another day. Maybe when we’re all back from Cannes.)

What can be learned from all this?

My overall points today are:

1. I struggle with the distinctions that are drawn here in the ads space.

2. One person’s unique data collection play is another person’s exploit.

3. “Do as I say, not as I do” is the motto of a rigged game.

Unfettered data exploitation might just be the new normal

I recently wrote a TMR thought piece analyzing what Perplexity’s CEO announced that he planned to do once they built or got control of a browser. The tl;dr of that article was that Perplexity contemplates using its browser’s URL string in a way that is far more aggressive than browsers have historically operated. Remember, folks: Perplexity is one of the companies that will certainly make a bid if/when Google is forced to divest Chrome.

If anything, big tech companies are looking to expand upon what is already a pretty sizable footprint. And in many (most?) contexts, that footprint leads to actual, identifiable people.

Meanwhile, in the land of the ad techs….

For some reason, a large segment of the ad tech community continues to self-flagellate over the use of pseudonymous UIDs. Are our UIDs really less privacy safe than their UIDs? Are big companies really that much more trustworthy than little companies in terms of how they use those UIDs?

If not, what are we in little-tech accomplishing by getting rid of UIDs at the very time that big tech seem to be expanding their use of UIDs?

Competing on privacy is laudable - bringing a knife to a gunfight is not helping us compete.

__________________________________________________________________________

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.