Addressing the Adalytics report – investigation results
- Posted by Mathieu Roche
- On Dec 20, 2021
20 December 2021
Following the Adalytics research reported in a TechCrunch article published on Friday, Dec 17, the ID5 team has paused all its activities in Europe and launched a thorough analysis of the suggestion that we were storing cookies on users’ devices even when they did not consent to us processing personal data about them.
We have been able to replicate the issue reported in the Adalytics research. We used IP geolocation as one of the main criteria to determine if GDPR should apply to personal data processing. Although this approach is praised as a best practice in the Adalytics research, it is not bulletproof. In this case, Adalytics tried to simulate the behaviour of a Europe-based visitor (while running their tests from a non-GDPR jurisdiction) by using a VPN to mask their real origin. Because of this artefact, the HTTP header of their request included a parameter (“x-forwarded-for” or XFF) linking to an unknown IP address. As a result, our geolocation service wasn’t able to correctly localize this user in Europe.
We recognize that our decision to prioritize location over signals wasn’t protective enough of users’ preferences. We have therefore decided to apply a double verification (gdpr = 1 OR user IP address = Europe) to broaden the rules of inclusion of consent strings in our data management process. This modification was implemented on the morning of Saturday, December 18. From then on, requests carrying the gdpr=1 flag or coming from someone in Europe (and not including a valid consent for ID5 to access the device of the user and process personal data) are discarded and ID5 doesn’t provide an ID5 ID or initiate cookie matching calls.
We believe that the digital advertising industry needs a standard framework to enable the management of people’s preferences. The IAB Transparency & Consent Framework is the best initiative to achieve this goal. We will continue to engage with the IAB as well as our publisher and technology partners to improve the framework and better respect users’ choices.
Despite what privacy zealots claim, it is critical to strike a balance between reasonable, consented use of personal data and free access to digital content and services. A strong privacy-by-design approach will allow us to maintain this balance and continue to power the advertising business model of the Internet. It is ID5’s ambition to lead the industry’s efforts in that matter, and we will continue to improve our services to respect people’s choices as required by regulations globally.
Co-founder & CEO