13/03/2023

In the midst of ongoing scrutiny and concerns with competition in the ad tech industry, tech players are racing to develop a solution to replicate the tracking ability of third-party cookies while meeting heightened consumer privacy expectations. There has been a growing focus on moving away from the use of third-party cookies, including Apple’s implementation of App Tracking Transparency, and Google’s commitment to phase out third-party cookies.   Now a consortium of European mobile carriers have teamed up to implement their own solution called TrustPid, which the European Commission has recently cleared as having no competition concerns

What’s the problem being solved for?

Cookies are essentially bits of information which record web usage.  There are two types of cookies.  First-party cookies are generated by the website you are visiting, and capture information about how you are using the website (e.g., what you are putting in the shopping cart).  First-party cookies can only be accessed and used by that website and help enhance the user experience (e.g. by enabling automatic user log-in rather than remembering passwords).

Third-party cookies are generated by a domain other than the website you are visiting, such as a social media or advertising platform.  As with a first-party cookie, they capture your usage on the web-site, but the information captured by the third-party cookie is available to the third party who generated the third-party cookie, not the website you are visiting.  Most third-party cookies have a tracking function, collecting information about your usage across the internet.  Using this information, ad tech providers can build a profile of your interests that they use to target advertising (so it’s not really Siri listening to your conversations).

The demise of third party cookies is at hand.  Prompted by the pop up notices, users are increasingly blocking third party cookies, with some estimates that 40% of third-party cookies are now blocked.  Regulators, including gin the EU and California, are moving to treat third-party cookies as personal information subject to stricter privacy rules.

Since then, Google has hit roadblocks in developing a replacement for third-party cookies that has led to it extending its deadline for phasing out third-party cookies from 2022 to 2023, and then to 2024.  Google’s initial proposal, called Federated Learning of Cohorts (or FLoC), which proposed to bundle (or ‘flock’) users together into semi-anonymous groups with similar browsing habits, was permanently shelved in 2021 after strong criticism from competitors, consumer advocacy groups and regulators about its privacy implications.

Most recently, Google has proposed its Topics API (find out more here), which provides websites and advertisers only with high-level information about user interests, e.g., ‘Auto & Vehicles’, based on their recent browsing history.  The Topics API currently remains Google’s proposal of choice, and in February 2022 the UK’s CMA accepted binding transparency and consultation commitments from Google regarding its development and use.

However, Topics is not without criticism – though regulators are yet to have made a final judgment call, the World Wide Web Consortium’s Technical Architecture Group (TAG) indicated that the Topics API ‘does not achieve’ the protection of users from ‘unwanted tracking and profiling’.

European Telcos enter the fray

On 6 January 2023, the EC received a notification from four European mobile operators (Deutsche Telekom, Orange, Telefónica, and Vodafone) regarding their plan to create a JV offering a “privacy-led, digital identification solution to support the digital marketing and advertising activities of brands and publishers” which operates on the basis of creating pseudonymised tokens based on a user’s network subscription provided by the participating network operators.  As the JV was between erstwhile competitors, the mobile operators sought approval from the EC.  On 10 February 2023, the EC has unconditionally approved the creation of this JV, concluding that “the transaction would raise no competition concerns”.

This JV appears to be implementing the solution Vodafone and Deutsche Telekom started trialling in Germany in June 2022, currently named TrustPid. Vodafone has described TrustPid as “an alternative to the dominant platforms and a counter-design to the third-party cookies still present today.”  The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) had been informed of the trial, and Vodafone states there are in ongoing discussions with the BfDI about the solution being trialled. 

How does TrustPid work, and how does it stack up against Topics?

 

Topics API

TrustPid

How does tracking work?

Google Chrome determines key topics of interest for past week based on browsing history.

Topics are kept for 3 weeks then deleted.

Websites (and their advertising partners) can access 3 top topics of users from past 3 weeks.

Telecommunications providers create a ‘persistent’ (i.e., embedded) pseudo-anonymous token based on a combination of a user’s IP address and mobile number. The TrustPid would be treated as ‘personal information’ for GDPR purposes, and is not disclosed to advertisers.  Instead, when a user visits a website, the TrustPid, in turn, generates additional temporary marketing tokens (website specific tokens) lasting 90 days which, subject to consents from the user, would be provided to the advertiser.  Advertisers cannot trace back these tokens to your IP address or mobile number.

A different website specific token is generated for each advertising partner to prevent merging data from different advertising partners to create customer profiles.

User controls and transparency

Users will be able to view the topics Chrome has identified, remove topics, or disable topics through Chrome settings.

When a user has given consent, advertisers and publishers will use the website specific tokens to provide the user with targeted online marketing, or conduct analytics.  Users have access to a TrustPid portal, where users can view the consents that have been given, revoke consents or block the TrustPid service.

What information do advertisers get?

Chrome will use a limited set of topics selected from a human-curated, publicly visible list. The list proposed contains around 350 topics to reduce the risk of fingerprinting.

The details are still unclear, but at some level TrustPid will store the customers’ browsing history and sell it to advertisers, in a de-identified form.

By use of the pseudo-anonymous tokens, TrustPid will not enable third party advertisers to directly discover who you are; the use of different tokens for each advertiser mitigates against ‘triangulation’ (cross tracking) of your usage across the internet, and the portal gives you the ability to manage who gets to access and use those tokens you generate, including to block outright any use (and the TrustPid service itself).

Competition issues

The EC’s consideration of the competition issues around TrustPid was quick. The EC was satisfied that the transaction would raise no competition concerns on the basis that the TrustPid service is structured on a non-discriminatory basis, being open to competing mobile operators to supply inputs.  In downstream sectors, the EC was satisfied that JV would not be able to (or incentivised to) exclude rival advertisers, mobile operators, or other providers of digital identification services. The EC also concluded that there would be no increase in the risk of coordination between the mobile operators, presumably due to TrustPid being a platform with a dedicated function, requiring limited data inputs.

Early criticisms

Since the launch of the trial by Vodafone and Deutsche Telekom in 2022, critics have raised concerns that TrustPid is, ironically given its intention to be an answer to third-party cookies, a ‘supercookie’ because it can be a superior tracking tool due to it being connected to users’ IP address and phone number, making it difficult for users to clear their data history or avoid being tracked.

William Harmer, product lead at Vodafone, says the project isn’t a super cookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was fined $1.35 million by the US Federal Communications Commission (FCC) for having injected super cookies into users’ mobile browser requests without consent. 

It also has been argued that information, such as mobile numbers, which are necessary to route calls through communications networks should not be monetised by the telcos/ISPs but that they should be “custodians of the confidentiality of your communications and your data”.  However, network information has long been used to provide value added services to consumers – such as the display of calling numbers on your mobile and your ability to block display of your own number when making calls. 

More broadly, TrustPid can be seen in a broader context of the ongoing struggle between telcos and OTT providers over where in the vertical network and service stack control of the user experience will sit, including the renewed battle over net neutrality in the context of 5G

The EC’s quick approval of TrustPid might be explained by its ongoing desire to dilute the power of Big Tech (and all the better that TrustPid is an EU innovation).

Authors: Peter Waters, Michelle Xu and Tom Kennedy

Read more: Mergers: Commission clears creation of a joint venture by Deutsche Telekom, Orange, Telefónica and Vodafone

""