Cognitive dissonance
Better than a Feedly, Twitter allowed me to meet exciting people, experts in their field, with an offbeat or incisive point of view on current events. It was also an excellent relay for my writings on adtech and surveillance capitalism. But its abuses, more and more glaring since its acquisition by Elon Musk, got the better of me.
Two articles sum up my feelings on this social network very well:
- "On Twitter, we look down", where the author details his schizophrenia regarding Twitter and why he is still on it.
- "How to Blow Up a Timeline", where the author talks about how exceptional and fragile the magic of Twitter was yesterday.
The last straw that triggered the closure of my account? The renaming of Twitter to X, a detail in Elon Musk's cultural vandalism project. You will now be able to find me on Mastodon, a federated social network, which does not belong to anyone and therefore cannot be controlled by a fascist megalomaniacal billionaire.
Having published a lot on Twitter, sometimes on subjects that deserved an article of their own, I nevertheless wanted to be able to republish my tweets elsewhere. So I followed these 2 steps:
- Downloading my archives via the Twitter site.
- Installing tweetback (thanks @aeris) on my blog, with the help of this article.
My tweets are therefore available here, with a search engine to find tweets on a specific theme, and this post to reference the tweets that I want to find easily.
Honor to whom honor is due: let's start this collection of tweets with the creator of surveillance capitalism.
The godfather of adtech
I had already written an article on "Google's domination of advertising markets"; the monopolistic nature of Google's adtech stack and advertising surveillance are closely linked:
- With the Privacy Sandbox, Google will no longer allow you to be monitored via a user ID? Not really...
- On the possibility of using user identifiers on Google's adtech stack, after the disappearance of third-party cookies from Chrome.
- Still Google's doublespeak on user identifiers.
- Unlike iOS, it is still very difficult to refuse advertising tracking on Android.
- The European Commission in its investigation into Google's adtech weighs privacy and competition, a bad approach.
- The Google Ad-Exchange, or the fraudsters' paradise.
Google Chrome, advertising agent
Browsers are generally called "User Agents"; this is not the case for Chrome, Google's dominant browser:
- A guide to "privacy" in Chrome.
- Google Chrome onboarding, a textbook case for #DarkPatterns.
- “First-Party Set”, a Privacy Sandbox device aimed at continuing tracking within Google sites (YouTube, Maps, etc.).
- “First-Party Set”, a new tracking vector now in Chrome.
- Privacy Sandbox, ePrivacy applies (CNIL) and consent is therefore mandatory.
You can delve deeper into the Chrome subject with 2 of my articles:
- "The problematic HTTP header sent by Chrome to Google."
- "End of third-party cookies on Chrome and Privacy Sandbox: sham privacy protection."
Google Analytics, the advertising Trojan horse
In its minimal configuration, Google Analytics should work without advertising monitoring, but it is not that simple:
- Creating a Google account, or the art of the #DarkPattern to better monitor you.
- Google Analytics #PrivacyWashing.
- On the illegality of Google Analytics, a debunk of the article by @Devergranne.
- A long thread on the illegality of Google Analytics, following the decisions of the Austrian and then French CNILs.
- Does Auchan still use Google Analytics? There is room for doubt.
- The list of complaints from @NOYBeu to the CNIL, for transfer of personal data to the US (Google & Facebook).
Other Google tools
Google adtech, Chrome or Google Analytics are far from being the only tools dedicated to better monitoring you:
- Using Google Tag Manager's Server-Side Tagging.
- Google Fonts, a Trojan horse to monitor you?
- Your conversations with Google Bard are read by humans.
Learn more about the subject by reading my article "Google Tag Manager, the new anti-adblock weapon".
Alias Meta, the worst of surveillance capitalism, a source of inspiration for Google and for all adtech.
Limitless data capture
In my article "With Facebook’s “Resilient Signals,” advertising surveillance evolves", I detailed how Facebook circumvented browser tracking protections. As with Google, abuse of dominant position and violation of your privacy go hand in hand, as I wrote in the article "Facebook and WhatsApp, the art of betraying you". Facebook is doing everything it can to capture more and more user data:
- How Facebook adapts to browser protections and other adblockers.
- Facebook advertising tools use fingerprinting on third-party apps, for example with Duolingo.
- In particular, Facebook collects data from your phone's accelerometer.
- Data sharing between WhatsApp and Facebook/Meta.
- Moderation on WhatsApp, your messages are not always private.
Partnerships with the whole world
2 interesting examples, but Facebook has interfaced its advertising ecosystem with all the tools that matter:
- A partnership with Criteo on Facebook and Instagram.
- Shopify is launching into targeted advertising (on Facebook, etc.), with data from its customers.
Violating the law, a specialty
Facebook makes fun of regulations and the CNIL:
- Cookie banners (ePrivacy), Facebook always makes fun of you (and the CNIL).
- The death course to oppose targeted advertising on Facebook/Instagram.
- On WhatsApp, the journey promises to be just as difficult.
- Facebook's (and Google's) #PrivacyWashing.
Platform monitoring, via “Pixels” & “Conversion APIs”
To bypass your adblockers and other browser protections, Facebook created its “Pixel” and its “Conversion API” (CAPI), which inspired other platforms:
- Facebook.
- Google.
- TikTok.
- Snapchat.
- Pinterest.
- An example of a leak on Greenpeace.
- Another example with Amnesty International.
- A thread of leak examples.
- A study showing the extent of these leaks.
- Lockr, a service to hide your email... and continue advertising monitoring.
I also talk about these data leaks in the article "Guerlain (LVMH): luxury and surveillance".
Apple
As my article "Does Apple really protect you from advertising surveillance?" states, Apple is not perfect when it comes to privacy, but it is generally an ally in the face of surveillance from Google, Facebook and adtech.
A specific definition of “tracking”
Apple has put in place fairly effective mechanisms to protect you from advertising surveillance that do not affect its own business, which has a knack for annoying adtech:
- Advertising industry misinformation about Apple.
- On Apple tracking.
- Apple's arguments regarding its "tracking" vs. the advertising industry's tracking.
- The arguments of adtech lobbyists, anti Apple.
- Debunk of lobbyist Eric Seufert on Apple ATT.
- Apple would favor targeted advertising on its own Apps, complaint from France Digitale.
- Le Geste's complaint against Apple ATT.
- Arguments deployed by apps to track you (ATT pop-ups).
- Apple does not clean up: some Apps continue to track you after you object.
- Facebook notes that it is still possible to monitor Safari users via tracking settings (NB: in private browsing, not anymore).
- Apple “privacy manifests”, an initiative to counter fingerprinting.
Apple loves your personal data
Some Apple practices are problematic:
- The obstacle course to deactivate Siri #darkpattern.
- Apple does not respect ePrivacy on its own site.
Adtech
Alongside Google and Facebook, thousands of companies are “innovating”, often to better monitor you.
Adtech, a huge black box
Almost incomprehensible workings, a multiplication of intermediaries, data leaks and scandals. This is the wonderful world of adtech:
- When one of the creators of "Real Time Bidding" doesn't understand how he could have been re-targeted, it's a bad sign for this opaque industry.
- A group of American senators are wondering which countries personal data goes to as part of “Real Time Bidding”.
- No scandals linked to advertising cookies? Not really, as this long list shows.
- Advertising resellers, the door wide open to personal data leaks and fraud.
- About an essential mechanism for “Real Time Bidding”, cookie synchronization.
- Illustration of cookie synchronization with ID5, a disaster for the user experience and for your privacy.
Identify you, to better monitor you
Adtech has a talent for finding new tracking mechanisms:
- Bypass browser protections and other adblockers? Some, like Tracedock, communicate this clearly.
- In adtech too, we have solutions to bypass browser protections (e.g. Safari ITP).
- First.id, an identifier that would bypass browsers' anti-tracking protections.
- Detail of the "promise" of first.id, in relation to Apple's browser, Safari (and its ITP protection).
- Tracking in adtech still, with the company ID5, specialized in user identification.
- TrustId, or how telephone operators (Orange, Bouygues Telecom, SFR, etc.) want to allow the advertising industry to monitor you using your SIM card.
- Tracking without cookies or consent, free white paper from the IAB.
- Stronger than Google Tag Manager's Server-Side Tagging to bypass browser protections and other adblockers? Zaraz from Cloudflare.
- Taboola (clickbait links at the bottom of articles) has a "cookieless" technology: your email (and the limits of Safari ITP?).
- Deciphering a presentation from Liveramp, one of the leaders in “data”.
Disguised tracking via CNAME aliases
Some adtech players endanger the security of your online accounts by pushing for the use of a domain alias (a DNS CNAME record), just to bypass browser protections. Many French sites do not question this and follow these recommendations. Some examples:
- Criteo pushes the technique to all its customers.
- Eulerian too.
- Another French player offering this option, Mediarithmics.
- American players are not left out, with Adobe.
The solution to this tracking? Firefox with uBlock Origin, and "NextDNS, my new favorite tracker and ad blocker".
Cookie banners, bane of the web
Rather than changing its business model, adtech prefers to ruin your user experience:
- Analysis of the latest version of the advertising consent protocol (cookie banners), the IAB's TCF v2.2.
- TCF deemed illegal? Webinar reaction from Didomi, the leader in cookie banners.
- Two cookie banners on the same site!
- Beautiful cookie banner, on the Ingeniance Tech Blog site.
- A beautiful #DarkPattern from TrustArc on the Starbucks website: a cookie banner that takes more than 30 seconds to validate your refusal of consent.
- AT Internet, consent exemption and third-party cookies.
- Do you use an adblock? No access to Rustica.
- Non-compliant Gens de Confiance cookie banner, quickly corrected!
- L'Équipe, champion of surveillance.
To go further, read "On the legality of IAB consent banners", an analysis of the consent banners offered by Sirdata.
Sirdata
Supplier of cookie banners, behavioral data and “consentless” solutions, Sirdata is an interesting company:
- Consent on a myriad of sites with Sirdata.
- Recycling without consent from Sirdata.
- Sirdata challenges the CNIL’s Google Analytics proxy recommendation.
- With what arguments does Sirdata claim to make Google Analytics compliant with the law (via its product, the Sirdata Helper)?
- Sirdata Analytics Helper and Le Figaro.
- The impunity of Sirdata, the CNIL is absent.
Legitimate interest, the biggest scam in adtech
The biggest scam in adtech? Claiming to have a “legitimate interest” (one of the legal bases of the GDPR) in monitoring you:
- Monitoring you using your IP address, without consent.
- Targeted advertising based on legitimate interest, with the Figaro website.
- Same problem on the Le Figaro App.
- Radio France, Didomi and legitimate interest in targeted advertising.
Positive initiatives
Advertising and respect for privacy are not irreconcilable:
- Firefox and advertising, choices that respect privacy (including IPA, an interesting initiative with... Facebook).
- An interesting proposal from NOYB to replace the horrible cookie banners.
Sites and Applications
This ad surveillance complex would not work if websites and applications refused to use it. But the advertising bonanza is often too tempting.
Abusive conditions of use
Many sites play with the regulations, or even free themselves from them:
- Twitter didn't wait for Elon Musk to spit on your privacy.
- How Microsoft forces you to give up your phone number.
- Decathlon, thorough monitoring with Valiuz.
- The Valiuz personal data cooperative, present on all Mulliez group sites.
- The pernicious update of Doctolib’s terms of use.
- Uber, targeted advertising by default.
- The Elyze App, or how to build a database of political opinions without consent.
To learn more, you can read "Decathlon, all-in on surveillance".
Personal data leaks
It's not just the conditions of use; these rarely correspond to the reality on the ground:
- French publishers such as L'Équipe and Le Bon Coin continue to work with Tapad, a controversial company that has closed in Europe.
- SNCF Connect app: your personal data leaks without consent.
- Cozy Cloud and privacy: promises vs reality.
- A video player on the Les Echos (Digiteka) website leads to massive leaks of personal data.
- The BBC does not comply with the ePrivacy Directive (cookies).
- Registration on the electoral lists and leaks of personal data to AT Internet.
- Real estate loan with Pretto, advertising monitoring included.
- Weather apps and the leak of your geolocation, a love story.
- Personal data leak with the LastPass iOS application.
- Groupama, cookies, #DarkPattern and CNAME.
Covid and personal data leaks
There are lots of fantasies in France about surveillance linked to TousAntiCovid (compared to the little media coverage of algorithmic video surveillance, for example, with France at the forefront of the field as denounced by La Quadrature du Net), but I nevertheless looked at the TousAntiCovid app:
The hypocrisy of the environment
In the category "we like to denounce Google and Facebook, but we forget to sweep in front of our own door":
- The hypocrisy of Amnesty International, first to denounce surveillance capitalism but blind on its own site.
- The hypocrisy of Amnesty International, continued.
- Subscribe to support the press and avoid Google surveillance? A large part of the French press allows Google to manage subscriptions (and your personal data).
- Reaction from the CEO of Le Figaro after the CNIL fine.
- After the CNIL fine, Le Figaro is still flouting the law.
The CNIL, a very frustrating ally
To defend yourself against advertising surveillance, there is regulation, embodied in France by the CNIL. It is well-intentioned and sometimes makes important decisions (against Google or Facebook), but it acts only too rarely and very slowly. Lack of resources or complacency with adtech? Probably a bit of both...
The CNIL and cookies
As the CNIL does not want to apply the law to news sites, abuses are widespread:
- A thread of threads on different types of abuse.
- The good students who then degraded their consent interface.
- “Continue without accepting”, the history of the #DarkPattern promoted by the CNIL.
- “Continue without accepting”, the #DarkPattern of the CNIL widespread on the web.
- “Continue without accepting”, the CNIL’s #DarkPattern generalized on Apps.
- “Continue without accepting”, at the bottom of the banner.
- “Continue without accepting”, with acceptance at the top right.
- Absence of the “Refuse all” button on the web.
- Absence of the “Refuse all” button on Apps.
- Non-essential cookies placed before acceptance on the web.
- Non-essential cookies placed before acceptance on the Apps.
- Non-essential cookies placed after refusal of consent, on the Apps.
- Cookie wall, on the web.
- Cookie wall, on Apps.
- Degradation of the user interface if consent is refused.
- Cookies and video player on L'Est Républicain.
To learn more, read the following articles:
CNIL sanctions
The CNIL therefore sometimes sanctions Google and Facebook. One can regret the slowness of the procedures and the amounts, which are not so large compared to the income of these 2 companies, but these sanctions end up having an effect:
- Advertising cookies without consent at Google and Facebook.
- On the weakness of the CNIL's sanctions against Google and Facebook.
- Luxembourg's sanctions are much more severe.
- The CNIL sanctions Google for the absence of the “Refuse all” button.
- But Google still makes fun of the CNIL.
- If you click "Reject all" on the Google banner, is it still monitoring you? Mystery...
- NOYB's (critical) opinion on the CNIL.