Episode 42: Contextual Integrity in the ads space

Podcast Host

This podcast is brought to you by audiohook, the leading independent audio dsp. Audiohook has direct publisher integrations into all major podcast and streaming radio platforms, providing 40% more inventory than what could be accessed in omnichannel DSPs. What's more, audiobook has full transcripts on more than 90% of all podcast inventory, enabling advanced contextual targeting and brand suitability. Audio Hook is so confident that in addition to CPM buys, they offer the industry's only pay for performance option where brands can scale audio and podcasting with peace of mind mind knowing they are only paying for outcomes. Visit audiohook.com to learn more. That's audiohook.com.

Alan Chappelle

Welcome to the Monopoly Report the Monopoly Report is dedicated to chronicling and analyzing the impact of antitrust and other regulations on the global advertising economy. If you are new to the Monopoly Report, you can subscribe to our weekly newsletter@monopoly-report.com and you can check out all of the Monopoly report podcasts@monopolyreportpod.com I'm Alan Chappelle. This week my guest is Professor Helen Nissenbaum. Professor Nissenbaum is the Andrew H. And Ann R. Tisch professor of Information Science and the founding Director of the Digital Life Initiative at Cornell Tech. Her research spans issues of bias, trust, security, public autonomy and accountability in digital systems, most notably privacy as contextual integrity. While Professor Nissenbaum is really accomplished, she is not necessarily an expert in the ad space. Nonetheless, she has written on a bunch of topics like profiling and privacy enhancing technologies, and Helen is an influential voice within the larger privacy community. She is also someone who has been critical of the ad space and I think it's really important for all of us to listen to our critics. So let's get to it. Hi Helen, thanks for coming on the pod. How are you?

Helen Nissenbaum

I'm fine. Hi Ellen, thanks for having me.

Alan Chappelle

I'm really looking forward to this discussion and hopefully we can we can get this done before the big thunderstorm that's apparently heading to the east coast comes. Yes, my first question is this so the conventional view is is that first party data is more privacy safe than third party data and that view has been encapsulated into the ad industry self regulatory codes and it was a concept that was arguably even supported by the FTC years ago. So can you summarize your understanding of what first party data is and share why you think that notion that first party might be better? It might be misguided?

Helen Nissenbaum

I do think it's misguided and I hope you'll forgive me, because to explain why, I need to talk a little bit about the theory of contextual integrity. There are two common views on privacy. One is that privacy is akin to secrecy. So you have more privacy if the data is withheld and kept secret. And you'll often see that concept of privacy at play in computer science material, even though it's not completely explicated as such. And there's the view of privacy as control over information about yourself. Now, contextual integrity, it partly absorbs those two intuitions, but mainly the starting position is that data flows, and often flow of data is very productive, and we need it, society needs it, different values needed, like health or commerce and so on. So the important aspect of privacy that contextual integrity tries to grab onto is the idea of appropriate flow. So what we mean by appropriate flow, according to this theory, is flow that is constrained by certain contextual norms. They're like social norms or social rules. And those rules depend on various, what I call parameters. But you can say factors. One of the factors is the recipient of the data. So who's getting the data? Like, who's sharing it, who's it about, what kind of data it is, and under what constraints is the data being shared. Now, sometimes a recipient of the data, which we can think about as the first party recipient of the data, could be a problematic recipient. So, for example, if you're commonly, we hear these kinds of examples, you're law enforcement and you're surveilling a population and you're placing people under, you know, there's facial recognition and so on, that is not considered acceptable in a democratic society, then even the first party can be considered problematic. So it really depends on these other factors to determine whether first party or third party. Now, as a matter of fact, it's often the case that when we are sharing information with first parties, we're doing it in a very conscious way. And so as a matter of fact, if you look at the cases of first parties and third parties, we often find that first parties are more acceptable in receiving information about us. But there's nothing required in that.

Alan Chappelle

Okay, that makes sense. And so it's really dependent and sort of at some level that gets to, I would assume, consumer expectations. What would be reasonable for a consumer or for a data subject to think about where the data may ultimately end up going?

Helen Nissenbaum

Expectation is a signal that there's a norm in place. So if something happens, usually then we have expectations around it. And for this theory that I was describing, contextual integrity, expectation is the first line of defense. But sometimes expectation can be wonky. We can expect things that are not good and they have to be studied and so on. But the existence of a norm is often signaled by an expectation so that people, when the expectation is not met. So let's say you're engaging with a website and then you find that these ads, and most people, maybe now less and less so, would think that the ads emanate from the website. Then they learn. No, they actually come from ad networks and, and so on. I'm sure, you know, you know, you've talked a lot about this on podcasts, then they may be shocked. And this doesn't meet expectations.

Alan Chappelle

Got it? Oh no, that, that, that makes sense. And that's, that's always a little bit of a challenge though, because if you're trying to create a mass consumer product, you know, one group of consumers may have absolutely no idea on how, what the inner workings are, and then another group may have a much better sense. And so it's very difficult, I think, to, to cater to a disparate set of consumer interests and expectations.

Helen Nissenbaum

I partly agree with you. And that's the whole discussion of privacy and specifically consumer privacy. But privacy generally has the serious problem in that most people, even quite educated, knowledgeable people, have no idea what happens in the background. And so when you simply go by, for example, we do surveys or we watch people's preferences when they express a preference, and I'm being quite precise with my terminology, you know, I'm a philosopher, so we have to be really precise. So I differentiate between interests and preferences. People want to act most of the time to promote their own interests or the interests of people who they care about because we're not self centered only. However, we may prefer to do things because we don't know that they affect our interests negatively. So sometimes because there's this huge gap in what is happening and what people understand, they'll often behave in certain ways or express certain preferences because they lack understanding or awareness. So the one important thing just to quickly add, because I wasn't sure whether your question was getting to that, is that sometimes there's a lot of argumentation about privacy and people will say, oh, it's just a preference. Ice cream. You like chocolate, I like vanilla. Some people are more exhibitionist than other people. And on the one hand, yes, in some subset of cases we do accept that people have different preferences. But for the most part, when I'm looking at privacy, I'm looking beyond those personal preferences to what is acceptable and.

Alan Chappelle

Not and that's a fair point because there are concepts of dignity that don't always rise obviously to the surface, but are nonetheless there. My understanding correctly.

Helen Nissenbaum

Personally, I haven't found the dignitarian justifications for privacy useful for what I do, something I didn't mention about contextual integrity. A fundamental thesis of contextual integrity is that privacy is good for individuals. It serves the individual data subject's interests, but it's also good for society. To the extent that we might make an argument that one or other policy or practice is promoting interests of individuals. Some of those may be dignitarian, but I like to really look at how privacy serves society at large. I like to think that privacy, for example, in the health domain not only serves the individual hand health interests, but can actually create a health context that's more efficient and more effective because of appropriate data flow. So I don't fully go all in with the dignitarian types of arguments.

Alan Chappelle

I would love to dig down a little bit into the societal interest concept because that's really interesting.

Helen Nissenbaum

Yes. And sometimes it's because when I'm thinking of privacy, I think of data flow. And that's what. When I think about privacy protection, I mean constraints on data flow. And then I interject this word, appropriate constraints on data flow, and. Which is a little different from the notice and choice kinds of models that still dominate. If you think about voting in a democratic election, the reason, like historically we could think of, why is it that people are, you know, go through this whole rigmarole to vote in a democratic election so that we can count. So we know you voted, but we don't know what you voted. And that is in order to allow you to vote autonomously, you don't have to fear that you're going to face consequence and even personal consequences and so on. Your vote is your vote, and that not only is good for you, but it's also good for a healthy democracy.

Alan Chappelle

But you used a term just a moment ago appropriate to define a certain use case. Now walk me through how you're approaching the word appropriate because it would seem at least a little bit subjective.

Helen Nissenbaum

Well, here's a different way of thinking about it. It's instrumental, so it's subject to something else. So let's just take something very mundane. So you place an order for something and the party wants to know your address, and they also want to know the credit card number and things like that. We may say, oh, that's personal information, but obviously in those cases we would say that's appropriate. So for this transaction to take place. This is the information that needs to flow and that's what we mean. So it's subject to a certain end goal. This is appropriate. So it's not about subjectivity, but it is subject to a certain end goal.

Alan Chappelle

So with your permission, I want to take that concept and bring it a little closer into the ad space, which is what, what our main focus is here. So your most recent paper goes into some detail on the challenges associated with creating profiles based on inferences drawn from a data set. Privacy laws are increasingly viewing an inference as personal data profile. That certainly merits additional scrutiny. But specific to your research, what do you view as the problems or issues that are associated with drawing those types of inferences? Inferences. And then once we discuss that, maybe we can talk about AI, which is sort of the, the, not only the big subject, but the thing that's blowing everything up, right?

Helen Nissenbaum

Yes. So I've said things like ads can be annoying, but I don't mind. You know, I don't think it's a problem in and of itself that there should be ads or that the placement of ads should support other activities. And obviously I'm very pleased that support some very pro social beneficial things both online and elsewhere. So it's not an antipathy towards ads. What I never understood and liked was the practice of surveilling. And then later on we have Trishana Zuboff's concept of surveillance capitalism. I want to set that aside. But the idea that you need to monitor people's activities 24, 7 online in order to create profiles for advertising, it seemed to kill a flea with a cannon. You know, that thing. I was worried not so much about the ads, but about that whole practice that gave rise to behavioral advertising. So that's really what I care about.

Alan Chappelle

First, I would say I agree with you. And I feel like, uh, the ads industry has fallen into this slippery slope that, okay, if you happen to know that a particular user is in New York, it would be helpful in terms of serving them, I don't know, an ad for their favorite bagel store versus in California, an ad for something else, surfing or something. I get that. That makes a lot of sense. And then I could even get two or three data points. Now my comfort level might extend to 10 data points. Yours might be one or two that I get. But once you cross the line and you're now into a constant surveillance mode where the big tech companies have, you know, they know almost everything about you, that to me seems like a lot. Now is that better for advertising, I don't know. But here's the problem that I have. I am personally comfortable with, you know, half dozen data points. The law doesn't really treat a half dozen data points differently than a bazillion data points. And so it's created a literal race to the bottom where everybody just grabs as much as they can. And I struggle because I don't know how to answer that or I don't know how to address that issue. And I'm curious if your. If your research has touched on similar issues.

Helen Nissenbaum

I hear what you're saying, and it really rings true to me. I want to try and make it more robust. I don't want the argument to hinge on how many data points are acceptable, because sometimes one data point could be sufficient to make it unacceptable. And I am mindful that when. And I sort of missed the boat a little bit when you'd asked the question in terms of profile. And this is an, like, in an interesting space, let's say, because they're different parties with different interests. And on the one hand, you have the merchants and their representatives and, you know, maybe the advertisers, and then you have the other parties who are kind of selling their services. And as we know, it's a very complicated setup. So if I'm the tech company, you know, the ad network, I want to explain why I'm adding value to the whole process. And as you say, it's this weird slippery slope. Look, I can surveil this person everywhere they go, not even online, but off. And I've connected their different devices, so I'm following them absolutely everywhere. So trust me, you know, there's this intervening step which is to show that all of these, as you say, gazillion data points actually can reduce to something that actually is useful for the advertiser. And I'm not sure that for all the added labor and for all the added threat that comes from this 24, 7 surveillance, you're going to get as an advertiser, enough value. So I'm even just talking about it from a functional point of view. And I know that there's been a lot of test and questions, people doing research about how effective this and that. So that's all about, like, how well does this actually work, this much surveillance for this much added value. And then in between all of that is the threats to the individual who are being surveilled all the time. And even way back, there was work that never really went anywhere. It was a very obscure article about a product that we were trying to design called Adnostic. And basically what Adnostic wanted to do was for the person to surveil themselves. Which actually Google had tried a version of that recently with Flock.

Alan Chappelle

Yeah.

Helen Nissenbaum

And so we had proposed this, a few of us who'd been working on it, we said, you know, you are the best. You can keep your history on your browser and then your browser can say, oh Helen, you look like you wanting to plan a holiday in Italy. Let's go see what's on offer. You know, so it's more to have the intentional engagement of the person to say I'm going to put out a profile of myself because this is what I want to learn about. If such a thing could happen, I would feel much more sanguine about it because it really would allow the individual to have a say in what profile is being revealed about him or herself and whether I'm, what neighborhood and what my race is, what my gender is and all those things that are troubling aren't necessarily going to affect my profile.

Alan Chappelle

So that, that's a really interesting concept. So one can imagine an AI based agent that does a lot of what you're talking about here where it, it basically, okay, like you know, I'm Alan and I'm, I'm, and I'm, I'm a musician and I'm, I like this and this and I've got a five year old daughter and like have at it. What is it that I, you know, what, what is it that I need? And it does seem like we're getting close to those types of agents actually being created. Where I'm a little surprised is that if I'm understanding you correctly, that you see that as a positive privacy step.

Helen Nissenbaum

The whole AI agent stuff is.

Alan Chappelle

Yeah, I, yeah, fair enough.

Helen Nissenbaum

It's going to trick us all, you know, because we're going to believe one thing about what these agents are and what they're doing for us. But okay, what we did with Adnostic, what the proposition here was, and I actually think Google tried to do something like this, but then the world, you know, the group who were doing it, they were really smart people and I think they had some really good intention in what they were doing. The idea is that you don't go out into the ad space and say, hey, I'm a 30 year old male with a 5 year old daughter and this is how much I earned, blah blah, blah, give me an ad. You don't, you say, hey, give me ads. And my AI agent is going to pick the ads. For me to see. And you're not going to see which ads my agent has picked for me to see.

Alan Chappelle

Fair. Okay. So my first thing is God bless you for thinking of me as a 30 year old male.

Helen Nissenbaum

Well enough.

Alan Chappelle

But see, I can see that being rather interesting and I would agree with you that the people working on Flock and the whole sandbox within Google, we're trying to make the world a better place. The biggest challenge with that, and I don't want to get too sidetracked, but when you have the largest advertising company in the world building something that now everybody has to use and will give them an even larger share of the market that should have been dead on arrival just on that basis.

Helen Nissenbaum

I have to quote my. I don't think we put it in the article, the no cookies for you article. My colleague Vitaly Shmadakov, who I teach with him, he's got a great sense of humor. He says what they were trying to do was to get rid of 100 sketchy actors to replace a hundred sketchy small guys with one sketchy giant. You know, so it's like how do we think of it without the profile? Let's be. And of course a lot of what happened. And then, then Google had to withdraw their idea of no third parties because there was the whole problem of monopoly and anti competitive. I, that's the reality. I do get it. Even in healthcare, it used to be, oh, we had our family physician who knew everything about us and then it's like, oh, suddenly there's a this specialist who's the heart and that's the eyes and that's the stomach. And then we just find that the total person is forgotten because this, you know, we've just distributed all these bits and pieces.

Alan Chappelle

Well and also now you spend a quarter of your spare time going to doctor's appointments where I can remember, you just go to like one and that was, that was it. So I. Okay, so one place where I think we've got some common ground is conceptually we're aiming at a ever increasing slippery slope here in that we might disagree that in terms of one data point, two data points, five data points, but it seems like we as an industry are shooting at maybe the wrong things. I will tell you this, and again, this is just my view, but I think it's based on some of the research I've seen. If you go to complete contextual targeting, you are something like, you know, 60ish percentage as effective. And that makes it really difficult to compete with Google because the size of Their footprint doesn't require a lot of the same things that the, the smaller guy needs to have. So I, I guess the, not to turn this into a filibuster, but I guess that from my perspective, if we could figure out a mechanism where we could agree on what is reasonable in terms of number of profiles, scale sensitivity, I think that would be a better place to be because if you could agree on that kinds of stuff, you might be able to, to at least create a common vernacular where it might be limited because right now it isn't at all. And so I feel like we have advocates who are saying no, zero and I can tell you zero doesn't work. Now we can debate on whether it's three, four, five or whatever, but I would love to figure out a way to bring the debate there rather than zero versus a kajillion.

Helen Nissenbaum

I don't see this as trying to find a middle ground because it doesn't matter to me how many data points there are. From the point of view that the way I've been thinking about privacy, what matters is what the nature of the information is. So if you need a gajillion points to infer some kind of profile that's going to be more receptive to an ad that I'm going to place and if I can make the argument that this is an important thing, thing to have happen, then I'm not going to complain if it's a gajillion or if it's one. There's so much that concerns me about some of the things that are taken as truth in this whole ad space because when you say about contextual advertising being 60% less effective, I sort of, I, I want to know more about it because maybe contextual advertising would be 50% less expensive. You know, I, I also think that it, it's a good idea to notice how the cost of advertising goes up because this middle man, the middle party, these mid midway parties have to find some way to justify their existence. And it's not clear that this is helping the people on either side.

Alan Chappelle

Well, it's certainly not collectively helping the publishers. There's a whole bunch of things that are significantly negatively impacting the publisher world. I don't know that the ad tech shenanigans are in the top five, but they're certainly in the top ten list of things that are, that are harming the publisher community. And I think that's a fair criticism. You know, the, the ad tech started solving a very specific problem and then a second problem and then a Third problem. And then when you get to the hundredth problem, I think collectively there's a sense of losing sight of exactly what it is that you're trying to do.

Helen Nissenbaum

Yeah. And I mean, this is what I learned from people who are experts. I'm not an expert in the ad space. I mean, I did, we did some pretty interesting testing. I have this little product called Ad Nauseam and clicks on all the ads on a page. And we wanted to prove that the clicks were actually being counted. And so we did this whole setup where we were the publisher and we were the advertiser. And actually as a result of that, we were able to see what the charge is, you know, what that 20% is being taken by the ad network. Nothing. It was just something that fell out of the test that we were doing was revealing.

Alan Chappelle

One of the other things I wanted to chat about was privacy enhancing technologies, because I think you've done a fair amount of work in that area. And can you share a couple of privacy enhancing technologies, you know, how they get used, you know, just so we're starting from kind of a common baseline of our understanding.

Helen Nissenbaum

Yes. And so in the article that you'd seen and you'd mentioned in our initial introductory emails, it was an article that had come out that I had co written with my colleague Vitaly Shmadakov and also Kirsten Martin. And she, she does business ethics and her expertise is in empirical testing. And we were really, in part because Vitaly had been following the Flock discussion and the sandbox very closely and I had been noticing an uptake of this notion of privacy enhancing technology. And I was curious about it because as a, as a philosopher who's been studying privacy and online, because ads became one of those attractive areas where we could poke the bear, we could poke the black box. So they had, as you heard, like the privacy by design idea, which had come in perhaps via Canada, and the privacy by design idea was then morphed maybe through the GDPR into this idea of privacy enhancing technology. So it's like privacy by design. And the difference here is to say that you could regulate privacy through law and policy, but maybe what we should be doing is building technologies that are privacy protective and thus the idea of privacy, privacy enhancing technology. And I would say some people thought that, oh, that's even better than just regulating, let's do the regulation through technology. And there's a whole discussion that you could have. And what we then were looking at was, and we did look at specific technologies, but we started more looking at the principles behind certain technologies. So when you looked at that slogan we don't share with third parties as the slogan, and then an instance of that, which is when Google announced that it was shutting off the third party cookies, you could say that was the technical instantiation of this high level. So back to your initial question. I would say that the announcement of shutting off third party party cookies, and as some of the browsers are already doing, they're saying, you know, restrict third party cookies or don't allow pop ups which sometimes share information and so on, those you could consider to be privacy enhancing technologies. Then the other two were to distinguish between primitive data primitives, the data that's collected from you versus the inferences that are drawn. And some people decided that somehow the directly collected information was somehow more privacy relevant than the inference. So they would like, oh, we get rid of the primitive data right away or we don't share the primitive data, when in fact. And then the third one is the federated learning idea, which is that whatever analysis we do, and now AI comes into the picture, we do it on your device, we don't pull it into the central server. So those were the three areas that we looked at.

Alan Chappelle

So what strikes me about all three of those is that they're expensive for the resource intensive and that they are based on the notion that if you limit data access, the number of entities you might touch data who have access to data, you are protecting privacy. And I thought your paper went into that a little bit and maybe was critical of that as an overarching goal.

Helen Nissenbaum

You know, again, you could consider that as a very rough heuristic. But when you poke at that rough heuristic, you understand that sometimes that one party who gets data about you could be really dangerous. So you always have to look at who's getting the data and the capacity, you know, capacity in which they're acting as recipients of the data. And again, it could be one. If there are a hundred people, then all you're saying is that as a heuristic there could be some bad apples in the barrel, more likely. But I don't think we're safer with one because there could be one bad. By the way, let me just say one more thing about the one and how it actually is working in this commercial space. Often the recipient, the people we're dealing with, mostly when we're using our phone or apps or online, those folks are people who have a lot of information already about us. That one little bit like you would go into a store and they'd say, hey, so could you give me your zip code? And you might think, you know, that's not a very personal bit of information, but then what I learned from colleagues is that given the other information they already have about you, that one little extra bit plugs the hole, you know, so it's who the receiver is and what else they know about you, and also how much population data they have about you. So that one tiny little bit of innocuous data could mean a whole lot of different things to different people.

Alan Chappelle

And that's really where I think this becomes so difficult, is ascertaining, because you're right in some. I wouldn't say it's all that common, but there are some instances where a mere zip code could be really problematic. Certainly lat long as we're learning, unfortunately, by the day, that's becoming more and more problematic. And I think it's probably a good thing that that states and even the FTC is recognizing that. So I'm with you. I would, you know, maybe draw an analogy from, from, as I was growing up, the. The Orwellian concept was less hundreds of companies having some data. The Orwellian concept is that, you know, a single entity having nearly all the data. And it strikes me that the overt goal of pets in most contexts, the natural output of that, is a very large entity to make sure that they have all the data and that nobody else does. And that doesn't seem like a good outcome.

Helen Nissenbaum

Can I just want to say something about your lat long and then I'll come back to this because this just so there's another article with Kirsten Martin that the title is what Is It About Location? She and I had done a series of three articles and that was the last one. And this is to show how, when, because people are not knowledgeable about what's going on with the technology, they will sometimes have. The responses are interesting, but also concerning. But we asked, we wanted to find out what is it about location, you know, ordinary people, why does it trigger them? And so when we asked them about sharing information with like FBI or this or this. So we always have to give a value for the recipient parameter. We're trying to see about location. So first surprising finding was that actually there's no difference between if you say in New York City or on the corner of 42nd street and Fifth Avenue, or Latitude, longitude, no difference in how people answer about their concerns. That's shocking, right?

Alan Chappelle

Yeah, that's interesting.

Helen Nissenbaum

But if you add semantics and you say at the cvs, obviously something abortion clinic Obviously, you know, so when you give meaning to that latitude long or you know, to the location, that triggers people and they're much more restrictive in who they want the data to go to. That makes sense. However, of course they don't know that to a tech company knowing latitude longitude is also to know cvs, abortion library or whatever. But you can see what it is that triggers. Anyway, that's, that's just, that's that. And then there was the other question that you really wanted to ask and I can't remember what it was.

Alan Chappelle

Well, I was drawing the comparison to amount of data collected by large entities and how that to me was the Orwellian concept that I grew up with.

Helen Nissenbaum

But notice that again I'm coming back to contextual integrity because it's not any large entity, it's a specific large entity. It's the large entity that knows everything about you and also is powerfully strong and can affect your life in important ways. So when again, let's look at something more benevolent. When it's your healthcare provider, you want that healthcare provider to have all, all the information that's relevant to treating whatever mysterious thing is going on with your body because you make assumptions about how they'll behave, what their intentions are and so on. When you're a parent, you're watching your three year old like an eagle. You go to a pool, you have to watch every minute. You're, you're the Orwellian party in relation to your three year old kid. And yet we don't have a problem, I don't think. We think being a good parent, that's what you have to do. And it has to do with why you're collecting and what you're doing and so on. So that's the part we don't often bring out. That's why regulation's so important. So brilliant. Hippocratic oath said get everything you need and then you must promise confidentiality. And that makes everything work nicely.

Alan Chappelle

And for better or worse, that concept has not made its way into the ad space. And, and because there's an assumption that if it's your, your Gmail needs the information that Chrome or YouTube or any of the other services will also somehow get access to that information. And you know, we're now on the 10 year anniversary of that. Google took all of their data and basically put it into one big pot.

Helen Nissenbaum

And you know, it's even worse than you think. And it's not only Google. So again, it's like I'm touching on things that I've it's so interesting because we've hopped around. But one of one. Another article, but recently called the Great Regulatory Dodge is about one of the laws we look at is the Gramnidge Dodge Bliley Act. And I mean there's a bigger story to the rationale behind it, but one of the results of it is that there's almost totally free data flow not only among, say, Chrome and so on, but about Alphabet. And if you look at companies like Meta even we looked at Microsoft, I mean they own hundreds of companies, not only tech companies. And what this means is that there's free and open data flow among all of those Microsoft owned companies.

Alan Chappelle

Yep. And that gets me back to the first party third party concept. Because. Because ownership is used as a proxy for privacy. Safe. And those two things don't have anything to do with each other. It might very well be that there's a legitimate reason for Chrome to have Gmail data, but that isn't even the question that gets asked. And it isn't even really about helping a data subject. It's we own it, we're going to take it and we're going to share it. Now I know Europe is trying to get at that a little bit with the Digital Markets act, where at least for the designated gatekeepers, there's some, some limits on, on how data can be shared across services. But it's a huge, not only a privacy challenge, but it, it's a business challenge because it creates a race to the bottom because they have all the data in the world. If I'm a startup, I'm going to use everything at my power and get as much data as I can because I want to compete.

Helen Nissenbaum

I mean it. You remind me actually in that article, in the no cookies for you article, I had forgotten this brilliant argument that we made, which was that we've taken ownership as a proxy for context. And so we've said I'm the first party if I'm Microsoft and any companies I own by definition are first parties. And that doesn't live with the spirit of, of whatever justification lies behind the first party third party. Because when you talking to what does Amex own? Does it own Open Table? It owns one of those restaurant booking. I don't want to purge myself on your podcast. So. And that just means that whether or not you're an American Express card user, when you make a booking on Open Table or with its main competitor, that information as a first party can go to American Express. So it really makes that that distinction just doesn't do anything for us anymore as long as something like the Grammy Bliley act holds.

Alan Chappelle

Yeah, well, the Grammy Spilly act is sort of the classic example of it's not about protecting privacy, it is about creating the appearance of protecting privacy. You know, and so that concept has now been embodied in a whole bunch of other laws or industry codes that, that touch on the ad space. And that's just people look at it and say, well, that's just the way it is. So I'm going to get as much data as I can in the EU.

Helen Nissenbaum

That try to push this idea of data minimization. I have had conversations with folks in Europe. I'm not like on the inside track, but I tried to say it's not just about minimizing, but it's about constraining in a sensible way. And I think I've seen things like data that's necessary in order to perform a transaction. They are approaching this concept and hopefully they'll go all the way.

Alan Chappelle

I hope so. I mean, one of the challenges that I find with EU data protection law, at least as it applies to my little neck of the woods, is that there is a knee jerk over reliance on consent. Everything requires a consent. And so, and if you're, if you take that position, you almost. Again, I'm wearing a, a very decidedly New York lawyer hat, but if you tell me I got to get a consent for anything, the advice to the business is going to be, well, you might as well get as much data as you can. And not, not that we don't have our own challenges here in the good old US of A in terms of the regulatory environment, but that is one of my challenges with, with Europe, my thing.

Helen Nissenbaum

And when I teach it, I always wind up consent is neither necessary nor sufficient for appropriate data flow.

Alan Chappelle

Yeah, I. Am I remembering correctly? You penned something maybe eight to ten years ago which was very. The whole notice and choice concept was woefully insufficient. And you might have been one of the first to. Because there's been people who've said it subsequent to that.

Helen Nissenbaum

Yes, now, all right. Always like to think we're the first, but this was an article with, you may have been mentioning. This is an article with Solon Barocos, who. Well, there were two articles. One was called On Notice. The trouble with notice and consent, that was really early. And then we had another one which was about end run around anonymity and consent. I think those two still hold. They still hold. You know, old in this business is like greater than five years.

Alan Chappelle

Well, like I said, there are so many things that that have now been in place for 10 years. So counteracting them is like counteracting a gospel of sorts. And so. And then not to mention that everything is. Everything is moving at a million miles per hour.

Helen Nissenbaum

Yeah.

Alan Chappelle

Well, thank you very much. This has been a lot of fun talking with you, Helen. I really appreciate you coming on the pod.

Helen Nissenbaum

Same. I hope. I hope your podcast travels far and wide.

Alan Chappelle

Why thank you. That was a great conversation. I think we were able to find some common ground when it comes to privacy, profiling and pets. The three P's and I think the ad space would be well served by attempting to incorporate Helen's concept of contextual integrity into our workflows. We have a bunch of other fantastic guests coming up on the Monopoly Report podcast over the next few weeks. Please subscribe to the show@monopolyreportpod.com or on Spotify, Apple, YouTube, or wherever you listen to your podcasts. And thanks for listening.

Podcast Host

Thank you for listening to the marketecture podcast. New episodes come out every Friday and an insightful vendor interview is published each Monday. You can subscribe to our library of hundreds of executive interviews at marketecture tv. You can also sign up for free for our weekly newsletter with my original strategic insights on the week's news at News Market tv. And if you're feeling social, we operate a vibrant Slack community that you can apply to join@adtechgod.com.