top of page

Surveillance for the Highest Bidder, Part II: Watching the Cookie Crumble

In the first instalment of this series on ADINT, we took a look at how the online advertising ecosystem functions and how it enables various actors to use online advertisements as a data collection tool. With ADINT, it is not only possible to gain an insight into a subject’s online behaviour, but also track their physical location through historical data. 

While ADINT is currently experiencing increased attention from the general public, legislators, companies and experts have been grappling with the issues surrounding personal digital data and its use for quite some time now. The result has been both a political and technical process worth looking at in order to understand where the online advertisement - or AdTech - industry and ADINT stand today, specifically in the European Union (EU).

As we explained in the last article, the online advertisement ecosystem revolves around "cookie" technology. Everyone surfing the web in the EU these days is familiar with cookie consent banners popping up when they visit a website. While the emergence of these consent banners is often attributed to the General Data Protection Regulation (GDPR) of the EU which came into effect in May 2018, the explanation is more complex. As the general privacy law (lex generalis), the GDPR primarily requires explicit user consent for the processing of personal data. The specialized law (lex specialis) for the processing of cookies, however, is the ePrivacy Directive, originally from 2002. So, when the GDPR’s Article 3 extra-territorial application came into effect in 2018, even companies outside the EU which processed EU citizens’ personal data – which includes cookies – now had to obtain explicit user consent, paving the way for the big and confusing banners. In terms of geolocation data, the ePrivacy Directive only requires explicit consent for the processing of location data by telecommunication providers and networks. Here again, the GDPR extends the scope of the right to privacy by requiring consent for any data that, on its own or in aggregation with other collected data, can identify a person. It follows from this that since 2018, cookies collecting geolocation data generally require the user’s explicit consent, notwithstanding a few exceptions.

However, due to the enormous amounts of data now being generated and processed every second, the enforcement of these regulations has not been without its challenges. Some AdTech vendors have been shown to ignore GDPR compliance and tracked cookies regardless of users opt-out. For example, Interactive Advertising Bureau Europe (IAB Europe, the leading association of the AdTech industry in Europe) is currently involved in a lawsuit before the EU Court of Justice (CJEU). IAB was found by a Belgian court to violate GDPR rules by claiming that the data strings it collected from users under its Transparency and Consent Framework (TCF) were not personal data. The association lost its challenge to this verdict on March 7, 2024 in front of the CJEU, which confirmed the Belgian court’s verdict that the AdTech data in question is in fact personal data.

But regulators have not been the only challenge to the online advertising sector. With users’ increasing sensitivity to privacy following the Snowden Revelations in 2013, operating system manufacturers have also adjusted their stance. In 2017, Apple introduced its Intelligent Tracking Prevention feature, positioning itself as a champion of users’ privacy and manoeuvring against its primary market competitor, Google. Under iOS 14, Apple enabled complete ad tracking opt-out in 2021, costing Meta 10 billion US dollars in revenue. Google has since tried to catch up with a similar strategy embodied in its Privacy Sandbox, which actively pursues the depreciation of third party cookies – or advertisement cookies - in its Chrome web browser. Both companies continue introducing privacy features into their devices and operating systems that slowly signal the end of the third-party cookie and threaten the cookie-based online advertising business model, forcing the AdTech industry to adapt. AdTech companies are starting to focus on small, high-quality ‘seed audiences’ that actively opt in to (or don’t actively opt out of) data processing and are attracted through incentives such as discounts or loyalty programs. The data obtained from these audiences can be leveraged by AI for extrapolation to maintain the effectiveness of advertising. Other strategies include focusing on first-party data collection and hashed emails, while actively maintaining the existing user base. 

But how does this affect ADINT? Geolocation data is subject to all of these changes. With the move to a privacy-focused, opt-in culture of online advertising, the population size for geotracking is expected to shrink considerably. Geotracking won’t be available for targeting ‘any’ individual device anymore. That is, if actors in the AdTech ecosystem are compliant, which they sometimes are not. As a result, ad-based geotracking in the EU becomes more reined in by regulators and operating system manufacturers, as the responsibility to opt out is placed onto the user. This poses a new challenge, as it is easily observable how overwhelming and confusing cookie consent banners have become, forcing many people to ‘accept all’ rather than actively read the list of data processing purposes and un-select each of them individually. Thankfully, the EU aims to tackle this issue with the legislative process for turning the ePrivacy Directive into the ePrivacy Regulation already underway, which foresees a streamlining of the cookie selection process. 

Another challenge dawns with the emergence of new AdTech business models and their reliance on AI. Legislative processes are famous for lagging behind developments in digital technology, which could prove a loophole for ADINT. While a user might have opted out of the location data processing on an app or website, AI models might be able to predict their movements by aggregating other existing user data and extrapolate it with movement behaviours from seed audiences to generate geolocation patterns. The sheer amount of personal data being collected and processed constantly would make it incredibly hard for law enforcement to trace back these processes and discover privacy-invasive actions, not to mention prosecute their perpetrators. In the meantime, users should be aware of their right to opt out and thereby maintain minimal exposure to ADINT. They should also be aware that by leaving the territory of the EU, the legislative framework around online privacy can be different and may constitute an additional risk for some individuals.

The short history of ADINT shows how quickly a technology was discovered to offer benefits to open-source intelligence collection. It also demonstrates how short-lived such benefits can be in the domain of the internet. Data-driven democracies have become increasingly conscious of privacy issues as a result of the ubiquity of free-flowing personal data. And much like in other technological domains, with the AdTech industry we can observe an adaptation by the side that sees its position diminished. Despite the developments in legislation and software architecture that were described in this article, in the oncoming age of artificial intelligence it seems like it won’t be the last we have heard of ADINT.


bottom of page