FTC's Cross-Device Study Reveals Opacity of Data-Sharing Practices

Edith Ramirez, chairwoman of the FTC. Credit: FTC

More than a year following its workshop addressing privacy concerns related to cross-device tracking, the Federal Trade Commission released a report finding that much of the data sharing and matching used to that end happens behind closed doors, untraceable by observers.

The study monitored 100 popular websites through multiple tests on two devices and found that 861 third-party domains collected data on both devices. While the researchers acknowledge there's no way of knowing whether the data gathered was used for the express purpose of tying one device to another, they discovered that companies specializing in so-called probabilistic cross-device linking collected data from 34% of the sites visited.

Probabilistic approaches use signals like location and browsing history to try to find the same consumers across their various computers and mobile devices.

The report also found that 106 third-party domains shared unique, browser-specific cookie identifiers with 210 other third-party firms including dedicated cross-device tracking companies.

As marketing and ad tech firms enhance their consumer identification capabilities, the use of cross-device tracking in order to connect one unified consumer identity across all the devices a person uses has grown in popularity. But while marketers clamor for so-called omni-channel views of the consumer, there's very little detailed information available to observers regarding precisely how it all works and what specific companies are sharing data with one another to get there.

Data tracking and matching capabilities, and the willingness to exploit them for marketing purposes, are on the rise. Yet, as these technologies advance, privacy policies often are not reflective of those advancements. The FTC found that privacy policies associated with the sites it observed "contained little explicit discussion of cross-device tracking specifically, or whether consumers had the ability to turn off cross-device linkage." It found that just three sites provided specific information about enabling third-party cross-device tracking.

"Dozens of third party services sync unique cookie ID values, which could facilitate the sharing of cross-device graph information," notes the "Cross-Device Tracking: Measurement and Disclosures" report, based on a study conducted by four Office of Technology Research and Investigation staff.

The study also found that at least 16 of the 100 sites reviewed shared personally identifiable information or hashed personally identifiable information, including email addresses or user names, with 60 different third-party domains. The information could be used to link devices associated with an individual.

Once personally identifiable information has been hashed or encrypted to "de-identify" or "anonymize" it, the advertising industry and the data services supporting it -- almost across the board -- consider that data to be non-personally identifiable and therefore fair game for rampant sharing.

But the FTC has indicated in the past that it does not agree. When the commission held its cross-device tracking workshop in November 2015, FTC Chairwoman Edith Ramirez warned of the potential for privacy infringement even when dealing with information that's been hashed. Companies gathering increasing amounts of online and offline data "do this under the veil of anonymous identifiers and hashed P.I.I. [personally-identifiable information], but these identifiers are still persistent and can provide a strong link to the same individual online and offline," she said.

"Not only can these profiles be used to draw sensitive inferences about consumers, there is also a risk of unexpected and unwelcome use of data generated from cross-device tracking," she added.
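The persistence of hashed identifiers can be checked against a site's own traffic. The following is an added example, not code from the FTC report: it scans a constructed capture of third-party requests from two test devices for a test account's e-mail address, either in plaintext or as an unsalted MD5, SHA-1 or SHA-256 digest, and lists the hosts that received the same value from both devices. The test account, the `.example` hosts and the function names are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit, unquote

def identifier_forms(email):
    """Plaintext and commonly used unsalted digests of a normalized e-mail address."""
    norm = email.strip().lower()
    forms = {norm: "plaintext"}
    for algo in ("md5", "sha1", "sha256"):
        forms[hashlib.new(algo, norm.encode()).hexdigest()] = algo
    return forms

def find_shared_identifiers(requests, email):
    """Map third-party host -> {device: form} for requests carrying the identifier."""
    forms = identifier_forms(email)
    seen = defaultdict(dict)
    for device, url in requests:
        parts = urlsplit(url)
        # Decode percent-encoding so "%40" in a query string still matches "@".
        haystack = unquote(parts.path + "?" + parts.query).lower()
        for token, form in forms.items():
            if token in haystack:
                seen[parts.hostname][device] = form
    return dict(seen)

def linkable_hosts(seen):
    """Hosts that received the same identifier from more than one device."""
    return sorted(host for host, devices in seen.items() if len(devices) > 1)

# Constructed test account and constructed capture (reserved .example hosts).
TEST_EMAIL = "Audit.User@example.com"
_digest = hashlib.sha256(b"audit.user@example.com").hexdigest()
CAPTURE = [
    ("laptop", f"https://sync.tracker.example/px?uid={_digest}"),
    ("phone", f"https://sync.tracker.example/px?uid={_digest}&r=1"),
    ("laptop", "https://cdn.widgets.example/lib.js?v=3"),
    ("phone", "https://ads.other.example/i?e=audit.user%40example.com"),
]

if __name__ == "__main__":
    seen = find_shared_identifiers(CAPTURE, TEST_EMAIL)
    for host, devices in seen.items():
        print(host, devices)
    print("same identifier seen on more than one device:", linkable_hosts(seen))
```

The hashed value is identical on both devices because the input is identical, so any host that receives it holds a stable join key regardless of whether the e-mail address itself is ever disclosed.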

The report stated, "These findings demonstrate that a broad range of companies possess the capacity to correlate user behavior across different devices that the users own," adding, "We could not definitively determine that the data was used by a company for that purpose in any particular instance."

The agency's limited ability to detect data collection and sharing on a precise level is nothing new. Companies involved in data collection and analytics, and things like matching and onboarding offline data for digital targeting and measurement, are willing to be somewhat transparent in terms of how their systems work. But they typically go dark when asked about partnerships and exactly where data links come from.
