Event Recap: Panel at the Annual Privacy Forum 2020


Authors: Hunter Dorwart and Rob van Eijk

To track and to get tracked: new innovative methods and advancements

On September 30, 2020, the Future of Privacy Forum participated in a panel at the Annual Privacy Forum 2020 (APF-2020). The event is organized annually by the European Union Agency for Cybersecurity (ENISA), the Directorate-General for Communications Networks, Content and Technology (DG CONNECT), and the Católica University of Portugal, Lisbon School of Law.


FPF’s Rob van Eijk contributed to a panel on tracking and tracing, To track and to get tracked: new innovative methods and advancements, alongside Marit Hansen (State Data Protection Commissioner of Land Schleswig-Holstein), Fernando Silva (Banco de Portugal, DPO cabinet), and Prokopios Drogkaris (ENISA, moderator).


The Pros and Cons of Existing Legal Provisions Against Tracking 

The process of online tracking has evolved with the advancement of technology and as a result has become more ubiquitous and connected. Today, tracking through applications or even IoT devices is augmenting user behavior. In some instances, users might request the provision of such tracking services or consider it as the default option.


The proliferation of tracking tools across the technological ecosystem raises the question: how to define the process of tracking? Marit Hansen, defined tracking as the act of following something or someone and when done over the Internet, involves analyzing behavior by making inferences about a user’s personal interest, information, and preferences.


Hansen also pointed out that there are many different tracking techniques and mechanisms, e.g., monitoring web traffic through cookies, tracking across devices, using the Media Access Control (MAC) address of mobile phone to pinpoint geolocation, and utilizing Wi-Fi Access Points in public areas like airports or train stations. Such complexity has raised profound questions around how regulators can effectively limit the negative impacts of tracking without undermining further innovation or preventing the necessary use of these technologies.


According to Hansen, the implementation of the General Data Protection Regulation (GDPR) and ePrivacy Directive (2002/58/EC amended by 2009/136/EC) has not solved the problem, as it has pushed industry to rely on cookie banners to obtain consent, which often overwhelm or confuse consumers (see 2019 CJEU C-673/17). The purpose of a cookie banner is to inform users and ask for the consent of the user for services that are not strictly necessary. Users may often customize the use of cookies from a particular website through a dropdown menu. The problem, however, is that a user must choose from a list of multiple cookies such as essential cookies, functionality cookies, social media cookies, targeted cookies and advertising cookies. These choices create confusion and make it difficult to determine which cookies are strictly necessary for the website to function.


Recent Technological Changes in the Industry Can Complement Legal Instruments

In addition, any evaluation of existing legal provisions to mitigate harmful tracking must also take into account the way big industry players are addressing the concerns. Rob van Eijk gave an overview of how tracking technologies work behind the scenes of an online advertisement in order to make sense of the latest technological advancements in the industry (Figure 1).

Figure 1. A graphical representation of the dataflow behind the scenes of an online advertisement.


With respect to web browsing and cookies, there are a variety of tracking differences between the major browsers that illustrate how the industry is changing. For example, while both Firefox and Safari have restricted the use of third-party cookies on their browsers, the former uses enhanced tracking protection (ETP) while Safari utilizes Intelligent Tracking Prevention (ITP). In addition, Google announced that Chrome will follow Firefox and Safari in banning third-party cookies but will not implement the change until 2022.


Van Eijk also identified four technical approaches that, in his view, indicate where the post Do Not Track (DNT) system is headed.


  1. Stricter browser security settings, e.g., SameSite cookies and Strict Site Isolation. We remark that the implementation of these settings differs by browsers.
  2. Google’s Federated Learning of Cohorts (FLoC), which aims to embed privacy by decentralizing the browser itself. FLoC uses machine learning in the browser to group people into audience segments.
  3. Apple’s IDFA and App Tracking Transparency Framework, which requires developers in iOS 14 to offer Privacy Nutrition Labels and obtain consent prior to tracking users across apps and websites.
  4. The Global Privacy Control (GPC), which allows users to request that their data not be sold or shared and has been included in US state legislation such as the CCPA.


From the discussion, it became clear that the practice of tracking is changing across the entire ecosystem, not just within browsers but also across apps and through different policy initiatives. Such developments require policymakers and industry leaders to reevaluate their approach to traditional notice and choice frameworks because of the interconnected nature of technology and data sharing. Van Eijk suggested that relying solely on consent may not be the solution because it puts the burden on the user to avoid tracking. Rather, developers should embed safety and privacy within the configurability and design of the tools themselves. Such privacy by default should work in tandem with legal instruments.


Tracking Versus Tracing – Lessons Learned from Covid-19

Questions around tracking and tracing of data have become increasingly important in the context of Covid-19. Hansen stressed that tracing does not automatically equal tracking as tracing tools are not always used to identify and track specific users. Governments around the world have utilized tracing techniques to mitigate and control the spread of the virus. While these techniques share substantial overlap with tracking methods, tracing doesn’t “follow” users but merely allows individuals to be notified if they could contract Covid-19 based on their proximity to exposed areas or people.


Fernando Silva, pointed out that the debate about tracking and tracing is not new. The challenges have also evolved with technological advancements. Silva highlighted how more traditional methods of mapping created space for new tools such as Bluetooth, intelligent video analytics (IVA), RF and ultrasound tracking, biometric detection, and IPv6 fingerprinting. While each of these technologies offered safer methods for tracing, companies quickly began configuring these tools for tracking purposes.


A similar lesson has emerged from Covid-19 contact tracing apps. There is a growing concern that companies and governments will continue to use the pervasiveness and necessity of these apps to extend their tracking capabilities and create an environment more conducive to ubiquitous surveillance. Silva stressed that the current landscape has produced a variety of privacy risks and negative externalities. Such risks include the persistence of covert tracking, the diminished ability to exercise data subject rights, and the growing presence of function creep, the pervasive use of technologies for a purpose contrary to original intent.


Building Trust Through Verification and Design

Silva noted that at the heart of the debate around tracing lies an imbalance of power between individual users and the owners and operators of technology. As dependence on critical technologies grow, there is a real risk that users will lose even more control over how companies harvest their data. Indeed, without transparency and verification, new technologies can enable covert tracking and reinforce the imbalance of power by excluding individuals from services if they do not accept a more privacy-intrusive default setting.


In closing, Silva suggested that independent verification of these technologies could help engender trust and credibility in how governments and companies use them to combat Covid-19. Such verification could provide a layer of transparency around new technologies as well as push big industry players to take privacy considerations into account when designing these technologies in the first place.


The lessons learned not only from the pandemic but also years of legal and technical advancement have revealed a gap between the growing sophistication of tracking technologies and the regulatory environments that aim to protect individuals from intrusive and pervasive harm. Overcoming this gap requires embedding privacy into the configuration and design of technologies themselves and not letting new degrees of surveillance become the norm.


To learn more about FPF in Europe, please visit fpf.org/eu.