opn-190329-FACEBOOK-ASK-1553862908418

Criticism of big tech companies that track us across the internet without our informed consent misses a bigger picture: There are hundreds of ad-tracking companies that do the same, and regulators have been powerless to rein them in.

A report by the Danish privacy consulting firm Cookiebot says that 112 ad-tracking companies collect information about visitors to government and public sector websites in European Union countries, even though the websites are not ad-supported. Of these, 52 were found on French government sites; German taxpayer-funded sites were found to be the best protected, yet one-third of their pages still contained advertising trackers.

If you don’t recall authorising that activity, that’s because you didn’t. Even if you clicked on an “I accept cookies” pop-up, which probably didn’t explain properly what cookies you were accepting, it didn’t cover all of the trackers. Some were smuggled in. “Modern websites typically include multiple third party JavaScript technologies to power various functions, such as video players, social sharing widgets, web analytics, galleries and comments sections,” Cookiebot wrote. “These scripts can act as Trojan horses, opening backdoors to the website code through which ad tech companies can silently insert their trackers.”

Government websites are often built on the cheap and include all kinds of third-party components. So not even the governments of EU member states comply with the union’s General Data Protection Directive, which requires site administrators to make sure users consent to the collection of their data. If you visit a National Health Service website with questions about whether you are HIV positive, pregnant or sliding into alcoholism there’s a good chance you’re being watched in order to be targeted with ads. (It’s likely the situation is similar in the US where Facebook trackers are officially allowed on the websites of government health care services, but unauthorised ones are likely also present).

Cookiebot, of course, is an interested party. It has developed a technology to scan web pages for trackers, and it’s selling tools to ensure sites are GDPR-compliant. If you administer a site, Cookiebot wants you to worry about unauthorised trackers and potential large fines for GDPR noncompliance. But if privacy regulators decided to use a similar technology to check all sites for compliance, they’d be swamped and most violators would never be fined. Besides, it could be argued that smuggled trackers are akin to viruses, and that websites cannot be held responsible for noncompliance if they’ve been, in effect, hacked.

Cookiebot’s findings are more important to ordinary users and regulators than they are to website administrators. If you’re worried that Facebook and Google are watching you everywhere, which they are, you should also worry about a long list of companies, from AcuityAds to Zemanta that openly do the same, and a shorter list of adtech firms that don’t even identify themselves properly.

Earlier this year, the German Federal Cartel Office demanded that Facebook restrict its data collection from third-party sites. In its ruling, it made the peculiar argument that Facebook’s market dominance and its ability to collect data are somehow linked. But Cookiebot’s findings point to a flaw in that argument. Even if Facebook and Google were banned from gathering information about users’ browsing, they’d be able to buy the data from lots of other ad market players.

The problem of digital privacy (and some other problems, such as the decline of local media and the current ease of internet-based political manipulation) isn’t about a few big companies. Sure, Facebook has the resources to fight back against anti-tracking technology in browsers, engaging in a cops-and-robbers game with the likes of Apple, according to the Cookiebot report. And sure, ubiquitous Google is the most active user of trackers. But the tracking won’t stop if the activity of the giants is regulated. Nor will clearer rules for cookie consent, as proposed in the EU’s still-to-be-enacted ePrivacy Regulation, eliminate the constant surveillance; they’ll likely just make it harder to detect.

The root cause of all the pernicious surveillance is ad targeting as a business model. As long as it exists, we will be watched on the web even at moments when we most hate being watched.

A ban on all targeted advertising, or even just on targeted political ads, as the inventor of the World Wide Web, Tim Berners-Lee, has suggested, would probably go too far. But there is a more effective way of regulating than trying to micromanage cookie settings. Governments could seek to ban ad targeting based on anything except information directly provided by internet users. If I haven’t indicated that I want ads tailored to my location, age, marital status, specific list of interests or, say, my Amazon purchase history, I shouldn’t be getting any tailored ads. Those who want more personalisation, and thus potentially more relevant ads, should choose those options when signing up for social-network and free-email accounts, as well as when subscribing to news media that sell ads. Those who don’t want it should be shown random or loosely targeted ads, just like in the pre-tracking days.

This wouldn’t kill Facebook or Google, which have huge audiences. But it would undermine the ad-surveillance industry and introduce some much-needed honesty into our relationship with digital advertising.

Leonid Bershidsky is a noted columnist. He was the founding editor of the business daily Vedomosti and founded the opinion website Slon.ru.