Privacy-Enhancing Technologies Are Not a ‘Silver Bullet,’ PEPR Told
SANTA CLARA, Calif. -- Advertisers and regulators are considering the potential of privacy-enhancing technologies (PETs) to balance business interests with protecting consumers’ privacy, panel members said Monday during the USENIX Privacy Engineering Practice and Respect (PEPR) conference. But whether PETs, which include differential privacy and homomorphic encryption, are up to the task is unclear, panelists said.
Sign up for a free preview to unlock the rest of this article
Ad networks built their business models on targeting advertising using third-party cookies, but “over time, regulatory scrutiny has increased,” said Greg Chappell, an angel investor who previously worked on AI transparency at Meta. At the same time, Apple cracked down on tracking through its App Tracking Transparency framework, requiring user consent to have apps track them, while Google is on a “path of killing third-party cookies,” he said: For companies like Meta, these developments have “raised some fundamental concerns about the sustainability" of its advertising business models.
Google is “still in the very early days of trying to figure out where [PETs] work and where they don't,” said Miguel Guevara, a member of Google’s data protection team. A PET is “definitely not a silver bullet,” he said. “They’re expensive to implement, but I think there’s value in trying them out. … I don’t think that we can build a product from the ground up just with PETs … but if we are ever to transition to a more private future that’s more principled in the way that we use data, definitely we should start now experimenting.”
Regulators are eyeing PETs, as well. Many privacy laws in the U.S. and Europe “are based on the way that technology [worked] a long time ago,” when cookies were used, said Ari Levenfeld, global head of ads privacy for Google’s government affairs and public policy team. Regulators are “now looking to see if PETs could be used to address some of the fundamental privacy and security challenges” that the EU’s General Data Protection Regulation (GDPR) and U.S. state laws were meant to mitigate, he said.
However, “the jury is out, as far as regulators are concerned, about whether PETs actually could … address some of those challenges or … are not actually up to the challenge,” said Levenfeld. “And there's an opportunity for all of us in this room to have conversations with those policymakers in order to help them understand what this technology can do right now.” Regulation could incentivize developing and using PETs, but “the only way that's going to happen is if policymakers understand how the technology works in the first place."
Don Marti, Raptive vice president of ecosystem innovation, is skeptical that PETs will work for advertising. One promising early use case of PETs was as web browsers using differential privacy for crash reporting, he noted. “That way, the browser developer gets to find out which web pages crashed which version of the browser on which platforms, but they never get to see which of their users visited which pages.” That’s a use case “where both ends of the transaction have a shared interest in improving product quality.”
“Unfortunately,” said Marti, “some of those early successes for PETs sort of raised expectations that they could also be used in advertising, where they're not as good of a fit.” Unlike the crash-reporting example, advertising is an area “that’s inherently adversarial.”
Marti added that many of the kinds of PETs proposed for advertising “also have the side effect of enabling” surveillance pricing, a practice where companies charge different prices to people based on data they have about each individual. Some may say price discrimination is “great economics,” but users “hate it,” said Marti. Consumer Reports recently blasted Kroger for allegedly doing this, while California is considering legislation to prohibit surveillance pricing (see 2505210043).
Surveillance pricing can be done without PETs, acknowledged Marti, who previously conducted privacy research for Consumer Reports. However, PETs could be particularly harmful because they can obfuscate the questionable practice, making it harder for privacy researchers with limited funding to detect, said Marti.
Levenfeld agreed that “it’s important that if companies decide to use PETs, that they don’t replicate the sins of the past, and do things that … particularly hurt vulnerable groups when they’re using these new technologies." Something “at the forefront” right now for many privacy regulators is “making sure that that vulnerable groups are not exploited by some of these technologies.”
Levenfeld noted that one “PET that was really successful -- and then it wasn’t -- was the third-party cookie.” When cookies “first became common at scale,” people saw “a lot of privacy benefit to them because they’re pseudonymous,” he said. “But then eventually, people began to realize that there are a lot of privacy challenges associated with them as well.”
IAB Tech Lab plans to launch a privacy lab this summer and is exploring PETs that might help reduce advertisers’ revenue shortfalls from “signal loss,” which refers to reduced access to consumer data stemming from tech changes like privacy controls in web browsers (see 2503200041).