PhD Candidate Robbert van Eijk measures privacy component in online advertising
You check out Facebook to see if one of your friends or someone in your family has done something interesting. Your attention is drawn to a holiday advert. That’s a coincidence, you think, because just before you went to Facebook you had been searching internet for a holiday destination. But this is no coincidence: dozens of parties are looking over your shoulder to see what you are getting up to on internet and this influences which adverts you get to see and where. PhD Candidate Robbert van Eijk investigated this process and the observance of privacy legislation in European countries. He will defend his doctoral thesis on 29 January.
The technology which facilitates online advertising is called 'real-time bidding' (RTB). When you visit a website, within a few tenths of a second the advert space on that page is ‘auctioned’: on the basis of data saved in cookies it is determined what kind of adverts are most relevant for you. The provider who places the highest bid for this kind of advert ‘wins’ and is given - upon payment of course - space by the advertiser to promote his product. 'The motive to write this doctoral thesis came from the desire to investigate real-time bidding at the intersection between technology and the law’, Van Eijk explains. 'I wanted to find out more about what happens when as a visitor to a website you get to see adverts which appear to be tracking your steps. This topic is relevant in light of the application of the General Data Protection Regulation (GDPR) and the current cookie legislation and its rules which are laid down, among others, in Article 11.7a of the (Dutch) Telecommunications Act.'
In his research Van Eijk demonstrates that this privacy component can be measured. 'I combine law and data science in my research by applying mathematic algorithms to the network traffic picked up between the browser and the websites visited. Taking a network-science perspective to the privacy component of RTB is new, by being able to distinguish the networks of partners involved in an advertisement system when displaying an advert on the website which an internet user visits. These advertisement networks partly overlap one another. This new way of observing the process also shows which role partners have in an advertisement network in collecting and sharing the data of website visitors.'
Van Eijk demonstrates in the research that two kinds of algorithms enable transparency in the mutual collaboration arrangements (the betweenness). 'These are cluster edge betweenness and node betweenness. The first is a standard that is based on the shortest paths between the partners in an advertisement network. The algorithm solves an important issue: which RTB partners are clustered in an RTB system? The second solves another important issue: who are the dominant companies in a network of RTB partners? Node betweenness helps us to distinguish between the companies.'
In addition, the researcher provides transparency concerning various differences between European countries. 'I show that a Graph-Based Methodological Approach (GBMA) can indicate the situation concerning differences in permission in 28 European countries; for example, differences in cookie notifications and cookie walls. In Europe we see two mechanisms in relation to permission. An implicit permission (where tracking cookies have already been installed before the end user has given permission) and a strict permission mechanism (where the legal requirements are implemented to the extent that no tracking cookies are (allowed to be) installed on the equipment of the end user or information can be read from the equipment when he visits a webpage). In this way, countries with implicit mechanisms can be compared to countries where strict mechanisms predominate. This leads to unequal rights.'
Through his research, Van Eijk wants to contribute to the protection of online privacy for internet users. 'For example the research contributes to the recently commenced Inria PrivaWEB project on webtracking, e-Privacy regulations and user protection. The most important object of the research field is to increase transparency through privacy measurement.'
Doctoral research is a lonely process. The group feeling at the Dual PhD Centre helps when things get difficult.
Van Eijk works as a senior inspector at the Dutch Data Protection Authority in The Hague. 'My work deals with monitoring privacy legislation. The standards for this are laid down in the GDPR. In practice, this entails that I am working in a field where the law and technology overlap. Explaining how the technology works and the application of legal standards is an important part of my daily work. I am also involved in research where we sometimes go to monitor the systems of companies on location, to see if they are correctly handling personal data according to the statutory requirements.'
Besides working, Van Eijk participated on the Dual PhD Programme at Leiden University. 'The programme first lays the necessary support base for the research. This consists of three pillars: (1) work, (2) university and (3) personal life. The Dual PhD Programme contains an important pre-PhD year. In this period you are given the instruments and skills to conduct academic research. The Programme provides a great environment to cultivate the academic and social values that help to complete a doctoral thesis which can be defended successfully. One of the most important things which the Dual PhD Centre sets up is the search for a good match between the PhD Candidate and the supervisor. In my case I was very pleased with my supervisor Professor Jaap van den Herik and co-supervisor Dr. Mark Dechesne. Because doing PhD research is often a lonely process, the group feeling you get from being part of the Dual PhD Centre can help you at times when things are not going so well. For example, the weekly lunch where candidates can present and discuss their research in a safe environment.'
Professor H.J. van den Herik on Robbert van Eijk’s research:
'Robbert van Eijk has written a wonderful doctoral thesis on online advertising (RTB). The auction process behind RTB has been clearly unravelled (a technological tour de force), but even more interesting is the knowledge exchange process behind the auction. What do cookies do exactly? And how can large companies, such as Google and The Rubicon Project, (seem to) have all shared knowledge? What about online privacy?
The question now is: what will be the response in Brussels to this doctoral thesis? It is high time that consensus is reached on the ePrivacy Regulation. Professor Peter Swire, who was personal privacy advisor to Obama for eight years, is a member of the Opposition Committee.'
Text: Floris van den Driesche