Vodafone is already the Controller of your data if you are a Vodafone subscriber, so they’re transmitting your preferences (consent) to various Processors (people who have implemented the TrustPid API, which looks like this) whilst not transmitting your data.
IANAL, but I read up on TrustPID. It looks like they will argue that because they are taking hashed data (IP address + other stuff) from the mobile ISP they will argue they are not able to identifying a living person, even indirectly (criteria from the UK version of the GDPR). There are also some opt ins and the ability to opt out.
Vodafone’s argument (that free online services need this sort of ID) doesn’t really explain why they are the ones to implement it. It reminds me of Steve Job’s open letter about DRM back in 2007 that essentially said “it isn’t OUR fault we’re implementing all this DRM”, only to then offer consumers the ability to pay more to not have to deal with it. is Vodafone offering any of the free online services that is being impacted?
My bet, based on a good number of observations, is that it’s not primarily a pretence aimed towards external customers, it’s primarily a pretence aimed towards internal stakeholders.
I’ve not worked at Vodafone specifically, but I’d guess that many of their mission statements, values, etc. all reference “customer value” and the like. So any signficant feature - regardless of how customer-hostile it actually is - has to be dressed up in terms of customer value in order to get funding and prioritisation.
The fact that that pretence leaks out in the form of press releases talking about customer value is probably incidental to the internal double-think that’s going on.
I always find it funny when there are websites that talk about privacy concerns, and then they don’t have a “Reject All” button on their cookie consent pop ups. Always a hunt to find all the things you’re able to opt out of.
Oh sure, I didn’t mean to imply that it wasn’t problematic. I’m just surprised that Vodafone is (apparently) investing a bunch of money in something that Apple (and possibly Google) can easily circumvent for their users. In fact, I wonder if Private Relay would already mitigate this for iOS users.
I’m honestly not even sure that 100% TLS wouldn’t be sufficient - all the obvious implementations trivially fail with TLS, the slightly less obvious implementations would generally fail for any packets that have to travel across network boundaries. I would assume that to be willing to take the potential publicity hit, they’d have to be sure that they can make a profit so presume that they can defeat anything the clients can do?
I’m honestly not even sure that 100% TLS wouldn’t be sufficient - all the obvious implementations trivially fail with TLS, the slightly less obvious implementations would generally fail for any packets that have to travel across network boundaries.
Yeah presumably they’re not counting on injecting ads into pages, given that something like 90% of traffic is now encrypted.
I’d have to guess that this works something like:
User visits site.
Site serves ad-network code.
Ad-network observes that user’s IP is a vodafone IP and passes that IP on to a vodafone API to get vodaphone’s profile info – built out of data fed into it via calls like this, and vodafone’s observation of DNS and whatever other unencrypted data they can observe, buy, infer, etc (or maybe they just give out their Vodafone super-ID and let the ad networks worry about maintaining the profile for the ID). Vodafone makes money off of these calls.
That profile info feeds into the ad bidding.
Ad blockers still defeat this (unless the ad network stuff starts happening server-side instead of in-browser), but this would let them turn their complete knowledge of the user-IP mapping into an unblockable super tracking cookie that never resets.
In fact, I wonder if Private Relay would already mitigate this for iOS users.
Private Relay isn’t used by ads requested in-app.
For Safari traffic, reading Apple’s literature on iCloud Private Relay suggests that Vodafone could block private relay by preventing DNS resolution for mask.icloud.com and mask-h2.icloud.com or collect the super-cookie by using an (otherwise) unroutable IP address (it would be considered either Cellular services or Local network service; see the section on Coverage and Compatability). I think if you have a VPN installed on your handset, then some TrustPid code will probably be able to associate your VPN session with the identifier with help from an app, and I would suspect Vodafone would know how to do this.
If you route your traffic through a VPN on your laptop and tether your laptop through your vodafone mobile, you still might not be safe: This might be substantially harder for Vodafone because the only way to apply the TrustPid is now through correlation instead of a super-cookie. Advertisers are uncomfortable with this stuff in my experience, so I suspect if Vodafone is doing this, they probably won’t launch with it.
How does this pass GDPR?
Vodafone is already the Controller of your data if you are a Vodafone subscriber, so they’re transmitting your preferences (consent) to various Processors (people who have implemented the TrustPid API, which looks like this) whilst not transmitting your data.
thoughts and prayers? :D
IANAL, but I read up on TrustPID. It looks like they will argue that because they are taking hashed data (IP address + other stuff) from the mobile ISP they will argue they are not able to identifying a living person, even indirectly (criteria from the UK version of the GDPR). There are also some opt ins and the ability to opt out.
Looks thin to me.
Vodafone’s argument (that free online services need this sort of ID) doesn’t really explain why they are the ones to implement it. It reminds me of Steve Job’s open letter about DRM back in 2007 that essentially said “it isn’t OUR fault we’re implementing all this DRM”, only to then offer consumers the ability to pay more to not have to deal with it. is Vodafone offering any of the free online services that is being impacted?
I assume the answer is simply that they will be able to charge for it.
I’d assume the same, I just find it off-putting to have that be so obvious and yet pretend they’re on the side of their consumers.
My bet, based on a good number of observations, is that it’s not primarily a pretence aimed towards external customers, it’s primarily a pretence aimed towards internal stakeholders.
I’ve not worked at Vodafone specifically, but I’d guess that many of their mission statements, values, etc. all reference “customer value” and the like. So any signficant feature - regardless of how customer-hostile it actually is - has to be dressed up in terms of customer value in order to get funding and prioritisation.
The fact that that pretence leaks out in the form of press releases talking about customer value is probably incidental to the internal double-think that’s going on.
Vodafone owns a substantial amount of Verizon stock, and Verizon owns all of AOL and Yahoo’s advertising properties, so yes, in a way.
TIL this. Thanks for the enlightenment.
I always find it funny when there are websites that talk about privacy concerns, and then they don’t have a “Reject All” button on their cookie consent pop ups. Always a hunt to find all the things you’re able to opt out of.
Wouldn’t a VPN pretty trivially block this, though?
The problem is you’re paying for a service, and then to use that service safely you have to pay, and trust, yet another service.
Oh sure, I didn’t mean to imply that it wasn’t problematic. I’m just surprised that Vodafone is (apparently) investing a bunch of money in something that Apple (and possibly Google) can easily circumvent for their users. In fact, I wonder if Private Relay would already mitigate this for iOS users.
Ah, fair enough :D
I’m honestly not even sure that 100% TLS wouldn’t be sufficient - all the obvious implementations trivially fail with TLS, the slightly less obvious implementations would generally fail for any packets that have to travel across network boundaries. I would assume that to be willing to take the potential publicity hit, they’d have to be sure that they can make a profit so presume that they can defeat anything the clients can do?
Yeah presumably they’re not counting on injecting ads into pages, given that something like 90% of traffic is now encrypted.
I’d have to guess that this works something like:
Ad blockers still defeat this (unless the ad network stuff starts happening server-side instead of in-browser), but this would let them turn their complete knowledge of the user-IP mapping into an unblockable super tracking cookie that never resets.
You presume the people pushing for this stuff to be used are the same as those who understand and implement it.
Private Relay isn’t used by ads requested in-app.
For Safari traffic, reading Apple’s literature on iCloud Private Relay suggests that Vodafone could block private relay by preventing DNS resolution for mask.icloud.com and mask-h2.icloud.com or collect the super-cookie by using an (otherwise) unroutable IP address (it would be considered either Cellular services or Local network service; see the section on Coverage and Compatability). I think if you have a VPN installed on your handset, then some TrustPid code will probably be able to associate your VPN session with the identifier with help from an app, and I would suspect Vodafone would know how to do this.
If you route your traffic through a VPN on your laptop and tether your laptop through your vodafone mobile, you still might not be safe: This might be substantially harder for Vodafone because the only way to apply the TrustPid is now through correlation instead of a super-cookie. Advertisers are uncomfortable with this stuff in my experience, so I suspect if Vodafone is doing this, they probably won’t launch with it.
Boy is that not a new problem.
/me eyes his private school and private hospital bills