How we can restore trust in digital advertising

digital, restore
how-we-can-restore-trust-in-digital-advertising
worked closely with the French privacy regulator (CNIL) to develop specific consent language around third-party use of location data and saw 70% consumer opt-in rates.

Benoit Grouchko is CEO and co-founder. I spoke to him recently about data and consumer privacy and his expectations for how CCPA will impact marketers.

ML: Google proposed an industry-wide initiative to try and preserve behavioral targeting in the U.S. while giving consumers more control over that data. Are you hopeful about this effort?

BG: Google
owns such a large piece of the digital advertising pie that one can only be
hopeful. Do they have the leverage to manipulate this to their benefit? Sure,
but their efforts can also do a lot of good on a macro level. 

It’s a good
sign and indicates that Google is seeking to be ahead of the regulation curve
by setting the precedent on privacy. What’s interesting is that a lot of the
best practices this blog proposes are already in place in France and the rest
of Europe. There’s a lot the US can learn from GDPR.

ML: Many surveys suggest that consumers increasingly distrust big internet companies, brands and digital advertising generally. Can trust in digital marketing be restored?

BG: I am an
optimist so, yes, I think trust can – and will – be restored. We sometimes
forget that digital advertising is a relatively new industry. And every
industry goes through a “correction” or “adjustment” of some kind at some point
in its history. We’ve been building up to this for a while now; the Facebook
debacle and the institution of GDPR are the two straws that broke the camel’s
back. 

I think
it’s a matter of time until things settle. I can’t say it will be soon, but
regulation will normalize over time and companies will fall into place. 

What we can
do individually – as people and companies – is to do what’s right for our
customers and to organize. We need to stop thinking of short-term gains and
think about the ecosystem as a whole. As you rightly pointed out, we all stand
to lose here. 

Often
consumers conflate mistrust with misunderstanding. Better transparency will
help people see that the “creepy types of targeting” they mistrust is not quite
as threatening as they perceive.

Advertisers are good at their jobs,
and even better when they use data. Being embedded in the ad industry, I have
the perspective that good advertising helps inform me about products or
opportunities I wouldn’t otherwise know. As digital literacy and transparency
increase, so will trust.

ML: We spoke about finding a middle point between irrelevant and creepy. In a post-GDPR, CCPA world how does all that happen on a mechanical level? 

BG: The middle
ground between irrelevant and creepy is an ad experience that optimizes
performance for the advertiser and is great for the consumer. Two things need
to happen to find that middle ground: first, advertisers need to get better at
understanding performance. Even if an ad is hyper-relevant, if a consumer
perceives it as creepy, it will decrease performance and deteriorate brand
sentiment. Advertisers need to look at performance over everything. The “creep”
factor will play into performance and help advertisers determine what types and
depth of targeting to use.

The second thing that needs to
happen is on the consumer level. Consumers need to become more digitally
literate. Any data that digital marketers ethically use will be anonymized.
Most consumers probably don’t understand that. It goes both ways, though. Many
consumers don’t know which apps are tracking them and when. Great transparency
and knowledge will help us reach a middle ground.

Regulations
will certainly help put some boundaries there and make sure nothing creepy
happens. However, there is a deeper question here around what is actually
creepy or not, as that might vary from one consumer to another.

ML: My understanding that most Europeans aren’t doing much in the way of managing cookie settings; they’re making binary choices (decline/accept). Is this accurate? 

BG: I think
European consumers are confused about how cookies function. I also think many
are wary of the concept. And they should be.

Many
companies use “tricks” to drive consumers to give consent. Some play with
screen placement and colors; others offer only a single choice, which is
consent. 

From my personal point of view, I think these choices relate back to digital literacy. More digitally literate people will make more complex choices and set their permissions at the top level. Most people are probably making binary choices, but as digital literacy increases, people will begin to change their attitudes. Pop-ups were once the bane of any Internet user’s existence. Now users have to deal with privacy, notification and tracking pop-ups. I doubt this will continue forever.

ML: Regarding CCPA, what is put in front of consumers when they visit a website will matter. If choices are complicated they’ll likely “accept” to get to the desired content and there won’t be much impact. Do you agree? 

BG: I couldn’t agree more. And it’s these manipulative/deceptive practices I stated above that are counterproductive to the cause. 

No one reads the entire terms and conditions. People use the Internet to increase speed and efficiency. Like I said, even the opt-in or opt-out choices may fade away at some point.

ML: In the U.S. “ad choices” — the industry’s prior attempt to deliver user control and choice re behavioral targeting — is a total failure.  Why would any of the newer “choice” initiatives (or CCPA) be any different?

BG: Something’s
got to give in terms of privacy and transparency in the US. I hope that CCPA
will learn from GDPR and how consumers reacted. While the first set of
regulations may create an undue burden, the landscape will reach equilibrium,
and everything should go back to “normal” at some point.

ML: How does Safari and ITP, which is a different approach to these same problems, affect the market? Many marketers see cookie blocking as a blunt instrument and very heavy-handed. How do you see what Apple is doing? 

BG: Apple has
always taken a hard line on security – and it’s served them well. If there were
more companies like Apple, perhaps we wouldn’t be in this situation to begin
with. The greedy argument is that digital advertising would not have reached
such heights but, as I said, this is a long-term game. 

The problem
I see now is that everyone has gotten a taste of the profits and set the bar
quite high, making it difficult for any one vendor to take such a hard line
without losing a ton of business. Not an easy problem to solve.

While a
hard line on security has served Apple well, consumer reaction always has a lot
of influence on regulation. Apple has always been able to simplify the digital
experience for consumers. But I still think this first round of guidelines will
be a learning experience, especially as other big players in tech respond.

ML: Whose job is it to educate consumers to make them more digitally literate? 

BG: I think, ultimately, it’s up to us in the industry to not only do what’s right in terms of respecting privacy but also to educate consumers on best practices. I feel that regulation is meaningless to consumers if they don’t understand the nature of the transactions in which they engage, how the technologies work, and the associated costs, benefits, trade-offs. 

Informed consumers are in the end
the future of our businesses, which are built on trust. It’s in our best
interest to do right by then to gain/regain this trust so we can build loyalty.

Regulators, advertisers, companies,
and web providers all have an obligation to be transparent about the digital
landscape and what it means for consumer privacy. But, if the burden falls to
these entities it creates a greater layer of complexity than necessary. It begs
the question: how much should regulators, advertisers, etc. inform consumers?

There certainly should be some
level of transparency, but privacy practices that, for example, initiate pop-up
requests for permission to run every nominal background task may end up
annoying or confusing consumers more than they help them. The landscape will
eventually reach equilibrium. Ultimately, in any society with freedom of
information, it’s up to consumers themselves (along with news organizations,
journalists, and watchdogs) to become digitally literate.


About The Author

Twitter or find him on LinkedIn.




It’s time to restore identity and trust to digital communications

Identity, restore
it’s-time-to-restore-identity-and-trust-to-digital-communications

Way back when the Internet was young and early internet surfers were using 3600 baud modems to launch themselves via copper into the Netscape driven cyberverse, trust and identity were not really as important as they are today. Flash forward to today: Identity and reputation both play a critical role for re-establishing trust across digital communications. Who calls or emails us and their credibility (whether the caller or sender is someone who’s credible enough and worth the time of the recipient to respond) are key elements that help us decide whether to take a call, open an email or respond to an SMS. Precautions, such as two-factor authentication, is based on the fact that we can’t trust just one form of identity. I hate to sound like an alarmist, but the Internet can be a scary place.

There are a number of other technologies and initiatives aimed at ensuring trust. For me, as someone who appreciates the history of digital communications, it’s interesting to see all of these efforts trying to accomplish something that was invented more than 50 years ago: caller ID. Remember caller ID from the good ol’ landline days…where you could view the number that was calling you on your phone and see or hear the caller’s name and location? 

Caller ID: Where has it gone?

The short answer is: caller ID still exists, but it’s a lot more complicated than you think.

When I said that it’s more than 50 years old, I wasn’t kidding. Caller ID was invented in 1968 by Ted Paraskevakos – long before cell phones were even an idea. The system that Mr. Paraskevakos invented (and Kazuo Hashimoto perfected in 1976) boiled down to this: when a person dialed another person, their phone sent a signal through the wires to the recipient. Landline numbers were (and today often still are) tied by physical wires connected to the local phone company’s central switch. In those days, a number was always identified with a specific address and location. Caller ID simply matched the number and location with the subscriber’s name and location. 

How cell phones complicate caller ID

The advent of cell phones made the caller ID process more complicated. Cell phones now dominate phone calls. Nearly 55% of US homes in 2018 did not have a landline – only a cell phone. That number jumps to 77% when you only count millennials (aged 25-34)! The basic technology of cell phone calls involve the use of any number of various stops between multiple carriers. In the U.S. alone, there are more than 1600 phone carriers, all with their own networks and sources for caller information. A cellular call is not tethered nor dependent upon physical landlines. In the old days of landlines, your neighbor down the street was on the same network that you were on. Nowadays, your neighbor might be on AT&T’s network and you might be using Verizon’s, regardless of the fact that you live around the corner from each other. Just imagine how many places a signal has to travel to connect you to family and friends that may live in the next suburb let alone halfway around the globe. The complexity is mindboggling.

In the early days of cell phones, caller ID was largely dependent on the contact list stored in someone’s cell phone. For the most part, during those days, the only people calling each other were people who knew each other. From a product perspective, wireless carriers in that era didn’t see caller ID as critical as other services – like text and voice mail – because of the prevalence of the contact list. A lot of consumers felt they already had caller ID, and still do today. But, in reality, as has become apparent in an age of robocalls and rampant phone scams, the majority of consumers do not have caller ID, and trust in the overall communications process has plummeted.

There’s a link here with how companies viewed address books for email marketing. A brand who managed to get their recipient to add their from address to their email client’s address book benefited from improved inbox placement. Similarly, caller ID helped establish credibility when a company calls to schedule delivery or returning a customer service call. Again, we live in an era of trust but verify because our communication channels and platforms have been exploited.

Caller ID comes to cell phones

The wireless carriers did eventually get around to offering true caller ID in 2011 for around $3-5/month. The delay was partly because smartphones – which could accommodate the complex caller ID process – didn’t hit the market until 2007.

But the main reason caller ID wasn’t a priority? Because it really wasn’t needed – until the plague of robocalls, spoofing and phone scams started to become ubiquitous. That led to a demand for caller ID with a name attached to a number that showed up on the phone.

And now:

  • T-Mobile offers services like Scam Likely and Scam ID
  • AT&T customers can opt-in to services such as Call Protect and Call Protect Plus
  • Verizon has Call Filter while Sprint offers Premium Caller ID.
  • iOS 13 will give iPhone users the ability to route all unknown calls to voice mail thus preventing the delivery of robocalls, but legitimate calls in the process, how many of you store the number of your Doctor’s Office, and is it consistent for inbound and outbound?

The problem is, fewer than 5% of consumers have opted into caller ID and name services on their cell phones. Again, caller ID has been available – it just hasn’t been widely utilized by consumers.

And now, even with traditional caller ID enabled on their cell phones – like we used to have on landlines – consumers may still not know who is calling them.

The reason? Spoofing. In its simplest form, spoofing a number or email address means the sender is pretending to be someone they are not when placing a call or sending an email. There are legitimate use cases for spoofing, such as a doctor’s office calling you, or the placing of a call by a ride-sharing app to protect the driver’s and the callee’s personal information. In an age when the phone system is no longer tethered by copper but has gone virtual thanks to SIP calling, bad actors (and some good) can decide who they want to be when calling you. They can even call you from your number! Today’s caller ID system only uses the phone number associated with the incoming call to lookup the name and location of the owner of that phone number in the database. That doesn’t work with spoofing when a call might appear to be from someone you know, but in reality it may be someone with malicious intent spoofing their number to trick you into answering it.

So while caller ID still exists today and is readily available, it doesn’t instill enough trust for you to answer the call. There really hasn’t been a way to prove that the person making the call is indeed who they say they are.

The new (old) era of communications 

Spoofing is why the communications industry is now starting to roll out a new technology known as SHAKEN/STIR. SHAKEN/STIR stands for “Secure Handling of Asserted information using toKENs” and “Secure Telephony Identity Revisited.” Simply put, with SHAKEN/STIR, the service provider that originates a call onto the public telephone network will cryptographically sign the caller ID and called number with a private key so the call can transit the networks securely. Upon reaching the terminating carrier, a public certificate is used to decrypt and verify the call.

Under this scheme, when a call finally reaches its destination it might be accompanied by a checkmark or some other indicator to signify it’s been certified as a legitimate call. Even for certified calls, the end user must still decide whether to take or reject a call based on the information they have.

The process is very similar to how websites currently handle trusted communications. Certification authorities (CAs) issue digital certificates verifying the authenticity of websites and their content. As a result, a user knows they are visiting a legitimate website, as opposed to one that has been setup to capture or steal information. This process is somewhat mirrored in the inbox by those little green and red lock icons you see in certain email clients that denote if the message was transmitted using TLS or if it failed certain authentication checks. This concept is finally coming to your mobile handset – and just in the nick of time! By some estimates, there are 9,500 fraudulent robocalls per second!

Times they are-a-changing!

In November 2018, Ajit Pai, the chairman of the Federal Communications Commission (FCC), required carriers to implement the SHAKEN/STIR framework to help establish the validity of placed calls by connecting callers and numbers through cryptographic signing. Remember caller ID? Knowing who called and being able to, with confidence, attest to the validity of that caller is critical to combatting spoofed calls and robocalls. Although SHAKEN/STIR won’t tell you exactly who called, it will provide a visual indicator that the caller owns the number initiating a call and help in tracing fraudulent calls. If a carrier can “automagically” tell that a call isn’t who it claims to be, or from whom it purports to have originated, then they can simply not deliver that call. This is pretty much how email authentication protects us from the rash of phishing attacks.

Earlier in the year, I wrote about the history of email in a 3 part series. Email had/has a similar authenticity problem: how do I know that the email I received actually came from the brand or person that claims to have sent it? As I said then, email was built at a time when trust and identity wasn’t as important. As the Internet matured and more of us came online, bad actors saw email as a highly exploitable channel. Standards bodies, such as the Internet Engineering Task Force (IETF), and their members took it upon themselves to create mechanisms to identify legitimate senders and drop the mail of bad actors pretending to be a legitimate brand. This potent mix of standards is now known as SPF, DKIM and DMARC.

The problem of phishing and spoofing in email is by no means solved. Bad actors continue to evolve their attacks. Simultaneously, the channel is thriving through evolutions such as Google’s AMP for Email and the renaissance that newsletters are having. Everything old is new again! 

What’s next?

Wouldn’t it be great if the consumer had more information than just a green check mark indicating the call has been verified? For me personally, I’m not sure that would instill enough confidence to answer a call from a number I hadn’t seen or heard of before. Call me a skeptic. Numerous companies – both carriers and technology vendors — are working on solutions to make the call you see more friendly and informational. Some of the solutions out there not only verify the call, but also create the ability for the caller to transmit the reason for the call. In the hypothetical example below, how likely would you be to pick up the call if your flight was canceled versus how it’s done today with a 1-800 calling you? If I hadn’t put United’s number in my contact list, I’d never answer that phone call. What if the notice on your phone looked like this?

and YouMail. Similarly, our inboxes are changing thanks to the likes of Google and the much anticipated BIMI (Brand Indicators for Message Identification). which rewards companies who sign email authentication for their emails, at enforcement, with brand logos next to their messages in the inbox. Trust and identity are at the center of much debate and controversy around Internet technologies. Recently, I had the pleasure of leading an on stage conversation with some of the authors of DKIM/DMARC and SHAKEN/STIR.

One wonders what the inventors of the original version of caller ID on landlines would think about today’s various technologies and efforts to pursue trusted communications – caller ID services from carriers, apps, SHAKEN/STIR and a number of other initiatives. All of it is needed to regain that sense of trust and faith in the phone call and inbox that we all took for granted during the golden age of landlines and the earliest days of email. The complexity of today’s communications process by default demands complex solutions and industry-wide cooperation. But industry-wide cooperation is not anything new. After all, carriers and system providers cooperated in the old days of landlines, too. There may have been less of them, but still, the cooperation was there. I believe that same sense of cooperation exists today, too, just on a bigger scale. Caller ID, innovation, trusted communications, industry cooperation – the more things change, the more they are the same.

Opinions expressed in this article are those of the guest author and not necessarily Marketing Land. Staff authors are listed here.


About The Author

Twilio SendGrid. Len serves as an evangelist and proponent of best practices and drives thought leadership and data-driven insights on industry trends. Len represents Twilio SendGrid on the board of M3AAWG (Messaging, Malware, Mobile Anti-Abuse Working Group) as vice chair in addition to co-chairing the Program Committee. He’s also part of the MAC (Member Advisory Committee) of the Email Experience Council where he serves as the organization’s vice chair. The EEC is owned by the Direct Marketing Association of America, a nearly 100-year-old organization where he also sits on the Ethics Committee. In addition, Len has worked closely with the Email Sender and Provider Coalition on issues surrounding data privacy and email deliverability.