The adtech industry was unable to muster even a single speaker to fill a 10-minute slot to discuss the security implications of programmatic advertising at a much-anticipated event yesterday.
The talks were run by the Information Commissioner's Office at an undisclosed location in central London as part of efforts to dig into the murky depths of targeted ads and the real-time auctions that drive the field.
It was badged as a fact-finding mission, and the ICO had emphasised that it wanted to hear "diverging views" from all sides and all parts of the advertising chain.
"In order to develop our understanding of all aspects of this complex ecosystem, our next step is to... bring together a range of representatives from across the adtech industry to explore each of our key themes," Simon McDougall, executive director for tech policy at the ICO, said in a blog post last month.
However, industry representatives declined to appear on stage to give their side of things in the security-focused section of the programme – one of three prongs McDougall had outlined for investigation.
This was not through a lack of trying on the ICO's behalf; as late as 3.45pm on the day before the event, an email went round to attendees searching for participants.
The mail, seen by The Reg, offered delegates from the adtech industry the chance to take a 10-minute slot in the afternoon session on security of personal data.
"Industry has thus far appeared reluctant to speak during this session and, while all delegates will be able to participate from the floor during the moderated discussions, there is an opportunity here for AdTech to put forward its views alongside those of the regulator and civil society," the email stated.
McDougall said in advance of the event that the ICO was particularly interested in how organisations "can have confidence and provide assurances that any onward transfers of data will be secure".
The issue is that programmatic advertising relies on the rapid sharing of users' personal data, which includes everything from the site they're on and the device they're using to their GPS coordinates. In a fraction of a second, this info is pinged around hundreds of publishers and exchanges.
Critics question whether it is possible to ensure the security of this data both as it whizzes between organisations and after the auction has finished – and forms part of a complaint lodged with European data protection agencies about the Interactive Advertising Bureau and Google.
The fact adtech industry reps didn't give their side of the security story at the event is like a red rag to a bull, allowing those critics to argue the reason they failed to appear is because they don't have a leg to stand on.
It is of course possible adtech bods didn't feel up to facing the wrath of the privacy warriors no doubt in attendance – an argument slightly undermined by the fact there was a better balance in other sessions.
Indeed, the ICO had brought industry to the event – although the nature of Chatham House rules means no one can name names – and they are said to have spoken in sessions on the other two strands of the ICO's potential probe.
These were transparency and personal data – what people are told about how their data is used for online advertising and how accurate those disclosures are – and the lawful basis for processing of personal data.
On the latter point, McDougall said ahead of the event that there were "several schools of thought around the suitability of various basis for processing personal data", which the ICO wanted to assess.
However, it is understood that the ICO is accepting written submissions from those who didn't get to speak on the day – so the adtech groups still have time to offer their thoughts on security.
We've approached the ICO for comment. The body is also set to publish a blog about the event soon. ®
Sponsored: Webcast: Ransomware has gone nuclear