Home Privacy Fun Fact About Clean Rooms: Data Security Isn’t A Given

Fun Fact About Clean Rooms: Data Security Isn’t A Given

SHARE:
data clean rooms (hero size)

Data clean rooms are magic. All you have to do is put your data inside, press a button, and it comes out matched, privacy safe and secure on the other side.

Just kidding.

Advertisers need to do their due diligence on potential clean room partners before working together, including (and especially) finding out how secure the platform is.

Because once data has been exposed, linked or enriched by another data set, “you can’t walk that back,” said Devon DeBlasio, VP of product marketing at InfoSum, speaking at an IAB Tech Lab Rearc privacy event in New York City last week.

Toothpaste doesn’t go back in the tube.

Somebody call security

Some of the potential security threats in a data clean room environment are the commingling of data, information leakage and “publisher ad observation.”

If, for example, a publisher knows which ads an advertiser is planning to serve, it could observe and log the first-party IDs associated with its own visitors who were also shown the ads. Then the publisher could look up the plaintext PII match keys for those identifiers and – voila! – the data has been exposed.

But not all threats are nefariously motivated, said Bosko Milekic, chief product officer at data collaboration platform Optable.

For example, say a media company owns and operates its own SSP or an advertiser has its own DSP. There’s nothing wrong with that, Milekic said, but even seemingly benign internal data sharing between them can be a form of “collusion” that leads to privacy and security problems, including data transfer through unsecured channels.

In order for data clean rooms to be considered secure, according to the IAB Tech Lab’s new technical standard for data clean room interoperability (which was released for public comment last week), the rooms have to check three important boxes.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

  1. All PII must be encrypted and never shared directly with any party.
  2. No participant should be able to learn anything about the identity of people who aren’t in their own contributed data set.
  3. No one involved should be able to learn anything about anyone in the overlapping audience.

Miss any of these steps, and a clean room can’t really call itself a clean room.

Always ask

But the devil is in those details, and there are a lot of other things for advertisers to consider before partnering with a data clean room.

For example (deep breath):

How does the clean room access data? Can the data stay put, or will it have to be streamed into another platform? Do you have to change the format of your data before sharing it? Are there controls for data governance and encryption? How granular are the controls? Is there a time limit for how long the clean room has access to the data? Will the data flows be audited? What queries can you run on the platform, and is there a specific query language? What type of liability do you have in case of a data breach, and whose responsibility is it? What happens if there’s a breach involving matched data?

“This gets very complicated,” DeBlasio said, “but these are very important questions to ask.”

And we’re not done.

Don’t forget to ask about which privacy-enhancing technologies (PETs) the data clean room uses, said Rachel Blum, principal architect and field CTO at Snowflake.

Some PETs are more privacy-enhancing than others, depending on the use case and the advertiser’s own risk tolerance. And PETs aren’t static. The “level” of privacy can be dialed up or down based on qualitative thresholds, and there’s usually a trade-off between privacy and accuracy.

A data breach is a headache no one wants, but implementing a PET that’s so strong you can’t do anything practical is also a problem.

“It’s important to consider what you’re interested in implementing and what risks you’re looking at,” Blum said. “You also need to be able to actually perform the activity.”

Must Read

LG Electronics

Alphonso Shareholders Win Their Suit Against LG Electronics Over Corporate Board Drama

After being summarily booted from the board of LG Ads in late 2022, Alphonso’s founding team has won its lawsuit against LG Electronics.

Bye-Bye Sizmek! Amazon Advances Flashtalking And Smartly As Alternatives In Advance Of The Shutdown

According to emails seen by AdExchanger that were sent to Amazon customers this week, Amazon is officially naming integration partners to offload clients of the Sizmek ad suite, now the Amazon Ad Server.

2024 Promises More Premium Inventory – And Bigger Budgets – For In-Game Ads

Given the deprecation of third-party cookies and the reemergence of contextual targeting, 2024 could be a big year for in-game ads – so long as game publishers position themselves as a source of premium inventory.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AdExchanger’s Top 3 Connected TV Newsletter Issues Of 2023

This was such a busy year in CTV land that we had to launch a dedicated newsletter just to keep up with all the trends, from measurement, currency, targeting and attribution to streaming data, identity, supply-path optimization and new ad formats – just to name a few.

M&A 2023: Ad Tech Deals Were Muted, But That Could Be A Mark Of Maturity

Who got bought in 2023, and who did the buying? Here’s a non-exhaustive list of some of the most notable ad tech M&A activity from this past year (with a few media and agency deals tossed in for good measure).

Comic: The Great Data Lakes

Snowflake Acquires Data Clean Room Startup Samooha

Snowflake has acquired Samooha, a startup that develops software to make clean room technology accessible to marketers who aren’t necessarily SQL wizards or data scientists.