EuroPriSe
wunderloop Short Public Report
Customer
wunderloop S.A., Luxemburg:
Legal Expert
Prof.Abel Consultancy
Contact Person: Prof. Dr. Ralf Bernd Abel
Chemnitzstr. 80
D-24837 Schleswig
Tel: +49 (0)4621 / 220 32
Fax: +49 (0)4621 / 220 34
E-Mail: prof.abel[at]t-online.de
Technical Expert
Technische Unternehmensberatung
Dipl.- Inf., Ing (grad.) Birger Fritzowski
Kattenbek 33, D-24248 Mönkeberg
Phone: +49 431 2 30 37
FAX: +49 431 2 30 47
e-mail: birger[at]fritzowski.de
Date: September 08, 2008
Abstract
Technical and legal experts have examined whether the applications of wunderloop Integrated Targeting Platform, wunderloop connect and wunderloop custom meet all the requirements set out by European data security and data protection laws and regulations. Many of these requirements deal with complicated processes and highly technical or legal issues. To determine to what extent wunderloop meets these requirements, one must ask the question: How well is the visitor to a website protected when wunderloop targeting technology is used?
wunderloop targeting technology ensures privacy by using data minimisation techniques. Before storing information about target segments, all personally identifiable information is removed by a 3rd-party anonymiser. The technology does not identify users by name, but only by a randomly-allocated number, and thus enables wunderloop to file users’ interests and to establish profiles for them without knowing their names and without being able to address users in any way except by number.
Data which could be utilised for tracking an individual are not stored anywhere. Thus, it can be concluded that when wunderloop targets and gives recommendations for advertising and other services on the web, it fulfills all the requirements of European data protection laws and wholly protects the privacy of web surfers.
1. Name and version of the IT product or IT-based service
The core technology product is called “Integrated Targeting Platform” (“ITP”) version 1.13 and is marketed as the software applications “wunderloop connect” and “wunderloop custom”.
2. Manufacturer of the IT product / Provider of the IT-based service
Company name: wunderloop S.A. (”wunderloop“)
Address: 412F, rue d’Esch,
L-1030 Luxembourg
German office (“wunderloop Germany”):
wunderloop media services GmbH
Holzdamm 18
D-20099 Hamburg
Contact persons: Ulrich Hegge, Managing Director
Phone Number: +49 (0) 40 432 07 – 810
Fax – Number: - 799
E-mail: ulrich.hegge[at]wunderloop.com
Dr. Christoph Bauer, CFO
Phone Number: +49 (0) 40 432 07 – 830
Fax – Number: - 799
E-Mail: christoph.bauer[at]wunderloop.com
Frank Conrad, Technical Director
Phone Number: +49 (0) 40 432 07 – 850
Fax – Number: - 799
E-Mail: frank.conrad[at]wunderloop.com
3. Time frame of evaluation
The evaluation took place from May 27th to July 24th, 2008.
4. EuroPriSe Experts who evaluated the IT product or IT-based service
Name of the Legal Expert:
Prof. Dr. Ralf B. Abel
Address: Prof. Dr.Abel Consultancy, Chemnitzstraße 80,
D-24837 Schleswig,
Phone.: +49 / 4621 / 2 20 32,
E-Mail: prof.abel[at]t-online.de
Name of technical expert:
Birger Fritzowski
Address: Kattenbek 33 D-24248 Mönkeberg
Phone: +49 431 2 30 37
FAX: +49 431 2 30 47
e-mail: birger[at]fritzowski.de
5. Certification Body
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Centre for Privacy Protection Schleswig-Holstein), Holstenstr. 98, D-24103 Kiel, Germany
6. Specification of the Target of Evaluation (ToE)
The ToE includes:
- the service “Integrated Targeting Platform” as a core technology application,
- “wunderloop connect” as an application run as a web service by wunderloop itself,
• connect is based on the targeting core application, wunderloop ITP
• The application connect is an open AdExchange service.
- “wunderloop custom” as a licensed application which can be customised as required.
It does not include:
- transmission via networks (e.g. via mobile network, Internet, etc.)
- client hardware such as client laptops or desktops
- the production of content
- server hosting
- interfaces to other services
- the handling and accounting of publishers’/advertisers’ data
- use of application for providers of telecommunication services
7. General description of the IT product or IT service
The marketing purpose of the software solution is to make sure that online marketing reaches the right person at the right time with the right advertisement or other information (such as editorial content or product recommendations).
The solution provides newly-developed targeting and analysis methods in a modular format on one platform via an easy-to-use interface. ITP is based on a flexible software framework enabling the combination of criteria and selection options. Thus, with given data at their disposal, ITP users can determine the most relevant targeting criteria for their requirements. Profiles are established on the basis of a taxonomy defined by wunderloop. This taxonomy consists of approximately 800 nodes, i.e. categories which are linked to each other in a tree structure. There are approximately 50 generic terms, such as ‘sports’. On a second level ‘sports’ is subdivided into categories like ‘equestrian sport’ or ‘ball games’. These are further divided on a third level into more specific categories, such as ‘football’ or ‘handball’. With connect, profiles are established based on information obtained from users’ clicks when they visit customers’ websites.
In addition, the ITP technology is used to estimate the size of the target segments to be contacted. Therefore, during campaign planning ITP users will have a good idea of the results that can be expected and can change the settings as required. Campaign coverage for the desired target segments can be checked immediately and optimized accordingly. The software platform “Integrated Targeting” significantly simplifies and improves the planning and efficiency optimization of Internet advertising and the delivery of relevant content and product recommendations. Addressing the right people at the right time with the right ad is achieved anonymously on the basis of features connected to cookies. The technology does not identify a user by name, but only by a randomly-allocated number (cookie ID) and thus enables wunderloop to file users´ interests and to establish profiles without knowing their names. Identifying users is achieved by observing particular behavior patterns, for example that they look at certain products or content more frequently than average.
A maximum of 10 slots per profile will be stored, a slot being defined as one user-day. A user-day always refers to the most recent days of visit. If a user’s field of interest changes, the storage time for the new profile will also be ten days.
Profiles will be deleted when a user becomes inactive.
When using connect, all data for validated files will be deleted after 60 days of inactivity. For non-validated profiles, all data will be deleted after 30 days of inactivity.
When using custom, all data profiles — validated or non-validated — will be deleted after 50 days of inactivity. The corresponding log files will be stored from a minimum of 28 days to a maximum of 120 days, depending on the respective requirements, such as the billing and invoicing periods or time needed to answer enquiries. After this, they will be deleted. As a result of the technical analysis, the Integrated Targeting Platform (ITP), used in conjunction with custom and connect, returns a value that describes the cookie’s correlation to a particular target group. This value will be written into a cookie (“RCMD cookie”) and then used by a delivery system (e.g. by an ad server) to assign a relevant ad or content to the respective cookie.
The core software application is the “Integrated Targeting Platform (ITP). Based on this platform technology application, two applications are marketed: “wunderloop connect” and “wunderloop custom”.
a. wunderloop connect
wunderloop connect is based on the targeting core application wunderloop ITP. wunderloop’s technology tracks user behaviour and records this in a standardised data format. In doing this, the system learns from factors common to user behaviour and implements appropriate standards for configuring target segment profiles which mirror the given behavioural findings. Each website operator who signs up with wunderloop connect uses the wunderloop technology by means of a “tracking pixel” put into the source code of their Web pages. Advertising that matches these anonymous interest profiles, based on actual user behaviour and predictions of possible criteria and interests, can then be booked through wunderloop connect. The application wunderloop connect contains pre-defined standard settings for target segments.
b. wunderloop custom
The application wunderloop custom contains pre-defined standard — “out of the box” — settings as well, but target segments can be customised according to the needs of the website operator. It is available either as an ASP/SaaS (Application Service Providing / Software as a Service) solution or can be installed locally in the data centre of the wunderloop customer and is adaptable to specific customer requirements. Depending on one’s business requirements, one can choose from the targeting concepts below:
• Behavioural Targeting
• Predictive Targeting
• Geo Targeting
• Typology Targeting
• Search Keyword Targeting
8. Transnational Issues
The products and services currently being offered by wunderloop are marketed in Europe, including the EuroPriSe pilot states (but due to the nature of the Internet has no geographical limits per se). It is not specifically marketed and aimed at transnational customers, but it can be
used and is being used as such.
wunderloop connect data is always stored centrally in the German data centre operated by rsp. on behalf of wunderloop Hamburg.
All data being used transnational in a wunderloop custom installation is either stored in the wunderloop German data centre operated by rsp. on behalf of wunderloop or at the customer’s data centres.
9. Tools being used by the manufacturer of the product:
The operating system and database used for “custom” is chosen by the customer whereas “connect” uses the following systems:
Data are stored in an SQL database. Multiple databases on multiple servers can be used to optimize performance:
• MySQL: at least v4.1.11, recommended v5.0.
• Oracle: at least v9.2 with newest Patch Level.
As server operating system can be used:
• All – Inclusive - Support: Suse SLES 8, SELS 9
• Part – Support: Redhat, Debian
10. Version of EuroPriSe Criteria Catalogue for Experts used for the evaluation
EuroPriSe Catalogue Version 0.3
11. Evaluation results
The evaluation involved an in-depth examination of European laws and regulations. The main considerations are the following:
The most important concern regarding privacy protection on the Internet is the gathering, storage and use of personal data without the consent of, or even without being noticed by, the data subject (“user”).
The applications “wunderloop connect” and “wunderloop custom” are offered to the market to provide the delivery of behaviour-related data for advertising, content and product recommendations. The technology enables website operators and advertisers to increase the efficiency of their online marketing. For example, as users travel to various websites, they display a variety of interests and behaviours, and the tracking of this behaviour could obviously affect their right to privacy. To prevent this, wunderloop makes use of anonymisation methods.
The technology does not identify a user by name but by a randomly-allocated number, and thus enables wunderloop to file users’ interests and to establish profiles without knowing users’ names. When users enter a website run by a wunderloop customer, the wunderloop system enables this information to be used by advertisers, for example, whose ads match the users’ interests and thus enables the advertiser to send relevant information to the users just as they are visiting the website.
Normally, information from the cookie to wunderloop is transmitted in conjunction with the IP address. Due to technical reasons, this conjunction cannot be avoided. For this reason, the respective data are not sent directly to wunderloop, but first to a 3rd-party company which acts as an anonymiser. Thus the IP address belonging to the user will only reach the temporarily connected 3rd-party anonymiser and will not be given to wunderloop. It uses the IP address of the anonymiser to access the wunderloop system. After a request has been answered, the IP address is irreversibly deleted, and there is no way that it can be restored by the anonymiser. This procedure is technically protected and legally assured by contract.
The anonymiser is neither associated nor affiliated with, nor otherwise related to, wunderloop. There are neither personal nor corporate relations between these two companies. wunderloop is not the main customer and not even a major customer of the anonymiser. This ensures that all personal information in the shape of the users’ IP addresses is processed in a sphere completely separated from wunderloop. Re-personalisation of a particular user is technically impossible because wunderloop does not have access to any referential database. This processing meets the requirements of data avoidance and minimisation in Articles 6 and 7 of the Data Protection Directive.
Thus, in accordance with the literal interpretation of the Directive, wunderloop does not receive and does not process any personal data; it only deals with anonymous data.
In exceptional cases it might theoretically be possible for a user to be regarded as an identifiable person. In these - theoretical – cases personal data will be processed, and this processing will done be in accordance with the Data Protection Directive.
Storage of Data
wunderloop stores data only for a specifically defined maximum time (see above), after which it would be out-of-date and no longer needed by a business. Thus there is no realistic possibility of tracking a user.
Company Privacy Practices
As wunderloop identifies users only by randomly-allocated ID numbers and not by name and is neither interested in nor has the technical possibility to retrace the individuals behind these numbers, it displays its detailed and informative privacy policy on the website. This privacy website provides an easy-to-see box that can be clicked on to opt out of using tracking cookies. If users make use of this opt-out clause, a “no-tracking” cookie will be implemented on their hard discs.
Controller
The vendor of the ToE is wunderloop S.A., Luxemburg (“wunderloop”). The technical operations are carried out by wunderloop Media Services GmbH, Hamburg (“wunderloop Germany”) on behalf of wunderloop S.A.
All data are stored with and processed by wunderloop Germany. Thus, in accordance with the terms of the Data Protection Law, wunderloop Germany acts as a data controller.
Summary
The IT product wunderloop “Integrated Targeting Platform“ together with “wunderloop connect” and “wunderloop custom” can be regarded as an “informational-balance-of-powers” system. None of the parties involved has access to sufficient information to be able to find out information about or to generate user profiles of identifiable individuals. wunderloop does not possess any information by which an individual could be tracked. The customers (advertisers and/or publishers) only receive a specific recommendation as to what sort of content can be sent to a respective “target segment”. This is merely one-on-one information which does not enable anything personal about users or their identity to be discovered.
12. Data Flow
Details on data flow
With wunderloop integration, (standard) users (1) will be identified by User Cookies (2); the IP address belonging to the users will only reach the temporarily connected 3rd- party anonymiser (3) and will not be given to wunderloop (4).
It is not generally possible for wunderloop to link users and IP address data.
All tracking enquiries will be initiated by a 1×1 counting pixel; the target segment information is transferred to the AdServer (6) by a recommendation cookie (RCMD Cookie) (5).
Details of data flow
When implementing an application with dynamic Web pages where the match between User Id and target segment takes place through the Web server, user (1) will be identified by a User Cookie (2); the IP address belonging to the user will only reach the client’s Webserver (3) and will not reach wunderloop (4).
The tracking enquiry will be sent by Webserver (3) via HTTP to the wunderloop system (4). AdServer recommendations are provided as AdServer Key Words, which are sent directly to the AdServer.
13. Privacy-enhancing functionalities
The IT product encourages privacy, data protection and data security in a special and innovative way. It implements privacy by design by anonymising the data prior to any data processing. Neither primary nor secondary data contain information which allows any tracking of an individual’s name or identity.
15. Compensation of Weaknesses
not applicable
16. Decisions on relevant requirements:
1.2.1 Data avoidance and minimisation => Excellent
1.2.2.2 Privacy statement => Adequate
2.2.4 Deletion of data after fulfillment of requirements => Excellent
3.2.2 Pseudonymisation and anonymisation => Excellent
4.1.4 Right of erasure => Excellent
Experts’ statement
We affirm that the above-named IT product / IT-based service has been evaluated according to the EuroPriSe Criteria, Rules and Principles and that the findings as described above are the result of this evaluation.
Schleswig, September 15, 2008 Prof.Dr.R.Abel
Place, date Name of Legal Expert Signature of Legal Expert
Place, date Name of Technical Expert Signature of Technical Expert
Certification Result
The above-named IT product / IT-based service has passed the EuroPriSe evaluation.
It is certified that the above-named IT product / IT-based service facilitates the use of that product or service in a way compliant with European regulations on privacy and data security.