The IAB loves tracking users. But it hates users tracking them.


The Interactive Advertising Bureau (IAB) is a standards development group for the advertising industry. Their members love tracking users. They want to know where you are, who you're with, what you're buying, and what you think. All so they can convince you to spend slightly more on toothpaste. Or change your political opinions. Either way, they are your adversaries.

The IAB's tech lab is working on a system called UID2. It's a more advanced way to track you no matter what you do and no matter what steps you take to avoid it.

UID2 is a framework that enables deterministic identity for advertising opportunities on the open internet for many participants across the advertising ecosystem. The UID2 framework enables logged-in experiences from publisher websites, mobile apps, and Connected TV (CTV) apps to monetize through programmatic workflows.

Basically, they tie your email address to everything you do. Signed in to watch a TV show? Better sell that info to the advertisers so when you sign in to a different site they can send you targetted messages. Yuck.

One of the ways privacy conscious users normally avoid this is by subtly altering their email addresses for each service they use. For example, GMail ignores any dots in your username. So if you are Han.Solo@gmail.com you can also use H.ansolo@gmail.com or ha.ns.ol.o@gmail.com. A user might sign up to a service and use a specifically "dotted" email address. If they later start receiving spam to that address, they know the service has leaked or sold their info.

You can go one step further and use plus addressing. For example han.solo+amazon@gmail.com and han.solo+github@gmail.com. They both will appear in your normal inbox, but are unique for every service you use. Again, this is great for making sure that someone hasn't sold your email address to spammers.

The IAB hates this.

As part of the UID2 API they specifically describe how an advertiser must "normalise" their users' email addresses.

This means h.a.n.solo+iab@gmail.com becomes plain old hansolo@gmail.com

I think this is pretty shitty behaviour. If someone has deliberately set their email address in this form it is because the user does not want their identities to be commingled.

Last year, I asked them to respect users' privacy and reverse this change. They finally responded:

Thank you for your input, we thought long about this update and ultimately as it stands today it is not a change we would like to add.

So, there you have it. If you want to take even the smallest step to preserve your privacy - tough.
If you want to track which IAB members are using your data - tough.
If you want to track users even if they don't want to be tracked - the IAB is happy to help.

If you want to opt out of this - and you trust the IAB to handle your data safely - you can submit your email address and phone number to https://transparentadvertising.org/.

Personally, I recommend installing the uBlock advert blocker on all devices which support it.


20 thoughts on “The IAB loves tracking users. But it hates users tracking them.

  1. @Edent I’ve noticed several brands now blocking services like iCloud’s relay, which lets you sign up with a random email address that’s not related to yours. Firefox relays ducks around that by letting you use your own domain, which makes it much harder for them to block sign-ups, but that’s obviously only applicable to a few users.

  2. Gabor says:

    I've been loving fastmail's masked email functionality, which gives you a random email alias like "salty.hotdog8233@fastmail.com", plus it has 1password integration, so signing up to places is fairly straightforward if you use 1p.

  3. I just read this and the solution I use is my own instance of AnonAddy - and I create a new and unique email address for every site/service I use. If you don't want to run it yourself there is a SaaS version - plus it is FOSS.


  4. I have been using my own installation of AnonAddy for a couple of years now. I used to just have a catchall in my mail server which would forward anything which was sent to a non existing email address to a delegated account



  5. The plus convention is not specific to GMail (Sendmail, MS Exchange, Postfix and other email software have it), but they only require stripping it for @gmail.com domains. I have my own dedicated domain for vendors so I won't be impacted, and Apple's email masking feature will do the same, along with competing offerings from DuckDuckGo et al.

    Hashing PII like an email is also PII and this proposal is a blatant violation of GDPR, of course.

  6. Nikki says:

    Personally my opinion of anyone involved in advertising is so poor that I'd probably not be allowed to express it here. I can easily imagine a world without advertising as the web allows you to find anything you want without having someone trying to force it down your throat. Also the idea that many parts of the web could not exist without advertising support is facile. It's a bit like saying that free and open parks cannot exist without employing pick pockets to gather funds to pay for maintenance. If there are any parts of the web that really can not exist without advertising, they must be so bankrupt of alternatives ideas that their services could not be trusted to be useful.

  7. Oli says:

    I’m a big fan of Fastmail’s masked addresses for this reason.

    Word dot word four digit number at my own domain, goes in the password manager, never thought about again!

  8. says:

    I own my name dot [tld] so I can do slingshit@me.com. Looks like I'm still gonna be doing alright. Cloudflare's mail forwarding works well for this, before that I used ImprovMX. Both just point the proper DNS records from your site to someone's mail server for quick relay+disposal. I imagine having all mail filter through a magic box is technically A Bit Troublesome but it's still better than Google Mail!

  9. @Edent The issue at the core of privacy is dignity--to hide or reveal parts of ourselves as we create relationships. In this case, advertisers want a kind of "forced intimacy" with all of humankind--to prevent people from hiding parts of themselves--so they can offer goods and services. The difference between a friend recommending something--because they know you well--and the IAB or others advertising to you, is that a friend actually has your long-term best interest in mind.

  10. @EdentGood article, but I'm sad that you didn't mention one thing IAB is totally powerless against: Anonymous email services like AnonAddy and SimpleLogin (which was recently acquired by Protonmail). Truthfully, I find these tools to be WAY better than dot/+ tricks in Gmail. It's very easy to generate (and if you pay for domain support, customize). Now, every data vampire, service, transit login, etc. gets it's own email that I can identify (in the description) and when no longer needed, delete entirely.

  11. says:

    @Edent well that’s a bummer.How do they factor in that some services (like iCloud) do respect the full stops?Hello.World@icloud.com is a substantively different email address from HelloWorld@icloud.com, and resolves to two separate accounts!Normalising those would surely incorrectly mingle data?I’ve started using entirely random email addresses — generated by Apple’s Hide My Email — which should keep me circumspect. But that’s a paid feature of iCloud+; and not an option for some.

Leave a Reply

Your email address will not be published. Required fields are marked *