Google, Cloudflare and GDPR - my quandry

Just like most of the internet, I've been working hard making sure my site and services are GDPR compliant. For the most part, on the technical front I already was, and it's mostly been a case of making sure the documentation is up to scratch.

However, in one area, I've had to revisit a  decision that I've gone over and over after the past few years - having ads on (some) of the sites, compared to the alternatives.

I decided I'd create this post for a couple of reasons - partially because I suspect others may be in a similar situation, and also to try and help lay it out so I can spot alternatives to those I've already considered.



Why Ads?

To begin with, I'm going to ignore GDPR and explain the rationale for why ads are displayed in the first place, as it forms a fairly big component of the decision.

This site (and some of my other services) has long since passed the point where it's possible to reasonably serve it from just a single server. In the scheme of things, my traffic levels aren't exactly world-changing, but are still substantial enough that I need a certain amount of scale to help spread the load.

Visitors come from all around the world, so ideally I wanted content served from various locations to keep the response times low whether you were in the Continental US, Europe or Asia.

The obvious solution to this is a Content Distribution Network (CDN).

Now, the market has changed fairly substantially since this was set up, so cast your mind back to when Akamai was dominant (and expensive) and Cloudflare had only just come onto the scene. At that time, Cloudflare's free offering had limitations that wouldn't fit well with my needs, so it would have to be a paid plan.

The alternative was to build my own CDN, which I could more easily tailor to my needs. A bit of maths showed that I could achieve it for less than Cloudflare (and certainly Akamai) charged at the time - albeit with some maintenance overheads. It wouldn't have the sheer scale that a commercial CDN offered, but I didn't strictly need that level of scale.

The problem was, that in either case, this meant additional cost.

Although much of my documentation is written primarily for my own reference, my traffic levels would suggest that others find them a useful reference too. But there's a definite limit to how much I can financially subsidise the running of the site, so in either case it needed to be generating some form of direct income (and even more so, if I was going to use a commercial offering).

There was also another factor to consider when looking at the commercial offerings, but I'll discuss that in more depth later.

Ultimately the rationale for enabling ads was that I needed some additional scale, but thought it unwise to assume I could continue to pay for that in the long term. Partially because of the cost factor, but mostly because it was an interesting challenge, I built my own (small) CDN which today serves a selected few other sites as well as my own.

Today, ads still generate very little revenue (I certainly don't make a profit, and it's rare they break even), but do help ensure I'm subsidising the site and other services less than would otherwise be the case.


Enter GDPR and Google

Until recently, although GDPR had some implications for ads, I was reasonably comfortable with them. I'd need to seek informed consent before allowing them to load, but my only real objection to that is that I want to try and minimise the number of "do you consent to..." dialogs as I think it destroys the flow on sites. I suspect ad revenue would take a hit (with people clicking "No") but other than that, it wasn't too big an issue.

Unfortunately, Google recently seems to have decided that it has other ideas on how ads are going to work under GDPR. It's been reported in various places that Google wants to designate itself a controller for all data available through a site, and push the consent collection responsibilities (and liability) onto Publishers.

Looking at Google's own information on it, it does look like they intend to make Ad publishers responsible for seeking consent, and worse, not providing the information that would be required to collect meaningful consent. I haven't spotted where they seek to grab additional data, but the consent thing alone is a big issue.

I have absolutely no issue with getting user's consent before displaying ads, but I have a very big issue with Google even raising the possibility that they may try to use me as a human shield after they screw up. When Google Adsense (seeming inevitably, given the lack of informed consent) breaches GDPR, I don't want to find myself in the position of being pulled into it.

Needless to say, this has thrown a bit of a spanner into the works.

Google do claim they're going to be releasing a non-personalised ad solution in mid-May, but that's running close enough to the deadline that I have to assume it's not going to arrive, or not be suitable (especially given the stature of their current 'solution'). Especially given it's one of the very last things stopping me putting my GDPR compliant privacy policies live.


The Alternatives

This is where I begin to get a little bit stuck on what to do next. There are alternatives to running Google Ads, but deciding which is best is about more than which would be the most GDPR compliant.


Just Disable Ads

An easy solution, but it means I'm back to fully subsidising the running of the site, which (if my financial circumstances change) may threaten it's availability in future. Although I'm not ruling it out, it's not a solution I'm fully comfortable with, as I don't want the site to be too much of a cost-centre if it can be avoided.


Disable Ads and move to Cloudflare

Cloudflare's offering has moved on since the decision was first made, so (with a bit of adjustment) I could potentially even use their free offering. That'd allow me to lower my infrastructure costs (as I'd no longer be running the CDN) whilst retaining the ability to scale.

However, Cloudflare as a company has also moved on in those years, and has grown substantially. This brings me to a new concern (one I alluded to earlier - and also the reason they're in the title of this post).

Cloudflare is massive. They deliver content for a vast number of sites, which is great for them as a business. However, it also means that a huge number of sites are utterly dependant on a single player, who necessarily has very privileged access to their traffic. If you submit something to a Cloudflare'd site, Cloudflare have to be able to see it in order to do their jobs. They've also got an ability to track you across different sites (so long as they're all CF'd) that'd likely make even Google jealous.

Now, Cloudflare aren't really in the profiling and advertising business, so they shouldn't (generally) be building profiles on specific users (though they will profile IP/subnet behaviour in order to provide their threat defences). They do provide analytics services, though, so may be making more use of the data than we realise.

They are, of course, also a US company and subject to the whims of the US Government (who's position on privacy seems to be that it's something which should be fucked as regularly as possible). Although Cloudflare would/should fight it, there is the possibility that user's data will get caught up in the response to an overly broad warrant (not that this is specific to the US of course, but greater protections exist elsewhere).

My view on this, is that it doesn't actually matter whether Cloudflare currently are, it's that the privileged position you put them in gives them the ability to build profiles in just the way that Google does. There's a hell of a lot of trust involved, and ultimately it's not my place to extend that trust on my user's behalf.

Finally, even if we assume that Cloudflare is capable of collecting < 50% of the data, and presents a lower risk, than Google does with it's ads, there's still a very important distinction: ease of avoidance.

It's possible to exclude yourself from Google's tracking with an adblocker (and a bit of effort in keeping the rules up to date etc). It's not necessarily straight forward or convenient but it is possible. It also tends to be fairly visible when that blocking fails, as you'll get Google Ads.

With Cloudflare, on the other hand, not only will you not have a visual cue that it's served via Cloudflare (unless you get one of those stupid captchas!) but you don't really have a way to avoid them other than not visiting CF'd sites. You can use Tor or a VPN to hide your IP, but if your HTTP request in some way identifies you, Cloudflare can see it. Essentially, for users there is no choice.

A similar argument can, of course, be made for other large CDNs too.

My feeling on this is that whilst Google Ads aren't a great solution, using Cloudflare (free plan or otherwise) is an even worse solution. In order to avoid giving Google access to user data, I'd instead be handing even greater access to Cloudflare and removing user's ability to disable it from their client. I'm sure their service is great, but I really don't feel comfortable with them as a solution.


Move to another Ad Provider

Some would say there are far too many advertising companies out there, which should mean it's easy to find another to switch to, right?

The problem is, recent dickishness not withstanding, Google is pretty good as advertising networks go. I'm not referring to revenue here so much as their serving of non-intrusive ads and trying to make sure that malvertising doesn't sneak in. Not perfect, but pretty far ahead of the competition.

The other problem is that Google are the current market leader. Now that they (appear to) have decided to try and weasel around their GDPR responsibilities, it's quite possible that others in the market may follow their lead. So I may find that I'm having this conversation again within a few weeks.

It is a potential option, though.


Move behind a paywall

No. Information wants to be free, and I'm not going to contribute to the growing habit of putting things into silos. Particularly given that there still isn't a good micro-payments system available, so you're left signing up to (often expensive) subscriptions on a per-site basis.

Look at New Scientist for a prime example of just how bad it can be. You want to view a single article (let's say this one). At the bottom of the page are your payment options:

  • Subscribe to App + Web - £35 for 12 issues
  • Subscribe to Print + Web - £49 for 12 issues
  • Subscribe to Print + App + Web - £55 for 12 issues
  • Web access - £49 for 30 days access

If I don't want to subscribe (I don't particularly want to be handing out my details to every frigging site), or it's just that one article I'm interested in, it's more expensive that 12 months access. Either way, reading that one article means I've got to part with at least £35 and then hope they run enough content that interests me to justify the payment.

Aside from the fact I really don't like those options, I don't think it's a particularly good fit for my site anyway. Some of my services, maybe (though some of those already offer subs).


Move to a donation model

One option would be to remove the ads and seek (small) donations instead.

I've previously run sites using this model, and the problem is that to actually get a meaningful number of donations the "Donate Now" material needs to be very prominent, and the donation mechanism as quick and simple to follow as possible.

Wikipedia gets incredibly irritating every year with it's donation banners, but that really is the level of visibility you need to make it viable as a steady income stream. Small, non-intrusive donation notifications just don't work (been to the site before? Ever noticed the donation line at the foot of the page? They go unnoticed in sidebar's too)

I don't really want my sites looking like that, it feels like I'd be avoiding the annoyance of a consent dialog by replacing it with something that's more visually irritating. But, it would also (massively) ease the GDPR overheads as there needn't be a third party involved.



There are no good solutions to this - partially because the status quo isn't exactly particularly great either.

I need a certain amount of scale to provide the services I provide, and I don't want the site to be too much of a cost centre (it does indirectly still generate revenue through other means, like increased custom, but that's harder to predict). To achieve that scale I either need to run the infrastructure myself, or effectively outsource it to a third party like Cloudflare.

For the reasons laid out above, I'm not comfortable with my site being yet another sat behind the Cloudflare gate-keeper, but involving any third party in delivery raises similar concerns in my mind. I'm not sure that I can really consider it a viable option, particularly as if the free tier doesn't fit my needs, it's back to the same quandry but with that third party now included.

I've always been fairly privacy sensitive (the social icons at the bottom of this page, for example, load nothing from the social networks until you click them, or unblock them in the privacy pane on the left), and running ads has never sat particularly well with me. They (or some replacement) are fairly important to the continued existence of this site though.

If Google actually make a decent pass of launching non-personalised ads, they'd obviously be a better option that the current ads. Had it been an option all those years ago, I'd have selected them then too. My concern is that they won't, or that they'll continue to try and use publishers as a human shield.

Clearly, I have a decision to make, and it may be that I try a few things (such as the donation model) along the way. If I haven't decided in time, I do at least have the option of just turning the ads off whilst I decide, so time isn't too big a factor here. It may also be there's a solution I haven't thought of.

For avoidance of doubt, I don't think any of this is an issue with GDPR itself. In fact, I actively support what GDPR is aiming to achieve (though there is, perhaps, too much bureaucracy mixed into it), the way in which we process data has changed immensely and it's high time that protections were dragged up too.

I know some people are complaining about the effect that GDPR will have on WHOIS, but I'm not sure I entirely agree. It certainly will have an impact on security research in the short-term (as a useful portion of the dataset is being removed), but what seems to be being missed in the objections is an assessment that's crucial to Data Protection. Is it proportional and reasonable that every domain owner's contact details be publicly available so that you can more easily track malware? Given that there are still more legit domains than malicious, I would say the answer is no, and ultimately the data isn't being removed, it's just going to require an additional step to access. Anyway </tangent>

As much as I'd love to blame Google's somewhat toxic approach here, the decision isn't that much different to the one I faced every time I reconsidered the ads before GDPR even became a blip on the radar. All that GDPR has done really is to cause me to revisit, and with some additional repurcussions. Aside from the initial decision, I've not actively chosen Google Ads over the alternatives so much as failed to make a decision. In the coming weeks, one way or another, that ends....