Online ad auctions represent a threat to national security in the US and Europe, a civil rights group claims, because the data that enables personalized advertising could be used to compromise civilian and military leaders.
The Irish Council for Civil Liberties (ICCL), a Dublin-based advocacy organization, issued two reports this week exploring the purported privacy risks posed by real-time bidding (RTB).
The two ICCL reports – “Europe’s hidden security crisis” and “America’s hidden security crisis” – claim the data collected to target ads on the web and in apps puts political leaders, military personnel, and others at risk of blackmail, cyberattacks, and abuse while generally weakening organizational security.
“The RTB industry’s data free-for-all has created a serious national threat,” alleged Johnny Ryan, a senior fellow of ICCL, in a statement. “We call on the US Federal Trade Commission, European data protection authorities, and the European Commission to urgently act. The industry can not be allowed to put our elected leaders and military personnel at risk.”
The US-focused report, for one, warns RTB “can enable foreign states and non-state actors to target specific leaders and personnel in the United States, and mine RTB for information about their financial circumstances, mental state, and compromising intimate secrets,” adding: “This exposes America’s most sensitive institutions and industries to hacking, blackmail, and compromise.”
It seems the argument goes that all the heaps of data out there can be analyzed to reveal specific targets’ sensitive habits, opening them up to extortion and the like. We can also imagine someone using micro-targeting to throw suggestive, manipulative, or malware-laden adverts at particular individuals, or compromising the apps and sites a target frequents to gain more intelligence or infect their devices with spyware. The sky’s the limit, potentially.
Both ICCL reports cite a group of conservative Catholics acquiring app data to reveal a priest’s use of a gay dating app, for instance.
Other researchers have reached similar conclusions: last week The Register reported Duke University researchers found information about active military personnel could be bought from US data brokers for as little as $0.12 per record.
Google has challenged the reports for making inaccurate claims about its business – although Kent Walker, Google’s chief of global affairs, last year also called for action, in the form of a US federal data privacy law.
The reports also cite behavioral audience segments available to ad buyers from platforms like Microsoft Xander, Nielsen, Epsilon, LiveRamp, comScore, Oracle, and others. These include whether a person suffers from depression, or other conditions like chronic pain, substance abuse, or anxiety disorders.
Advertisers – or more troublingly, foreign intelligence agents – can also target gamblers, income level, debt, ideology, and religion, among audience segments.
The Internet Advertising Bureau (IAB), an industry trade group, gets called out for maintaining sensitive data categories as part of its technical standard for RTB. “The ‘IAB Context Taxonomy’ is an RTB industry standard that categorizes what target individuals are watching, reading, or listening to,” the report on Europe observes. “The code IAB-122 marks a person’s interest as ‘defense industry.'”
And the US-centric report alleges, “Google and other RTB firms send RTB data about people in the US to Russia and China, where national laws enable security agencies to access the data.”
We have the strictest restrictions in the industry on the types of data we share in real-time bidding
Google insists that it stopped providing data to Russia in 2022 and that its policies forbid abuse. “To protect people’s privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding,” a spokesperson told The Register. “This report makes misleading and inaccurate claims about Google. Our real-time bidding policies simply don’t allow bad actors to compromise people’s privacy and security.”
Google maintains that it does not share Personally Identifiable Information bid requests, and that no Google Account information is ever shared with RTB buyers. The Chocolate Factory further argues that it follows the law in Europe to obtain consent for personalized advertising and that it does not allow advertisers to build or use profiles based on sensitive information.
The existence of policies against abusing RTB data doesn’t necessarily preclude data buyers from flouting those rules, however. The ICCL reports highlight a private firm based in Israel called ISA Security that makes a tool called Patternz – and boasts access to RTB data that covers five billion devices. Some of that data, it’s claimed, came from Google and Twitter.
The ISA website describes the software as an advertising-based intelligence tool. It claims “PATTERNZ allows national security agencies [to] utilize real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users’ behavior, location patterns and mobile usage characteristics.”
ISA Security – which, at the time this article was filed, lacked a valid TLS certificate – could not be reached for comment because its web submission form was nonfunctional.
Microsoft and the Internet Advertising Bureau did not respond to requests for comment. ®
