Report spotlights vast scale of adtech’s ‘biggest data breach’
New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.
“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”
The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across US states and European countries which suggests that web users in Colorado and the UK are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.
But even online individuals living in bottom of the chart, District of Columbia or Romania, have their information exposed by RTB an estimated 486 times per day or 149 times per day respectively, per the report.
The ICCL calculates that people living in the U.S. have their online activity and real-world location exposed 57% more often than people in Europe — likely as a result of differences in privacy regulation across the two regions.
Collectively, the ICCL estimates that U.S. Internet users’ online behaviour and locations are tracked and shared 107 trillion times a year, while Europeans’ data is exposed 71 trillion times a year.
“On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day,” it also writes, adding: “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.”
The report’s figures are likely a conservative estimate of the full extent of RTB since the ICCL includes the caveat that: “[T]he figures presented for RTB broadcasts as a low estimate. The industry figures on which we rely do not include Facebook or Amazon RTB broadcasts.”
Per the report, Google, the biggest player in the RTB system, allows 4,698 companies to receive RTB data about people in the U.S., while Microsoft — which ramped up its involvement in RTB in December last year when it bought adtech firm Xandr from AT&T — says it may send data to 1,647 companies.
That too is likely just the tip of the iceberg since RTB data is broadcast across the Internet — meaning it’s ripe for interception and exploitation by non-officially listed RTB ‘partners’, such as data brokers whose businesses involve people farming by compiling dossiers of data to reidentify and profile individual web users for profit, using info like device IDs, device fingerprinting, location etc to link web activity to a named individual, for example.
Privacy and security concerns have been raised about RTB for years — especially in Europe where there are laws in place that are supposed to prevent such a systematic abuse of people’s information. But awareness of the issue has been rising in the US too, following a number of location-tracking and data-sharing scandals.
The leaked Supreme Court opinion earlier this month which suggested the US’ highest court is preparing to overturn Roe v Wade — removing the constitutional protection for abortion — has further dialled up concern and sent shock waves through the country, with some commentators immediately urging women to delete their period tracking apps and pay close attention to their digital security and privacy hygiene.
The concern is ad tracking could expose personal data that can be used to identify women and people who are pregnant and/or seeking abortion services.
Many US states have already heavily restricted access to abortion. But if the Supreme Court overturns Roe v Wade a number of states are expected to ban abortion entirely — which means people who can get pregnant will be at increased risk from online surveillance as any online searches for abortion services or location tracking or other types of data mining of their digital activity could be used to built a case against them for obtaining or seeking to obtain an illegal abortion.
Highly sensitive personal data on web users is, meanwhile, routinely sucked up and shared for ad targeting purposes, as previous ICCL reports have detailed in hair-raising detail. The data broker industry also collects information on individuals to trade and sell — and in the US, especially, people’s location data appears all too easy to obtain.
Last year, for example, a top Catholic priest in the US was reported to have resigned after allegations were made about his sexuality based on a claim that data on his phone had been obtained which indicated use of the location-based gay hook-up app, Grindr.
A lack of online privacy could also negatively impinge on women’s health issues — making it easier to gather information to criminalize pregnant people who seek an abortion in a post-Roe world.
“There is no way to restrict the use of RTB data after it is broadcast,” emphasizes the ICCL in the report. “Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.”
The report raises especially cutting question for European regulators since, unlike the US, the region has a comprehensive data protection framework. The General Data Protection Regulation (GDPR) has been in force across the EU since May 2018 and regulators should have been enforcing these privacy rights against out-of-control adtech for years.
Instead, there has been a collective reluctance to do so — likely as a result of how extensively and pervasively individual tracking and profiling tech has been embedded into web infrastructure, coupled with loud claims by the adtech industry that the free web cannot survive if Internet users’ privacy is respected. (Such claims ignore the existence of alternative forms of ad targeting, such as contextual, which do not require tracking and profiling of individual web users’ activity to function and which have been shown to be profitable for years, such as for non-tracking search engine, DuckDuckGo.)
An investigation opened by the Irish Data Protection Commission (DPC) into Google’s adtech three years ago (May 2019), following a number of RTB complaints, is — ostensibly — ongoing. But no decision has been issued.
The UK’s ICO also repeatedly fumbled enforcement action against RTB following complaints filed back in 2018, despite voicing a view publicly since 2019 that the behavioral ad industry is wildly out of control. And in a parting shot last fall, the outgoing information commissioner, Elizabeth Denham, urged the industry to undertake meaningful privacy reforms.
Since then, a flagship adtech industry mechanism for gathering web users’ consent to ad tracking — the IAB Europe’s self-styled Transparency and Consent Framework (TCF) — has itself been found in breach of the GDPR by Belgian’s data protection authority.
Its February 2022 decision, also found the IAB itself at fault, giving the industry body two months to submit a reform plan and six months to implement it. (NB: Google and the IAB are the two bodies that set standards for RTB.)
That consent issue is one (solid) complaint against RTB under Europe’s GDPR. However the ICCL’s concern has been focused on security — as it argues that high velocity, massive scale trading of people’s data to place ads by broadcasting it over the Internet to thousands of ‘partners’ (but also with the clear risk of interception and appropriation by scores of unknown others) is inherently insecure. And, regardless of the consent issues, the GDPR requires people’s information is adequately protected — hence its framing of RTB as the “biggest ever data breach”.
In March, the ICCL announced it intended to sue the DPC — accusing the regulator of years of inaction over RTB complaints (some of which were lodged the same year the GDPR came into application). That litigation is still pending.
It has also approached the EU ombudsperson to complaint that the European Commission is failing to properly monitor application of the regulation — which led to the former opening an enquiry to look at the Commission’s claims to the contrary earlier this year.
A requested deadline for the EU’s executive to submit information to the ombudsperson passed yesterday without a submission, per the ICCL, with the Commission reportedly asking for 10 more days to provide the requested data — which suggests the four-year anniversary of the GDPR coming into force (May 25, 2018) will pass by in the meanwhile (perhaps a little more quietly than it might have done if the ombudsperson had been in a position to issue a verdict)…
“As we approach the four year anniversary of the GDPR we release data on the biggest data breach of all time. And it is an indictment of the European Commission, and in particular commissioner [Didier] Reynders, that this data breach is repeated every day,” Johnny Ryan, senior fellow at the ICCL, told TechCrunch.
“It is time that the Commission does its job and compels Ireland to apply the GDPR correctly,” he added.
We also contacted Google, Microsoft, the DPC and the European Commission with questions about the ICCL’s report but at the time of writing none had not responded.
Ryan told us the ICCL is also writing to US lawmakers to highlight the scale of the “privacy crisis in online advertising” — and specifically pressing the Senate Subcommittee on Competition Policy, Antitrust and Consumer Rights to ensure adequate enforcement resources are provided to the FTC — so it can take urgent action “against this enormous breach”.
In the letter, which we’ve reviewed, the ICCL points out that private data on US citizens is sent to firms across the globe, including to Russia and China — “without any means of controlling what is then done with the data”.
War in Europe certainly adds a further dimension to this surveillance adtech story.
Russia’s invasion of Ukraine earlier this year has fuelled added concern about adtech’s mass surveillance of web users — i.e. if citizens’ data is finding its way back, via online tracking, to hostile third countries like Russia and its ally China.
Back in March, the Financial Times reported that scores of apps contain SDK technology made by the Russian search giant Yandex — which was accused of sending user data back to servers in Russia where it might be accessible to the Russian government.
In Europe, the GDPR requires that exports of personal data out of the bloc are protected to the same standard as citizens’ information should be wrapped with when it’s being processed or stored in Europe.
A landmark EU ruling in July 2020 saw the bloc’s top court strike down a flagship EU-US data transfer agreement over security concerns attached to US government mass surveillance programs — creating ongoing legal uncertainty around international data flows to risky third countries as the court underscored the need for EU regulators to proactively monitor data exports and step in to suspend any data flows to jurisdictions that lack adequate data protection.
Many of the key players in adtech are US-based — raising questions about the legality of any processing of Europeans’ data by the sector that’s taking place over the pond too, given the high standard that EU law requires for data to be legally exported.