How Massive Server-to-Server Data Transfers Represent a Hidden Threat to Privacy

It’s well known that we are routinely tracked whenever we use the internet. Most people also understand that the primary business model online is surveillance advertising, whereby huge quantities of personal data are collected and aggregated in order to provide information for highly targeted digital advertising. While those facts are common knowledge, we still lack detailed analysis of what exactly happens when we view pages and buy things online. This makes a new study about the nature and scale of US surveillance advertising from respected non-profit organization Consumer Reports particularly welcome, even if its findings are disturbing.

The report notes that there have been several important wins in privacy law and technology recently. These have imposed what it calls “modest constraints on the surveillance economy.” New privacy laws have been brought in, such as the California Consumer Privacy Act. They’ve given consumers the right to opt out of tracking by introducing measures such as requiring companies to respond to “authorized agents” designated by consumers to exercise their privacy rights. Moreover, digital platforms from Apple and Firefox have rolled out technology that limits the ability of sites and apps to track users across different contexts.

Ironically, these successes have led to a new, hitherto underappreciated problem: server-to-server data flows. The direct transfer of data from companies to digital platforms such as Meta to facilitate the placement of targeted ads (for example, on Facebook pages) occurs outside browsers or apps. It is therefore invisible to users and beyond their direct control.

However, Meta’s Download Your Information tool provides some insights into these server-to-server transfers. Drawing on its six-million-plus members, Consumer Reports asked people to enrol in a Facebook Surveillance Study so it could consolidate this data and use it to illuminate the scale of server-to-server transfers of personal data by companies for the purpose of targeted ads. A total of 709 sets of data were gathered and analyzed. While this is a relatively small sample, it’s a useful first insight into what’s going on in the US.

The Consumer Reports research revealed the following findings:

• More than 186,000 different companies were sending data to Meta about the 709 participants.
• Each of these 186,000-plus companies shared data on an average of eight participants in the study.
• The average participant in the study was identified in the data by 2,230 different companies; some were identified by more than 7,000 companies.
• The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679 study participants (96%).

Aside from data brokers, the most common types of businesses that showed up in the volunteers’ data were individual brands and direct-to-consumer brands. Well-known US retailers, including Amazon and Walmart, also appeared frequently. Perhaps more surprising is the following result to emerge from the data analysis:

Many of the advertisers that targeted the largest percentages of study participants do not have a national footprint. For example, the Illinois Lottery shared data on nearly 70% of our volunteers. Local auto dealerships were also surprisingly well represented in the sample data, suggesting that they often have access to large marketing lists drawn from national sources. One car dealer in San Benito, Texas (pop. 24,665), for example, was responsible for sending information on approximately 10% of our study volunteers, though only 6.6% of study volunteers reside in the entire state of Texas. Several other local auto dealerships—including, for example, a small-town Porsche dealership—also leveraged contact info on around 10% of our volunteers.

This suggests that even relatively small businesses can collect or buy access to huge amounts of personal data for the purpose of targeted advertising – it’s not just about digital giants like Amazon. Moreover, highly specific microtargeting also seems to be easy and common, as Consumer Reports explains:

In addition, 96,000 of the companies (52%) were targeting only one of our 709 volunteers. This likely reflects the ease with which even small companies with limited marketing resources can experiment with Meta Ad Manager. Meta provides small businesses with easy implementations of advanced surveillance advertising technologies. The small business owner has only to set a budget, provide personal info on customers, and report customer buying behavior to Meta—Meta’s software does the rest.

As well as providing valuable information about the practice of server-to-server data transfers for the first time, the Consumer Reports data also identified a major problem: many of the supposed company names found in the data could not be connected with real corporate entities. For example, some of the names consisted of indecipherable strings of letters and numbers such as “Bm 5 100tkqc nlm.” This means that Facebook’s Download Your Information tool offers only limited transparency in practice, since it’s impossible to parse much of the data. Other factors that diminish its usefulness include the widespread use of intermediaries to purchase online ads that make it nearly impossible for consumers to understand who is doing what with their data.

As well as calling for true transparency from companies like Meta, the study makes a number of other policy recommendations. These include instituting data minimization provisions in privacy laws, giving authorized agents the ability to make rights requests, and setting up archives of all advertisements shown to users in a searchable, publicly available form. This mirrors a similar provision in the EU’s new Digital Services Act. As this useful report concludes, “American consumers deserve the same level of insight into the ad market as our European peers, instead of the mysterious black box we have today.”

Featured image by Rawpixel.