Real-Time Bidding Is Bad for Your Privacy and a Serious Threat to National Security

Posted on Nov 23, 2023 by Glyn Moody

It’s extraordinary to think that it’s been six years since this blog started warning readers about real-time bidding (RTB), the system behind most online ads. In the few hundredths of a second after you click a link on most sites, the blank advertising slots are put up for an automated auction among potential advertisers. In addition to information about the site and the ad space, reams of your personal information are also sent across the internet to potential bidders.

The person who has done the most to expose the dangers of RTB is Johnny Ryan, Senior Fellow of the Open Markets Institute in Washington DC and the Irish Council for Civil Liberties (ICCL). Two years ago, we reported on his work quantifying the scale of RTB’s harm to privacy, in which he found that around 100 trillion pieces of personal data are shared each year without consent or protection. Now he’s back with two new reports, co-written with Wolfie Christl, another expert on privacy and adtech whose work has appeared on this blog. The reports show how RTB leaks extremely sensitive information about key US and EU figures and military personnel to foreign states and non-state actors.

Specifically, the new reports, America’s hidden security crisis and Europe’s hidden security crisis, show how the private details of people working in intelligence, the military, and other sensitive industries can be obtained by foreign states and their intelligence services. The uncontrolled nature of RTB makes this easy, as there’s no guidance on who can obtain RTB data by acting as a Demand Side Platform (DSP) – that is, a bidder for digital ad space. This allows private surveillance companies to own DSPs and download as much information as they like from companies like Google and Microsoft. The latter act as Supply Side Platforms (SSPs), running digital ad exchanges where automated bids are made for online advertising slots on sites. The reports cite Near Intelligence and Rayzone as examples of surveillance companies able to tap into RTB data in this way. One of the more eye-opening revelations from Ryan and Christl concerns a company called ISA, which sells a surveillance tool called Patternz:

[ISA] claims Patternz has profiled 5 billion people by analysing large volumes of RTB data that it says it obtains from a large number of RTB companies (including Google and Twitter). Patternz creators claim “knowhow of operating a realtime bidding platform for the last 5 years”. … Patternz provides a targeted person’s current location, historical movements over several months, and who they frequently met. ISA says Patternz can identify a target’s children, co-workers, and their “driving path”.

The fact that companies in Russia and China are also able to access RTB data presents a more direct security threat. Once data is in the hands of companies in those locations, there is no control over where that data is then sent. Under both Chinese and Russian law, intelligence services can demand access to any data once it is brought into China or Russia respectively. That’s a problem given the highly personal nature of the data, as the new reports underline:

RTB data often include location data or time-stamps or other identifiers that make it relatively easy for bad actors to link them to specific individuals. Foreign states and non-state actors can use RTB to spy on target individuals’ financial problems, mental state, and compromising intimate secrets. Even if target individuals use secure devices, data about them will still flow via RTB from personal devices, their friends, family, and compromising personal contacts.

That detailed information allows what the reports call “Cambridge Analytica-style psychological profiling of target individuals’ movements, financial problems, mental health problems and vulnerabilities, including if they are likely survivors of sexual abuse.” The opportunity for blackmail is evident, something that is particularly serious when the people targeted are in positions of power or have access to sensitive information. After providing many more detailed examples of how highly personal information is readily available because of RTB, the reports offer the following suggestion for neutralizing the security threat they identify:

Google and IAB TechLab should amend their protocols so that no personal data are permitted in future RTB broadcasts. All identifying and linkable data must be removed. This includes high resolution timestamps, data extensions, unique identifiers, etc. This will foil foreign and non-state actors who operate their own DSPs, or who indirectly obtain RTB data from other entities that receive RTB broadcasts. This can be enforced and monitored at SSPs and ad exchanges.
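
As an added illustration (not code from the reports, ICCL, Google or IAB Tech Lab), here is one way an SSP or exchange could enforce and monitor the recommendation above on an outgoing bid request. It assumes OpenRTB 2.x field names; the choice of which attributes count as identifying, the sample request and its `ext` contents are assumptions made for this example.

```python
import copy

# OpenRTB 2.x attributes that identify or link a person or device.
# The selection is this example's assumption, not a list from the reports.
IDENTIFYING = {
    "device": {"ifa", "ip", "ipv6", "geo", "didsha1", "didmd5",
               "dpidsha1", "dpidmd5", "macsha1", "macmd5"},
    "user": {"id", "buyeruid", "yob", "gender", "keywords",
             "customdata", "data", "geo", "eids"},
}

def find_personal_fields(req):
    """Return the path of every field the policy forbids (monitoring)."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                parent = path[0] if len(path) == 1 else None
                # Every "ext" object is dropped: extensions carry arbitrary data.
                if key == "ext" or key in IDENTIFYING.get(parent, ()):
                    hits.append(path + (key,))
                else:
                    walk(value, path + (key,))
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, path + (i,))
    walk(req, ())
    return hits

def sanitize(req):
    """Return (clean copy, removed dotted paths); req is left untouched."""
    clean = copy.deepcopy(req)
    removed = find_personal_fields(clean)
    for path in removed:
        node = clean
        for step in path[:-1]:
            node = node[step]
        del node[path[-1]]
    return clean, [".".join(map(str, p)) for p in removed]

# Constructed bid request; every value is a placeholder.
SAMPLE = {
    "id": "req-1", "tmax": 120,
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250},
             "ext": {"ts": 1700000000123}}],
    "site": {"domain": "news.example"},
    "device": {"ua": "Mozilla/5.0", "devicetype": 4, "ip": "192.0.2.10",
               "ifa": "00000000-0000-0000-0000-000000000000",
               "geo": {"lat": 0.0, "lon": 0.0}},
    "user": {"id": "u-constructed", "buyeruid": "b-constructed",
             "ext": {"segments": ["constructed"]}},
}
```

Running `find_personal_fields` on traffic leaving the exchange gives the monitoring half: any non-empty result is a broadcast that still carries linkable data.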

To help address the problems its new reports identify, the Irish Council for Civil Liberties has launched Enforce, “a unit that operates globally to push technology back to democratic value.” It hopes to achieve that by sharing technical expertise with legislators in key jurisdictions, supporting civil society organizations, and taking legal action against “bad actors.” Enforce says it is already litigating in Germany, Belgium, Ireland, and Luxembourg.

It’s good news that Ryan’s crusade against RTB will be gaining support in this way. But it is absurd that six years after we first wrote about the deeply problematic nature of real-time bidding for privacy, governments around the world have still not taken the problem seriously and brought in new laws to deal with it. Let’s hope that the latest report from Ryan and Christl emphasizing how RTB represents a very real threat to national security will be enough to convince them the time to act is now.

Featured image by the Irish Council for Civil Liberties.