Security news that informs and inspires

U.S. Senators Press Ad Exchanges on Data Privacy


A group of U.S. senators are pressuring eight digital advertising exchanges - including Twitter, Google and AT&T - to reveal how they share American users’ data with foreign entities.

The concern is that the processes behind auctioning Americans’ personal information to companies could lead to sale of the data to hedge funds, political campaigns, and governments, who could then use them for malicious purposes, said the group of senators in several letters. These letters were sent to major players in the ad exchange space, including AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon.

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them,” according to the group of senators in the letters. “In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.”

Ad exchanges are digital marketplaces where publishers sell, and advertisers purchase, ad inventory (this is done directly, versus via ad networks, which act as an intermediary between buyers and sellers). The exchanges are facilitated via an auction process used to place targeted digital advertisements, called “real-time bidding.”

During the process of real-time bidding, ad publishers (typically the websites where ads will be displayed) will add their inventories for ad impressions (that represent each time an ad is displayed in a website visited by a user) into an auction pool. Bidders, who want to advertise their services on the publishers’ site, then will pick which impression they want to purchase. This is based on real-time information including the previous behavior of targeted users, the time of the data, the position of the ad and more.

This all happens in less than 100 milliseconds, meaning when a user of a certain website clicks through that website, in the background the real-time bidding is occurring in order to pick out the advertisement that user will see.

However, for most online ads, although only one company wins the auction, hundreds of firms that are also participating may receive sensitive data about the potential ad recipient. Dr. Johnny Ryan, senior fellow at The Irish Council for Civil Liberties and the Open Markets Institute, said this type of information is being shared “billions of times a day."

Ryan said, shared data may include a unique ID for users, what they are reading or watching, their location, descriptions of their devices, unique tracking IDs (or a cookie identification to allow advertising companies to build long-term profiles of users) and IP addresses (depending on the version of “real time bidding” system). In some cases a data broker segment ID may also be available.

“This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system),” said Ryan.

“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”

Ryan said, public industry standards exist for what type of data can and should be sent as part of the real-time bidding process, including a standard from Google and from the Interactive Advertising Bureau.

However, despite these standards concerns have previously been raised over various U.S. federal agencies, as well as data brokers, who have collected data from digital marketplaces meant for advertising. A group of senators in July, for instance, sent a letter to Federal Trade Commmission (FTC) Chairman Joseph Simons urging him to further investigate the data privacy policies associated with real-time bidding. The letter claimed data broker Mobilewalla had used location and race data to profile participants in Black Lives Matter protests.

Beyond the U.S., “this information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” senators said.

Senators on Friday requested the eight ad exchanges disclose the specific information on users that is being provided to auction participants, including their devices, the websites they are accessing and apps they are using. They also asked the ad exchanges to disclose all companies (both foreign and domestic) they have provided bidstream data to in the past three years, which are not “contractually prohibited from sharing, selling, or using the data for any purpose unrelated to bidding on and delivering an ad.” In addition, ad exchanges are being asked to detail their efforts in auditing any compliancy efforts with contractual restrictions for sharing or selling bidstream data.

The senators - including Senators Ron Wyden (D-Ore.), Bill Cassidy (R-La.), Kirsten Gillibrand (D-N.Y.), Mark Warner (D-Va.), Sherrod Brown (D-Ohio), and Elizabeth Warren (D-Mass.) - asked companies to respond by May 4.

Of the eight companies contacted by senators, AT&T and Google responded to a request for comment. An AT&T spokesperson said, “we received the letter and will respond as requested, but we have thorough processes in place to protect the data referenced in the letter.”

A Google spokesperson said: "Privacy and transparency are core to how our ads services work.”

“We never sell people’s personal information and all ad buyers using our systems are subject to stringent policies and standards, including restrictions on the use and retention of information they receive,” said the spokesperson.