Hundreds of relatively obscure and overlooked companies are potentially provided with sensitive data on Americans by mainstream ad networks, including some companies based in Russia, China, and the United Arab Emirates, according to responses from ad tech companies to Senator Ron Wyden.
The news highlights potential privacy issues in the ecosystem of real-time bidding (RTB), where participants in the online ad business can obtain so-called bidstream data on individuals such as their GPS location, device identifiers, and browsing history. The letters show how vast that ecosystem is, and potentially the national security risk of companies across the world accessing such data.
"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," Wyden said in a previous statement.
Do you know anything else about how bidstream data is being used? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Wyden sent letters to various ad tech companies, including Google, Verizon, Magnite, Pubmatic, Index Exchange, and OpenX, and asked them, among other things, to name the foreign-headquartered or foreign-majority owned firms that they have provided bidstream data from users in the U.S. to in the past three years.
In the new responses, Magnite provided Wyden with a list of over 150 companies without identifying which countries they are from. Wyden's staff then looked up where they were located, Keith Chu, communications director for Wyden's office, told Motherboard in an email.
Those include Adtiming and Mobvista International in China, League of Ads in Hong Kong, Yandex Europe AG, part of Russian-language search engine Yandex, and Adfalcon in the United Arab Emirates.
In its response Twitter, which owns ad company MoPub, pointed to its public list of partners, which include Mobvista and Pangle in China, and WapStart, Yandex, and Hybrid.ai in Russia.
OpenX said that "nearly all" of its partners were located in "Australia, Canada, Japan, the European Union, the United Kingdom, and Singapore."
Google, AT&T, PubMatic, and Verizon did not provide the names of foreign firms or countries they send Americans’ data to. These companies also did not answer a similar question when Motherboard asked in April.
Subscribe to our new cybersecurity podcast, CYBER.