A group of bipartisan lawmakers, including the chairman of the intelligence committee, have asked ad networks such as Google and Twitter what foreign companies they provide user data to, over concerns that foreign intelligence agencies could be leveraging them to harvest sensitive information on U.S. users, including their location.
"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," a letter signed by Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy, reads. The lawmakers sent the letter last week to AT&T, Verizon, Google, Twitter, and a number of other companies that maintain advertisement platforms.
The concerns center around the process of so-called real-time bidding, and the flow of "bidstream" data. Before an advertisement is displayed inside of an app or a browsing session, different companies bid to get their ad into that slot. As part of that process, participating companies obtain sensitive data on the user, even if they don't win the ad placement.
Do you work in the advertising industry with bidstream data? Do you have access to such data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
"Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments," the letter continued.
Venntel, a government contractor that sells location data to Immigration and Customs Enforcement (ICE) and other law enforcement agencies obtains bidstream data, Motherboard previously reported. Israeli surveillance companies Rayzone and Bsightful also source this sort of data, Forbes reported.
"This is a deeply problematic practice when Western governments are abusing the data flows, and it becomes a national security emergency when these same global advertising companies are not vetting their own partners," Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an online chat.
"It's long overdue for Congress to begin asking the largest tech companies in the world tough questions about their real-time-data-breach technology that underpins global advertising auctions and user data supply chains," Edwards continued. "Every time a person loads a website or a mobile app, it's likely that their data is being shared with at least dozens of companies, and when that user is interacting with an app or site with banner ads, typically several thousand companies could be receiving data about that visit in order to give those companies 'the opportunity to bid to show ads to that user.'"
The letter asked the ad companies to name the foreign-headquartered or foreign-majority owned firms that they have provided bidstream data from users in the U.S. to in the past three years. The other companies the lawmakers sent the letter to were Index Exchange, Magnite, OpenX, and PubMatic.
Mark Tallman, assistant professor at the Department of Emergency Management and Homeland Security at the Massachusetts Maritime Academy, told Motherboard in an email that "It’s difficult to imagine any policy solution or technical sorcery that can fully ‘secure’ consumers’ private data such that applications and platforms can collect it, and the publishing and advertising industries can access it, while guaranteeing that cybercriminals and foreign intelligence agencies will never get it. Our adversaries already know that they can buy (or steal) data from our marketplace that they could only dream of collecting on such a broad swath of Americans twenty years ago."
In March lawyers filed a class action suit against Google for what they described as selling users' data as part of the real-time bidding process.
Subscribe to our cybersecurity podcast CYBER, here.