News & Stories

EU and US officials’ data flows to China and Russia via RTB

Ray Fernandez

Nov 28, 20239 min read

EU and US officials' data flows to China and Russia via RTB: Header image

Other than the usual constant data tracking, privacy breaches, and the occasional scandal linked to politics, you’d think the online digital advertising world — worth billions of dollars — would be fairly harmless. Unfortunately, it is not. 

On November 14, the Irish Council for Liberties (ICCL) published two reports revealing serious security threats to the European Union and the United States. Two reports, “Europe’s hidden security crisis” and “America’s hidden security crisis,” assure that “extraordinarily sensitive information” related to key EU and US figures and military personnel is flowing straight into the hands of foreign states and non-state actors. The culprit? Real-time bidding (RTB), a digital online advertising system that is used to serve most ads found online today. 

ICCL report reaches grave conclusions 

Before we dive into an explanation of what RTB is and how this news affects average users, let’s look at the concerningly grave findings and conclusions that the ICCL reached. 

According to the ICCL, Google and other RTB firms are sending data from the US and the EU to Russia and China, where national laws allow security agencies to easily access this information.

“Our investigation highlights a widespread trade in data about sensitive European and American personnel and leaders that exposes them to blackmail, hacking, and compromise, and undermines the security of their organizations and institutions,” the ICCL said. 

Our investigation highlights a widespread trade in data about sensitive European and American personnel and leaders that exposes them to blackmail, hacking, and compromise, and undermines the security of their organizations and institutions.

Irish Council for Liberties (ICCL)

The report also concludes:

  • Tens of thousands of pages of RTB data reveal that EU and US military personnel and political decision-makers are targeted using RTB. 
  • RTB data includes location data, time stamps, and other identifiers, making it easy for bad actors to link the data to specific individuals. 
  • Foreign states and non-state actors can use RTB to gain information on specific targets, including financial data, mental state, and confidential information or secrets. 
  • Secure devices are not immune to RTB data breaches. 
  • RTB data breaches can include information from a target and their friends, family, and other personal contacts.
Image of a screenshot of Near Intelligence website.
A screenshot of Near Intelligence´s website, revealing how they openly advertise the data they collect. Linked as responsible by the ICCL report.

The ICCL report presented evidence of a wide range of extremely sensitive data being breached and exposed. ICCL assures they have examined tens of thousands of pages of this RTB data. Shockingly, this includes data that falls under the following labels: 

  • Aerospace and defense
  • US, French, German, and UK Army, Navy, and Air Force personnel.
  • Country judges
  • Politicians
  • Nuclear energy
  • Space technology
  • German civil servants and military personnel
  • People working in defense and space
  • People who work in the military
  • People working in the judiciary
  • Decision-makers for the government
  • National Security and International Affairs
  • Senior military officers
  • Government, defense, and emergency employees
  • Decision-makers for political organizations
  • Army, navy, and aerospace and defense
  • Military spouses and families
Screenshot of ISA website live.
Screenshot of the website from the company ISA open for RTB data business online and linked as responsible by the ICCL report.

The private sector in the RTB data breach business 

ICCL also identified several private companies in foreign countries leveraging RTB data to conduct what they described as “surreptitious surveillance.” Private companies mentioned in the report include ISA, a company that sells a surveillance tool called Patternz. The company’s site claims to “help national security agencies detect audience patterns and user behavior using digital advertising data mining and analytics.”

Using Patternz, a user can access a targeted person’s current location, historical movements over several months, and whom they frequently met with, complete with worldwide coverage and real-time analysis. The company’s site assures that Patternz can also identify a target’s children, coworkers, and driving patterns.

At the time this report was being written, the ISA website and the link to the Patternz platform were still online and claiming to operate on top of AWS Data Lake infrastructure for big data scaling and capabilities.

But ISA isn’t the only company mentioned in the report. Other private companies in this line of business include:

AiData: A Russian data broker that sells data on people in Russia who are frequent visitors to political opposition websites. 

Near Intelligence: The ICCL claims that it has obtained masses of RTB data from three ad exchanges and has used this data to profile 200 million Americans, selling RTB data about “billions” of devices to US security agencies. The website of Near Intelligence was up and running at the time this report was being written. 

Rayzone: A foreign private surveillance company that gets direct RTB broadcasts from ad exchanges and RTB data powers. Rayzone’s Echo surveillance tool is “a full stealth method of collection on any internet user” and offers “mass collection of all internet users in a country.” Bloomberg reports that Rayzone is an Israeli surveillance company, and its product Echo is a privacy nightmare. According to the media, the company buys up legally collected phone data and sells it back to governments around the globe that want to track people.

ICCL assures that a large number of entities receive extraordinarily sensitive RTB data about American and European leaders, sensitive sectors, defense personnel, their coworkers, and families and associates. “There is no way to control what they then do with the data,” the ICCL said. 

“Our examination of RTB data reveals Cambridge Analytica style psychological profiling of target individuals’ movements, financial problems, mental health problems, and vulnerabilities, including if they are likely survivors of sexual abuse,” the ICLL said. 

Our examination of RTB data reveals Cambridge Analytica style psychological profiling of target individuals’ movements, financial problems, mental health problems, and vulnerabilities, including if they are likely survivors of sexual abuse.

ICCL

“The RTB industry’s data free-for-all has created a serious national threat,” said Dr Johnny Ryan, a Senior Fellow of ICCL. “We call on the US Federal Trade Commission, European data protection authorities, and the European Commission to urgently act. The industry can not be allowed to put our elected leaders and military personnel at risk.”

Screenshot of ISA website.
ISA openly promoting its Patternz tool and what it can do.

What is RTB data, and why does this news affect everyone? 

Every time you visit a website on your computer, smartphone or any other device, and this website has any form of advertising, the RTB system is working in the background. The RTB system selects, in real-time, what ads you will see on each page. This is done through a rather complex process, which basically comes down to the highest bidder. 

Different companies wanting to show their ad to you will create campaigns through platforms like Google Ads — the largest global ad platform. When they create an ad, they upload their final design, images, or videos, and with it, a whole bunch of information that includes who they want the ad to reach. These targeted population settings can be narrowed down to very specific people or configured for the ad to reach billions of people. Information such as region, age, work, interests, and lots of other data can be included by the company running ads. 

But because there are so many companies running ads online and not many high-profile sites that the targeted users visit, businesses compete for that space in real-time by bidding on that space. This is where RTB, or real-time bidding, comes into play.

The data that the RTB system uses contains personal and sometimes sensitive information from users, including where they live and work, what their interests are, their history and purchases, their travels, and even data about their friends, family, and children. 

Naturally, the RTB system was designed to use this data to better serve ads. But when this sort of data trove falls into the wrong hands, it can be used for a wide range of malicious activities, including spying, spreading propaganda and misinformation, influencing political and social events, exploiting and exporting individuals and organizations, accessing accounts, stealing data and financial resources, tracking people’s movements, and targeting human rights activities, press, and other groups.

Screenshot of Near Intelligence website.
The Near Intelligence website can be accessed by anyone online.

How bad is the RTB privacy crisis?

The ICCL has been warning for several years now that the RTB data crisis is the worst data breach in the world. It tracks and shares what people view online and their real-world locations with countless companies 178 trillion times every year in the US and Europe.

ICCL assures: 

  • RTB tracks and broadcasts what every US and EU internet user does every 30 seconds that they are online. 
  • RTB systems track and broadcast what US users are reading and watching and where they are 747 times a day.
  • A person in Ohio, for example, will have their online activity and location exposed 812 times every day.
  • In Europe, RTB exposes people’s data 376 times a day.
  • Google sends 19.6 million broadcasts about German internet users’ online behavior every minute that they are online.

The biggest player in the RTB industry is Google, which operates the largest RTB ad exchange. Google’s RTB system is live on 15.6 million websites and millions of apps. It broadcasts what users are viewing or doing on a website or app and their “hyperlocal” locations 31 billion times every day in the US.

In 2017, researchers conducted an experiment to prove how dangerous the RTB system was. With just $1,000, they managed to track a specific individual, his physical movements, and sensitive information that could be damaging, including if the person was using religious or sexual apps.

The RTB system is global and open to virtually any actor that knows its way in. This includes foreign states and non-state actors, as well as interests in countries such as China and Russia. 

What can be done to solve the problem?

ICCL recommends that the IAB TechLab and Google — the two entities that set the rules for what data are permitted in RTB broadcasts — amend their protocols so that no personal data is permitted in future RTB broadcasts. According to the ICCL, the only way the RTB security threat can be easily neutralized is by fixing the technical standards used by IAB TechLab and Google. 

The ICCL also calls for the Federal Trade Commission (FTC) to create rules that ensure fair and transparent RTB practices, demanding that Google and IAB TechLab set ethical and legal RTB standards. The council also calls for lawmakers to legislate against the broadcasting of personal data, as well as enforcement of these laws.

Screenshot of Rayzone website.
The company Rayzone also openly promotes and sells its services online.

Actions every user can take today to increase their privacy and security 

Those who are high-level employees, sensitive workers, close contacts such as family or friends, and even regular users can take some steps to protect their privacy. 

To increase your privacy and security: 

  • Use a privacy-focused browser: Privacy-focused browsers like DuckDuckGo, Tor, and Brave prioritize user privacy and employ techniques to block tracking technologies, including cookies and device fingerprinting.
  • Install privacy extensions: Browser extensions can actively block tracking cookies, scripts, and other intrusive elements that collect and transmit user data.
  • Enable Do Not Track (DNT) requests: Most browsers allow users to send Do Not Track (DNT) requests to websites, indicating their preference not to be tracked. While DNT is not a foolproof solution, it can deter some websites from collecting and sharing user data.
  • Limit the use of third-party cookies: Third-party cookies are used by advertisers and other organizations to track users across different websites. Consider disabling third-party cookies in your browser settings to reduce tracking potential.
  • Be cautious about sharing personal information: Avoid sharing personal information such as your name, email address, or location on websites or apps unless you are confident of their privacy practices.
  • Use a VPN: A virtual private network (VPN) encrypts your internet traffic and masks your IP address, making it more difficult for websites and advertisers to track your online activities.
  • Consider using privacy-focused search engines: Privacy-focused search engines do not track user searches or collect personal data, unlike traditional search engines.
  • Be mindful of app permissions: When installing apps on your mobile devices, carefully review the permissions they request. Avoid granting apps unnecessary permissions that could allow them to track your location, contacts, or other sensitive information.
  • Educate yourself about privacy settings: Most websites and apps have privacy settings that allow users to control how their data is collected and used. Familiarize yourself with these settings and adjust them as needed to protect your privacy.
  • Stay informed about privacy developments: Keep up with the latest news and updates regarding online privacy and data protection. This will help you make informed decisions about your online activities and protect your personal information.

By combining all these measures, your privacy security posture should increase dramatically. However, we still advocate for a digital world where the responsibility for privacy and security falls on the shoulders of the people. And we hope for the day to come when anyone can visit a site without their most private data being leaked, broadcasted, saved, used, or sold and bought, especially by real criminals. 

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.