New Research on the Adtech Industry

The Norwegian Consumer Council has published an extensive report about how the adtech industry violates consumer privacy. At the same time, it is filing three legal complaints against six companies in this space. From a Twitter summary:

1. [thread] We are filing legal complaints against six companies based on our research, revealing systematic breaches to privacy, by shadowy #OutOfControl #adtech companies gathering & sharing heaps of personal data. https://forbrukerradet.no/out-of-control/#GDPR… #privacy

2. We observed how ten apps transmitted user data to at least 135 different third parties involved in advertising and/or behavioural profiling, exposing (yet again) a vast network of companies monetizing user data and using it for their own purposes.

3. Dating app @Grindr shared detailed user data with a large number of third parties. Data included the fact that you are using the app (clear indication of sexual orientation), IP address (personal data), Advertising ID, GPS location (very revealing), age, and gender.

From a news article:

The researchers also reported that the OkCupid app sent a user’s ethnicity and answers to personal profile questions—like “Have you used psychedelic drugs?”—to a firm that helps companies tailor marketing messages to users. The Times found that the OkCupid site had recently posted a list of more than 300 advertising and analytics “partners” with which it may share users’ information.

This is really good research exposing the inner workings of a very secretive industry.

Posted on February 4, 2020 at 6:21 AM • 20 Comments

Comments

Winter February 4, 2020 6:57 AM

“OkCupid app sent a user’s ethnicity and answers to personal profile questions — like “Have you used psychedelic drugs?” — to a firm that helps companies tailor marketing messages to users. ”

The report sounds like if this ends up in the European Court of Justice, it will be an almost open and shut case.

These two pieces of information are almost the textbook examples of information you should not even store, let alone share.

At least, this will be a good and clear test case of the GDPR.

Phaete February 4, 2020 7:02 AM

This is one to watch, I love the documentation.
The list of quotes in the 3rd party websites table is a hilarious inclusion.
As far as a test case for GDPR I think this can do very well, as I said, I will keep watching this one.

Sed Contra February 4, 2020 7:28 AM

Love the many eyes of Sauron look in one of the phone images in the first link!

A full map of the network of distribution of the ad system might be very revealing. Do even the ad people know?

Games on phones might be another area worth investigating. In my very small and biased sample, simple games that were ad free and could be played off-line are no longer that way.

JonKnowsNothing February 4, 2020 8:27 AM

From the UK news, it seems data harvesting on government pages for 3rd party use isn’t uncommon. The kickback payments aren’t disclosed but it’s likely the councils are part of the product being sold, not just their constituents.

Much like the vast inclusion-donations of tech/Apple into the school system was not for the benefit of students, or the requirements for purchasing tech-kit as part of the educational process.

Just another toe hold.

These are just some of the findings in the article.

  • More than 400 local authorities allowed at least one third-party company to track individuals
  • track use of sensitive sections of their sites, such as when people were seeking financial help or support for substance abuse.
  • Twenty-three councils let data brokers – businesses that collect personal information
  • 7 million people are served by councils that allow one data broker, LiveRamp, to track people on their sites
  • 198 councils use real-time bidding (RTB) – when a web user loads a page, thousands of potential advertisers bid to serve them an advert in the blink of an eye.

Ad Real-time bidding (RTB) is another rat’s nest.

Rhetorical libertarian* style question:
* exchange “get rid of big government” with “get rid of big data harvesters”

  • What are we going to do with all the highly educated folks that currently work for Google, Apple, M$, Amazon etc?
  • What else can they do besides continue to fuel the velocity of data?
  • What happens to them when we hit max data? (Bluffdale already has that covered).

ht tps://www.theguardian.com/technology/2020/feb/04/councils-let-firms-track-visits-to-webpages-on-benefits-and-disability

ht tps://en.wikipedia.org/wiki/Utah_Data_Center
An article by Forbes estimates the storage capacity as between 3 and 12 exabytes

(url fractured to prevent autorun)

Curious February 4, 2020 10:09 AM

In Norwegian law you can sometimes read clauses that point out that this or that paragraph in particular cannot be opted out in any way by means of an agreement. I suppose there are a variety of issues (haven’t yet looked at this 180+ page report), but one might wonder how some people a long time ago, maybe thought that as long as there was an end user agreement to things, they could do basically anything with data re. individuals/persons (presumably any notion of ‘groups’ of people must be a subset of ‘individuals/persons’).

I wonder if there by EU law (European Union), is or will be, certain types of exploitation re. privacy related issues that can or ought to be simply outlawed, the same way you in some instances couldn’t enter an agreement on terms that would violate certain parts of the law. Haven’t really thought about this myself beyond what I am writing here.

Curious February 4, 2020 2:39 PM

@Ismar

I actually don’t know how many paragraphs in the law have such clauses, could be that there aren’t as many as I like to think. What I learned, is that the freedom to enter an agreement is fairly wide, but as shown with housing rental agreement law (iirc) in places, the law forbids certain agreements and voids them if going against a particular type of clause in the law that is meant to protect the weaker party (renter).

Clive Robinson February 4, 2020 5:20 PM

@ Ismar,

Time to move to Norway ????

Not if “you have a sweet tooth”, the price of “treats” is very very high.

https://www.theguardian.com/world/2019/nov/23/norwegian-sugar-tax-confectionery-border-sweden

And as mentioned in the article it’s not just sweets but cigarettes and alcohol as well.

The article mentions Norwegians day-tripping to Sweden, but as anyone who has been to Sweden from the UK or US knows the prices there are not exactly cheap either…

Good Job February 5, 2020 6:36 AM

Fantastic report. Hats off to the Norwegian Consumer Council.

The diversity in the report was wonderful. Apps for women, Muslims, non-heterosexuals, apps from US, Germany, …, one data broker from Norway itself.

One of my favourite pieces was:

“Thus, the click-driven advertising systems of the adtech industry may be partly responsible for a general degradation of online content, in addition to being saddled with significant fraudulent activities.”

Indeed. Clickbait.

And:

“As a concrete example, after the GDPR came into entry in Europe, the New York Times decided to stop using targeted advertising to European users. Instead, the news provider began targeting based on context and general geographic parameters. Despite not relying on tracking and profiling to tailor ads, the publisher’s ad revenue kept increasing.”

Thus, they have highlighted the problem and its illegality, whilst also suggesting solutions.

Required Name February 5, 2020 1:04 PM

As an outsider to security, I don’t understand why it’s necessary to stealth around outside the ad industry to get this kind of information when they’re selling it to customers freely. Why doesn’t a group of researchers just pose as an information buyer and see what goodies come in the box?

It would be interesting to know what sorts of intersections between demographic variables and online interests can be requested by buyers of the data brokers….”give me everyone in this area who is interested in drones and cybersecurity” etc. etc.

Everything that comes out of such a process is interesting. How are buyers vetted? Are they vetted? What kind of customized queries or profiles are available? What kind of no-resell contracts are applied?

There’s an entire world of non-criminal “insiders” operating here well within our present laws so why doesn’t someone just join the party as an anointed insider instead of skulking around outside the window as a mere subject?

metaschima February 5, 2020 2:22 PM

It’s an excellent article. In the past I was very much against Facebook and putting my personal information online. Due to pressure from friends and work I decided to take the plunge. Facebook desensitizes you to sharing personal information online. I don’t even use Facebook anymore but I know it still has my information as do hundreds of other companies Facebook sold it to. It does piss me off, but what can I do now? It’s out there, I don’t want it to be, but there’s no way to take it back.

EvilKiru February 5, 2020 2:54 PM

@Required Name: Possible reasons:

  1. Because it’s neither free nor cheap?
  2. Because they (the ad tech industry) only sell to known entities?
  3. Because they dig deep to make sure they’re not selling to the opposing team?

JonKnowsNothing February 5, 2020 3:20 PM

@Required Name

Other possible reasons:

  1. Don’t want to go to jail for having verboten information downloaded.
    This varies by jurisdiction and varies by what data is verboten.
  2. If you wanted the entire global volume of information that requires a Bluffdale size system to store it. The good news: Bluffdale has all of it and more. Bluffdale storage capacity: between 3 and 12 exabytes (2013)

In 1995 a 1 GB harddisk cost 849 USD…8,000,000,000 bits
In 2010 a 1 TB harddisk cost 80 USD……8,000,000,000,000 bits
1 Exabyte (not consumer available)………8,000,000,000,000,000,000 bits

ht tps://en.wikipedia.org/wiki/Utah_Data_Center
ht tps://en.wikipedia.org/wiki/Orders_of_magnitude_(data)
(url fractured to prevent autorun)

Required Name February 5, 2020 3:38 PM

@EvilKiru

All those things alone are interesting in and of themselves, if they’re shown to be true.

1- rich funder / organization. They’re out there.
2-3 long-game undercover corporation- make money from the industry before you expose it !

These things are both possible but not necessary.

Remember, we’re dealing with demi-criminals here, people with a fundamentally criminal bent who aren’t however on the wrong side of the law. How closely does anyone like that adhere to any code of conduct or norms? If Data-Broker-One promised not to resell info obtained Data-Broker-Two, do you trust that?

But all that spy-vs-spy stuff aside, the bottom line is, they need to sell their info and new buyers are always entering the market. Be one of them.

Required Name February 5, 2020 3:59 PM

@JonKnowsNothing

Last reply.

Data is not the new oil; it’s the new cocaine.

You’re setting the bar impossibly high, right? You don’t need to p0wn all the data. You just need a well engineered statistical sample of what they have and what they do do with it.

The really damaging use of this info is if it’s used to individualize denial of services and opportunities; if it filters down to employers, banks, insurance companies even hotels etc. But that’s its market, isn’t it? That’s what their trading worth is predicated on.

They can’t know, vet and control all the buyers of this stuff or there wouldn’t be a market for it. There’s just too much money being offered by too many grasping hands to “keep the lid” on what goes on “between us”.

Take the opposition’s POV; pretend you have their problems. Think you’re not going to be exposed? Look at your leaky sieve of a boat. You’re making hay while you can because you know your days are numbered.

New data brokers and buyers are not starting credit unions, are they? They’re not participating in a respected, careful, well established industry which they think will blossom over the decades and populating their rank and file with t-crossing i-dotters, are they?

Required Name February 5, 2020 5:04 PM

@metaschima

You need to talk with your Congressperson. Making it illegal to use this data is something that can and should be done. When that happens, corporations will sweat about data and stay up nights worrying they might have somehow gotten some on themselves from somewhere. Then data will be their nightmare, not yours.
FB, Google et al. will wither, and none too soon.

The EU’s right to be forgotten is a good first step. What kind of industry trades in people’s masturbation schedules and most intemperate political exclamations? What kind of society permits that industry to exist?

People believe in the whole borderless, information-wants-to-be-free routine because they haven’t lived with the consequences, and their imaginations are limited. It’s exploiting a chink in society’s armor against very obviously bad ideas is all.

The bottom line is, a perfectly transparent world strips people of the lies and disguises they literally evolved with which make peaceful co-habitation possible between members of a selfish, jealous, competitive species.

The Utopian forced-march experiment Brin, Page, Zuckerberg et al. are inflicting on us plops us down on Gilligan’s Island in the episode where they all eat the mind-reading seeds and end up despising one another.

https://www.youtube.com/watch?v=rJntK-SUUjA

Watched February 6, 2020 2:58 AM

Cameras top-centre on bus stop ad LCD providers. Why?
A contract to clean bus shelters versus data collection of every passer-by. No prize as to who is winning in the data-laundering game.

Until mass data collection without oversight becomes illegal world-wide in accordance with basic human rights, this will continue to be the norm.

For now, at least in the current environment, it is still legal to cover one’s nose and mouth when passing potential government CCTV installations. Not to be too careful, I include Google Nest and Arlo installations in my risk profile. (Basically every consumer street-facing camera, and then some…)

Also one nitpick… it’s time to stop calling it CCTV. The circuit is very much open.

JonKnowsNothing February 6, 2020 2:26 PM

@Watched

re: Cameras top-centre on bus stop ad LCD providers. Why?

A pop singer installed a FaceID system at a concert using an attractive display to entice people to look at it. Reports were it was used to scan for known stalkers (a very serious and deadly problem). Anything that gets you to “gaze directly” gives a better face readout and more time to ID, verify and escort you out of the concert area.

re: A contract to clean bus shelters

In the USA, many cities have passed laws against homeless or unsheltered people. These vary in extreme but a common target is “anywhere they can sit or lie down”. A camera in the bus shelter would alert the local enforcers to come and remove the person and their personal belongings.

Other things that are illegal in some cities:

  • Sitting on steps
  • Sitting on the sidewalk
  • Sitting on a wall
  • Sitting on the curbside
  • Sitting within a boundary between dusk and dawn. (aka a park)
  • Eating food (eating a sandwich)
  • Giving another person food (aka a sandwich)
  • Sleeping in any of the above locations
  • Sleeping in your car (this can be city wide)

Cameras and other trigger traps have been known to turn on water sprinklers intended to soak anyone within their spray range.

