How targeted ads industry puts your data at risk of surveillance abuse

Our personal data is a valuable resource that fuels the online advertising industry, the engine of the new digital economy. But we are not the ones who benefit from this resource. Instead, ad tech companies rake in huge profits by selling our data, often without our knowledge or consent, let alone compensation.

This enormous trade, which is worth half a trillion dollars, involves many actors at different stages, but it is mostly hidden from our view despite its massive scale.

Let’s take a look behind the curtain.

Your data is auctioned every millisecond

Almost every app displays ads, and while you might get the impression that the ads you see are random and pop up in random places, it is not the case. More likely than not, the ads are targeted specifically to you. It means that someone else using the same app may get a completely different ad experience. Now, we’ll try to explain how the ad selection process works in detail.

Imagine you are using an app that has some space for ads (and chances are, you are, because more than a third of app publishers rely on ads to make money). The app wants to sell that space to the highest bidder, so it sends a request to a platform that connects app publishers with advertisers, such as Google Ads. This platform then sends the request to another platform that runs an ad exchange, a place where ad space is auctioned off in real time. The ad exchange then broadcasts the request to many other platforms that represent digital advertisers, such as Facebook Ads Manager or Google Display & Video 360. These analyze the information about your device and your online behavior, and decide how much they are willing to pay for the chance to show you an ad. This whole process, known as real-time bidding (RTB), happens in milliseconds, and the winner gets to display their ad on your screen.

But there is a catch: your data is not only seen by the advertiser who wins the auction and gets to show you their ad. When advertisers compete for the ad space on the app, they all get access to your data, which includes information about your device, location, app usage, and more. This is possible because there are no clear rules or standards for how bidstream data should be handled or protected. And that means the bidders who lose the auction can still use your data for other things. What kind of things? We will get to that soon.

Google and Facebook are the dominant players in the RTB market. Our data shows that Google Ads services account for over 11% of all initial ad requests, while Facebook Audience Network, which supports bidding in mobile apps as well as mobile websites, accounts for around 10%. Initial requests are the requests sent by the app to load an ad, which can trigger additional ad requests if they are successful. Applovin, a leading mobile in-app real-time bidding exchange, comes in third with around 7% of all ad requests. Amazon Ad System and Israel-based ironSource, which runs an ad exchange, follow with around 2.4% and 1.3% respectively.

Besides advertisers and publishers, another key player on the ad exchange is the data broker, who also accesses the bidstream data. Their goal is not to serve you ads, but to repackage this data, and sell it to their own customers, some of which may be government agencies. The latter, in turn, can use this “commercially obtained” data, which comes with no strings attached, as they please. Some of the common uses are surveillance, immigration enforcement, and policing.

How Gen Z’s app leaked their location data to the US government

A perfect illustration of this trend is a recent report by the Wall Street Journal that a consumer data broker called Near Intelligence was selling sensitive user data, including from the EU, to US government contractors through "pass-through entities" "until earlier this year". The data collected by Near Intelligence would land in the hands of DCSA (Defense Counterintelligence and Security Agency), NSA (National Security Agency), NGA (National Geospatial-Intelligence Agency), USAF Cyber Ops (United States Air Force Cyber Operations), the Defense Department, and JCOS (Joint Chiefs of Staff).

The data broker tapped into the flow of data that passed through several ad exchanges, and although those exchanges later claimed that Near was in violation of their TOS for reselling the data and using it for non-advertising purposes, it was able to do so for quite a while.

One of the apps that inadvertently supplied data to Near Intelligence (and through it to the US government) was Life360, a San Francisco-based app that allows friends and family to track each other’s location with consent, and which is especially popular with Gen Z, having been dubbed "the hottest back-to-school accessory". The app requires many permissions to work, such as access to your approximate location when you don’t use the app and access to precise location when you use it. The more permissions an app requires, the more data it can share with its ad partners, and the more potentially valuable this data is to the government.

Sometimes when apps' questionable data practices are exposed and challenged, they might claim to have changed their ways. But often, they continue doing business as usual, or with minor adjustments.

A separate investigation by The Markup found as far back as in December 2021 that Life360 was selling precise location data to about a dozen data partners, and that it was making quite a bit of money doing so. Life360 then said that it would stop selling data to brokers, but noted that it would continue to sell precise location data and "aggregated" location data to analytics companies. And while Life360 said Near was violating its terms of service by sharing its data with government agencies, the company appears to have taken not enough steps to prevent that from happening.

More common than you might think

The practice of government agencies obtaining sensitive user data by shady means — without warrant or legal oversight — is common, especially in the countries where data protection laws are not strong. This is basically everywhere with the possible exception of the EU. Data brokers participate in this clandestine trade with no scruples, willing to suffer any reputational damages that may come their way.

Apart from ad exchanges, another common way for data brokers to obtain data is directly through apps. Some apps may share precise location, others — your device type, your name, or your phone number — the list goes on. Importantly, all these bits of data are tied to your mobile advertising identifier, or, in other words, to a unique ID assigned to your device. Little by little, a data broker gets to know more about you as it obtains information from different apps and other online and offline sources, such as social media profiles and public records. In the end, the data broker is able to build your distinct profile.

One of the brokers that became notorious for mining data from apps is SafeGraph, whose case we covered in detail last year. In short, SafeGraph got access to the location data from apps that used its SDK, a software development kit. SDKs are pieces of code that app developers use to save time and money, as they provide ready-made features (such as location tracking) so that they don’t have to create them from scratch. Developers may also get paid by data brokers to share their users’ data through SDKs. This is rooted in the fact that if you allow an app to access your location, the SDK in that app will also be able to access it and send it to the broker.

In fact, the practice of data sharing, or rather data selling, is so ubiquitous that there's no shortage of examples. Here are just a few:

• In May 2022, a report found that US government agencies, such as ICE, bought billions of data points from private companies without any oversight. And whenever the practice was challenged, the government would find a way around the restrictions. For example, after Oregon banned sharing state data with ICE, the Oregon DMV sold driver’s license records to data brokers so that ICE could access them.

• In March 2021, Vice’s Motherboard revealed that a US military unit that conducts drone strikes and reconnaissance bought location data from ordinary apps via a tool called Locate X, developed by a data broker named Babel Street.

• In November 2020, it was revealed that the US military bought location data from a Muslim prayer app — one of the most remarkable cases to date.

No even a secret anymore

It's been an open secret for years that in cases where the government can't legally seize your data, it can use a roundabout way — buying it on the online data market. This practice is so well documented, that at some point even the US government stopped with the pretense. In March this year, FBI Director Christopher Wray for the first time acknowledged that the FBI had purchased US phone-geolocation information from private companies. He claimed, however, that the agency stopped doing it at some point. And it’s up to you if you take his words at face value.

What can you do to escape government surveillance through targeted ads?

You may feel powerless in the face of this data-mining and data-selling machine, whose every cog is designed to squeeze your data for profit. Without robust legislation that would forbid government agencies from obtaining data from private companies without any oversight, the practice is likely to continue. First, because it’s much easier for the government to obtain data this way; secondly, because it makes a nice profit.

So, what you can do realistically is to reduce the amount of traces you leave online, and obscure those that you will inevitably leave. There are some steps that you can take to protect your data from surveillance:

• Disable or reset your advertising identifier. Your advertising ID is a unique number assigned to your device and used by data brokers to link data about you from different sources. So if you disable (which is not always possible) or reset your advertising ID, it will make data brokers' mission of building your profile if not impossible, but more complicated.

• Don’t give your apps unnecessary permissions. Many apps ask for permissions that they do not really need, like access to your location, camera, contacts, etc. These can be used to collect and share your data with data brokers. You can check and change the permissions of your apps in your device settings. Also, even if an app legitimately needs certain sensitive permissions (such as a weather app needs access to your location), be prudent about giving them. Before downloading an app, research its privacy practices, read reviews, and check for any news about its data sharing behaviors.

• Use an ad blocker. We will never get tired of saying: every ad request — the request from your browser to load an ad — is also a tracking request! An ad blocker will prevent not only the ads from loading, but also stop the scripts that track your online behavior and interests. Earlier this year we’ve estimated that ad tracking requests comprise about 19.6% of internet traffic, and most of these requests are ‘hidden,’ i.e. dependent on initial ad requests coming through and other ad domains loading.

• Limit your use of "free" services. Remember, if you're not paying for it, you're not the customer; you're the product.