Young people using mobile phone in public underground train showing data breach by digital ad industry

Digital Ad Industry Stands Accused of “World’s Largest Data Breach” for Real-Time Bidding Models

A court case filed in the European Union is taking on the biggest players in the digital ad industry, accusing them of being responsible for the world’s largest data breach. That “breach” does not consist of a cyber attack or an insecure internet-connected server, however; the accusation is that the “real-time bidding” model used to serve targeted advertisements to internet users itself constitutes a data breach due to a failure to properly collect consent from the end user.

Real-time bidding draws on profiles of user activity gathered as web sites and apps are used, profiles that can contain sensitive personal information at times. These profiles are used to determine what ads a user is most likely to engage with. The court case, filed by non-profit organization The Irish Council for Civil Liberties (ICCL), is directed at the source of digital advertising standards used by companies such as Facebook, Google and Amazon.

Digital ad industry accused of collecting sensitive personal information without consent

The lawsuit is taking on the Interactive Advertising Bureau (IAB)’s New York-based Tech Lab, which develops standards used by the digital ad industry. The case appears to have been filed in mid-May, but the IAB says that it only recently became aware of it and is reviewing it with its legal team.

Dr. Johnny Ryan, the lead plaintiff in the case, is a former advertising industry professional with experience in the real-time bidding space. Ryan says that even if the digital ad industry is not directly collecting personally identifiable information to facilitate these systems, it collects such a breadth of information about user behavior and what users view that sensitive personal information is indirectly revealed and that the end user is not aware of it.

Real-time bidding shows ads to internet users via the websites they visit and the apps they use. These systems essentially place a blank advertising space on the site or app, which is filled when the user visits it based on what the ad network knows about that particular user. The end user does not have to have any direct interaction with the “ad brokers” that build profiles on them; profiles are instead made by identifying the unique device through various means, and using systems embedded in various websites and apps to observe and record what users interact with and what sorts of sites they visit as they move about their usual routines online.

The targeted advertising systems also draw on certain information gleaned from the device, such as what type or model it is and its physical location. Javvad Malik, Security Awareness Advocate for KnowBe4, expands on the process: “While there are some legitimate and useful uses for understanding customer behavior to make better suggestions, e.g. Netflix recommendations. There is a line that is often crossed … The company maintains the information is collected for future services and to bring greater convenience to its customers. And while that may be the case, transparency is important – it’s one of the underlying principles of GDPR, whereby data collected should only be used for the purposes it was intended for.”

This process happens in the background, usually without the targeted subject being aware of it. The digital ad industry’s legal “out” on this is that the information is not organized by using personally identifiable information, such as names or email addresses. But critics such as the ICCL contend that this process captures so much information that it is possible to glean sensitive details about the end user from it, and in some cases even identify them indirectly to a level that can meet the standard of a data breach. The process of “device fingerprinting,” often used when an advertising network does not have access to a more concrete identifier (like a special advertising ID or a MAC address), serves as a good illustration. It collects such a unique combination of device information, from browser type to lists of installed apps and battery level, that it can manage to pinpoint a unique user for the delivery of targeted ads to them.

Does real-time bidding constitute a data breach?

Ryan points out that the information that ad networks can indirectly scoop up about someone include categories of personal data that are protected in many countries: age, religion, sexual orientation, political affiliation, health conditions and more. Some nations require special disclosures and explicit consent from the user when this information is accessed or recorded, particularly in the European Union under the terms of the General Data Protection Regulation (GDPR). Failing to collect this consent could be viewed as a data breach under GDPR rules.

The lawsuit points to a specific system of coding used by the IAB to represent all of these categories of information used by online advertisers. These codes include entries for protected categories such as religion and sexual orientation. There are also codes for estimated income range and various medical conditions, all in regular use by the digital ad industry.

Ryan previously filed a similar data breach complaint with the Irish Data Protection Commissioner’s Office when the GDPR went into effect in 2018, but that investigation is still open. He says he has lodged similar complaints with other EU data authorities that have also similarly stalled out. ICCL has filed this particular lawsuit in Germany as it has connected the IAB to a consultancy it has retained there, which effectively makes the country its “headquarters” (lacking any other physical presence) and would send the case to Hamburg.

The IAB is already facing another major legal challenge in the EU, one that is not framed in terms of a data breach. Belgium’s data protection authority is reviewing complaints about an IAB framework for obtaining consent for ad tracking that is widely used by the digital ad industry, which argue that it does not meet the standards for sensitive information that the GDPR requires.