Market price display at street in the night showing RTB adtech exposing online behavior data

Report on RTB: Adtech “Biggest Data Breach Ever Recorded,” Online Behavior More Exposed in Countries Without Privacy Regulations

The Irish Council for Civil Liberties (ICCL), a non-profit in operation since 1976, has issued a scathing new report calling the real-time bidding (RTB) adtech industry as a whole the “biggest data breach ever recorded.” The report finds that online behavior is not only constantly and commonly tracked by web-spanning RTB programs, but that the data recorded eventually finds its way to countries all over the world.

Report claims RTB data shared freely by big tech firms running adtech programs

The ICCL’s claim of RTB adtech being the biggest data breach stems from the raw amount of information shared about internet user online behavior tied to their location, and the fact that many people are not aware that this data is being gathered or how widely it is being shared.

Meant to serve the most relevant ad possible to the person using a mobile app or browsing a website, RTB systems draw on often very detailed profiles of interests and personal information collected from a variety of sources. The study finds that adtech systems share this sort of online behavior data 294 billion times per day in the United States and 197 billion times per day in Europe. The average internet user in the US has their online behavior exposed to these systems 747 times each day; in Europe it is 376 times per day.

Who is collecting all of this RTB data? Much of it stems from the biggest names in big tech, those running adtech platforms that have tentacles in everything from operating systems to cloud-based services. One example cited in the report is Microsoft’s Xandr, acquired from AT&T in 2021, which reportedly sends information to as many as 1,647 other companies. Microsoft is currently one of the biggest players in the RTB market, along with comparable adtech outfits such as Google Ads and Facebook’s Audience Network.

The big adtech platforms tend to have policies about how this information is stored and used, more so in tightly regulated markets such as the EU. However, all of this goes out the window when the online behavior data is transferred to other companies. The report finds that the thousands of companies that the big RTB networks do business with are located all over the world, some in regions with serious data privacy concerns such as Russia and China. And once the data is out, there is no taking it back and it is impossible to see what these firms are doing with it.

Customers also do not necessarily use this accumulated online behavior data for advertising purposes. Some cases that have been highly publicized in recent years include the US Department of Homeland Security and other law enforcement agencies seeking it for use in tracking protesters in 2020, and a Catholic magazine using it to track the movements of and publicly out a gay priest due largely to data collected by the dating app Grindr.

Data privacy regulations do seem to make a difference, with US internet users having their online behavior exposed 57% more often than those in the EU. But internet users in Europe are still subject to adtech companies broadcasting data about them hundreds of times per day.

Garret Grajek, CEO of YouAttest, sees the present set of regulations as only the tip of the iceberg given the circumstances: “Data is the new coal – furnacing the most important world industry – commerce. How this data is collected, stored and reviewed will be the discussion point of our lifetimes. Rest assured – the more progressive states will increase their regulations and guidance around this data – as noted by GDPR in Europe and CCPA/CCPR in California. The key for corporations to know is that the legal entities ready to sue companies that handle RTB data have their knifes out. They must practice identity governance to ensure that the users and services that have access to this data are approved, their approval is documented and any change to access to this data is documented. This all falls under identity governance and is a key component for enterprises who want to stay in business collecting and using RTB data.”

Internet users often unaware online behavior is being tracked

Consent mechanisms enshrined in law by regulations such as the EU’S General Data Protection Regulation (GDPR) have increased public awareness of the reach of adtech into personal online behavior, but some of the most highly targeted countries (the US most notably) have little to nothing in place requiring that consumers be informed or warned about what data is being captured and how it is being used.

Even less transparent are the data brokers that collate information from primary sources such as online shopping sites and cloud services. These services create profiles that include personal and online behavior information from multiple sources, sometimes pairing these elements with public records and even medical or driving records.

Dave Cundiff, CISO of Cyvatar, believes that this report should give everyone pause: “When I see reports of this nature it causes me to stop and consider my online footprint. The breach is concerning but equally concerning is the fact the data is gathered for purchase for anyone willing to pay for it. So, the only difference is there will be the data available for free instead of purchase. Everything the consumer does online is tracked; this is how “free” services pay for themselves. Juggernaut tech companies like Google, Facebook, LinkedIn, Twitter, etc. get to billions of dollars in valuation. The parts of their platforms in use by the general public are not the value, it is the ability of those platforms to track those users, make determinations about how to guide them, and how to manipulate their experience to the benefit of the corporation. It is a Faustian bargain at best, but we should all consider what we do with our online presence and be critical of those convenient moments when it seems like “just what I needed” shows up. Is it really what you needed?”

Even in places like the EU, the regulators may not be doing an effective job of upholding the privacy rules. This report is not the ICCL’s first tilt with the RTB and adtech markets; the reason an Irish non-profit is so involved in this battle is largely due to big tech choosing to make Ireland its European headquarters, taking advantage of tax breaks offered to companies settling in the area of Dublin. Ireland’s lead regulator, the Irish Data Protection Commission (IDPC), has been repeatedly criticized for appearing to stall out cases involving these big tech firms and propose minimal penalties for offenses. This has led the ICCL to sue the IDPC, on the grounds that RTB complaints dating as far back as 2018 are still pending investigation.

John Gunn, CEO of Token, takes issue with the framing of RTB as a “data breach” but believes there is ample room for legal action: “It is highly misleading to label this as a data breach. It is a clear violation of GDPR and would be alarming and upsetting to many consumers if they knew, but it is not a data breach or a hacking attack. Like many evolving technologies (AI and biometrics are others), it has real benefits for consumers but can also be misused in harmful ways. Ultimately, it should always be up to the party being tracked if they want to opt-in.”