Targeted advertising is often criticized as being privacy-invasive and a nuisance, but the United States Senate is now evaluating ad exchanges as a potential threat to national security. The concern stems from digital ad auctions conducted in foreign countries; a bipartisan group of senators is questioning whether the personal data collected for tracking is available to foreign agents and threat actors posing as legitimate buyers.
Screening of ad auction participants questioned by Congress
Ad exchanges deal in a variety of sensitive personal data: demographic qualities, location (sometimes specific) and web browsing history among other possibilities. The Senate wants to know exactly what bidders might have access to during ad auctions, and what the companies running them are doing to identify and screen out potential bad actors.
The senators have sent letters to the companies running some of the biggest ad exchanges (Google, AT&T, Twitter and Verizon among them) asking exactly what measures they have in place to ensure that their customers are not accessing data for purposes other than targeted advertising.
An example of one of these letters was posted online. It inquires specifically about “bidstream” data profiles and the possibility of sale to hedge funds, political campaigns and government agencies. Some ad exchanges use bidstream data as a secondary revenue source, creating packages of information siphoned off during the ad auction process that are sold relatively freely. The letter notes that federal agencies have purchased this type of data in the past year. Companies that have received these letters have been asked to provide a list of clients that have received bidstream data in the past three years (with a special note made of any foreign or foreign-owned entities), and any contractual restrictions that limit use of bidstream data by these other parties.
Business model of ad exchanges faces serious tests
Setting bidstream options aside, the central purpose of ad exchanges is to facilitate the “just in time” delivery of an ad to a member of the exact demographic the advertiser wants to reach. This process can be done while anonymizing the user, and some ad auction services limit user identification to a unique device ID. Not all have equally rigorous privacy processes in place, however.
A central issue with the ad auction process is that it is not just the winning bidder that gets access to this information, but potentially hundreds of other bidders interested in that particular demographic. The senators raise concerns about threat actors tied to foreign intelligence services positioning themselves among these bidders to gather data used to “supercharge” targeted hacking attempts, blackmail and influence campaigns.
The coalition of Republicans and Democrats making the inquiry is headed up by Senator Ron Wyden (D-Ore.), who made news in 2019 with one of the more broadly supported attempts at creating federal-level privacy legislation that compares with the EU’s General Data Protection Regulation. However, this is not the first time that the US government has turned its attention to the use of bidstream data. In October, Congress and the FCC questioned a number of these same ad exchanges about the implications for American privacy and abuse by businesses. The Interactive Advertising Bureau, a prominent trade association made up of about 650 companies involved in digital advertising, faced intense questioning after a member (Mobilewalla) had profiled Black Lives Matter protestors and traced the locations of some. Lawmakers have asked the FTC to open a probe into ad auction practices, something that may be on hold until the Biden administration finalizes its new appointments to the agency.
Though this level of scrutiny from the United States is relatively new, ad exchanges have been facing regulatory pressure around the world for several years now. The central source is the GDPR, which has not banned ad exchanges from Europe outright but has done much to constrain and chip away at them. The GDPR strongly limits procedures such as bidstreaming, centered as they are on creating profiles containing personal information without the end user’s knowledge or informed consent. Users also have certain rights to access stored data, make changes to it, request that it be removed and opt out of collection.
The ad auction business is also facing serious pressure from one of the world’s two largest mobile operating systems. Apple will soon be requiring any app that incorporates targeted advertising to notify the end user upon download and collect affirmative consent to make use of the device’s unique identifying number. App publishers will also not be allowed to use alternative tracking methods that identify individuals, such as fingerprinting, and will face a ban from the App Store if they choose to do so. Given that there are no real functional alternatives for ad exchanges, the majority of Apple device users may soon be out of their reach.