According to the Irish Council for Civil Liberties’ (ICCL) newly released report into the scale of real time bidding data broadcasts in the US and Europe, which is attracting headlines globally: “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.”
TechCrunch did a thorough breakdown of the ICCL report and says: “Per the report, Google, the biggest player in the RTB system, allows 4,698 companies to receive RTB data about people in the U.S., while Microsoft — which ramped up its involvement in RTB in December last year when it bought ad tech firm Xandr from AT&T — says it may send data to 1,647 companies.”
The ICCL warns big numbers like those might in fact be bigger: “The figures presented for RTB broadcasts are a low estimate. The industry figures on which we rely do not include Facebook or Amazon RTB broadcasts.”
TechCrunch reports RTB data is broadcast across the internet, “meaning it’s ripe for interception and exploitation by non-officially listed RTB ‘partners’, such as data brokers whose businesses involve people farming by compiling dossiers of data to reidentify and profile individual web users for profit, using info like device IDs, device fingerprinting, location etc. to link web activity to a named individual, for example.”
The ICCL concludes: “There is no way to restrict the use of RTB data after it is broadcast.”
What is real time bidding (RTB)?
Real time bidding is an exchange that happens in the milliseconds between you clicking on a link to a web page and that page loading. It uses information about your activity and your device, often stored in cookies, to serve you ads specifically tailored to your search history (interests), demographics and location.
What’s a cookie?
Cookies are the most common form of website user tracking. A cookie is a small file that a web site you've accessed sends to your computer so you can use the site. Some cookies are necessary for sites to function (e.g. to remember that you've logged in) but others (most, according to a 2020 study by Cornell University) are used for tracking and recording your activity on a site. Sites can store the data for a long time.
Cookies come in two types: first party cookies, which the web site owner places on their own site, and third party cookies, which third parties place and the site owner uses to extract more user data.
What’s in an RTB data broadcast?
The data broadcast during the RTB process relates to what you’re viewing and doing online and where you’re located. A bid request, which is a piece of code executed as soon as you load a web page, records data about you and your device. The information in a bid request includes:
- a unique advertising identifier
- your device type, model, operating system, ISP etc.
- information about you personally including your location, age, gender, preferences, and browsing history.
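To make the list above concrete, here is an added example (not from the ICCL report or the original article) that audits a bid request for those categories of personal data and produces a minimized copy. It assumes field names in the style of the OpenRTB 2.x specification, which the article does not name; the sample request and the category mapping are constructed for illustration.

```python
import copy
from urllib.parse import urlsplit

# Constructed sample shaped like an OpenRTB 2.x bid request; every value is made up.
SAMPLE = {
    "id": "req-0001",
    "site": {"page": "https://news.example/health/article-123?ref=mail"},
    "device": {"ifa": "00000000-aaaa-bbbb-cccc-000000000001", "os": "Android",
               "make": "ExamplePhone", "model": "X1", "carrier": "Example ISP",
               "ip": "203.0.113.57", "geo": {"lat": 53.349805, "lon": -6.26031}},
    "user": {"id": "u-778899", "yob": 1985, "gender": "F"},
}

# Dotted field path -> category from the list above (the mapping is this example's choice).
PERSONAL = {
    "device.ifa": "advertising identifier", "user.id": "advertising identifier",
    "device.ip": "device/network", "device.carrier": "device/network",
    "device.geo.lat": "location", "device.geo.lon": "location",
    "user.yob": "age", "user.gender": "gender", "site.page": "browsing history",
}

def _parent(req, path):
    """Return (containing dict, final key) if the dotted path exists, else None."""
    *head, last = path.split(".")
    node = req
    for key in head:
        node = node.get(key) if isinstance(node, dict) else None
    return (node, last) if isinstance(node, dict) and last in node else None

def audit(req):
    """List (path, category) for every personal-data field present in the request."""
    return [(p, c) for p, c in PERSONAL.items() if _parent(req, p)]

def minimize(req):
    """Copy the request with identifiers dropped and location and URL coarsened."""
    out = copy.deepcopy(req)
    for path in ("device.ifa", "user.id", "device.ip", "device.carrier",
                 "user.yob", "user.gender"):
        hit = _parent(out, path)
        if hit:
            del hit[0][hit[1]]
    geo = out.get("device", {}).get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], 1)      # roughly 10 km instead of metres
    if "page" in out.get("site", {}):            # keep the origin, drop path and query
        u = urlsplit(out["site"]["page"])
        out["site"]["page"] = f"{u.scheme}://{u.netloc}/"
    return out
```

Running `audit(SAMPLE)` flags nine fields; after `minimize`, only the coarsened coordinates and the page origin remain flagged.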
The ICCL summarizes with this: “RTB is a $117+ billion industry that operates behind the scenes on websites and apps. It tracks what you are looking at, no matter how private or sensitive, and it records where you go. Every day it broadcasts this data about you to a host of companies continuously, enabling them to profile you.”
What are the privacy concerns around RTB?
If you’re still unsure how having your online behavior and location data tracked and exposed is bad for privacy, think about this:
- Thousands of companies can participate in the RTB process, and each company involved in the bidding can access the bid stream data even without bidding. Remember, TechCrunch said Google lets nearly 5,000 companies anywhere in the world access RTB data and, while many of those companies might be legitimate participants in the ad process, there’s no way to restrict the use of RTB data after it is broadcast.
- Barriers to entry to these digital ad auctions are low, and while there are penalties for misusing bid stream data, simply parsing the data is still highly valuable to participants.
- Bid stream data can be harvested even without third party cookies so recent efforts by Apple and Google to ban them do nothing to stop the privacy risks. Google has delayed its third party cookie phase-out until late 2023.
- The bid stream data is usually anonymized but it’s relatively easy to match a user to their information.
- Data brokers package the bid stream data (particularly valuable location data) and sell it to other companies and even governments with little oversight. This was the key concern of the US senators who last year raised the national security risks of RTB.
We’re not saying personalized ads are all bad. They can be convenient and, in fact, if you’re using MySudo for compartmentalization—one of its many benefits—being tracked for ads can be a good thing. We’re simply saying that there’s a seedier side to the process behind personalization, and if you’d like to limit your exposure to it, MySudo is the all-in-one privacy app for you.