The global digital advertising spend is set to hit nearly USD 390 billion in 2021. But in yet another blow to the big tech companies reaping the rewards, a bipartisan group of US senators has raised national security concerns over the automated process that makes personalized ads possible.
Specifically, their concerns relate to what’s known as “real time bidding”, the split-second automated auction process used to rapidly place personalized ads on web pages, and the “bid stream data”, comprising a user’s personal data, that is used in the bidding process.
There are three important things to understand here:
- What the senators want to know and why
- How real time bidding works
- The privacy issues that potentially risk the safety of US citizens.
What the senators want to know and why
On April 1, 2021, six US senators sent a letter to AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon demanding to know, by May 4, 2021, every “foreign-headquartered or foreign-majority owned company” to whom the companies had given the personal data of US users over the past three years. In addition, they want to know:
- The specific data about users, their devices and the websites and apps they’re using that these companies are sharing with ad auction participants
- Every foreign and domestic company that has received bid stream data in the past three years that isn’t contractually prohibited from using that data in any way unrelated to the bid process
- Any contractual restrictions in place prohibiting the sharing, sale, or secondary use of bid stream data and all compliance audit efforts and results.
The senators fear that the easy access to bid stream data during the real time bidding process allows foreign governments to profile US citizens. To wrap your head around that risk, it’s important to understand real time bidding and the significant data privacy issues that result.
How real time bidding works
Real time bidding is an exchange that happens in the milliseconds before a web page loads. It automates the process of buying and selling ad space online and makes personalized ads possible. It’s often difficult for non-tech people to believe this data exchange and ad placement can happen in milliseconds of real time, but it does.
Real time bidding works like an auction in that advertisers bid on available space on web pages and the space typically goes to the highest bidder. It’s a four-part process:
- Once a user clicks on a link to open a web site, the site’s publisher sends the dimensions of its available ad space to what’s known as a supply side platform (SSP), a technology platform (like WebFX) that automates the process of web publishers selling their ad space to advertisers.
- The SSP then analyzes the user’s cookies to gather as much data as possible about the user. This is known as bid stream data and typically includes URL, device type, model, screen size, CPU, operating system and connection, web browsing activity and interests, IP address and ZIP code location, as well as age and gender. This data determines the most relevant ad for the user.
- Next, a demand side platform (e.g. Google Ad Manager) uses the bid stream data from the SSP to assign a dollar value to the user’s impression (display of the ad on the user’s screen) and place bids from relevant advertisers on the ad space.
- Finally, the SSP receives the bids and awards the ad space to the highest bidder. The web page then loads with the ad in the contested slot. The publisher has sold their ad for profit, the advertiser has got its product in front of its highly targeted audience, and the user is none the wiser that their profile data was up for grabs only moments before.
5 significant privacy issues of the process
You guessed it: the process is fraught with significant data privacy issues:
- Hundreds of companies can participate in the real time bidding process. Every auction participant gets access to the bid stream data and they don’t even have to bid.
- Most anyone can participate in the auction: barriers to entry are low. And while there are penalties for misusing bid stream data, parsing the data is still highly valuable to participants.
- Bid stream data can be harvested even without third-party cookies, so recent efforts by Apple and Google to ban third-party cookies do nothing to mitigate the privacy risks.
- The bid stream data is usually anonymized but, as we’ve recently covered, it’s relatively easy to match a user to their information.
- Data brokers readily package the bid stream data (particularly valuable location data) and sell it to other companies and even governments with little oversight — the key point of the senators’ concerns.
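An added example, not code from this article or from any ad exchange: one way a publisher or SSP could minimize the bid stream data listed above before it is fanned out to auction participants. The field names follow OpenRTB 2.x conventions, which is an assumption (the article names no wire format), and the sample request is constructed.

```javascript
// Constructed sample bid request; field names assume OpenRTB 2.x conventions.
const sampleBidRequest = {
  id: "auction-0001",
  imp: [{ id: "1", banner: { w: 300, h: 250 } }],
  site: { page: "https://news.example/health/condition-x?uid=123" },
  device: {
    ip: "203.0.113.77", devicetype: 4, make: "ExamplePhone", model: "X1",
    os: "ExampleOS", connectiontype: 2,
    geo: { lat: 45.5231, lon: -122.6765, zip: "97201", country: "USA" },
  },
  user: { id: "u-8c1f", yob: 1984, gender: "F", keywords: "fitness,loans" },
};

// Zero the last octet of an IPv4 address so it no longer points at one household.
function truncateIpv4(ip) {
  const parts = String(ip).split(".");
  return parts.length === 4 ? `${parts[0]}.${parts[1]}.${parts[2]}.0` : undefined;
}

// Keep only scheme + host of the page URL: path and query often reveal interests.
function originOnly(url) {
  try { return new URL(url).origin; } catch { return undefined; }
}

// Build the copy of the request that is sent to auction participants.
// Allow-list approach: anything not copied explicitly is dropped.
function minimizeBidRequest(req) {
  const d = req.device || {};
  const out = {
    id: req.id,
    // Ad slot dimensions are what bidders need to pick a creative.
    imp: (req.imp || []).map((i) => ({
      id: i.id, banner: { w: (i.banner || {}).w, h: (i.banner || {}).h } })),
    site: { page: originOnly((req.site || {}).page) },
    device: {
      ip: truncateIpv4(d.ip),
      devicetype: d.devicetype,                 // coarse class; make/model dropped
      geo: { country: (d.geo || {}).country },  // lat/lon and ZIP dropped
    },
    // user.id, yob, gender and keywords are intentionally not copied
  };
  return JSON.parse(JSON.stringify(out)); // strips members left undefined
}

// Pre-send check: list the sensitive paths still present in a request.
function sensitiveFieldsPresent(req) {
  const paths = ["device.geo.zip", "device.geo.lat", "device.geo.lon", "device.make",
    "device.model", "user.id", "user.yob", "user.gender", "user.keywords"];
  return paths.filter((p) =>
    p.split(".").reduce((o, k) => (o == null ? undefined : o[k]), req) !== undefined);
}
```

Running `sensitiveFieldsPresent` on the outgoing copy as a gate before the fan-out catches fields that a later code change copies through by accident.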
Sen. Ron Wyden, D-Ore., who led the senators in writing to the eight ad exchange firms, says: “Few Americans realize that some auction participants are siphoning off and storing ‘bid stream data’ to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns and even to governments.”
The concern of course is that the information ends up with foreign governments who could create digital profiles of US citizens. “This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail and influence campaigns,” the senators say.
It’ll be interesting to see which companies reply, what they say, and what happens next. It’s definitely yet another reason to put a US national privacy law in place and to proactively protect your users’ personal data while we wait.