Fraud Management & Cybercrime , Governance & Risk Management , Privacy
Senators Raise Security Concerns Over Selling Personal DataLetter to Twitter, Google, Others Asks About Selling Information to Foreign Governments
A bipartisan group of U.S. senators has sent a letter to Google, Twitter, Verizon, AT&T and online advertising firms and networks raising national security concerns about the selling of citizens' personal data, which could end up in the hands of foreign governments.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
In the letter, the lawmakers question these firms about the practice of "real-time bidding" - part of the digital advertising process used to place targeted, personalized ads across websites and other online services.
While only one company can win the bidding process when it comes to placing ads on websites, other firms that participate in the process can also gain access to the personal information of consumers targeted by these ads. This can sometimes include data such as device identifiers and cookies, web browsing and location data, and IP addresses, as well as age and gender information. While the data is usually anonymized, it's possible to match a specific user to the information.
These personal details, referred to as bidstream data, can then be packaged by data brokers and sold to companies - and sometimes governments - with little or no oversight, the senators write in their letter.
"Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns and even to governments," Sen. Ron Wyden, D-Ore., who led the senators in raising the issues to these firms, says in the letter.
Wyden and the other senators note that this information could end up in the hands of foreign governments and be used to create digital profiles of American citizens.
"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail and influence campaigns," the letter notes.
The letter demands that the companies provide names of every "foreign-headquartered or foreign-majority owned company to whom your firm has provided bidstream data from users in the United States and their devices in the past three years."
Data for Sale
Some U.S. agencies have taken advantage of the bidstream data process, according to earlier news reports.
For example, Motherboard reported in October 2020 that U.S. Customs and Border Protection bought location data from a private company, which raised questions about whether the agency was conducting warrantless surveillance of American citizens.
Scott Shackelford, chair of Indiana University's cybersecurity program, notes that the real-time digital bidding process and bidstream data have been problematic for years. This points to the need for comprehensive, nationwide legislation to protect U.S. citizens' data and privacy, he says (see: Federal Privacy Bill Reintroduced in Congress).
"In the aftermath of data breaches, including at Equifax and Anthem, it’s true that much of this data may already be available. … But we should not be making it this easy for anyone, or any organization, with a credit card number to purchase personal information at this scale," Shackelford says.
Others have also pointed to the large amount of personal data that online and digital advertisers and their networks can collect about consumers with little or no consent.
Time to read up on RTB (real-time bidding). One of the best resources: https://t.co/CSA4k9FKyH pic.twitter.com/gVxNFFYLrH— Thomas Rid (@RidT) April 6, 2021
Chris Pierson, CEO and founder of the security firm BlackCloak, notes that even with some security measures put in place, it's nearly impossible to block the collection of personal data from digital ad networks.
"While the marketplace is crowded with numerous apps that block tracking, VPNs that are used intermittently, or devices that also strip ads and tracking from users, they all suffer from a 'whack-a-mole 'approach," Pierson says.
Commenting on the senators' letter, an AT&T spokesperson tells Information Security Media Group: "We received the letter and will respond as requested, but we have thorough processes in place to protect the data referenced in the letter."
A spokesperson for Google notes: "Privacy and transparency are core to how our ads services work. We never sell people's personal information and all ad buyers using our systems are subject to stringent policies and standards, including restrictions on the use and retention of information they receive."
ISMG could not immediately reach representatives for the other firms who received the letter for comment on Tuesday.
Besides Wyden, the letter is signed by Democrats Kirsten Gillibrand of New York, Mark Warner of Virginia, Sherrod Brown of Ohio and Elizabeth Warren of Massachusetts and Republican Bill Cassidy of Louisiana.