What you need to know:

• A report by the Irish Council for Civil Liberties reveals a widespread trade in data about sensitive Australian personnel and leaders that exposes them to blackmail, hacking, and compromise, and undermines the security of their organisations and institutions.
• This data flows through Real-Time Bidding (RTB), the pipes and wires of the programmatic digital advertising industry which sends sensitive data about people using websites and apps to large numbers of other entities, billions of times a day. 
• According to the authors, their examination of tens of thousands of pages of RTB data reveals that Australian military personnel and political decision-makers are targeted using RTB.
• Even secure devices do not prevent the leakage of sensitive data, as information can flow from personal devices, friends, and family members.

The investigation conducted by the Irish Council for Civil Liberties (ICCL) has uncovered widespread vulnerabilities in the online advertising sector, particularly through Real-Time Bidding (RTB) systems operated by tech giants including Google and Microsoft.

In a report called "Australia’s hidden security crisis" written by Johnny Ryan and Wolfie Christl reveals that RTB technology, which is embedded in nearly all websites and apps, facilitates the broadcast of personal data about users to numerous third parties — billions of times a day. This data can include intimate details about individuals, such as their location, online behavior, and even psychological profiles, making it a goldmine for foreign intelligence agencies seeking to exploit vulnerabilities for blackmail or hacking purposes. 

Google disputed the claims. According to a company spokesperson, "To protect people's privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding. This report makes misleading and inaccurate claims about Google. Our real-time bidding policies and technical protections simply don't allow bad actors to compromise people's privacy and security.” 

The company says that it does not send big requests to AiData, as it says the report suggests, although the report appears to be referring to past practice. Furthermore, Google says it shares no personally identifiable information (PII) in big requests. It also says advertisers are prohibited from targeting sensitive interest categories to target ads.

Google also noted that since 2022 it paused serving ads in Russia and suspended Authorised Buyers partners in Russia.

Little visibility

Noting that Google's documentation identified 2,051 entities that may receive data from auctions in Australia while the number for Microsoft is 1,647, the authors suggest that both Meta and Amazon "undoubtedly do the same."

The problem however is what happens next. "After the broadcast there is no way to know or limit how receiving entities handle the RTB data. Nor is there any technical way to stop further distribution of RTB data. Industry documentation confirms there is no technical way to limit the way data is used after broadcast."

Key findings from the report include:

• Foreign states and non-state actors can access compromising information about sensitive personnel and key leaders across Australia using RTB.
• Google sends Australian RTB data to many companies in China. The 2021 Data Security Law of the People's Republic of China allows the Chinese state to access Australian RTB data once it is in the hands of Chinese companies.
• Before sanctions, Google sent Australian RTB data to Russian companies. Russian law allows the FSB and other security services to access any data, including Australian RTB data, collected by companies on Russian soil.
• Russian companies that received RTB data from Google include AiData, which sells profiles about Russians who visit Russian political opposition websites.
• Microsoft also sends Australia RTB data to Chinese20 entities, and sent data to Russian entities before sanctions. Other RTB firms are likely to be equally careless.

According to the report, "Foreign and non-state actors can obtain Australian RTB data by operating their own DSPs to receive RTB broadcasts directly. There is no control over who can operate a DSP. For example, a foreign private surveillance company (Rayzone) owns a DSP, which allows it to directly receive RTB broadcasts from ad exchanges and SSPs. RTB data powers Rayzone’s 'Echo' surveillance tool, which is 'a fully stealth method of collection on any internet user' and offers “mass collection of all internet users in a country”. Another private intelligence company (Near Intelligence) obtained masses of RTB data directly from three ad exchanges through its own DSP."

Furthermore, the report warns that even secure devices do not prevent the leakage of sensitive data, as information can flow from personal devices, friends, and family members. This means that intelligence agencies could gain insights into the financial difficulties, mental health issues, and other compromising aspects of targeted individuals' lives.

Massive exposure

With the average Australian exposed to RTB broadcasts nearly 450 times a day, the report estimates that the online advertising industry subjects Australians to a staggering 3.7 trillion data exposures annually. This alarming trend not only poses a threat to the individuals targeted but also compromises national security by endangering the institutions and organisations they serve.

In response to these findings, the ICCL has called for immediate action, urging the Australian government to update its Privacy Act to prohibit the broadcasting of personal information. The report emphasises the urgent need for an investigation into the practices of ad exchanges that may have inadvertently shared data pertaining to key figures in Australia’s defence and national security sectors.

RTB’s vulnerabilities have been understood since at least as early as 2017, according to the report.

At the time researchers proved that for just $1,000 USD they could conclusively track targeted individuals’ physical movements and the sensitive (including religious and sexual) apps they used using RTB.

Big questions

"The next logical question all businesses should be asking over the next few weeks is 'who was legally responsible for disclosing this into the ecosystem in the first place?’” according to Chris Brinkworth, managing partner of data compliance consultancy, Civic Data.

He said the firm routinely finds “major Australian entities” at risk of third parties “harvesting the very same sensitive information that is being used in this report”, and has been highlighting how these breaches occur for years.

With the first round of a major review of Australia’s Privacy Act now before Parliament, Brinkworth said the leakage identified by the ICCL could ultimately “tick every box of what we call the new 'tri-factor' of tort, civil penalties and infringement notices ' introduced in last month's draft legislation”.

For now, however, the legislation has not yet passed into law.

But it’s coming – and the problem for most organisations connected to the sprawling and opaque data supply chain, per Brinkworth, is “it may be challenging for individuals to even know when their privacy has been breached”.