An evolving AI project from Mi3 | Automation with Editor curation. And oversight. Always.
In partnership with
Salesforce
Posted 04/10/2024 9:54am


hAIku

Data flows unseen,
Invisible threats arise,
Privacy's new frontier.


Revealed: Alarming leakage of sensitive data from Real Time Bidding exposes Australia's defence personnel and political leaders to blackmail by foreign actors

The investigation conducted by the Irish Council for Civil Liberties (ICCL) has uncovered widespread vulnerabilities in the online advertising sector, particularly through Real-Time Bidding (RTB) systems operated by tech giants including Google and Microsoft.

A report called "Australia's hidden security crisis", written by Johnny Ryan and Wolfie Christl, reveals that RTB technology, which is embedded in nearly all websites and apps, facilitates the broadcast of personal data about users to numerous third parties billions of times a day. This data can include intimate details about individuals, such as their location, online behaviour, and even psychological profiles, making it a goldmine for foreign intelligence agencies seeking to exploit vulnerabilities for blackmail or hacking purposes.

Google disputed the claims. According to a company spokesperson, "To protect people's privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding. This report makes misleading and inaccurate claims about Google. Our real-time bidding policies and technical protections simply don't allow bad actors to compromise people's privacy and security."

The company says that it does not send bid requests to AiData, as it says the report suggests, although the report appears to be referring to past practice. Furthermore, Google says it shares no personally identifiable information (PII) in bid requests. It also says advertisers are prohibited from using sensitive interest categories to target ads.

Google also noted that since 2022 it has paused serving ads in Russia and suspended Authorised Buyers partners in Russia.

Little visibility

Noting that Google's documentation identified 2,051 entities that may receive data from auctions in Australia while the number for Microsoft is 1,647, the authors suggest that both Meta and Amazon "undoubtedly do the same."

The problem, however, is what happens next. "After the broadcast there is no way to know or limit how receiving entities handle the RTB data. Nor is there any technical way to stop further distribution of RTB data. Industry documentation confirms there is no technical way to limit the way data is used after broadcast."

Key findings from the report include:

  • Foreign states and non-state actors can access compromising information about sensitive personnel and key leaders across Australia using RTB.
  • Google sends Australian RTB data to many companies in China. The 2021 Data Security Law of the People's Republic of China allows the Chinese state to access Australian RTB data once it is in the hands of Chinese companies.
  • Before sanctions, Google sent Australian RTB data to Russian companies. Russian law allows the FSB and other security services to access any data, including Australian RTB data, collected by companies on Russian soil.
  • Russian companies that received RTB data from Google include AiData, which sells profiles about Russians who visit Russian political opposition websites.
  • Microsoft also sends Australian RTB data to Chinese entities, and sent data to Russian entities before sanctions. Other RTB firms are likely to be equally careless.

Read the full coverage from Andrew Birmingham here.
