Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Internet browsing data is being collected and sold in much greater detail than previously thought, increasing the likelihood that individuals’ identities in sensitive professions can be ascertained from the anonymised information, according to a report
Web users have for years been grouped by data brokers by traits such as their broad professional sector or interests, inferred from their browsing history. This anonymised information is then sold to advertisers so they can target specific categories, or segments, with personalised marketing.
An investigation by the non-profit Irish Council for Civil Liberties to be published on Tuesday shows data on many specific influential professions that was not previously known is now being sold in this way.
Data has been put into segments to target judges, elected officials, military personnel and “decision makers” working in national security, it found.
Privacy campaigners argue that these more specific professional categories mean that information from different data points can be easily combined with location data and time stamps to identify people.
This could be used for surveillance or exploited by hostile actors, they added, noting that the data is available for a broad range of entities to purchase.
“This data about political leaders, judges and military personnel shows that the [real-time bidding] industry’s security problem is in fact a national security problem too,” said Johnny Ryan, senior fellow at ICCL. Real-time bidding is the process by which advertising is bought and sold based on data segments.
A document seen by the Financial Times showed that segments marketed by US data broker firm Eyeota include decision makers in government, national security and counter-terrorism.
They also included categories such as military personnel, military families, judges and elected officials.
Dun & Bradstreet, which owns Eyeota, said “it offers audience data segments in a privacy-compliant and globally consistent way” and that the segments are “pseudonymised, which means that they do not contain any identifiable data elements”.
Other data available through the broker highlights personal information, including whether an individual is likely to have an interest in “erectile disfunction [sic]”, their sexual orientation, job satisfaction and financial circumstances.
Carissa Veliz, an associate professor at Oxford university, specialising in digital ethics, said that “although platforms claim data is anonymised, it is actually very hard to do in practice; you only need two or three data points to identify somebody”.
“Platforms know the anonymisation they are doing is so fragile, and they know what they are doing is identifying sensitive information that could endanger people and society,” she added. “Identifying sensitive jobs opens those people up to harms like extortion or blackmail, which can also impact democracy.”
Google and Microsoft send data about users in the US and Europe to hundreds of companies that then use it to buy personalised advertising slots.
This has included sending the data to Chinese and Russian companies, either directly or through brokers. These companies are bound by local laws that permit state security agencies to access such information.
“To protect people’s privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding,” Google said.
“Our real-time bidding policies simply don’t allow bad actors to compromise people’s privacy and security,” it added.
Microsoft-owned Xandr facilitates the sale of segmented information on its data marketplace, which has included categories such as whether a person suffers from depression or anxiety, as well as whether individuals have been searching for support on sexual abuse.
“We take these matters seriously, and we regularly evaluate [privacy policies] to ensure compliance with applicable data protection laws,” Microsoft said.
One example identified by the ICCL from a Russian data broker included people who visit “political opposition websites”.
“That is particularly worrying because it would expose a person who is visiting such a website to the unfriendly attentions of the Russian government and adds to the questions over why Google sees fit to broadcast this data about the online activities of people in this manner,” Ryan said.
Google said it paused serving ads in Russia and suspended RTB partners based in Russia in early 2022. It said that describing its RTB programme as “broadcasting” data “misrepresented” its policies and practices as it does not share sensitive personal data and prohibits advertisers from using such categories to target ads.
Read the full article here