How an ad tech firm co-opted IAB Europe’s Transparency and Consent Framework to collect fingerprinting data

McCrae declined to name the company behind the exploit — which Confiant has dubbed “Voldrakus” — beyond describing it as a small ad tech company based in Eastern Europe. She did, however, detail the mechanics of the exploit and explained how the data collected by the company — including devices’ geolocations, battery levels and motions — could be used to target people working in corporate buildings and government offices with misinformation and malware.

However, the risks extend beyond this specific exploit. Voldrakus provides an example of how a privacy framework can be co-opted and, as a result, put other companies at risk of violating privacy laws. 

“The brand is responsible for any type of tracking technology that is on its site,” said Daniel Goldberg, partner and chair of the privacy and data security group at law firm Frankfurt Kurnit Klein & Selz. He added, “The brand is the gatekeeper. So Voldrakus somehow or another is able to get data from the site, and so under the law, very technically speaking, the brand could be held liable for the data that is collected and pass to Voldrakus.”

For more about the Voldrakus exploit, watch the video below.