How an ad tech firm co-opted IAB Europe’s Transparency and Consent Framework to collect fingerprinting data
IAB Europe’s heavily scrutinized Transparency and Consent Framework was designed to help companies respect people’s privacy and comply with European privacy law, the General Data Protection Regulation. But earlier this year, ad security monitoring company Confiant detected an ad tech company exploiting the framework to collect information on potentially millions of people in the U.S.
“What makes this case especially odd is that it was taking place in the United States, which is not a GDPR jurisdiction. And TCF is a framework for GDPR compliance,” said Kaileigh McCrea, a privacy engineer at Confiant.
McCrae declined to name the company behind the exploit — which Confiant has dubbed “Voldrakus” — beyond describing it as a small ad tech company based in Eastern Europe. She did, however, detail the mechanics of the exploit and explained how the data collected by the company — including devices’ geolocations, battery levels and motions — could be used to target people working in corporate buildings and government offices with misinformation and malware.
However, the risks extend beyond this specific exploit. Voldrakus provides an example of how a privacy framework can be co-opted and, as a result, put other companies at risk of violating privacy laws.
“The brand is responsible for any type of tracking technology that is on its site,” said Daniel Goldberg, partner and chair of the privacy and data security group at law firm Frankfurt Kurnit Klein & Selz. He added, “The brand is the gatekeeper. So Voldrakus somehow or another is able to get data from the site, and so under the law, very technically speaking, the brand could be held liable for the data that is collected and pass to Voldrakus.”
For more about the Voldrakus exploit, watch the video below.
More in Marketing
Future of Marketing Briefing: Memes used to be a joke. Now they’re a strategy
This Future of Marketing Briefing covers the latest in marketing for Digiday+ members and is distributed over email every Friday at 10 a.m. ET. More from the series → Last month, a U.S. Special Forces soldier was indicted for insider trading — not on stocks, but on a prediction market. He had detailed knowledge of […]
Digiday+ Research: Marketers’ AI use rises, but tech skills stall
Marketers’ adoption of AI technology has risen significantly in recent years, but training employees on using these tools lags behind overall adoption.
Possible expands to Lisbon in 2027, keeping its focus on marketing, tech, culture and creativity
Digiday caught up with Carolina Cespedes of GoGo Squeez, Remy Stiles of agency Kepler and Oz Etzioni of Clinch, as well as Possible’s co-founder and owner.