As ad tech firms reveal data flows to foreign adversaries, Sen. Ron Wyden preps bill to restrict data exports

Now — despite the fact that most of the eight firms in the inquiry provided little or no detail about the companies they send ad data to — information from Magnite and Twitter reveals that they have partners based in countries of concern such as China, Turkey, Russia and the United Arab Emirates. 

Because governments in those countries could access programmatic ad data about people in the U.S. and use it in ways that threaten national security, Wyden’s staff believes the information validates legislation he expects to propose in the coming months that could place restrictions on ad-tech data flows outside the country and penalize violators.

“There’s a misunderstanding in the [advertising] industry of the dangers posed by ad tech,” said Margaret Hu, professor of law and international affairs at Penn State Law and School of International Affairs and part of the school’s College of Engineering Institute for Network and Security Research faculty. 

According to letters sent in response to the Senate inquiry obtained by Digiday, Magnite listed partners including China’s Mobvista International, Turkey’s Turkticaret and U.A.E.’s AdFalcon. In Twitter’s response, the company pointed to a publicly available list of firms that partner with its mobile ad network MoPub and said it works with Russian firm Hybrid as well as China-based firms MobVista and Pangle, which is run by TikTok’s owner ByteDance.

“There’s a clear national security risk whenever Americans’ private data is sent to high-risk countries like China and Russia, which can use it for online tracking as well as to target hacking and disinformation campaigns,” said Wyden in a statement sent to Digiday. “Advertising companies have shown little restraint or judgement when it comes to putting their own profits over Americans’ privacy and our national security. That needs to end. I’ll be introducing legislation in the coming months to address this threat and prohibit exports of Americans’ data to high-risk countries.”

The senator also admonished Google, AT&T, Pubmatic and Verizon — none of which provided any names of ad tech partners or countries where those partners are based. “No U.S. company should be sharing Americans’ sensitive information with our adversaries, but it’s especially outrageous that AT&T, Google, PubMatic and Verizon are concealing their foreign partners from Congress and the American public,” said Wyden. 

Two other firms included in the inquiry, Index Exchange and OpenX, also failed to cough up any names of firms they partner with. However, Index Exchange did list all the countries in which its partner companies are located, and OpenX provided a partial country list. Some companies that did not reveal names of partner firms, including Google, said non-disclosure agreements prevented them from doing so. 

Data anonymization may not be good enough 

As part of a broader effort to rein in the dissemination of personal data from commercial enterprises to foreign governments or other entities for whom that data may not originally be intended, Wyden plans to formally introduce the Protecting Americans’ Data From Foreign Surveillance Act of 2021. The legislation, made available in April in draft form, would amend the Export Control Reform Act of 2018 and restrict the export of certain personal data of U.S. nationals and individuals in the U.S. The bill calls on appropriate federal agencies to determine a list of data categories, a threshold for data quantity and time parameters for personal data export to ensure that it is not exploited for intelligence purposes by foreign governments to the detriment of U.S. national security or redistributed to other countries. If formally introduced and passed, the bill would subject violators to criminal penalties or private right of legal action.

The digital ad industry often relies on data anonymization as a shield from regulations on personal data, but notably, the draft of the legislation states that anonymized personal data cannot be treated differently than identifiable personal data “if the persons to which the anonymized personal data relates could reasonably be identified using other sources of data.”

The bill serves as an extension of export regulations that prevent trafficking of tech and tech knowledge to foreign countries that could leave the U.S. at a disadvantage and create national security vulnerabilities, said Hu. “Wyden is trying to shift the legal framework of what is being regulated from the tech and tech knowledge to the data itself — the sale of the data, who is going to have control over the data in these foreign countries,” she said.

The limits of contractual limitations

In their responses to the Senate inquiry, most of the ad tech companies stressed that contractual agreements with foreign partner firms prohibit any use of bidstream data for anything other than serving digital ads or purposes like enabling caps on ad frequency.

Magnite — the most forthcoming of all the companies that were sent questions about their bidstream data practices — stated in its response that the real-time data it passes along the bidstream includes user identifiers and specific geographic latitude-longitude coordinates. “Magnite has consistently prohibited the sale of its data by bidders and has never waived the provision of its contracts prohibiting the sale of such data,” the firm wrote. Like some other respondents, the company also said it has obstacles in place to deter entities with no intention to place ads from siphoning bidstream data for ulterior purposes. “Magnite has historically imposed an access fee on advertising buyers that do not satisfy a minimum monthly spend requirement,” said the firm.

While some of the companies said they have internal auditing processes in place to detect contract violations, Hu and others argued that legal contracts among ad tech partners are not enough to stop the potential use of bidstream data for foreign surveillance purposes. “The problem is the enforceability,” said Hu. “Who does the investigation? Who’s responsible for the oversight that the contract is being properly adhered to? I think that blind faith and just accepting in good faith that these contracts are being honored is potentially naive.”

Why bidstream data could threaten human rights and civil liberties

Legislators, human rights advocates and others worry that foreign governments could compel, coerce or pay someone in another country to disclose data, such as location information, that might be used to trace someone’s whereabouts. In China, for example, a new initiative calls on private firms and government agencies to exchange data; according to a Protocol report published earlier this month, firms including Baidu and state-owned telcos have set up data exchange platforms to facilitate data distribution.

When people like Hu want to illustrate the national security and civil liberties risks of data flowing through ad tech systems, they allude to a well-known quote from retired four-star General Michael Hayden, who served as director of the Central Intelligence Agency and the National Security Agency under the George W. Bush administration. “We kill people based on metadata, but that’s not what we do with this metadata,” Hayden said during a 2014 debate about NSA data use exposed by intelligence agency subcontractor Edward Snowden. Hayden added a caveat: “One could make the argument that it may or may not be legal.”

The Senate inquiry letters to ad tech firms noted, “few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” stated the senators’ letter sent in April to the ad tech firms. That same language showed up in a July 2020 letter sent to the Federal Trade Commission by a bipartisan group of legislators including Wyden asking the agency to determine whether ad tech data practices violate the FTC act. 

And now, the entire real-time bidding industry is under fire from the Irish Council for Civil Liberties. Earlier in June, the nonprofit organization filed a lawsuit against the industry’s global trade body, the Interactive Advertising Bureau, arguing that the RTB industry has enabled “the world’s biggest data breach” and is responsible for “building secret dossiers about every person.”

The ad industry does not realize the risks of data dissemination through RTB systems, said Hu. She noted that Snowden’s revelations about the NSA’s use of telco metadata showed how seemingly benign information — such as location data intended to geographically target an ad in one instance — can be used to find the location of a targeted individual and even be used for targeted killing. “Increasingly, actionable intelligence is based on this type of metadata and geolocational data,” she said, adding, “The intelligence potential cannot be underestimated of having the geolocation pinpointing that is made possible through ad tech.”