Each time you open an app on your phone or browse the web, an auction for your eyeballs is taking place behind the scenes. A new report shows Google transmits the browsing habits of Americans and Europeans more than 70 billion times daily.
Wowza 😳
BY:
Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA
16 May 2022 (Dublin, Ireland) – Along with the Pixel phones, watches and earbuds at Google’s annual showcase of software and devices last week came a pair of nifty-looking translation glasses. Put them on and real-time “subtitles” appear on the lenses as you watch a person speaking in a different language. Very cool. But the glasses aren’t commercially available. It’s also unlikely they will make anywhere near as much money as advertising does for Google’s parent, Alphabet Inc. Of the company’s $68 billion in total revenue from the quarter ending March 31, 2022, about $54 billion came from advertising.
Each time you open an app on your phone or browse the web, an auction for your eyeballs is taking place behind the scenes thanks to a thriving market for personal data. The size of that market has always been hard to pin down, but a new report from the Irish Council for Civil Liberties (ICCL), which has aggressively campaigned for years in the U.S. and Europe to put limits on the trade of digital data, has now put a figure to it.
NOTE: as we have noted before, if you are in the eDiscovery business or data protection/data privacy business, the work of the Irish Council for Civil Liberties is on your “must read” list. Their work is unsurpassed when it comes to explaining how web users’ information is used for tracking and ad targeting, the high velocity/surveillance-based ad systems, and the embedded processing and “pass on” of people’s data – escaping GDPR and all other data protection legislation.
As ICCL notes in its latest report, RTB is the biggest data breach ever recorded
Real-time bidding ( RTB) is a subcategory of programmatic media buying. It refers to the practice of buying and selling ads in real time on a per-impression basis in an instant auction. This is usually facilitated by a supply-side platform (SSP) or an ad exchange. Those of you who subscribe to our advertising/media service can access our monograph that explains all of this.
The ICCL report notes that RTB tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day. This latest report, which is based on industry figures that the rights organization says it obtained from several confidential sources, was officially released today but we received an advance copy over the weekend. The report offers an estimate of RTB per person per day across US states and European countries which suggests that web users in Colorado and the UK are among the most exposed by the system – with 987 and 462 RTB broadcasts apiece per person per day. Further, the report notes that ad platforms transmit the location data and browsing habits of Americans and Europeans about 178 trillion times each year. According to the report, Google transmits the same kind of data more than 70 billion times daily, across both regions.
It is hard for humans to conceptualize such numbers, even if machines calculate them comfortably everyday – but if the exhaust of our personal data could be seen in the same way pollution can, we’d be surrounded by an almost impenetrable haze that gets thicker the more we interact with our phones. Quantified another way: by way of online activity and location, a person in the U.S. is exposed 747 times each day to real-time bidding, according to the data.
NOTE: The ICCL noted one of its unnamed source has special access to a manager of an ad campaign run by Google. That source noted the figure doesn’t include personal data transmitted by Meta Platform Inc.’s Facebook or Amazon.com Inc.’s ad networks, meaning the true measure of all broadcast data is probably much larger.
And that exhaust of our personal data can take it to 2,500+ data vendors/data collectors. It is a big reason why EU citizens are struggling with “Data Privacy and Data Subject Access Requests” (DSARs) mandated under the GDPR: if you don’t know where your data is going, how can you ever hope to keep it private?
Our view: DSARs are a sham but data privacy vendors and law firms will not tell you that because they need to make money from their services. As we note in our monograph “The Good, the Bad and the Ugly of DSARs” you need special software to track all of this stuff.
Why does any of that matter? Apps are mostly free and useful after all, and there are no obvious negative consequences to being digitally mined for data.
Except, there have been. At least one large advertising network has admitted to passing user data on to the Department of Homeland Security and other government entities to track mobile phones without warrants, according to a recent Wall Street Journal report. The precise movements of people who used the gay-dating app Grindr were also made publicly available to buy from a mobile-advertising company, until Grindr stopped sharing location data with ad networks two years ago. But last year, a Catholic news publication The Pillar was still able to track the location of a priest on Grindr using “commercially available records” of data from the app, and watched him travel between his office, home and various gay bars before publishing a story about his “serial sexual misconduct.” It’s still unclear how The Pillar got that information, but Grindr said at the time that an advertising partner could have been the source. And if you read our recent piece on data brokers, there are over 5,000 data vendors world-wide that have access to your data exhaust.
The stakes are now even higher with the prospect of a widespread abortion ban in the US. There are already stories of state prosecutors using phone data to root out supporters of abortion or even women who order abortion pills online.
Capturing sensitive data is possible thanks to the wild and messy world of real-time bidding, a hugely popular approach to digital advertising and part of the lifeblood of companies like Google and Facebook, and the embedded networks of which the average web/mobile user has little or no knowledge. Here’s how it works: Each time a smartphone user opens an app or website that shows ads, their device shares data about that user to help show them a targeted ad. The advertiser with the highest bid for the available ad space wins.
The data can go to dozens or even hundreds or even thousands of companies for each auction. Google says it transmits the data of American users to about 4,700 companies in total across the world. Each “broadcast” – as they are called in the industry – typically shares data about a person’s location including “hyperlocal” targeting, according to Google own pitch to advertisers : personal characteristics and browsing habits to help ad firms build user profiles. The ad industry also has a lengthy taxonomy that the networks use to categorize people, including sensitive labels like “anxiety disorders” and “legal issues,” or even “incest” and “abuse support,” according to a public document published by the ad network consortium that sets standards for the industry.
The complex and murky nature of the multibillion-dollar online ad business makes it difficult to know precisely what data Google is sharing about us. For what it’s worth, Google tends to broadcast less personal data about people than other smaller advertising networks do, according to Jonny Ryan, a senior fellow at the ICCL who oversaw the compilation of the latest data. But Google also makes up the biggest share of broadcast data, he added
The sheer size of data broadcast each day is not a fun fact: It underscores the reality that we are surrounded by devices that collect information, ostensibly to make our lives better but which is then sold to the highest bidder. Smart speakers, fitness trackers and augmented-reality glasses are just a few examples of the growing trend of ambient computing. The data collected by those devices can be exploited in ways we don’t know. Last week, Vice reported that the San Francisco Police Department had sought footage from General Motors Co.-owned Cruise, a self-driving car company, to help with investigative leads. The SFPD denied it wanted to use that footage for ongoing surveillance. But in a Tweet this morning, it appears the data was turned over.
Even so, more data broadcasting means greater data misuse. It is just the name of the game. Even when the purpose is as innocuous as advertising, ambient computing turns into ambient surveillance.
As we have said ad nauseam, this stuff is so embedded and intertwined in the web and mobile infrastructure, it is impossible to track and extricate. As we have detailed in numerous posts, broadcast and location tracking data collection is just baked into the web’s modern data collection regime. It is a complicated regime to understand. You need to take the time and get into the pipes and see how it all works.