Online Advertising's Massive Data Breach

Real-Time Bidding (RTB) is $117+ billion industry.²Market estimate in “Programmatic advertising spend in Europe 2019”, October 2020 https://web.archive.org/web/20220825205917/https://iabeurope.eu/wp-content/uploads/2020/10/Programmatic-Market-Advertising-Spend-2019-Report.pdf, slide 8; and "Brand Disruption 2020", IAB https://web.archive.org/save/https://s3.amazonaws.com/media.mediapost.com/uploads/IABBrandDisruption2020.pdf, p. 66. Estimate of value based on € to $ exchange rate of mid 2019 (€1=$1.1292). It tracks and shares what people view online and their real-world location 178 Trillion times every year in U.S. & Europe.³For detail on the scale of RTB see our report "The Biggest Data Breach ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe", ICCL, May 2022 https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/ RTB is the biggest data breach ever recorded.

Almost every time you load a page on a commercial website or use an app an RTB auction occurs behind the scenes to determine what ad will appear in front of you. RTB auctions broadcast private information about what you are doing online, and where you physically are, to many other companies in order to solicit their bids for the opportunity to show you their ad. According to IAB Europe’s documentation, “thousands” of companies may receive data from a single RTB broadcast about a single person for a single ad.⁴"Pubvendors.json" (see documents section) uses the word "thousands". RTB companies documentation is indicative. For example, Microsoft (Xandr) allows 1,647 companies to receive RTB data about people. See "Third party providers which may receive Platform Data and other information", Microsoft Xandr, 2021, in the documents section, below. Google is no better.See "Ad technology providers" including "commonly used list" of companies that receive Google RTB data by default, Google, August 2022. As a result, your private data is broadcast to firms across the globe, including Russia and China, without any means of controlling what is then done with the data.⁵Industry documents confirm that there are no technical measures to limit what companies can do with this information, nor who they pass it on to. For example, see "pubvendors.json", IAB TechLab, in the documents section, below. This document attests that there are "no technical measures" to control the data.

The data broadcast about you includes things like what you are reading or watching or listening to, inferences about your sexual preferences, religious faith, ethnicity, health conditions, your political views, and where you physically are - sometimes right up to your GPS coordinates.⁶See for example the sample RTB bid requests from IAB and Google documentation, in the documents section, below. It also includes ID codes about you that help tie together many pieces of RTB data over time, so that very intimate profiles can be maintained about you and where you go and what you do.

Consent Spam  

In 2018 the tracking industry trade body IAB Europe worked with major RTB companies⁸AppNexus Inc.; Conversant, LLC; DMG Media Limited; Index Exchange, Inc.; MediaMath, Inc.; Oath, Inc.; Quantcast Corp.; and, Sizmek, Inc. are named in the copyright notice of the TCF. See IAB Europe, “Transparency & Consent Framework, Cookie and Vendor List Format, Draft for Public Comment, v1.a”, IAB Europe, 7 March 2018 (URL: https://github.com/Vindico-LR/GDPR-Transparency-and-Consent-Framework/blob/master/Draft_for_Public_Comment_Transparency%20%26%20Consent%20Framework%20-%20cookie%20and%20vendor%20list%20format%20specification%20v1.0a.pdf), p. 3. to develop consent popups that, they hoped, would prevent the GDPR from disrupting the RTB industry. This compliance charade did nothing to address the underlying illegality of RTB.

IAB Europe calls this system the "Transparency & Consent Framework" (TCF), and claims it gives people “control and transparency over their personal data”.⁹IAB Europe, “What is the Transparency & Consent Framework?”, IAB Europe (URL: https://iabeurope.eu/transparency-consent-framework/).

However, the lack of protection of personal data broadcast by the RTB system means that the TCF’s claim of transparency and control is illusory. IAB Europe established no technical or organisational means to actually protect the enormous volumes of personal data about Internet users that is broadcast by RTB. It's own documentation acknowledges that “there is no technical way to limit the way data is used after the data is received”.¹⁰IAB Europe, json v1.0: Transparency & Consent Framework, 25 April 2018 (URL: https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/pubvendors.json%20v1.0%20Draft%20for%20Public%20Comment.md#liability The TCF is merely an honour system in which over a thousand companies are assumed to respect data protection law and to abide by terms & conditions. In other words, the 1,058 companies that participated in the TCF received personal data through it, could do with that data whatever they wish, and share it with whoever they wish. It does not matter what people click on these messages.

IAB says that TCF consent pop-ups are active on 80% of the European internet.¹¹See "IAB & IAB Tech Lab Respond with Support for OpenRTB and IAB Europe’s Transparency & Consent Framework", October 19 2020 https://www.iab.com/news/iab-iab-tech-lab-respond-with-support-for-openrtb-and-iab-europe-transparency-consent-framework/ This consent spam has plagued Europeans countless times a day for years. 

A year before unleashing this wave of consent popup spam across Europe, IAB Europe's CEO acknowledged in writing to the European Commission that RTB was "incompatible" with consent under the GDPR.¹²"As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR". See e-mail and page 3 of attached lobbying paper from IAB Europe CEO Townsend Feehan to European Commission, 26 June 2017.