Your data's auctioned off up to 987 times a day, NGO reports

Irish Council on Civil Liberties said this is first time the scope of real-time bidding is being measured


The average American has their personal information shared in an online ad bidding war 747 times a day. For the average EU citizen, that number is 376 times a day. In one year, 178 trillion instances of the same bidding war happen online in the US and EU.

That's according to data shared by the Irish Council on Civil Liberties in a report detailing the extent of real-time bidding (RTB), the technology that drives almost all online advertising and which it said relies on sharing of personal information without user consent. 

The RTB industry was worth more than $117 billion last year, the ICCL report said. As with all things in its study, those numbers only apply to the US and Europe, which means the actual value of the market is likely much higher. 

Real-time bidding involves the sharing of information about internet users, and it happens whenever a user lands on a website that serves ads. Information shared with advertisers can include nearly anything that would help them better target ads, and those advertisers bid on the ad space based on the information the ad network provides. 

That data can be practically anything based on the Interactive Advertising Bureau's (IAB) audience taxonomy. The basics, of course, like age, sex, location, income and the like are included, but it doesn't stop there. All sorts of websites fingerprint their visitors - even charities treating mental health conditions - and those fingerprints can later be used to target ads on unrelated websites.

Google owns the largest ad network that was included in the ICCL's report, and it alone offers RTB data to 4,698 companies in just the US. Other large advertising networks include Xandr, owned by Microsoft since late 2021, Verizon, PubMatic and more. 

Not included in ICCL's report are Amazon's or Facebook's RTB networks, as the industry figures it used for its report don't include their ad networks. Along with only surveying part of the world, that likely means that the scope of the RTB industry is, again, much larger.

Also, it's probably illegal

The ICCL describes RTB as "the biggest data breach ever recorded," but even that may be giving advertisers too much credit: Calling freely-broadcast RTB data a breach implies action was taken to bypass defenses, of which there aren't any. 

So, is RTB violating any laws at all? Yes, claims Gartner Privacy Research VP Nader Henein. He told The Register that the adtech industry justifies its use of RTB under the "legitimate interest" provision of the EU's General Data Protection Regulation (GDPR).

"Multiple regulators have rejected that assessment, so the answer would be 'yes,' it is a violation [of the GDPR]," Henein opined. 

As far back as 2019, Google and other adtech giants were accused by the UK of knowingly breaking the law by using RTB, a case it continues to investigate. Earlier this year, the Belgian data protection authority ruled that RTB practices violated the GDPR and required organizations working with the IAB to delete all the data collected through the use of TC strings, a type of coded character used in the RTB process.

Johnny Ryan is no stranger to lawsuits: He left Brave, maker of the privacy-centric browser, to take his position at the ICCL, where he spearheaded several cases against the IAB and the practice of RTB. 

According to the ICCL, it is currently involved in three ongoing cases involving RTB: One in Hamburg against Microsoft's Xandr advertising exchange, an Irish High Court case against the Data Protection Commission for failing to investigate RTB violations, and a third case in Brussels working against an IAB appeal against the earlier Belgian ruling. 

The Brussels case, arguably the largest ruling against RTB thus far, centers around the IAB's Transparency and Consent Framework (TCF), which it developed in response to the passage of the GDPR. In the initial public comment version of the TCF, one section indicates that advertising publishers are worried about their liability around user data. In it, the IAB explicitly states it can't control the data that ad networks serve to bidders.

"Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad," the document reads.

Newer versions of the TCF have added similar wording to the framework's disclaimer, which said that vendors themselves are responsible for compliance with the TCF, and the IAB makes no claims that following the framework will mean advertisers are in compliance with local laws.

Beating RTB: A game of "wait and see?"

Research from Gartner and Forrester both predict the same near-term future for the adtech world: Regulations. With that in mind, the end of RTB may come soon.

Henein said that the IAB hasn't presented an alternative to RTB that preserves effectiveness and privacy. He said that Google's move to deprecate all third-party cookies in its Chrome browser – aka Privacy Sandbox – was a direct response; Google has since delayed the change until 2023.

Firefox, Henein said, has already done the same, and Chrome's control of the browser market could be the final nail if and when Google decides to kill third-party cookies. 

Henein said that Google's alternative hasn't made the advertising industry entirely comfortable, as using it involves putting more control in Google's hands. He said that Microsoft's Parakeet is a better alternative to Google's because it protects user identity with a system roughly equivalent to a proxy that represents user likes and serves ads itself based on what it knows about users. 

Henein said he doesn't believe that the EU will be able to take more action since the target is a type of technology, and he doesn't believe that the US has the necessary regulatory environment to do anything about it. Henein told us that he's an ardent privacy advocate, but still doesn't think the adtech industry should be demonized. 

"It's a $500 billion a year industry that pays for a free internet and allows people of diverse backgrounds unbiased access to millions of services … surely we can find a way of addressing both the industries' needs to deliver the right ad to the right person AND protecting that person's rights to privacy," he added. ®

