Tech Giants Won’t Name Foreign Companies They Give US ‘Bidstream’ Data To

Tech giants and ad companies are likely divulging sensitive data on U.S. web users that can sometimes include their precise GPS location, browsing history, and device identifiers, as part of how the ad industry works. These companies have refused to say which foreign companies it provides the data to.

Motherboard contacted Google, Twitter, Verizon, AT&T, and several other lesser-known ad companies and asked them how many foreign companies they provide so-called bidstream data from U.S. users to, and for the names of those foreign companies. Only Twitter provided a statement and declined to answer the specific question.

Motherboard asked these companies for comment after lawmakers called the data a "goldmine for foreign intelligence services" earlier this month.

"It matters," Johnny Ryan, a fellow at the Irish Council for Civil Liberties and formerly chief policy officer of the Brave web browser, told Motherboard in an online chat referring to the answer to these basic questions. Ryan has followed the bidstream market extensively, testifying to regulators and lawmakers about the industry. "Data about (almost) everyone online, where they are and where they have been, what they are reading, watching, and listening to, is being broadcast to thousands of companies without any control at all," Ryan added.

Before an advertisement is shown inside an app or a web browser, a process called real-time bidding (RTB) takes place, where different companies bid to have their own ad displayed. As participants in that process, companies obtain sensitive data on the user, even if the company ultimately does not win the ad placement. The result is that a swath of companies obtain the generated bidstream data, with some even using it explicitly for surveillance. Venntel, a government contractor that sells location data to Immigration and Customs Enforcement, uses bidstream data, Motherboard previously reported.

Examples of the sort of data that can be transferred as part of real-time bidding include GPS coordinates, IP addresses, the webpage a user is viewing, their unique advertising identifier, and inferred information about their interests, according to examples Ryan pointed Motherboard to from Google's own documentation.

Besides Google, Twitter, Verizon, and AT&T, Motherboard also contacted Index Exchange, Magnite, OpenX, and PubMatic, which are other companies in the ad industry. Only Twitter replied. (After publication of this piece, Index Exchange said it did not receive the request for comment).

"Protecting the safety and privacy of the people who use Twitter remains a top priority for us. We operate under a robust privacy policy, and launched the Twitter Privacy Center to provide a centralized place for information about the data we collect, and the processes we have in place to protect that data. We adhere to rigorous privacy standards, including third-party audits of key products and services, and proactive enforcement of our policies," a Twitter spokesperson told Motherboard in an email.

When asked explicitly if Twitter was not answering the question because it declines to do so, or if the company does not know the answer, the spokesperson said they had "nothing more to share at this time."

Twitter has published a file on the website of MoPub, its mobile advertising subsidiary, outlining organizations that may receive this sort of data, Zach Edwards, a researcher who has closely followed the bidstream supply chain, told Motherboard in an online chat. Google has published a similar but much more limited list, consultancy firm Jounce Media said last year.

The questions Motherboard asked were similar to ones that members of Congress sent to the companies in letters earlier this month.

"This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns," the letter, signed by Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy, read.

Google is currently facing a class action lawsuit related to the transfer of bidsteam data.

Update: This piece has been updated to include more information from Motherboard’s email exchange with a Twitter spokesperson, and a response from Index Exchange.

Subscribe to our cybersecurity podcast CYBER, here.