The report from the Irish Council for Civil Liberties (ICCL) highlights how an advertising technology present in almost all websites and apps distributes sensitive data about EU leaders and personnel that could leave them vulnerable to bad actors.
A new report from an Irish civil liberties watchdog has highlighted what it calls a "European Security Crisis" related to the distribution of sensitive data about leaders and personnel that could undermine organisations and institutions.
The issue relates to a widely used online advertising technology called Real-Time Bidding (RTB) which is present across almost all websites and apps.
Real-time bidding refers to the automated buying and selling of online ad impressions through instant auctions. The process typically takes place in the time it takes for a webpage to load and determines which ads appear to the user.
The problem, according to the ICCL, is that this system involves the "broadcasting of sensitive data about people using those websites and apps to large numbers of other entities, without security measures to protect the data".
The data in question often includes location data or timestamps, which make it easy to link the data to individuals.
The ICCL analysed tens of thousands of pages of RTB data, revealing that it was being used to target EU military personnel and political decision-makers.
"Foreign states and non-state actors can use RTB to spy on target individuals’ financial problems, mental state, and compromising intimate secrets," the report said.
"Even if target individuals use secure devices, data about them will still flow via RTB from personal devices, their friends, family, and compromising personal contacts," it continued.
The report pointed out that surveillance technologies such as PATTERNZ, a tool built by a private company called the I.S.A. Israeli Security Academy & technologies, use RTB data in their product.
On its website, the firm states that the program "allows national security agencies to utilise real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users’ behaviour, location patterns and mobile usage characteristics".
In a summary of its key findings, the ICCL claimed that Google and other RTB firms sent data about individuals in the US to Russia and China, where local laws permit security agencies to access the data.
In addition, they claimed that RTB data was traded within the EU in a "free-for-all", meaning foreign and non-state actors could obtain it too.
According to the report, Google, the largest player in the RTB system, lists 1,102 ad technology providers that potentially receive data from its RTB auctions, which include Russian and Chinese entities.
The report also highlighted that Microsoft’s advertising and analytics subsidiary, Xandr, lists 1,647 firms among its ad server partners that may receive RTB data from its auctions.
Google said in response that the list of vendors did not represent authorised buyers in the RTB programme and that it was incorrect to assume they receive data directly from Google.
"The RTB industry’s data free-for-all has created a serious national threat," Dr Johnny Ryan, a Senior Fellow of the ICCL, said in a press statement.
"We call on the US Federal Trade Commission, European data protection authorities, and the European Commission to urgently act. The industry cannot be allowed to put our elected leaders and military personnel at risk," he added.
In an emailed statement, a Google spokesperson pushed back against several of the assertions outlined in the report.
"To protect people's privacy, we have the strictest restrictions in the industry on the types of data we share in real-time bidding. This report makes misleading and inaccurate claims about Google. Our real-time bidding policies simply don't allow bad actors to compromise people's privacy and security," the spokesperson said.
Google also emphasised that they do not share sensitive personal data relating to health, race, religion, political affiliation, precise location, location history or browsing history with RTB Buyers.
They added that no Personally Identifiable Information (PII) is shared in bid requests and that, since early 2022, Google has paused ad serving in Russia and suspended all Authorised Buyers partners based in Russia.
Microsoft has not yet responded to a request for comment on this story.
This story has been updated to include comments from Google.