Advertisers sharing data about you with… intelligence agencies

Advertising firms’ extensive collection of personal data is becoming of great use to intelligence agencies. So how to guard against mass surveillance?

How to prevent surveillance through banner ads

The industrial scale of surveillance of internet users is a topic we keep returning to. Every click on a website, every scroll in a mobile app, and every word you type into a search bar is tracked by dozens of tech companies and advertising firms. And it affects not only phones and computers, but also smart watches, smart TVs and speakers — even cars. As it turns out, these motherlodes of information are used not only by advertisers offering vacuum cleaners or travel insurance. Through various intermediary companies, this data is snapped up by security agencies of all stripes: police, intelligence, you name it. See here for the latest investigation into such practices, focusing on the Patternz platform and the “advertising” firm Nuviad. Previously, similar investigations probed Rayzone, Near Intelligence, and others. These companies, their jurisdictions of incorporation, and their client lists vary, but the general formula is always the same: collect and save proprietary information generated by advertising, then resell it to law enforcement agencies worldwide.

Behind the scenes of contextual advertising

We’ve already described in detail how data is collected on web pages and in apps — but not how it gets put to use. In overly simplified terms, behind every banner display or advertising link in today’s online world, there is some lightning-fast, super-complex trading. Advertisers upload their ads and audience requirements to a demand-side platform (DSP), which finds suitable sites or apps to display such advertising. The DSP then takes part in an auction for the types of advertising (banner, video, and so on) to be displayed on these sites and apps. Depending on who views the ads and how well they match the advertiser’s requirements, a particular type of ad may win the auction. This process is known as real-time bidding (RTB). During the bidding, participants receive information about the potential ad consumer: previously collected data on the individual is condensed into a brief description card. Depending on the platform, the composition of this data may vary, but a fairly typical set would be the consumer’s approximate or precise location, the device in use, the OS version, as well as “demographic and psychographic attributes” — that is, gender, age, family members, hobbies, and other topics of interest to the user.

How RTB data is used for surveillance

A 404 Media investigation found that the Patternz platform advertised to clients that it processed 90 terabytes of data daily, covering the actions of around five billion user IDs. Note that there are far fewer real users than IDs since each person can have several IDs. Because advertising is global — so too is the scope of data collection.

Collecting and analyzing the above data allows precision tracking of:

  • potential consumers’ movements
  • times when they leave or visit certain places
  • times when they are located close to certain people
  • their interests and search queries
  • history of changing interests
  • affiliation to certain segments, for example, “recently had a baby” or “just went on vacation”

This information makes it possible to discover lots of curious things: where the person is during the day and at night, who they like to spend time with, who they travel with by car and where, and masses of other personal information. As stated by the U.S. Office of the Director of National Intelligence (ODNI), such depth of data collection was previously only possible through physical surveillance or targeted wiretapping.

Is such data collection legal? Although laws vary greatly from country to country, in most cases intelligence agencies’ carrying out mass surveillance — especially with the use of commercial data — finds itself in a gray area.

Bonus game: surveillance through push notifications

There’s another unrelated, but no less unpleasant method of centralized surveillance of users. In this case, the role of treasure trove falls to Apple and Google, which send centralized push notifications to all iOS and Android devices, respectively. To save power on smartphones, almost all app notifications are delivered through Apple or Google servers; and depending on the app’s architecture, a notification may contain information that’s easy to see and of interest to third parties. It turns out that some intelligence agencies have tried to gain access to notification data. What’s more, a recent study found that a significant number of apps abuse notifications to collect data about the device (and the user) at the time the notification is received — even if the user is not in the relevant app at that moment or on their phone at all.

How to guard against surveillance through advertising

Since all of the above-mentioned companies collect data using central hubs in the shape of large ad exchanges, no amount of denylisting apps and sites will protect you from being tracked. Any banner ad, video insert, or social network advertising generates events for trackers.

The only way to achieve any meaningful reduction in the scale of surveillance is with quite radical anti-advertising measures. Not all of them are convenient or suitable for everyone, but the more tips from the list you can apply, the fewer “events” involving you will end up on the servers of Rayzone or other such companies. In a nutshell:

  • Use apps that don’t display ads. This doesn’t guarantee the absence of web beacons and tracking, but will at least reduce the intensity.
  • Block ads and tracking in web browsers. Mozilla Firefox and Safari have built-in anti-surveillance protection, while anti-spyware and anti-advertising add-ons are available for all popular browsers in the official add-on stores.
  • For maximum protection, turn on Private Browsing in Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium.
  • Disable auto-downloading of images in emails.
  • Configure secure DNS on your smartphone, computer, and home router by specifying an ad-blocking server, say, BlahDNS.
  • Check your smartphone’s privacy settings. Make it a habit to reset your advertising ID at least once a month. Prevent apps from collecting data for personalized ads and showing location-based ads (Apple, Google);
  • Revoke permissions to access location and other sensitive data from all apps that do not require it for their primary function.
  • Completely disable push notifications in your smartphone settings for all apps that can do without it.
Tips