We've all had that mildly creepy experience. You're shopping online for, I don't know, a coffeemaker, and suddenly an ad for that very same coffeemaker pops up on every website you visit for the next week.
You didn't know you were in an audience, but you are. You're the audience for this industry.
So yeah, by now we know we're being tracked. But the truth is most of us don't know the half of it. I'm Wes Kosova. Today on The Big Take: what online ad brokers, and now governments, can really find out about you. Bloomberg cybersecurity reporter Ryan Gallagher writes in Businessweek about an Israeli company that markets information about people's online travels to law enforcement and intelligence agencies around the world.
What Rayzone has done is found a way to basically purchase this information en masse on an absolutely gigantic scale, and repurpose it into a system that uses the same advertising information but for other purposes.
He'll tell us what they're using that info for in just a bit. First, though, let's hear from Dr. Johnny Ryan on exactly what's being vacuumed up about you as you click around the web each day. He's a Senior Fellow at the Irish Council for Civil Liberties and he's an expert in online tracking. Johnny, you've said the system that targets ads to us online is the biggest data breach ever recorded, and it's repeated every day. What do you mean by that?
It's the world's biggest data breach, Wes, because when you visit a website or app, almost any website or app that has advertising, information about what you're watching, reading, and listening to, and where you physically are, is very likely to be broadcast out to tens or maybe more of companies, who then do God knows what with it. That is happening all the time.
Now, it's a simple, simple idea. The websites want to show ads, and often when you turn up on a website, Wes, you'll notice there are empty rectangles just for a split second around the editorial that you want to read. And sometimes, even as you're looking at the page loading, the ad appears and it bumps the editorial content down.
Now, what has happened in that tiny moment of time is that information about you is sent out to at least one auction. This is an auction for the opportunity to show you an ad. And how does it work? The way it works is you go to a website. The publisher of the website sends information about you to a company that it has contracted with, called a supply-side platform, an SSP. The SSP gets any data it can about you that the website has exposed to it, and it puts it together in what is called a bid request. I will tell you what can be in a bid request in a moment. That bid request is sent to at least one auction, called an ad exchange. Often there is an auction of auctions, multiple ad exchanges, and that request for bids, or bid request, then is sent by each ad exchange out to tens or hundreds of companies. So publisher of website or app goes to SSP, goes to ad exchange, one or more, goes to multiple, they're called demand-side platforms, DSPs. They work on behalf of advertisers and they are keeping their eyes open, monitoring for the right kind of person, in the right kind of context and place, who their advertiser is trying to reach.
What kind of information is being collected? How specific is it?
It includes tags like, I'll quote you the technical number, IAB7-28, and that denotes a person who is categorized as incest/abuse support. The word support is important there. That is a person who has been a victim. Similarly, code IAB7-3 is AIDS/HIV. This clearly should not be being broadcast about people based on what they're reading. Why would you broadcast it? And what happens when it's broadcast? Well, there's another industry standard, which is called the audience taxonomy. This is the Rosetta Stone for the data broker industry. The data broker industry exists to sell information about people. Now, you've got plenty of players in that industry, and they need to reconcile what they know about you, and they need some way to do that.
And how are they determining these various classification codes?
Now, those codes I've just given you come from anywhere they can get the data. The data broker industry is certainly a big consumer in online advertising, but it does not confine itself to that. If you take the example of one that should be particularly concerning, a so-called purchase intent, what is this person intending to buy, there's a code for aerospace and defense, that's IAB code eight eighty-five. Now, presumably this is someone who works in the defense industry and is visiting procurement websites, but the information about them being present on the site is then being broadcast out to innumerable parties, and often the advertiser can tell the auction, I'm looking for this particular code, person, this number, this string of numbers and letters. What can be in a bid request is totally benign, things like: is this a video ad? What size is the rectangle?
What technology should it use? Should have any issue I think with that side of it. But the rest of the information is about the person or their device. And of course, when you know enough about a device, you can find out that it's the same person you saw last time on that same device, and then you can stitch together multiple devices by finding out about the person and their behavior. The information about the person includes where they are. That can be literally their GPS coordinates. The bid request will also say what you're looking at. Now, sometimes that's just the name of the website, but often it's website/category/name of article. And beyond that, then it'll have the long ID code that is assigned by the SSP, that is the publisher's tech firm. It's assigned to you as you go out into this auction, but it may also include identifiers that prospective buyers have for you too. That is called pre-matching, so the buyers who've expressed an interest in this person get a good shot at showing him an ad. And of course all of this entices a higher bid for your attention.
So as you're looking at different things online, these codes are automatically assigned to you depending on the content you see. Every facet of what you're looking at has another code that follows around with you.
That's a good way to put it.
Yes, and it's legal for them to collect this information because whether we quite realize it or not, we consent to it when we click on those little windows that pop up.
Well, it depends on the jurisdiction. We unfortunate Europeans have been inundated with consent spam. It's meaningless spam because it doesn't really matter whether you say yes or no to any particular thing. There is, behind that system, no means of controlling what happens to the data once they're broadcast out. Why is that? Well, because the industry decided not to go the route of protecting the data. We know what we know often, very often, because the industry's standards, which are very, very dry documents, are public documents. It's not covered up. You can find this online instantly.
Now, are all of these various codes aggregated so that the various aspects of your life are put together into a comprehensive profile, or do they exist as separate strands that go different places?
In the online advertising industry, there is a user ID code. It can have different names for everybody. Now, different companies will have different codes and they will then have to match them. This practice of matching often involves cookies, but there are other ways of doing it. And when you visit a web page, often there will be a large number of companies who are just loading a single pixel which is often transparent. You can see it from each other's servers, so that they are getting asked for that pixel by your machine. It allows them to cross-reference you in a very, very clear way and know that they're both talking about the same person. So I know you as ABC two five seven and someone else knows you as two, three, four, five, six wys, but you're actually the same guy, and we have a commercial deal to match up what we know about you.
That's how we might do it.
So all of us, in our daily lives, we have so many devices. Do all of these come together or does each of these create its own profile?
Cross-device targeting is the holy grail for online advertising. If you are a marketer, there is no end of tech people who will walk into your office and show you diagrams of how you can reach someone at every stage of their journey to buy your product. All of those devices, they probably end up somewhere in your house. So even if you're just looking at location alone, the fact that they keep ending up at the same place is the first hint. But there are going to be many others. Another question is how many people get to try to do this about you and then can sell what they've learned back into the scrum. And then the next question is how many times does this happen to you. We got industry data from one of the big systems that coordinates auctions of auctions, and we have it by state. Before I give you the numbers: this doesn't include Amazon, which has its own system. It doesn't include Meta, which has its own system. So these numbers are low. If you're in Arizona, on average per day, based on thirty days of numbers, this will happen to you seven hundred and eighty-two times. If you're in Colorado, it's nine hundred and eighty-seven.
Where information about you is sent out to someone who then uses that information in one way or another.
Yes, we don't know what the information is for each particular broadcast, but it will almost certainly include at least IDs and stuff about your device, so it's building up a picture of you over time. All of this adds up to a really big number. You asked at the beginning, why would we describe this as the biggest data breach ever? The answer is because Americans are exposed in this manner one hundred and seven trillion times per year. So there is no other data breach that even comes close to that scale. And when you think about the sensitivity of the data, that it is about what you are looking at. You're on embarrassingwebsite.com for whatever category of thing you like looking at on your own, that's what we're talking about.
You talked about these codes that are assigned to people. Does it include your name? Does it include who you are?
No, it doesn't need to. The identification codes specified in the industry documents are far longer than your Social Security number. If we're talking about where someone lives, everything that they're reading, watching, and listening to, there is no question that this is anonymous. And by the way, the industry stopped using that defense a long time ago. It's just not open to question. These are definitely data that you can use to find out about an individual.
After the break: what, if anything, can we do to protect our privacy online?
Are there dangers to this information being collected for individuals, that you can be found out, that this information can be used against you?
Absolutely.
We've had cases where DHS, the Department of Homeland Security, was found to be buying this data, for example. There are other cases where different security services were buying it as well. But let me give you a more prosaic but, I suspect, more terrifying example. When you next apply for your dream job, imagine you're at an earlier stage in your career. Wes, you can't remember what you did online last week, last month, or last year. You put in an application for your dream job. There are a whole lot of clever, bright, young prospects just like you, Wes, who are applying for that job. You're competing against them, and because there are so many of them, the company will almost certainly have some automated filtering of those CVs, probably some so-called AI system that sifts them and tries to figure out what else it can find out about them and score them in some way. If, however, your CV ends up associated with the tag for drug use, bankruptcy, you know, whatever it is, or the politics don't align, it's pretty clear your CV is not actually going to be seen by a human. You pull that out, that idea of sifting through people's private lives and then using it to filter their futures, you pull that out across society and you get a very bleak picture.
All of this, of course, raises the question what can we do to protect ourselves so that our information isn't being used in this way, that profiles about us aren't being compiled wherever we go.
Well, I've got some bad news. The bad news is the individual, I don't think, can or should be expected to wear a tinfoil hat and protect themselves. I just don't believe that that is a sensible solution. It is clearly the job of lawmakers and law enforcers. Credit to the completely transformed and invigorated FTC, Federal Trade Commission, because they are currently considering how to introduce new rules that would act on this kind of problem. In fact, on the problem I believe in particular as well. Think about where the responsibility lies here, Wes. Is it your job to protect yourself, back in the middle of the last century, against a chemicals industry that just dumps stuff in the rivers and lakes?
No, it's not.
There's very little that you can do. That is a systemic problem. It is up to the legislator and the enforcer to take action to protect you. And although you might decide to boil every cup of water and change how you live, the general population won't do that.
So you said that the Federal Trade Commission is looking into this. If you were to say to them, here's what you need to do to make people's data more secure, what would you tell them?
The FTC can enforce where they can find unfairness and deception. I think they have a pretty good case to make there. The other thing that they can do is introduce new rules, so the FTC has rule-making ability. Unfortunately, Congress and Senate in the US have had various attempts to introduce a sensible federal privacy law and have failed to do so. But in the interim, the FTC can use its rule-making power. Now, it'll be challenged, of course, by the industry. This is a multi-billion-dollar industry, but I think they're in a pretty good place where they can do this.
What we need is for everyone to be protected.
So what are we to take away from this? When you think about the future, what do you see?
I see two possible futures. I see one future where we keep treating personal data as a kind of a lubricant for part of the economy. I think that's one very likely future, and it's a bleak one, because individual human liberty and agency, our democracy, our media, our individual prospects are at hazard. And that sounds like a very grim statement to make, but it's the statement I'm making, having been in that industry. The other future sees something called law being applied. In some jurisdictions, the law will have to be written. But we've been here before. This happens: something harmful happens, it goes unnoticed for quite a while, but then the problems it causes ultimately galvanize action. What we need, to have a brighter future for everyone, I think, is a serious effort at a federal privacy law, and part of that law needs to give individuals a private right of action, because enforcers do not always get the jobs done.
Dr. Johnny Ryan, thanks so much for coming on the show.
Thanks.
Wes, enjoy using the internet now.
So now we know the kind of information that's being collected about us and what's being done with it. And as I mentioned at the top of the show, it's not just advertisers who want to get to know us. Bloomberg's Ryan Gallagher is here with that part of the story.
Ryan, we've been talking about how your travels across the Internet are being watched by people who want to sell you stuff. But it's not only that. You've reported on an Israeli company called Rayzone. Can you tell us about them?
Rayzone is a company based out of Tel Aviv in Israel, and one of their key, or their flagship, products is the tool they call Echo, and this technology essentially repackages information gathered from the advertising industry and then sells it to governments to help governments track people. The data that they buy from the advertising industry is really basic information about websites that you have visited, geolocation associated with your device, and this information is supposed to be used by marketers and advertisers to sell you products that are more relevant to you based on where you live, based on the types of websites that you visit, your interests.
But what Rayzone has done is found a way to basically purchase this information en masse on an absolutely gigantic scale and repurpose it into a system that uses the same advertising information but for other purposes, to track people. So governments can essentially monitor people they're interested in, where they're going, who they're associating with, going back months in time, up to even like six months back in time.
And they refer to this echo tool as like it being like a time machine because it allows governments to look back in time.
Exactly what kind of information are they collecting?
It's just quite generic, basic information, such as like an IP address, which is a series of numbers that everyone has whenever you connect to the internet. Also a unique advertising ID that also would be connected to your individual phone, and this is a code the advertising industry uses to basically identify particular devices, and so they can know, okay, this person has visited these websites, they are possibly interested in buying this product, and so they can then target you with those adverts. And also geolocation, like sometimes GPS data that your phone will routinely share with websites or apps that you're using. In isolation, this kind of data is pretty meaningless. It doesn't really reveal your name, it doesn't reveal much information about you, maybe except a particular website that you visited. The power of what Rayzone is doing here with its technology is taking these individual records and building them up into this huge repository of literally billions or trillions of these records that will be connected to entire countries, and then governments can then use this data in bulk to basically de-anonymize it, to find out who these people are.
They can essentially reverse engineer the advertising ID and link it to a particular person and see where they've been going, where they live, the people that they are associating with, based on the geolocation. So that's essentially the power of it: when they take these individual records and build them up, and build them up over months and weeks, you know, they can see patterns of people's behavior and their activities, and their friends and their relationships, and where they work, where they live, these sorts of details.
When we come back: who's paying up for this information?
Let's talk a little bit more about this idea of de-anonymizing the data. Is this difficult to do? How much effort does it take to identify individual people from this giant pile of data?
Through this reporting, we actually got internal documentation showing how this system works, and Rayzone is very clear in the documents that it has produced on this Echo technology that they use this advertising data to produce what they call profiles on individual people, showing not just their name, their age, where they live, but also their hobbies, their interests, granular details about a person's character, almost in their personality. The way they're able to do this is because they're collecting so much data that eventually, if you have just one record of, you know, I visited this website in this place on this particular day, in this minute, it doesn't mean much. But once you've got that over months, weeks, you know, every hour on a particular person, you're able to see, okay, every night this person goes back to that building, so that's probably their home. Every day they go to this location, they probably work there, and over time you can see, learn a lot about a person, and also fusing that advertising information with other sources of data that a government will have access to. It seems, at least from the documents I've seen, fairly trivial for them to then make the leap from this supposedly anonymous data to actually a person's name and who they are and identity.
So how does the product work if a government uses Echo?
What happens usually will be the government, or like the law enforcement agency or intelligence agency, will go to Rayzone and say, look, we want to use your system and we are interested in, let's just say again hypothetically, France. So what Rayzone will then do is that they can make a custom installation. They will start harvesting data from the advertising industry through supply-side platforms, in industry jargon. It's basically like an ad exchange that people can purchase data from, and then they will start buying the data on France and they will harvest. You know, the government says we want data between January and March on the entire nation of France. Rayzone can then purchase and harvest that data and put it together in the system, and what the government ultimately gets, it's essentially just like a Google-like system, you know, where they just go into what's just an interface and they can then begin to search for particular locations that they're interested in on X date and find out who was at that cafe on Tuesday at three pm, and narrow it down like that and see all of the people who were there, and then they can drill it down: okay, where did this person go after the cafe? That's kind of how it works, and it will vary depending on what the government's interested in.
When you went to Rayzone and asked them about their business and the Echo product, what did they say?
Their on-the-record response was very brief and to the point, and basically they just said that they sell their technologies to help governments fight crime and terrorism, and they didn't really want to go beyond that, so they like to stay under the radar, this company, that's for sure.
You said the price of their product varies depending on what the government wants. How expensive is this?
What we were told is that if it was like a major installation, like a big, you know, they're looking at maybe a few different countries and a lot of data, it will be up to about ten million dollars. Looking at a smaller country, smaller number of people, it will be down near like two million. So that the sort of price band was like two to ten million. Was we were told about regular sales that they're making, and we were told also that it's been quite successful in so far as they have dozens of law enforcement and intelligence agencies. You're buying this across the world, you know, and most continents across Europe, North America, Asia, Middle East, Africa, I believe also, and they have a few different products that they sell, but this is their main product that's bringing the most money in for them. It's quite a powerful tool. For the budget of a major intelligence agency, not a lot of money.
And also I think one of the appeals of it is that it doesn't involve hacking into a person's phone or installing any equipment within a telecommunication network, so in a way it kind of has a lower profile.
It's less likely to be detected.
Ryan, is there any regulation against a company like Rayzone selling this kind of data?
The Israeli export control system regulates the sale of particular surveillance technologies that involve hacking into phones or placing equipment within a network. This technology, Echo, doesn't involve either of those two things, so therefore it isn't regulated through the export control, which gives Rayzone a lot of latitude to just sell essentially to whoever it wants without much oversight.
And also, you know, within individual countries that will be purchasing this, there isn't much regulation because this isn't data that is being obtained directly from like a telco. It's not been like wiretapped or anything like that. So the agencies that are using it aren't having to go and get like a search warrant to obtain it. It's commercially purchased data. Certainly, I know, like there are regulators in Europe and also in the United States. There have been several US senators who've expressed concerns about this kind of marketplace for this data. Because of the reasons I've outlined, it's a very unregulated space.
Rayzone is marketing this Echo product to governments and intelligence agencies. But are any companies using it?
Not as far as I know, And they do say that they won't sell it to private companies. They say that it's only a tool that they will sell to governments. You know, we don't really know ultimately how it's being used, but it's supposed to be used to fight crime and terrorism.
Ryan, thanks so much for coming on the show.
My pleasure, Thanks for having me on.
Thanks for listening to us here at The Big Take. It's a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen, and we'd love to hear from you. Email us questions or comments to Big Take at Bloomberg. The supervising producer of The Big Take is Vicky Vergalina. Our senior producer is Katherine Fink. Rebecca Shasson is our producer. Our associate producer is Sam Gebauer. Raphael mcili is our engineer.
Our original music was composed by Leo Sidrin. I'm Wes Kosova. We'll be back tomorrow with another Big Take.