Remember the "Don't Be Evil" stuff?

Google allowed sanctioned Russian ad company to harvest user data for months

Info included unique mobile phone IDs, IP addresses, location information, and more.

ProPublica is a Pulitzer Prize-winning investigative newsroom.

The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner sent a letter to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.

But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.

Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a US Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.

RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean US individuals and entities are not supposed to conduct business with RuTarget or Sberbank.

Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity, data that US senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.

Last April, a bipartisan group of US senators sent a letter to Google and other major ad technology companies warning of the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”

Google spokesperson Michael Aciman said that the company blocked RuTarget from using its ad products in March and that RuTarget has not purchased ads directly via Google since then. He acknowledged the Russian company was still receiving user and ad buying data from Google before being alerted by ProPublica and Adalytics.

“Google is committed to complying with all applicable sanctions and trade compliance laws,” Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”

Aciman said this action includes not only preventing RuTarget from further accessing user data, but from purchasing ads through third parties in Russia that may not be sanctioned. He declined to say whether RuTarget had purchased ads via Google systems using such third parties, and he did not comment on whether data about Ukrainians had been shared with RuTarget.

Krzysztof Franaszek, who runs Adalytics and authored the report, said RuTarget’s ability to access and store user data from Google could open the door to serious potential abuse.

“For all we know they are taking that data and combining it with 20 other data sources they got from God knows where,” he said. “If RuTarget’s other data partners included the Russian government or intelligence or cybercriminals, there is a huge danger.”

In a statement to ProPublica, Warner, a Virginia Democrat, called Google’s failure to sever its relationship with RuTarget alarming.

“All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company—owned by a sanctioned, state-owned bank no less—is incredibly alarming and frankly disappointing,” he said. “I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.”

Google’s initial failure to fully enforce sanctions on RuTarget highlights how money and data can flow through its market-leading digital advertising systems with little oversight or accountability. An April report from Adalytics showed that Google had continued serving ads on Russian websites that had been on the Treasury sanctions list for years. In June, ProPublica reported that Google helped place, and earned money from, more than 100 million gun ads, despite the company’s strong public stance against accepting such ads.

The findings about RuTarget also come as Google and other tech companies face intense scrutiny from legislators about their handling of personal data.

Sen. Ron Wyden, D-Ore., who sits on the Senate Intelligence Committee, criticized Google for its failure last year to provide him and his colleagues with a list of the foreign-owned companies it shares ad data with.

“Google has refused to disclose [to senators] whether its ad network makes Americans’ data available to foreign companies in Russia, China, and other high-risk countries,” he said in a statement to ProPublica. “It is time for Congress to act and pass my bipartisan bill, the Protecting Americans’ Data From Foreign Surveillance Act, which would force Google and other networks to radically change how they do business and ensure unfriendly foreign governments don’t have unfettered access to Americans’ sensitive information.”

Wyden and his colleagues introduced the bipartisan bill last week to prevent sensitive data about Americans from being sold or transferred to “high-risk foreign countries.” Wyden and a different group of Senate colleagues also sent a letter to Federal Trade Commission Chair Lina Khan last week asking her to investigate Google and Apple for enabling mobile advertising IDs in cellphones. These unique IDs can be combined with other data to personally identify users.

Wyden’s letter cited mobile IDs as one way that Google and Apple transformed “online advertising into an intense system of surveillance that incentivizes and facilitates the unrestrained collection and constant sale of Americans’ personal data.”

Aciman of Google said that the mobile advertising ID was created to give users control and privacy and that Google does not allow the sale of user data.

“The advertising ID was created to give users more control and provide developers with a more private way to effectively monetize their app,” he said. “Additionally, Google Play has policies in place that prohibit using this data for purposes other than advertising and user analytics. Any claims that advertising ID was created to facilitate data sales are simply false.”

Bidstream data under scrutiny

At the heart of both the senators’ concerns and the Adalytics report is the data collected on global Internet users that gets passed between companies as part of the digital ad buying process. This treasure trove of information can include a person’s unique mobile ID, IP address, location information, and browsing habits. When passed between companies to facilitate ad buying, the trove is called bidstream data. And it’s essential to the roughly half a trillion-dollar digital ad industry that is dominated by Google.

Many digital ads are placed as a result of a real-time auction in which the seller of ad space, such as a website, is connected with potential buyers, like brands and agencies. An auction starts when a user visits a website or app. Within milliseconds, data collected about this user is shared with potential ad buyers to help them decide whether to bid to show an ad to the user. Regardless of whether they bid or not, ad buying platforms like RuTarget receive and store this bidstream data, helping them automate the amassing of rich repositories of data over time.

The auction process is run by ad exchanges. They connect buyers and sellers and facilitate the sharing of bidstream data between them in conjunction with a process called cookie syncing. Google operates the world’s largest ad exchange, and RuTarget is one of many companies it shares bidstream data with. The more RuTarget connects with ad exchanges like Google, the more information it can gather and combine with data collected from other online and offline sources.
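
An added example, not from the article or from Google's systems: a sketch of an exchange-side gate for the auction fan-out described above, which sends no bid request at all to a seat marked blocked and strips the identifying fields for every other buyer. Field names assume an OpenRTB 2.x-style request; the bidder ids, statuses and sample request are constructed.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Constructed bid request; field names assume an OpenRTB 2.x-style layout.
SAMPLE_REQUEST = {
    "id": "req-0001",
    "site": {"domain": "news.example",
             "page": "https://news.example/kyiv/shelters?uid=77"},
    "device": {
        "ifa": "00000000-0000-4000-8000-000000000001",  # mobile advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 50.45012, "lon": 30.52345, "country": "UKR"},
    },
    "user": {"id": "exchange-user-abc"},
}

# Hypothetical bidder registry: seat id -> status set by a sanctions review.
BIDDERS = {"dsp-alpha": "active", "dsp-bravo": "blocked", "dsp-charlie": "active"}


def minimize(req):
    """Return a copy with the identifying bidstream fields removed or coarsened."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    dev.pop("ifa", None)                      # drop the unique mobile ID
    if "ip" in dev:                           # IPv4 only: keep the /24 network
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):                # country stays, coordinates go
        geo.pop(key, None)
    out.pop("user", None)                     # drop the cross-site user id
    site = out.get("site", {})
    if "page" in site:                        # full URL reveals browsing detail
        site["page"] = "https://" + urlsplit(site["page"]).hostname + "/"
    return out


def fan_out(req, bidders):
    """Build per-bidder payloads; any seat that is not active gets no request."""
    payload = minimize(req)
    sent, skipped = {}, []
    for seat, status in sorted(bidders.items()):
        if status != "active":                # deny by default
            skipped.append(seat)
            continue
        sent[seat] = copy.deepcopy(payload)
    return sent, skipped
```

The gate has to sit on the request path, not the bid path, because a buyer receives the data whether or not it ever bids.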

Justin Sherman, a fellow at Duke’s Sanford School of Public Policy who runs a project focused on data brokers, said bidstream data is largely unregulated and can be highly sensitive, even if it does not include personal information such as names or emails.

“There’s growing attention to the ways in which our data ecosystem and our ecosystem of data brokers and advertisers gives away or sends or sells highly sensitive information on Americans to foreign entities,” he said. “There is also concern about foreign entities illicitly accessing that information.”
