Remember the "Don't Be Evil" stuff? —

Google allowed sanctioned Russian ad company to harvest user data for months

Info included unique mobile phone IDs, IP addresses, location information, and more.

Google failed to disclose bidstream data partners

Fears over misuse of the information led Warner, Wyden, and four colleagues to ask Google and six other ad exchanges in April 2021 to list the domestic and foreign partners they shared bidstream data with in the past three years. They warned that this data could have serious implications for US national security.

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” they wrote in letters to AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter, and Verizon.

Google responded a few weeks later but refused to list the companies it shares bidstream data with, citing “non-disclosure obligations.”

Franaszek’s research reveals concerns about the accuracy of Google’s response. He identified eight pages on Google’s support website that list hundreds of foreign and domestic companies that are eligible to receive bidstream data from it. One list contains over 300 companies, of which 19 are Chinese owned or headquartered and 16 are based in Russia, including RuTarget.

Franaszek also found that some of these companies publicly disclosed their relationship with Google. And, as reported by Vice, some of Google’s competitors disclosed to the senators the foreign partners they share data with.

This raises questions as to what Google was referring to when it said nondisclosure obligations prevent it from naming its partners, according to Franaszek.

“Google was publicizing, on its own website, lists of foreign [partners] months before they told the senators that,” he said.

Google’s Aciman said the lists on Google’s website do not disclose the nature of its relationship with the companies, and he reiterated that it has nondisclosure obligations with companies who act as bidders.

One of the lists on Google’s site (“Ad Manager Certified External Vendors”) includes a column that describes what each Google vendor does. At least 13 of the companies are publicly identified as “RTB bidders,” meaning they act as bidders in Google’s real-time ad auction process.

Publishers sharing data with RuTarget

The user data shared by Google with RuTarget and other potential bidders is drawn from millions of websites and apps that rely on the Silicon Valley giant to help them earn money from ads. And many would likely be surprised to learn that a sanctioned Russian ad company was until two weeks ago able to harvest information about their visitors.

Because of its relationship with Google, RuTarget is publicly listed as a recipient of user data by major publishers including Reuters and ESPN. This means RuTarget can receive data from these companies about the millions of people who visit their online properties each month. Like other publishers, ESPN and Reuters list RuTarget as a recipient of user data in cookie consent popups shown to users browsing their sites from the EU and other jurisdictions with data privacy laws requiring such disclosures.

A spokesperson for Reuters said the companies shown in its consent popup, including RuTarget, come from a list of vendors provided by Google.

“This list of vendors is managed by Google, and Reuters uses Google’s list of vendors on our website. We understand that Google suspended buyers and bidders based in Russia, and we have no record of any transactions with RuTarget since April 6,” Heather Carpenter of Reuters said.

ESPN did not respond to a request for comment. As a Google partner, it’s possible that data about users browsing ProPublica’s website has at some point been shared with RuTarget. The opaque and technical nature of digital advertising makes it difficult to know for sure.

Jason Kint, head of the digital publisher trade group Digital Content Next, said Google’s market power leaves publishers with little choice except to work with the company.

“Premium publishers have to trust Google for a significant number of services that they depend on,” he said. “This is another example of misplaced trust. I’m just incredibly disappointed in Google.”

RuTarget’s website also lists an impressive group of global brands among its clients, including Procter & Gamble, Levi’s, Mazda, MasterCard, Hyundai, PayPal, and Pfizer. This suggests the companies have worked with RuTarget to purchase ads, likely in an effort to target Russian-speaking audiences.

A spokesperson for Pfizer said the company is not currently working with RuTarget. “Following investigation with colleagues we have established we do not have any current working relationship with the organisation you mention, and have no recent record of any relationship,” Andrew Widger, the Pfizer spokesperson, said in an email.

The remaining companies did not respond to a request for comment.

Sherman of Duke said RuTarget’s connections to Google and so many other entities show how the “ecosystem of digital advertising and of data collection and data brokers is a mess and a really thorny web to untangle.”
