Welcome back to BRANDED, the newsletter uncovering how adtech companies fund hate and disinformation.
Here’s what’s new with us:
- Cool Hunting just dropped a new profile on Check My Ads Institute [Adtech Watchdog “Check My Ads” Fights Disinformation + Hate Speech]
- Nandini spoke to AdWeek about Lush’s decision to shut down its Facebook accounts [Life After Facebook: Inside the Platform Strategy for Cosmetics Company Lush]
- Nandini spoke to ProPublica about Google’s ties to Steve Bannon [How Steve Bannon Has Exploited Google Ads to Monetize Extremism]
- Publisher Desk (a dark pool sales house) appears to have dropped Steve Bannon-affiliated Populist Press ahead of the publication of the ProPublica article
- SendGrid (a Twilio company) terminated disinformation outlet Revolver News’s email marketing account.
This May, Magnite wrote a letter to Congress with a singular assertion: “Magnite does not sell data to either foreign companies or foreign governments.”
They were responding to a group of senators — including Sens. Elizabeth Warren and Ron Wyden — who wanted to know which foreign entities Magnite (along with the ad exchanges AT&T, Index Exchange, Google, OpenX, PubMatic, Twitter, and Verizon) had been sharing bidstream data with. (Here’s the letter.)
We can understand why the senators would be concerned. Bidstream data — the personal, identifiable data that helps marketers target you with personalized ads — also enables foreign adversaries to build extremely detailed profiles of U.S. citizens.
It’s also no surprise that when Congress requested information from these companies, everyone but Magnite totally panicked at the idea of disclosing their foreign partners to the Senate. Twitter flat out refused. Verizon actually sold off its ad business on May 3rd, the day before the deadline to respond. Most just ignored the request. Very normal and not sketchy at all!
But Magnite did the right thing: they actually wrote back to the lawmakers and provided a list of their foreign partners. In the letter, they assured the senators that they not only don’t sell data, but they prohibit their partners from selling it too.
“Magnite is committed to cooperating with your collective efforts to safeguard the United States and our national security,” they wrote.
What they didn’t mention is that while Magnite doesn’t sell bidstream data, they do give it out like it’s Halloween candy to a number of foreign shell companies and anonymous LLCs that sign up with them. They also didn’t mention that Magnite — just like every other ad exchange — collects enough data to build a detailed dossier on nearly every person in America. And, they don’t even know who they’re giving it away to.
In today’s BRANDED, we’re exploring how Magnite’s (and everyone else’s) loose standards are risking it all — our elections, our democracy and the safety of the American public. It’s a crisis of Cambridge Analytica proportions taking place right under our noses.
Wait, what’s bidstream data?
To be terrified that our bidstream data is being handed out like it’s a free sample at Costco, we must understand what bidstream data is.
Right now as you use your phone or computer, the apps you have open are “compressing your life into a series of codes,” and transmitting that data to thousands of data brokers.
This is your bidstream data. It includes (but is not limited to):
- Your IP address: Where you are connected to the internet
- Your mobile ID (The unique ID associated with your device): Apps use this to target and track what other apps and websites you’re visiting.
- Your current location: Where you are right now. (The U.S. military has already bought the “granular movement data” of people around the world.)
- Everything else that should be your own damn business: Your dating life, your mental health, your menstrual cycle, your personal and business debts, and whether you’re a closeted gay priest.
In pieces, it’s not so apocalyptic. But when merged, this data connects the dots on where you live, where you work, who your partner is, who your friends are, who you’re cheating on your partner with and where you went for dim sum on Thursday night. (Read this jaw-dropping 2018 NYT investigation for more.)
In theory, all this surveillance is supposed to help marketers build profiles on you to serve you with more relevant ads. But there’s someone else who wants it.
As Vice reports, this is the kind of multi-billion dollar spying program that foreign governments would be extremely happy to pay for — but adtech companies are letting them just have it for free:
Before an advertisement is shown inside an app or a web browser, a process called real-time bidding (RTB) takes place, where different companies bid to have their own ad displayed. As participants in that process, companies obtain sensitive data on the user, even if the company ultimately does not win the ad placement. The result is that a swath of companies obtain the generated bidstream data, with some even using it explicitly for surveillance.
That’s right. Any person — or government — in the world can plug into Magnite’s bidstream and skim off whatever data they want, like it’s a chocolate fountain at the Ritz.
It’s easy to see why data brokerage is such a booming industry. For many of these advertising platforms, selling your data is more lucrative than serving ads. It’s free beer and no cops, baby.
Where does it end? Nowhere!
It’s against Magnite’s Terms of Service for its partners to sell bidstream data, but if someone did… who would know? And who would stop them? Magnite and its adtech peers operate within a gray area here. They don’t have to address what they don’t know.
Here’s the list of Magnite’s foreign partners, who as far as we know, have full access to Magnite’s bidstream data. This is the first line of vulnerability. Many of these companies can (and do!) sell the data they obtain through Magnite to other data brokers. Those data brokers can resell it from there.
There are no safeguards to keep this from happening.
Remember when Cambridge Analytica siphoned off the data of 87 million Americans to influence the deciding vote? Magnite is currently broadcasting personal data that can be exploited in exactly the same way.
But with this data freely available to anyone, they’re actually making it possible for hundreds of Cambridge Analytica-style shops to pop up around the world.
The next election is going to be a bidstream free-for-all
If you’re reading this email and you’re a member of Congress, you’re being tracked by foreign state actors through your online activity. The unlocked bidstream opens up government officials and your networks to an array of data vulnerabilities.
But maybe you’re not a member of Congress. Maybe you’re just a normal person who wants to live in a democracy where your vote counts and isn’t influenced by foreign governments. In that case, you’re shit out of luck.
Magnite is already positioning itself for the upcoming elections as a “one-stop shop” for political advertisers. They’re gathering an enormous amount of data about voters and there is no indication that they plan to keep their political advertising capabilities out of the hands of foreign entities.
So we’re calling it now: This is a full-blown national security crisis.
What we need to do next
Magnite is just one of countless ad exchanges that are trading away Americans’ data and our right to free and fair elections. And, they’re arguably the most transparent about it — remember that ad exchanges AT&T, Index Exchange, Google, OpenX, PubMatic, Twitter, and Verizon refused to give their list of foreign entities to the United States Senate.
So what can we do?
- Demand transparency. Who are the foreign companies who work with ad exchanges like Magnite? And, who are their beneficial owners? This would look a lot like a Know Your Customer law. Our personal data should not be ending up with anonymous shell companies.
- Call for studies on the efficacy of ad targeting and surveillance marketing. What are we trading our privacy and our national security for? Is the ROI even worth it to the advertisers who bankroll the industry?
- Create a foreign data broker registration requirement. Vendors should be required to register to obtain the data of U.S persons. If they know who we we are, we should know who they are.
This is a national security emergency. We are going to continue raising the alarm on this and advocating for free and fair elections.
On a side note — this is our last BRANDED issue of the year. We are spending the month gearing up for a big campaign in the first week of January.
As we ramp up for 2022, you can support us by becoming a Checkmate. Every Checkmate makes a huge difference for us. We are in the first few months of operating as a non-profit and your support buys us time.
As always, thanks for reading. See you in the new year!
Nandini and Claire
Did you like this issue? Then why not share! Please send tips, compliments and complaints to @nandoodles and @catthekin.
To support this work, sign up as a Checkmate!