A new threat to the privacy of billions of users has just come to light. In its report “Europe’s hidden security crisis”, the Irish Council for Civil Liberties (ICCL) has denounced the existence of Patternz, a sophisticated spy tool that operates in the shadows of the Internet and that has already managed to steal confidential information on an unprecedented scale.
Patternz is a surveillance system that can be fed with Real Time Bidding (RTB) data to generate detailed profiles of more than five billion people globally. These profiles, which reveal information from locations to intimate secrets, are then marketed to data brokers.
What’s disturbing about Patternz is its ability to track movements, even children’s travel routes, and deduce aspects as delicate as financial problems or psychological states of individuals. This tool represents not only a massive violation of privacy, but also a potential threat to individual security.
Wolfie Christl, cybersecurity researcher at Cracked Labs and co-author of the report, states in a Mastodon thread that in internal Patternz documents to which he has had access,
“[documents] I can’t publish, they also explain that mobile phones ‘are always with the users’, that they ‘grant access to applications voluntarily’, so the smartphone becomes a ‘de facto tracking bracelet’.”
The public documents underline that the Patternz system can also be used for offensive purposes by sending “targeted messages, advertisements or Trojans directly through the advertising technology.”
But what is Real Time Bidding (RTB)?
RTB is a method that allows advertisers to bid in real time for online advertising space. This mechanism, although efficient for advertising management (since it allows ads to be extremely specific and targeted), becomes a double-edged tool when it comes to user security and privacy.
It works in the following way:
- Automation: When a user visits a web page that contains advertising spaces, information about the user and the advertising space is automatically sent to an ad marketplace.
- Auction: In milliseconds, an auction is held between several advertisers who bid to display their ad in that specific space, based on the user’s available information (such as location, browsing behavior, interests, etc.).
- Choice of winning advertiser: The advertiser who bids the highest price wins the auction and their ad is shown to the user.
RTB is a key component of programmatic advertising – one that the ICCL claims is present on almost all web platforms – but it also raises privacy concerns as it involves the collection, circulation and use of large amounts of personal information.
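The auction step described above, as an added example that is not taken from the ICCL report or from this article: it counts which personal fields of one bid request reach every bidder, and shows a data-minimised copy of the same request. It assumes OpenRTB 2.x style field names (`device.ifa`, `device.geo`, `user.id` and so on), which the article does not mention; the sample request, the bidder names and the helper functions are constructed for illustration.

```python
import copy

# Constructed sample in the style of an OpenRTB 2.x bid request
# (assumption: the article names no wire format; every value is made up).
SAMPLE_BID_REQUEST = {
    "id": "auction-0001",
    "imp": [{"id": "1", "banner": {"w": 300, "h": 250}}],
    "site": {"domain": "news.example", "page": "https://news.example/debt-advice"},
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 14)",
        "ip": "203.0.113.57",
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
        "geo": {"lat": 53.349805, "lon": -6.260310},
    },
    "user": {"id": "u-7f3a", "yob": 1988, "keywords": "loans,anxiety"},
}

# Dotted paths that identify or profile a person.
PERSONAL_PATHS = ["device.ip", "device.ifa", "device.geo.lat", "device.geo.lon",
                  "user.id", "user.yob", "user.keywords", "site.page"]

def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def exposure(request, bidders):
    """Every bidder receives the whole request, whether it wins or not."""
    present = [p for p in PERSONAL_PATHS if get_path(request, p) is not None]
    return {"fields": present, "copies_sent": len(present) * len(bidders)}

def minimise(request):
    """Return a copy with identifiers dropped and IP/location coarsened."""
    req = copy.deepcopy(request)
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    dev.pop("ifa", None)                 # advertising ID: stable cross-app key
    if "ip" in dev:                      # IPv4 only: zero the last octet
        dev["ip"] = ".".join(dev["ip"].split(".")[:3] + ["0"])
    for axis in ("lat", "lon"):          # 0.1 degree grid (~11 km of latitude)
        if axis in geo:
            geo[axis] = round(geo[axis], 1)
    req.pop("user", None)                # user ID, birth year, interest keywords
    if "site" in req:
        req["site"].pop("page", None)    # keep the domain, drop the exact URL
    return req
```

With three constructed bidders, `exposure(SAMPLE_BID_REQUEST, [...])` reports eight personal fields and 24 field copies leaving the marketplace for a single page view; after `minimise`, only the coarsened IP and coordinates remain.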
RTB, a huge hole in our privacy
As the ICCL states in its report:
“Foreign countries and non-state actors can also obtain RTB data [originating] from the EU indirectly: by purchasing them from some of the many companies that receive RTB transmissions.
For example, another surveillance company (ISA) acknowledged that it obtains RTB data indirectly through large RTB companies, which feeds its Patternz surveillance system.”
Thus, the ICCL warns that the trade of RTB data could compromise the security of the European Union by providing sensitive information on political and military figures, and that these data may be transferred to entities located in foreign powers, where authorities can access them under national laws.
Christl points to the online advertising industry as an “accomplice” in this scenario: every time someone visits a website or uses a mobile application that displays digital ads, profile data is transmitted to dozens or hundreds of companies and other entities in an uncontrolled manner, which would mean that the processing is illegal under the GDPR.
The report also criticizes the deliberate decision to create the RTB advertising system in this way and the data industry’s continued effort to keep it running, resorting to lobbying and attempts to delay the implementation of the GDPR. In Christl’s words,
“In Europe, GDPR enforcement has failed. Otherwise, the uncontrolled sharing of personal data via the RTB bidding stream would have been shut down years ago. GDPR regulators must take action now, launch a high-priority investigation, order prohibitions on processing.”
Image | Marcos Merino through AI