Unique mobile phone IDs, IP addresses, location information, and details about users’ interests and online activity.
By Craig Silverman
Reporter
ProPublica
The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner sent a letter to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.
But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.
Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a U.S. Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.
RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean U.S. individuals and entities are not supposed to conduct business with RuTarget or Sberbank.
Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information and details about users’ interests and online activity, data that U.S. senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.
Last April, a bipartisan group of U.S. senators sent a letter to Google and other major ad technology companies warning of the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”
Google spokesperson Michael Aciman said that the company blocked RuTarget from using its ad products in March, and that RuTarget has not purchased ads directly via Google since then. He acknowledged the Russian company was still receiving user and ad buying data from Google before being alerted by ProPublica and Adalytics.
“Google is committed to complying with all applicable sanctions and trade compliance laws,” Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”
Aciman said this action includes not only preventing RuTarget from further accessing user data, but from purchasing ads through third parties in Russia that may not be sanctioned. He declined to say whether RuTarget had purchased ads via Google systems using such third parties, and he did not comment on whether data about Ukrainians had been shared with RuTarget.
Krzysztof Franaszek, who runs Adalytics and authored the report, said RuTarget’s ability to access and store user data from Google could open the door to serious potential abuse.
“For all we know they are taking that data and combining it with 20 other data sources they got from God knows where,” he said. “If RuTarget’s other data partners included the Russian government or intelligence or cybercriminals, there is a huge danger.”
In a statement to ProPublica, Warner, a Virginia Democrat, called Google’s failure to sever its relationship with RuTarget alarming.
“All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company — owned by a sanctioned, state-owned bank no less — is incredibly alarming and frankly disappointing,” he said. “I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.”
Google’s initial failure to fully enforce sanctions on RuTarget highlights how money and data can flow through its market-leading digital advertising systems with little oversight or accountability. An April report from Adalytics showed that Google had continued serving ads on Russian websites that had been on the Treasury sanctions list for years. In June, ProPublica reported that Google helped place, and earned money from, more than 100 million gun ads, despite the company’s strong public stance against accepting such ads.
The findings about RuTarget also come as Google and other tech companies face intense scrutiny from legislators about their handling of personal data.
Sen. Ron Wyden, D-Ore., who sits on the Senate Intelligence Committee, criticized Google for its failure last year to provide him and his colleagues with a list of the foreign-owned companies it shares ad data with.
“Google has refused to disclose [to senators] whether its ad network makes Americans’ data available to foreign companies in Russia, China and other high-risk countries,” he said in a statement to ProPublica. “It is time for Congress to act and pass my bipartisan bill, the Protecting Americans’ Data From Foreign Surveillance Act, which would force Google and other networks to radically change how they do business and ensure unfriendly foreign governments don’t have unfettered access to Americans’ sensitive information.”
Wyden and his colleagues introduced the bipartisan bill last week to prevent sensitive data about Americans from being sold or transferred to “high-risk foreign countries.” Wyden and a different group of Senate colleagues also sent a letter to Federal Trade Commission Chair Lina Khan last week asking her to investigate Google and Apple for enabling mobile advertising IDs in cellphones. These unique IDs can be combined with other data to personally identify users.
Wyden’s letter cited mobile IDs as one way that Google and Apple transformed “online advertising into an intense system of surveillance that incentivizes and facilitates the unrestrained collection and constant sale of Americans’ personal data.”
Aciman of Google said that the mobile advertising ID was created to give users control and privacy, and that Google does not allow the sale of user data.
“The advertising ID was created to give users more control and provide developers with a more private way to effectively monetize their app,” he said. “Additionally, Google Play has policies in place that prohibit using this data for purposes other than advertising and user analytics. Any claims that advertising ID was created to facilitate data sales are simply false.”
Bidstream Data under Scrutiny
At the heart of both the senators’ concerns and the Adalytics report is the data collected on global internet users that gets passed between companies as part of the digital ad buying process. This treasure trove of information can include a person’s unique mobile ID, IP address, location information and browsing habits. When passed between companies to facilitate ad buying, the trove is called bidstream data. And it’s essential to the roughly half a trillion dollar digital ad industry that is dominated by Google.
Many digital ads are placed as a result of a real-time auction in which the seller of ad space, such as a website, is connected with potential buyers, like brands and agencies. An auction starts when a user visits a website or app. Within milliseconds, data collected about this user is shared with potential ad buyers to help them decide whether to bid to show an ad to the user. Regardless of whether they bid or not, ad buying platforms like RuTarget receive and store this bidstream data, helping them automate the amassing of rich repositories of data over time.
The auction process is run by ad exchanges. They connect buyers and sellers and facilitate the sharing of bidstream data between them in conjunction with a process called cookie syncing. Google operates the world’s largest ad exchange, and RuTarget is one of many companies it shares bidstream data with. The more RuTarget connects with ad exchanges like Google, the more information it can gather and combine with data collected from other online and offline sources.
Justin Sherman, a fellow at Duke’s Sanford School of Public Policy who runs a project focused on data brokers, said bidstream data is largely unregulated and can be highly sensitive, even if it does not include personal information such as names or emails.
“There’s growing attention to the ways in which our data ecosystem and our ecosystem of data brokers and advertisers gives away or sends or sells highly sensitive information on Americans to foreign entities,” he said. “There is also concern about foreign entities illicitly accessing that information.”
Google Failed to Disclose Bidstream Data Partners
Fears over the ill-usage of the information led Warner, Wyden and four colleagues to ask Google and six other ad exchanges in April 2021 to list the domestic and foreign partners they shared bidstream data with in the past three years. They warned that this data could have serious implications for U.S. national security.
“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” they wrote in letters to AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon.
Google responded a few weeks later but refused to list the companies it shares bidstream data with, citing “non-disclosure obligations.”
Franaszek’s research reveals concerns about the accuracy of Google’s response. He identified eight pages on Google’s support website that list hundreds of foreign and domestic companies that are eligible to receive bidstream data from it. One list contains over 300 companies, of which 19 are Chinese owned or headquartered and 16 are based in Russia, including RuTarget.
Franaszek also found that some of these companies publicly disclosed their relationship with Google. And, as reported by Vice, some of Google’s competitors disclosed to the senators the foreign partners they share data with.
This raises questions as to what Google was referring to when it said nondisclosure obligations prevent it from naming its partners, according to Franaszek.
“Google was publicizing, on its own website, lists of foreign [partners] months before they told the senators that,” he said.
Google’s Aciman said the lists on Google’s website do not disclose the nature of its relationship with the companies, and he reiterated that it has nondisclosure obligations with companies who act as bidders.
One of the lists on Google’s site (“Ad Manager Certified External Vendors”) includes a column that describes what each Google vendor does. At least 13 of the companies are publicly identified as “RTB bidders,” meaning they act as bidders in Google’s real-time ad auction process.
Publishers Sharing Data With RuTarget
The user data shared by Google with RuTarget and other potential bidders is drawn from millions of websites and apps that rely on the Silicon Valley giant to help them earn money from ads. And many would likely be surprised to learn that a sanctioned Russian ad company was until two weeks ago able to harvest information about their visitors.
Because of its relationship with Google, RuTarget is publicly listed as a recipient of user data by major publishers including Reuters and ESPN. This means RuTarget can receive data from these companies about the millions of people who visit their online properties each month. Like other publishers, ESPN and Reuters list RuTarget as a recipient of user data in cookie consent popups shown to users browsing their sites from the EU and other jurisdictions with data privacy laws requiring such disclosures.
A spokesperson for Reuters said the companies shown in its consent popup, including RuTarget, come from a list of vendors provided by Google.
“This list of vendors is managed by Google, and Reuters uses Google’s list of vendors on our website. We understand that Google suspended buyers and bidders based in Russia, and we have no record of any transactions with RuTarget since April 6,” Heather Carpenter of Reuters said.
ESPN did not respond to a request for comment. As a Google partner, it’s possible that data about users browsing ProPublica’s website has at some point been shared with RuTarget. The opaque and technical nature of digital advertising makes it difficult to know for sure.
Jason Kint, head of the digital publisher trade group Digital Content Next, said Google’s market power leaves publishers with little choice except to work with the company.
“Premium publishers have to trust Google for a significant number of services that they depend on,” he said. “This is another example of misplaced trust. I’m just incredibly disappointed in Google.”
RuTarget’s website also lists an impressive group of global brands among its clients, including Procter & Gamble, Levi’s, Mazda, MasterCard, Hyundai, PayPal and Pfizer. This suggests the companies have worked with RuTarget to purchase ads, likely in an effort to target Russian-speaking audiences.
A spokesperson for Pfizer said the company is not currently working with RuTarget. “Following investigation with colleagues we have established we do not have any current working relationship with the organisation you mention, and have no recent record of any relationship,” Andrew Widger, the Pfizer spokesperson, said in an email.
The remaining companies did not respond to a request for comment.
Sherman of Duke said RuTarget’s connections to Google and so many other entities shows how the “ecosystem of digital advertising and of data collection and data brokers is a mess and a really thorny web to untangle.”
Originally published by ProPublica, 07.01.2022, under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States license.