April 5, 2021

Cassidy, Bipartisan Senators Question Online Ad Exchanges on Sharing Americans’ Data with Foreign Companies

WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA) questioned eight digital advertising exchanges about the possible sale of Americans’ personal information to foreign-owned companies, in a letter sent with Senators Ron Wyden (D-OR), Kirsten Gillibrand (D-NY), Mark Warner (D-VA), Sherrod Brown (D-OH), and Elizabeth Warren (D-MA).

The senators are seeking information about the sharing of Americans’ data through “real time bidding” – the auction process used to place many targeted digital advertisements. For most online ads, although only one company wins the auction, hundreds of firms participating receive information about the potential recipient of the ad, including device identifiers and cookies, web browsing and location data, IP addresses, and age and gender. The letter was sent to AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon.

In the letter, the Senators wrote: 

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.

“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”

Read the Senators’ full letter here or below.

We write to seek information about your company’s sharing of Americans’ personal data in order to understand how that information may be obtained and exploited by foreign governments to the detriment of our national security. 

Many of the ads we see on our phones, computers, and smart TVs are curated through a process called real time bidding. In the milliseconds before digital ads are displayed, an auction takes place in which hundreds of companies are able to bid for their ad to be shown. While only one company will win the auction, hundreds of firms participating receive sensitive information about the potential recipient of the ad—device identifiers and cookies, web browsing and location data, IP addresses, and unique demographic information such as age and gender. Your company operates a major advertising auction service. 

Few Americans realize that some auction participants are siphoning off and storing “bidstream” data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments. 

Over the past year, multiple reports have indicated that a number of federal agencies have purchased personal data derived from mobile apps and other online services, in ways that potentially merit closer scrutiny. But the United States is not the only government with the means and interest in acquiring Americans’ personal data. This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns. As Congress debates potential federal privacy legislation, we must understand the serious national security risks posed by the unrestricted sale of Americans’ data to foreign companies and governments. To that end, please provide us with answers to the following questions by May 4, 2021: 

  1. Please identify the specific data elements about users, their devices, the websites they are accessing, and apps they are using that you provide to auction participants. 
  2. Please identify each company, foreign or domestic, to whom your firm has provided bidstream data in the past three years that is not contractually prohibited from sharing, selling, or using the data for any purpose unrelated to bidding on and delivering an ad. 
  3. If your firm has contractual restrictions in place prohibiting the sharing, sale, or secondary use of bidstream data, please detail all efforts to audit compliance with these contractual restrictions and the results of those audits. 
  4. Please identify each foreign-headquartered or foreign-majority owned company to whom your firm has provided bidstream data from users in the United States and their devices in the past three years. 

Thank you for your attention to this important matter. 

###
