![](\"https:\/\/media.wired.com\/photos\/6786e992fe724dac1d295aba\/master\/pass\/security_googlechina_GettyImages-1332530636.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Dell Cameron, Dhruv Mehrotra| Date: Thu, 20 Feb 2025 12:21:41 +0000<\/strong><\/p>\n A WIRED investigation<\/span> into the inner workings of Google\u2019s advertising ecosystem reveals that a wealth of sensitive information on Americans is being openly served up to some of the world\u2019s largest brands despite the company\u2019s own rules<\/a> against it. Experts say that when combined with other data, this information could be used to identify and target specific individuals.<\/p>\n Display & Video 360 (DV360), one of the dominant marketing platforms offered by the search giant, is offering companies globally the option of targeting devices in the United States based on lists of internet users believed to suffer from chronic illnesses and financial distress, among other categories of personal data that are ostensibly banned under Google\u2019s public policies.<\/p>\n Other lists of American users accessible for a price across the platform raise serious national security concerns, experts say, as they reveal data brokers striving to isolate millions of mobile devices carried by government workers\u2014from US judges and military service members to executive agency staff and employees on Capitol Hill.<\/p>\n First reviewed by WIRED, an internal spreadsheet obtained from a US-based data broker shows the DV360 platform currently hosting hundreds if not thousands of restricted or otherwise sensitive \u201caudience segments,\u201d each containing a large tranche of data that points to countless mobile devices and online profiles of people in the US. The segments are generated not by Google, but by DV360 customers who upload them to the system, where others can use them to target ads at specific audiences.<\/p>\n The data\u2014first obtained by the Irish Council for Civil Liberties (ICCL), Ireland's oldest independent human rights body\u2014reveals segments targeting hundreds of millions of device users based exclusively on health conditions, from chronic pain and menopause to, among others, fibromyalgia, psoriasis, arthritis, high cholesterol, and hypertension.<\/p>\n \u201cAs with other demand-side platforms, advertisers are able to upload audience lists to Display & Video 360, based either on their own first-party data or from segment providers,\u201d says Erica Walsh, a Google spokesperson. \u201cOur policies do not permit audience segments to be used based on sensitive information like employment, health conditions, financial status, etc.\u201d<\/p>\n Despite this, numerous segments contained in the data are clearly targeted at households and businesses based purely on data suggesting they\u2019re experiencing financial hardship\u2014aiming, for instance, to help advertisers identify people who are in the process of bankruptcy or burdened by long-term debt.<\/p>\n Allison Bodack, another Google spokesperson, tells WIRED that when the company detects \u201cnon-compliant audience segments, we will take action.\u201d Asked to explain why Google had not detected segments with descriptions such as \u201cIndividuals likely to have a Cardiovascular condition,\u201d or \u201cParents of children likely to have a respiratory disease, like Asthma,\u201d Bodack did not respond.<\/p>\n Segments accessible through DV360 that target Americans with asthma contain at least hundreds of millions of mobile IDs\u2014among them, a list simply titled, \u201cPeople who have asthma.\u201d Hundreds of millions more were found on lists for no other reason than the fact that their users are believed to have diabetes. A vast number of devices and user profiles are spread out across lists that target users determined likely to need specific medications, including some controlled substances, such as Ambien. One list links more than 140 million mobile IDs to opioid usage, suggesting the users need relief from a common "opioid-induced" side effect.<\/p>\n Google did not respond when asked whether a data broker had violated its rules by offering advertisers access to a list of people \u201clikely to have an Endocrine disorder.\u201d (The company only stated that its policies \u201cdo not permit\u201d such segments \u201cto be used.\u201d) Asked to explain whether it assigns any level of risk to audience segments that target US government employees working in national security jobs, or contractors with access to restricted US defense-related technologies, Google\u2019s spokespeople did not respond.<\/p>\n Among a list of 33,000 audience segments obtained by the ICCL, WIRED identified several that aimed to identify people working sensitive government jobs. One, for instance, targets US government employees who are considered \u201cdecision makers\u201d working \u201cspecifically in the field of national security.\u201d Another targets individuals who work at companies registered with the State Department to manufacture and export defense-related technologies, from missiles and space launch vehicles to cryptographic systems that house classified military and intelligence data.<\/p>\n Sources with firsthand knowledge of Google\u2019s platform, granted condition of anonymity to protect against retaliation on the job, confirmed the segments were actually accessible to Google\u2019s ad buyers. Unlike Google Ads, which is free and typically used by individuals and small businesses, DV360 is a paid platform primarily aimed at companies that spend over $50,000 in ad buys per month. Google\u2019s DV360 partners include the likes of Disney and NBCUniversal.<\/p>\n \u201cThis is exactly the kind of seemingly obscure data that would pique a foreign adversary's interest,\u201d says Justin Sherman, CEO of Global Cyber Strategies, and author of the upcoming book Navigating Technology and National Security<\/em>. \u201cIt\u2019s not necessarily held in every dataset, but it speaks to a medical condition, it speaks to use of a powerful drug, and it speaks to something that could potentially be exploited in an intelligence context.\u201d<\/p>\n Over the last decade or so, online advertising has evolved to include technologies capable of \u201cmicro-targeting\u201d individuals based on surveillance data gathered from a wide variety of sources. Users are grouped into \u201csegments\u201d by data brokers who aim to isolate individuals with the help of unique mobile identifiers\u2014alphanumeric strings that are assigned to mobile devices and are widely shared across the advertising ecosystem. These mobile IDs are employed to not only track a user\u2019s movements but their online habits, including which apps they use, and are regularly combined with \u201ccookies\u201d that track web browsing behavior and purchasing information.<\/p>\n While the purpose of mobile IDs and other ad-based identifiers is, ostensibly, to help shield users\u2019 identities, it is no secret that when combined with other datasets, it can become trivial to re-identify people whose information has been \u201canonymized.\u201d<\/p>\n A government report<\/a> declassified by the US Office of National Intelligence in June 2023 notes that commercial data may be combined to \u201creverse engineer identities or deanonymize various forms of information.\u201d Advisers to the nation\u2019s top spy at the time, Avril Haines, added in the report: \u201cIn the wrong hands, sensitive insights gained through [commercially available information] could facilitate blackmail, stalking, harassment, and public shaming.\u201d<\/p>\n Demonstrating the point, many data brokers that exist on the periphery of Google\u2019s advertising exchange work to assist marketers by crafting complex dossiers on individual consumers, \u201cenriching\u201d anonymized profiles with information drawn from a range of public and government sources. Frequently this includes credit card transactions, social media posts, bankruptcy filings, vehicle registration records, employment records, and hoards of web tracking data quietly amassed from websites, apps, and IoT devices.<\/p>\n With such access, data brokers aim to craft customized lists of potential targets, such as people who have \u201ccareers in the armed forces\u201d and enjoy \u201cgambling in general,\u201d or those who are an \u201cactive conservative voter\u201d likely to \u201cparticipate in a civil protest,\u201d according to the ICCL-provided data.<\/p>\n The manner in which the data was originally acquired by the ICCL provides a quintessential example of the ease with which rival foreign intelligence agencies can gain access to Americans\u2019 data with minimal effort. Johnny Ryan, director of Enforce, ICCL\u2019s investigative branch, says he was surprised by how easy the access came. \u201cI was prepared for a complex process that would test my cover story,\u201d he says, \u201cbut when I signed up there was no questions asked whatsoever.\u201d<\/p>\n To gain access to the data broker\u2019s segments, Ryan created a website for a fake \u201cdata analytics\u201d firm. The \u201ccompany\u201d isn\u2019t registered anywhere officially, but exists solely as a handful of web pages. On them, Ryan placed an image of a Russian soldier, apparently in the midst of combat, alongside a map of Ukraine. The firm\u2019s work is vaguely described as helping \u201cselect clients\u201d obtain \u201creal-time\u201d awareness of \u201ctargets\u201d in the field. Ryan used this implausible cover while approaching data brokers based in the US.<\/p>\n \u201cI could have been anybody,\u201d he says.<\/p>\n To protect the integrity of ongoing research, WIRED agreed to delay identifying any data brokers being monitored by the ICCL.<\/p>\n Ryan\u2019s research into ad-tech abuse informed a Federal Trade Commission lawsuit brought in 2024 against Mobilewalla, a data broker that, the FTC claims, widely offered access to segments used \u201cspecifically\u201d to target \u201cpregnant women and young mothers,\u201d while also selling mobile IDs that tracked people visiting medical facilities and domestic abuse shelters<\/a>. (Similarly, WIRED identified segments in the ICCL\u2019s data that linked millions of mobile devices to expectant mothers, as well as more than 140 lists that referenced a \u201cpropensity\u201d for \u201cdisease.\u201d Fifty-one million mobile IDs belong to a segment aimed specifically at women likely to lack preventive care.)<\/p>\n According to the FTC government complaint<\/a>, Mobilewalla collected more than 183 million mobile IDs in 2021 alone. Between 2018 and 2020, the company sourced roughly 60 percent of its data directly from real-time bidding (RTB) exchanges, marketplaces where advertisers compete for online ad space in lightning-fast auctions.<\/p>\n A complaint<\/a> filed by Enforce and the Electronic Privacy Information Center (EPIC) last month urges the FTC to launch an investigation into whether Google\u2019s RTB tools have allowed sensitive data to be made available to foreign adversaries\u2014information that Ryan, along with other experts, says includes vast troves of personal data tied to \u201cactive military, intelligence personnel, and key leaders.\u201d<\/p>\n Many of the conditions, behaviors, and traits reflected in the data, such as a likelihood of financial debt, propensity for high alcohol use, and certain medical conditions, are criteria that can adversely affect<\/a> a federal employee\u2019s eligibility to access classified information\u2014illustrating the potential of its use for blackmail purposes.<\/p>\n EPIC and Enforce allege that Google both \u201cdirectly\u201d and \u201cindirectly\u201d provides foreign adversaries, including China, with \u201cextraordinarily sensitive\u201d commercial data concerning \u201cAmerica\u2019s leaders and sensitive defense personnel,\u201d while pointing the finger at Google as the predominant commercial entity behind a vast and widely ignored \u201cnational security crisis<\/a>.\u201d<\/p>\n \u201cGoogle\u2019s purported self-regulation cannot protect us,\u201d says EPIC senior counsel Sara Geoghegan, whose complaint points to restrictions on data broker deals cemented last year under a new federal law, the Protecting Americans\u2019 Data from Foreign Adversaries Act (PADFAA). According to Geoghegan, Google\u2019s advertising tools pose a unique national threat, one that Congress has specifically charged the FTC with eliminating.<\/p>\n Google\u2019s spokesperson Erica Walsh denies any wrongdoing on the part of the company, saying that, for instance, while Google\u2019s ad exchanges continue to accept business from Chinese companies, it has long since ceased sharing data with Russian entities. Last year, she says, Google introduced a new system designed to identify companies with ties to China in order to restrict the types of information they receive about US consumers. \u201cThis means we never share data tied to a specific user in the US for bid requests to those known entities,\u201d she says.<\/p>\n While the FTC has yet to introduce any cases based on PADFAA\u2014and also declined to comment for this story\u2014the law notably extends far beyond data that is merely \u201ctied to a specific user.\u201d Google and other US companies are now forbidden under law from providing companies with ties to hostile nations with any information that, no matter how anonymized, can be tied back to a specific user when combined \u201cwith other data.\u201d<\/p>\n China is reported to have the world\u2019s largest security and intelligence apparatus, employing a veritable army of hackers that have spent decades infiltrating US corporations and agencies to steal data, most recently compromising at least 11 of the nation\u2019s telecommunications networks.<\/p>\n \u201cIt would be a joke for the Chinese government to link a mobile ad ID to a person's name,\u201d says Sherman of Global Cyber Strategies.<\/p>\n Walsh notes that under Google\u2019s new rules, mobile IDs are automatically stripped from RTB data served to Chinese entities. Along with other identifiers, Google also redacts the location data of devices being served the ads, limiting what Chinese companies can see to the name of a city. Google will provide the URL of a web page or the name of an app that an American is using, it says, but only in real time.<\/p>\n To ensure compliance, Walsh says, Google employs an independent company to \u201cregularly\u201d audit its authorized RTB buyers. Google declined to reveal more about the audits, but its public documentation<\/a> suggests they are conducted at Google\u2019s expense, \u201cno more than once during each 12 month period.\u201d<\/p>\n Zach Edwards, a longtime advertising-industry researcher and senior threat researcher at cybersecurity firm Silent Push, says Google\u2019s efforts to limit the flow of data to China may ultimately have little effect. When a company wins a bid and its ad is served on a web page, he says, it becomes possible to acquire much of the same data that Google preemptively redacts, including a user's full IP address and detailed information about the device they are using. Chinese hackers have reportedly used this technique<\/a> in the past to execute malicious code on millions of users\u2019 devices\u2014a threat known as \u201cmalvertising.\u201d<\/p>\n \u201cRedacting the bid request is totally moot,\u201d Edward says. \u201cIf you take tens of millions of dollars from Chinese advertisers and don\u2019t blink at them buying every impression, they outbid everyone and are able to get on the page.\u201d According to recent reports, Chinese companies are spending \u201chuge sums<\/a>\u201d on ads targeting US consumers, netting major profits for Meta, X, YouTube, and similar Silicon Valley firms that dominate the digital advertising market. In a February 2024 earnings call, Meta said<\/a> that \u201cChina-based advertisers represented 10 percent of our overall revenue\u201d for 2023, which totaled $133 billion.<\/p>\n \u201cEven if Google were to change its practices and only initially broadcast RTB data to entities in the United States,\u201d EPIC\u2019s complaint says, the data would \u201cinevitably\u201d fall into foreign actors\u2019 hands. \u201cGoogle has no way to control what happens to the data that it broadcasts so freely,\u201d it alleges. This was also the contention of the organization that develops technical standards for the advertising industry. Known as the Interactive Advertising Bureau (IAB), the organization acknowledged<\/a> in 2018 that there is \u201cno technical way to limit the way data is used after the data is received by a vendor.\u201d<\/p>\n Foreign actors and private surveillance firms have been caught routinely exploiting RTB systems by creating shell advertising companies in order to access bid-stream data: information on users broadcast between the demand and supply sides of an RTB auction. In 2022, Adalytics, a digital ad analysis firm, published a report<\/a> alleging that Google was sharing RTB data with RuTarget, an ad-tech firm owned by Russia\u2019s largest state bank; activity that Google says it ceased<\/a> in response. In 2023, Bloomberg reported that, by operating its own demand-side platform, an Israeli surveillance company called Rayzone had gained direct access to Google\u2019s RTB data<\/a>.<\/p>\n