36 comments

[ 3.0 ms ] story [ 81.6 ms ] thread
The linked paper goes into some of the more-technical details about how the multicast ad exchanges work. Very much worth a read. The number of avenues for capturing this information, legally or otherwise, is intense. Though I disagree with the conclusion of the paper that it's remotely fixable through abstract walls -- that's really just moving the goalpost.

https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidde...

It’s also irrelevant if one can cross reference just a few pieces of data: phone did, address, location geo associated known associates, multiple locations (school, work, home), demographic info, one can de-anonymize data relatively painlessly. And that is a lot easier if I’m targeting a single person and know some of those data points to start.

And how much of this applies to the companies that aren’t buying the data but generating it themselves?

RTB is just one vector of many, and while it’s useful to expose how much data is constantly leaking, it’s just the tip of the iceberg.

Well, yes. Yes.

The more we can understand this stuff, the better. Not many journalists are working on these issues, and it's nice to see it get more coverage by folk dedicated to it. I've personally had an exceptionally difficult time pitching this sort of story to outlets -- they want something big and juicy. But the reality of it all is boring, subtle and routine. Then made much worse by the army of lawyers who will argue to the bone about what "private" and "consent" means in the favor of privacy damning systems like what we see here.

How big and juicy do we need to get?

https://www.thebignewsletter.com/p/the-insufferable-bros-who...

You’d think someone like the ICIJ would be doing a panama-papers style expose, but I don’t know if there’s a trove of data to build on. It’s more of a business model than a conspiracy these days. As you say it’s boring and routine.

Yea the legal community is complicit and often actually actively involved in this entire transformation. There are quite a few law firms “in the game” that are data brokers themselves.

Googol's response is incredibly amusing. "The government can't be trusted with all that info! We have to cut them off! Only we can be trusted with all that info!"
(comment deleted)
Most companies seem to be of the opinion that spying is bad except when they're the ones doing it.
Most companies also have a professional and ethical obligation to protect the privacy of their users. With the advent of AI and LLM, it will be interesting to see how the field of ethics evolve in the coming years.
> Most companies also have a professional and ethical obligation to protect the privacy of their users.

Well, except companies don't tend worry about protecting the privacy of their users from themselves. That was pretty much my point.

Regardless, at least in the tech space, companies don't actually seem to take that professional and ethical obligation very seriously. Just look at how common it is for tech companies to sell their user's data or allow targeted ad companies in.

It feels as if there's some kind of scale at which this ethical obligation evaporates, and it's likely at that same scale where automated 'ban' rules are implemented where only in exceptional circumstances does any appeal reach the notice of a human.

There's probably some crossover at which respecting the privacy of the customer goes from being a positive differentiator in maintaining customer relationships to being an inhibitor to an additional non-trivial revenue stream.

This obligation comes, historically, second to the obligation to reward investors and is only considered in terms of “ratio” and return. They (corps) don’t actually “care” in the way a human with a heart may.

They only ever see numbers and a “fine” for instance is just a “cost.”

Exactly because spying, to a corporation, is a profit opportunity. They are built to see any opportunity in terms of ROI; spying using data, which is relatively cheap, is a great ROI.

Even if it is deplorable.

Theory being google doesn't directly possess the use of force against people.
Split functions enabling close collaboration between Government and private corporate defense contracts to create plausible arms-length deniability? They’d never do that.
This is political theatre. Goverment is a preferential customer for Google (and others).
This has been known for years. I’m not sure why it’s only now getting attention.

Section 702 was just renewed, so maybe it’s out the issue on people’s radar?

https://www.nationalreview.com/news/house-passes-annual-defe...

Until we have a privacy bill or rights or equivalent, attached to the individual, privacy will be exploited by every nation and business imaginable. And the efforts to try to make it more difficult to tap data without an warrant are asinine… all it does is push the databases to public/private partnership models, and these models can generally easily de-anonymize data by cross referencing data.

It’s strange to see an article on the subject published a month after the section 702 renewal, as if fisa and warrants weren’t the issue but commercial collection sources somehow are.

Besides… It’s not some big secret: the website is easily Googleable as is the deck.

http://isasecurity.org/patternz

https://sovsys.co/wp-content/uploads/2020/04/PATTERNZ-NATION...

AND Forbes also covered this exact system back in November of last year.

https://www.forbes.com/sites/emmawoollacott/2023/11/14/web-b...

The real scoop would be looking at how new AI systems are being used to mine this data. This is the real problem national security agencies have to solve: how to consistently gain useful and actionable insights at scale and decide what’s not worth paying attention to because the absolutely colossal volumes of data generates huge amounts of review.

Anyone know why this article is dropping now? Odd timing.

Semi rhetorical question: is it too late to introduce legislation protecting this kind of private data?

Discussion point one: is the industry profiting from gathering, shifting, mining, selling this data large enough that it would cause an employment problem for any country that may enact such legislation? (probably a much bigger problem for the US than any other country).

Discussion point two: is it likely that, even if the legislation doesn't have favouritism carve-outs for specific groups/companies, the industry would find ways around it, with the end game being: nothing changes.

I think gdpr style legislation can work - but the price (and purpose) would be making most types of surveillance capitalism illegal.

People can bug your house with fiber optics today, but only the government and perhaps your family can do it legally.

(comment deleted)
If you have an iPhone aren't you safe from this with tracking protections enabled (including iCloud Private relay)?
Although I don’t know for sure, I doubt the iPhone is safe from this.

Considering there were multiple zero days found within malware targeting Kaspersky employees recently, and the zero days used vulnerable secret api’s only known to Apple themselves, I would assume that Apple users (like myself) are not any more protected from anything.

Ah yea I guess when you get into nation state levels of defense I guess that makes sense, but as far as I can tell most laypersons using Apple's slightly above normal settings would be immune to this sort of thing by virtue of not being important enough for the amount of time it would take?

I'm sure the five eyes have some tool that could decrypt my iPhone's Keychain, but they're probably not gonna use that on some nobody who didn't pay his parking ticket.

You should read carefully the Apple TOS.
Why on earth would you assume that?
It's funny how Apple will add lots of privacy protections in Safari, but apps in their App-store have much more access to the users PII's.. They are always trying to nerf the web it seems
No. Not even remotely unfortunately.
(comment deleted)
So if I get it correctly, foreign spy company sign up for one of the many real time bidding ad networks, pretends to bid on many many adverts, and starts to de-anonymise ad bids - starts unpicking the 45 yo male who has a gym app that locates him next to the military base, but also drinks in the Wetherspoons pub on the base and visits the cycle-maniac website and suddenly you are tracking the colonel at the base

Every minute his own phone is telling everyone “looking at Facebook page on X, 25-35 male single

I did wonder how the data was exfiltrated out of FB or google - but it’s just published …

Facebook claims that unlike most services, they don't sell your data outside. Instead the advertiser comes to them saying 'show this ad to X target group', and all the matching is done internally by facebook, so it data never leaves facebook.

...that's the theory at least. In practice, afaik facebook does provide some informations about how the audience interacted with your ads.

So perhaps with enough effort and precise targetting you could effectively match given info to specific people? But dunno

Thank you for reposting this. I had forgotten how good a write up it was, and also just what social commentary about de-anonymization it is.

The relevant part for that is right here:

> EDIT: Facebook has since changed its policies and won’t allow you to market to any audience with less than 20 people. If you want to try this yourself, there’s a loophole. Let’s say you want to target one of your guy friends, add his email to a .CSV along with the emails of 19 female friends before uploading it to Facebook. You can then target anyone in that custom audience who is also male (thus eliminating the 19 women and effectively targeting a single person).

This is the problem with audience segmentation. While there has been a lot of emphasis on protecting the export of audiences to disable bad actors and their use cases, it doesn’t apply to the data brokers themselves. So, the whole system of a data brokerage is available to anyone who owns a data brokering business or consumes raw data from DMPs and other data providers: a use case I am sure is used by threat actors.

Good comment!

In that sense, Facebooks way feels better.
I'm just hearing more reasons to push for proper Linux on phones and to be extremely sceptical of installing apps full of ads from corps.

You wouldn't have installed a dedicated app for some specific site on your PC twenty years ago, but that's it now normalized is really weird. BonziBuddy, anyone?

The less proprietary crap installed, the better.