Data about consumers that's compiled and exchanged by ad tech companies engaged in real-time bidding could pose a national security risk, a group of U.S. senators say in letters to AT&T, Google and other companies.
“Few Americans realize that some auction participants are siphoning off and storing 'bidstream' data to compile exhaustive dossiers about them,” Sens. Ron Wyden (D-Oregon), Bill Cassidy (R-Louisiana), Kirsten Gillibrand (D-New York), Mark Warner (D-Virginia), Sherrod Brown (D-Ohio) and Elizabeth Warren (D-Massachusetts) write. “This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”
The lawmakers add: “As Congress debates potential federal privacy legislation, we must understand the serious national security risks posed by the unrestricted sale of Americans’ data to foreign companies and governments.”
The letters were sent late last week to nine companies, including AT&T, Google, Twitter and Verizon.
The letter comes around seven months after Wyden, Cassidy and other senators asked the Federal Trade Commission to investigate the practices of ad-tech companies and data brokers engaged in real-time bidding.
Wyden and the others are now asking the companies for detailed information about their real-time bidding platforms, including “the specific data elements about users, their devices, the websites they are accessing, and apps they are using” that are provided to auction participants.
Wyden and the others are also asking the letter recipients how they enforce contractual obligations on recipients of bidstream data, and to identify any foreign-owned company that received bidstream data about U.S. users.
An AT&T spokesperson says the company received the letter and will respond, adding that AT&T has "thorough processes in place to protect the data referenced in the letter."
A Google spokesperson says the company never sells people's personal information, and that all ad buyers using its systems “are subject to stringent policies and standards, including restrictions on the use and retention of information they receive.”
Privacy advocates and tech companies often have different definitions of “personal information,” as well as “sale.”
Consumer advocates often argue that data that can potentially be traced back to identifiable individuals should be considered personal, including the type of pseudonymous information the ad-tech industry relies on for ad targeting.
But tech companies tend to say pseudonymous data, like device identifiers or IP addresses, aren't in themselves personal information. Tech companies also often contend that not all data transfers should be considered sales.
The lawmakers have given the companies until May 4 to respond.