Nearly every second of the day the sensitive private data of Australians is exposed to hundreds of unknown third-party actors as part of a shady targeted advertising scheme that is putting individuals at risk of scams and jeopardising national security, according to a new report.

A report by ResetTech investigated the practice of real-time bidding (RTB), an online system that sees virtual auctions instantly performed every time a user visits a website or app to determine what ads are served to them.

The report found there are virtually no rules on who can access this personal data, and that it is potentially accessible by hackers and foreign states.

“A huge number of entities receive extraordinarily sensitive RTB data about Australians, and there is no way to control what they then do with the data,” the ResetTech report said.

“This creates an enormous free-for-all of very sensitive data about everyday Australians.”

The data shared during the RTB process includes location data, movements over time, sexual interests, financial concerns, banking and utility providers, personal problems, and recent online purchases.

“Your location and other attributes about you, where you go and what you do online is broadcasted hundreds of times daily to countless unknown companies,” a foreword to the report by Electronic Frontiers Australia said.

“This isn’t science fiction; it’s the chilling reality of RTB where deeply personal details about Australians, including financial health, shopping habits and even health issues, are constantly broadcasted in a digital free-for-all auction, to bombard you with precisely targeted ads when online.

“All without your knowledge and express consent.”

These RTB auctions are run by ad-exchange companies such as Google or Microsoft. They provide troves of consumer data to advertisers to help them determine which ad space they should bid on.

According to the report, Google has listed more than 2,000 entities that it may share this user data with in RTB auctions in Australia, while Microsoft said that more than 1,600 firms can access data.

‘Dirty little secret’

On average, the RTB system broadcasts where a person is in Australia to such an entity 449 times each day, the report found.

“The nature of the RTB process is a dirty little secret that has flown under the public radar for too long,” ResetTech Australia executive director Alice Dawkins said.

“We hope with this report…we can encourage public debate on this pernicious market none of us signed up for.”

This data is highly targeted and personal.

One such dataset investigated in the report had more than 17,500 unique data categories about Australians up for grabs, including people who “overeat to cope with stress”.

The transfer of this data puts individuals at a much-heightened risk of being scammed, according to ResetTech, as nefarious online actors may be able to access specific information on individuals.

For example, a scammer may be able to find out what bank an individual uses to then personalise a phishing text message to them.

“Data about potential victims is key to scamming networks, and much of the data made available about Australians via the RTB process creates vulnerabilities,” the report said.

The report also raised significant concerns that the RTB process could see the personal data of Australians, such as their locations, handed over to foreign states.

Google and Microsoft have confirmed that they provide RTB data to China-based companies, and these firms are subject to national security laws that require them to hand over data to the government upon request.

“The RTB system provides both Chinese and Russian state actors with a secure pipeline to access data about everyday Australians if they want,” the ResetTech report said.

ResetTech pushed for the looming reforms to the Privacy Act to address these concerns, and to reform the RTB system and the process of obtaining clear consent from users.

The collection of location data on users by large tech firms has been controversial for several years.

In 2021, Google was fined $60 million after it lost a Federal Court case that found it had misled the owners of 1.3 million Android devices in Australia about how they could stop their phones from tracking their locations.