By Patience Haggin
A bipartisan group of lawmakers is asking questions about the inner workings of digital advertising amid worries the industry's user-targeting capabilities could pose a threat to national security.
When anyone loads a webpage, a digital-ad auction occurs in seconds to determine which personalized ads the person will see. During that auction, the user's personal data -- including location, browsing history and demographic details -- may be sent to hundreds of companies bidding on the ad slots. The barriers to join these auctions are low, and any company participating in the auction can access user information without having to bid.
On Friday, a group of U.S. senators led by Senate Finance Committee Chairman Ron Wyden (D., Ore.) sent a letter to the largest companies running these auctions -- AT&T Inc., Index Exchange Inc., Alphabet Inc.'s Google, Magnite Inc., OpenX Software Ltd., PubMatic Inc., Twitter Inc. and Verizon Communications Inc. -- asking them what steps they take to make sure companies joining the auctions do so for the sole purpose of buying ad slots.
They also asked the companies to provide the names of all foreign clients who had access to user data through auctions over the past three years.
"As Congress debates potential federal privacy legislation, we must understand the serious national security risks posed by the unrestricted sale of Americans' data to foreign companies and governments," the senators said in the letter, a copy of which was reviewed by The Wall Street Journal. Beyond Sen. Wyden, the letter was signed by Sens. Kirsten Gillibrand (D., N.Y.), Sherrod Brown (D. Ohio), Bill Cassidy (R., La.), Mark Warner (D., Va.) and Elizabeth Warren (D., Mass.).
The information gathered during the ad-auction process -- known in the industry as "bidstream" data -- can be packaged by data brokers, which resell it to companies and governments. Even though all user information available through these auctions is anonymized, it is possible to identify specific individuals by cross-referencing it with other data.
Political campaigns, for instance, have successfully paired location data with voter files to advertise to individuals who have attended certain rallies.
Federal agencies have purchased this personal data and used it to track down suspects without seeking warrants. The nation's Defense Intelligence Agency, the Department of Homeland Security and the Internal Revenue Service have used this data -- without a warrant -- to monitor the locations of individuals through their mobile devices.
"The United States is not the only government with the means and interest in acquiring Americans' personal data," the senators wrote in the letter. "This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns."
Several U.S. government agencies have warned that foreign actors could use data gathered from these auctions to spy on users who work for the military and intelligence community. Last year, the National Security Agency advised military and intelligence-community personnel to disable location-sharing services and turn off advertising permissions on their mobile devices.
Many companies accessing user data during auctions do so under contractual agreement that they won't use the data for any purpose other than bidding on and delivering the ad. In the letter, the senators asked the ad-auction companies how they enforce those contractual restrictions, and requested a list of all companies to whom they had provided data in the past three years who weren't under such restrictions.
In addition, the lawmakers requested a list of every foreign-headquartered or foreign-majority-owned company to whom the ad-auction operators had provided bidstream data in the past three years. They asked the eight companies to answer their questions by May 4.
In a statement Friday, an Index Exchange spokeswoman said the company voluntarily abides by high industry standards. "We look forward to our active involvement in this important process with the US Senate as we continue to evaluate the requests for information outlined," the spokeswoman said.
"PubMatic has been at the forefront of consumer privacy and transparency initiatives and is committed to the promotion of integrity in the digital advertising ecosystem," a spokesman for the company said.
An AT&T spokesman said, "We received the letter and will respond as requested, but we have thorough processes in place to protect the data referenced in the letter."
A Google spokeswoman said the company never sells people's personal information. "And all ad buyers using our systems are subject to stringent policies and standards, including restrictions on the use and retention of information they receive," she said.
A Twitter spokeswoman said the company had received the letter and intended to respond.
Magnite and Verizon didn't respond to requests for comment. OpenX didn't provide comment.
Write to Patience Haggin at email@example.com
(END) Dow Jones Newswires
April 02, 2021 17:57 ET (21:57 GMT)Copyright (c) 2021 Dow Jones & Company, Inc.