Marketing companies have been discovered to utilize sensitive information gathered by Google Ads despite existing policies against this. They can use this to target increasingly specific segments of individuals.
A WIRED investigation into the inner workings of Google’s advertising ecosystem reveals that a wealth of sensitive information on Americans is being openly served up to some of the world’s largest brands despite the company’s own rules against it. Experts say that when combined with other data, this information could be used to identify and target specific individuals.
Display & Video 360 (DV360), one of the dominant marketing platforms offered by the search giant, is offering companies globally the option of targeting devices in the United States based on lists of internet users believed to suffer from chronic illnesses and financial distress, among other categories of personal data that are ostensibly banned under Google’s public policies.
Other lists of American users accessible for a price across the platform raise serious national security concerns, experts say, as they reveal data brokers striving to isolate millions of mobile devices carried by government workers—from US judges and military service members to executive agency staff and employees on Capitol Hill.
First reviewed by WIRED, an internal spreadsheet obtained from a US-based data broker shows the DV360 platform currently hosting hundreds if not thousands of restricted or otherwise sensitive “audience segments,” each containing a large tranche of data that points to countless mobile devices and online profiles of people in the US. The segments are generated not by Google, but by DV360 customers who upload them to the system, where others can use them to target ads at specific audiences.
Of course, state-sponsored actors can easily associate mobile IDs with real-world identities. There has been several instances where shell advertising companies were created to access Google’s bid-stream data.
Foreign actors and private surveillance firms have been caught routinely exploiting RTB systems by creating shell advertising companies in order to access bid-stream data: information on users broadcast between the demand and supply sides of an RTB auction. In 2022, Adalytics, a digital ad analysis firm, published a report alleging that Google was sharing RTB data with RuTarget, an ad-tech firm owned by Russia’s largest state bank; activity that Google says it ceased in response. In 2023, Bloomberg reported that, by operating its own demand-side platform, an Israeli surveillance company called Rayzone had gained direct access to Google’s RTB data.
Micro-targeting has gone way too far. It’s sad to see a lack of accountability in this space, especially regarding data brokers and the broader ad-tech industry.