An ongoing investigation by the Irish Council for Civil Liberties has exposed how Google and IAB have continued to exploit EU and GDPR Law in sharing User Privacy Details with nearly 1,000 affiliated companies for further customer exploitation - and wholly without Explicit Consent as required by GDPR and EU Law.
It of course doesn’t help matters here that the UK’s regulator - the Information Commissioner’s Office (ICO) - has effectively placed itself on hiatus for the duration of the Covid-19 pandemic: "The ICO announced earlier this year that it had “paused” its investigation into the industry’s processing of internet users’ personal data — owing to disruption to businesses as a result of the COVID-19 pandemic."
In fact the only active case of significance seems to have been the British Airways one which was opened in September of 2018 and exposed an attack which is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
The ICO initially announced a record fine of £183,393,000, but on appeal this has been lowered, most recently to £20m, and with the full impact of Covid-19 on the airline industry BA’s lawyers might yet be able to wangle their way out of paying anything at all. In fact lots of fines have been threatened - but it seems that the vast majority have been dodged on appeal. As with any enforcement programme - if you don’t implement the penalties, then the perpetrators will be encouraged to carry on with and even ramp up their levels of exploitation.
At the root of the Irish investigation is Google and IAB's Real-Time Bidding (RTB) element - which is a core part of their Programmatic Advertising Solutions. This RTB system is automatically and insecurely sharing Personally Identifiable Privacy Details with around 1,000 affiliated companies that buy into those services.
These same RTB systems make around 120 billion data broadcasts each day - with no Explicit Consent obtained from the Privacy owners for sharing those details at all.
This same form of data exploitation has already been used to influence Polish Parliamentary elections, target victims of substance abuse, track people's movements during Covid-19 lockdown, and to profile Black Lives Matter protestors - all illicitly and wholly in flagrant violation of the law. And while we're all aware of the Facebook Cambridge Analytica scandal - still relatively few are aware of the very significant problems posed by Google in this regard.
Just three ad exchanges (OpenX, IndexExchange and PubMatic) have made around 113.9 trillion RTB broadcasts (info shares) in the past year.
The Internet Advertising Bureau (IAB) - which is also to a degree the arbiter and regulator for the online advertising industry - is actually wholly guilty of presiding over these evident advertising abuses. It rather undermines their credibility in trying to set up a new standard for cookie-tracking, given their lack of responsibility towards the end user, and would likely lead to further exploitation.
The Data Regulators and Commissioners seem to be wholly incapable of policing their areas of accountability in a suitably expedient or impactful manner. The glacial pace at which they react to flagrant ongoing exploitations means that the damage is multiplying on their watch - while they do little or nothing about it.
GDPR was always going to be a difficult challenge to monitor and regulate, and there of course would be some cases that slipped through the net. But nowadays it seems as if most everything is slipping through the net - and as a result those unscrupulous parties have sort of been given carte blanche to do their worst.
GDPR will only ever work if it is properly monitored and enforced - and the correct penalties dealt out to offenders - which really just doesn't seem to be happening at the moment.
A recent article on TechRadar revealed how the details of 186 million US voters had been discovered on hacker forums - including RaidForums.com. Security firm Trustwave was one of the first to validate this data breach, in which what is essentially the entire US Electorate Database was on sale to all and sundry for exploitation.
To put this in context, there were only 126 million ballots cast in the 2016 US election, which for a variety of reasons represented a 20-year low in turnout.
The leaked databases are said to contain a wealth of highly personal information, including names, addresses, age, gender, contact details and even political affiliation. It is another example of how the US administration has totally failed the electorate in counteracting known interference in the last and current election.
With data being used to illicitly influence and swing so many elections - it's more important than ever that enough is done to make the electoral process as safe and secure as possible. And we know that there has been interference in several recent elections including in the UK and USA - and the respective administrations have done nothing about it - in fact they have rather tried to bury the evidence.
In some ways it's all rather remarkable that governments don't seem to be doing anything to safeguard the election process. You would have thought it would have been one of their key responsibilities to protect their population from any untoward foreign interference!