Malvertising and consumer privacy

Jamie Moles at ExtraHop explains how opaque ad bidding makes firms unwitting spies

The internet runs on advertisements, and the rise of ad blockers has forced many large websites to shift to subscription models and other forms of revenue generation. 

However, for the majority of websites, hosting ads is the primary way to recoup costs. The infrastructure that makes this possible has elevated companies like Google and Facebook into some of the largest firms in the world, with their main product being users’ attention. 

At the heart of this infrastructure are real-time bidding (RTB) platforms, technology that facilitates the programmatic buying and selling of digital advertising. These processes are almost entirely removed from regular users, and increasingly humans, with bots bidding and placing advertisements based on the anonymised data that ad providers collect.

These tools are designed to make sure ads are targeted effectively, but they have the potential for exploitation. 

A recent espionage case has shown how, despite the anonymised nature of the data, bad actors can focus their ad delivery on individuals of interest. The ad buyer specifies the target audience for an advertisement to such an extent that the target audience could only contain one person. 

If you have some simple information, such as place of work, age and interests, it is enough to survey an individual almost full-time. While the ad platform will never give a name, it is so specific that it could only be one person. 

This Personally Identifiable Information (PII) data can then be used to track movements and associations remotely. The threat for users is that their privacy is being directly threatened. For businesses, the threat is that advertising networks are being used for open spying, and this may eventually lead to the collapse of the business model that supports their site. In addition, hackers that aren’t interested in using ad bidding for espionage can still abuse these networks to deliver malware.

Hidden powers of ad-bidding platforms

Cookies, while finally on the way out, remain one of the most common tracking devices. These bits of code stick with users across sites and sessions, gathering data on browsing activity.

However, location data via GPS and network triangulation also allows for gathering insights on user movements over time, as well as the targeting of hyper-local ads. Fingerprinting browsers and devices via screen sizes, operating systems, and other signals enable users to be followed across multiple browsers and gadgets. 

More sophisticated hackers are now connecting these techniques to build detailed user profiles and targets across platforms. Data brokers match cookies and ad IDs across smartphones, laptops and smart TVs, enabling cross-device tracking, whilst sophisticated algorithms infer demographics and interests, pigeonholing users into categories attractive to advertisers, whether they like it or not. 

Real-time bidding now auctions off user data for instant ad targeting based on their activity in that precise moment. Far more than showing relevant ads, this transforms web browsing into a platform for real-time behavioural monitoring of citizens on a vast scale. 

Though awareness is growing, the average consumer remains largely ignorant of these practices. As digital advertising marches on unfettered, urgent questions remain about the ethics and privacy implications of corporate surveillance. Users are right to demand transparency, choice and consent, in an ecosystem where their data is harvested and sold to the highest bidder.

Policymakers also have a duty to shape stricter regulation around what is acceptable in ad tech’s data free-for-all. Failing to do so risks normalising a culture of ubiquitous yet hidden tracking that users neither comprehend nor meaningfully consent to.

Staying off the advertising radar 

As online advertising grows ever more invasive, many feel uneasy at the extent of surveillance by faceless firms tracking their every move. While accepting ads as the price for free online services, users still value privacy and wish to limit the reach of advertisers into their digital lives.

A number of techniques can help reclaim some control over privacy from the ad tech juggernauts. Ad blockers are a first line of defence. Software like uBlock Origin prevents many ads and tracking scripts from loading on pages visited. Disabling cookies from advertiser domains in browser settings is another step, preventing the storage of browsing history across sites. 

For the privacy-conscious, so-called anti-tracking browsers offer stronger safeguards by default, blocking hidden trackers that lurk across the modern web. Options like Brave and Firefox Focus aim to neuter the snooping capacity of advertisers at the network level. A similar protection applies to using VPN services, which mask one’s IP address and location.

However, Brave itself has come under scrutiny for its cryptocurrency system, which trades privacy and advertising time for a currency of dubious value.

Location, location, location

Even without enterprise-grade tools, there are still steps individuals can take to protect themselves. Switching off location services on smartphones prevents apps and platforms from tracking user movements unless strictly necessary, although this can interrupt functionality for maps and other location-dependent services.

Opting out of real-time bidding, where data is auctioned off to target ads in real time, is another approach on platforms that permit it. Where possible, disabling personalised ads also limits profiling. There are services available that periodically search for data mining sites and submit data deletion requests on your behalf; for the most privacy conscious users, these more than merit the fee.

More broadly, minimising account logins across sites restricts advertisers’ ability to connect the dots between browsing sessions to build unified profiles. Frequently clearing cookies and cache also helps remove tracking objects websites have already stored. And private browsing modes, while far from foolproof, make tracking more difficult compared to normal browser windows.

While inconvenient, making such privacy-preserving measures routine makes life harder for the unseen data miners of the advertising world. For those who value their privacy, these tips, while onerous, are integral to protecting yourself from bad actors.

Most individuals are aware that modern technologies make their lives less private. Mobile advertising has highlighted that phone microphones are no longer just for making calls; the wealth of data they collect has become a threat to safety and liberty. 

You might be okay with Meta knowing you want to take a skiing holiday, but shady government backed entities knowing which resort you are staying at is a step too far.

Jamie Moles is Senior Technical Manager at ExtraHop

Main image courtesy of iStockPhoto.com