  1. Wolfie Christl (wchr@mastodon.social)'s status on Wednesday, 15-Nov-2023 05:24:07 JST
    • Johnny Ryan

    As part of a new report on digital advertising as a security threat published today by @johnnyryan and me (https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf), and previously unreported:

    We reveal 'Patternz', a global mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.

    Patternz is operated by a company based in Israel and/or Singapore. It claims to collect data about 5 billion users from 87 ad exchanges and SSPs via 6 data centers around the world.

    Thread:

    In conversation Wednesday, 15-Nov-2023 05:24:07 JST from mastodon.social permalink

    Attachments


    1. https://files.mastodon.social/media_attachments/files/111/410/560/127/870/655/original/34b1f3e395c96809.png

    • Aral Balkan repeated this.
    • Wolfie Christl (wchr@mastodon.social)'s status on Wednesday, 15-Nov-2023 05:24:51 JST

      Some time ago, I came across this website, which describes Patternz as an 'advertising-based intelligence platform' offered by ISA Security, an Israeli firm:
      http://isasecurity.org/patternz
      https://web.archive.org/web/20210622100652/http:/isasecurity.org/patternz

      Here's another publicly available doc from Sovereign Systems, a Singapore-based firm with offices in UAE, New Zealand and Ireland, which also describes Patternz:
      https://sovsys.co/wp-content/uploads/2020/04/PATTERNZ-NATIONAL-SECURITY-PATTERN-DETECTION.pdf
      https://web.archive.org/web/20231003181009/https:/sovsys.co/wp-content/uploads/2020/04/PATTERNZ-NATIONAL-SECURITY-PATTERN-DETECTION.pdf

      In addition, I received internal docs from the company.

      In conversation Wednesday, 15-Nov-2023 05:24:51 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/410/618/384/085/521/original/7265d70462785478.png



      Aral Balkan repeated this.
    • Wolfie Christl (wchr@mastodon.social)'s status on Wednesday, 15-Nov-2023 05:25:30 JST

      Here's how Patternz can be used to monitor and profile individuals based on data from digital advertising.

      The 'dashboard' shows detailed information about a person based on 5,273 activity records.

      The profile includes the person's location history, home address, work location, information about 'people nearby', 'co-workers' and even 'family members', device details, demographic information, 'profile keywords' and 'hobbies and interests' (the latter of which may refer to RTB segment info).

      In conversation Wednesday, 15-Nov-2023 05:25:30 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/410/630/248/192/937/original/3c17331596775421.png
      Aral Balkan repeated this.
    • Wolfie Christl (wchr@mastodon.social)'s status on Wednesday, 15-Nov-2023 05:26:06 JST

      Most digital advertising today is based on real-time bidding (RTB), which involves uncontrolled data flows to many entities who bid on user profiles.

      Patternz claims to operate a "fully commercial and operational AdTech arm that actually trades in media" to obtain the data. It claims to have "extensive knowhow of operating a Realtime bidding platform for the last 5 years".

      An earlier version of its website named Google, Yahoo and adtech firms like MoPub, AdColony, OpenX as data sources (!).

      In conversation Wednesday, 15-Nov-2023 05:26:06 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/410/686/876/752/367/original/d387ce1599f7a915.png
      Aral Balkan repeated this.
    • Wolfie Christl (wchr@mastodon.social)'s status on Wednesday, 15-Nov-2023 05:26:41 JST

      I've seen internal Patternz docs which describe the IAB's OpenRTB protocol in digital advertising in detail.

      These docs, which I cannot publish, also explain that mobile phones are 'always with the users', who 'grant apps access voluntarily', which is why the smartphone becomes a 'de-facto tracking bracelet'.

      The publicly available docs emphasize that the Patternz system can also be used for offensive purposes by sending "targeted messages, ads or trojans directly through the AdTech stack".

      In conversation Wednesday, 15-Nov-2023 05:26:41 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/410/729/346/924/950/original/9b3e6a62142ff9ae.png
    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:36 JST

      Ok, received a tip. It appears that 'Patternz' is closely affiliated or even identical to NUVIAD, an Israeli adtech firm, DSP and consumer data broker.

      ...not only because of the apparent similarity of their promotional materials:
      https://web.archive.org/web/20200511011617/https://nuviad.com/

      In conversation Thursday, 23-Nov-2023 08:01:36 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/411/633/105/158/038/original/5c15913e724dad2c.png
    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:36 JST

      In 2020, Nuviad listed the following surveillance advertising companies as data sources:

      Google, MoPub (back then owned by Twitter), AOL/Yahoo, Smaato, OpenX, Amobee, Pulsepoint, Rubicon, Inneractive/Fyber (Digital Turbine), Avocarrot/MobFox (Glispa, Germany), Axonix, Altitude Digital, Opera Mediaworks.
      https://web.archive.org/web/20200511011617/https://nuviad.com/

      As of today, Google lists Nuviad as a vendor "eligible to receive bid requests compliant with US states privacy laws", i.e. sends data to them:
      https://support.google.com/adsense/answer/10634320?hl=en

      In conversation Thursday, 23-Nov-2023 08:01:36 JST permalink

    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:36 JST

      Some more pointers.

      In 2017, the president of NUVIAD joined the board of Ability Inc. (https://sec.gov/Archives/edgar/data/1652866/000121390017005243/f6k051517ex99i_abilityinc.htm), a spytech vendor that specialized in tapping phones via SS7 (https://forbes.com/sites/thomasbrewster/2017/09/27/ability-inc-ss7-hackers-fail-to-sell-surveillance/), which then soon went down (employee arrests, NASDAQ delisting).

      The CEO of Singapore-based Sovereign Systems, who sells Patternz according to its website, is quoted to have said that Sovereign Systems was a "front" for Israeli spytech firm PICSIX (https://haaretz.com/world-news/asia-and-australia/2021-02-02/ty-article/bangladesh-bought-israeli-spytech-despite-lack-of-ties-al-jazeera-reports/0000017f-e096-d568-ad7f-f3ffe6e90000, https://pic-six.com).

      In conversation Thursday, 23-Nov-2023 08:01:36 JST permalink

    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:37 JST

      As such, the digital advertising industry systemically enables the worst possible kind of decontextualized misuse of everyone's personal information.

      In Europe, GDPR enforcement has failed. Otherwise, uncontrolled personal data sharing via the RTB bidstream would have been shut down years ago. GDPR regulators must take action now, start a high-priority investigation, mandate processing bans.

      In conversation Thursday, 23-Nov-2023 08:01:37 JST permalink

    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:37 JST

      RTB undermines the privacy and data rights of billions of people, and it undermines trust in digital technology at large.

      RTB is also a national security threat, because of course the data sharing doesn't stop for political leaders, sensitive personnel, military staff and their families.

      In our report published today we call for the European Commission, ENISA and EEAS to take action:
      https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf

      We also call for the US FTC and Congress to take action:
      https://www.iccl.ie/wp-content/uploads/2023/11/Americas-hidden-security-crisis.pdf

      In conversation Thursday, 23-Nov-2023 08:01:37 JST permalink

      Attachments



      1. https://files.mastodon.social/media_attachments/files/111/410/995/864/776/613/original/6cddf1846f9d8881.png

      2. https://files.mastodon.social/media_attachments/files/111/410/996/464/136/353/original/1512351b9bd2108b.png


    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:38 JST

      It was a deliberate decision to create the RTB advertising system in this bad way, and even worse, the data industry has since then been fighting hard to keep it running, for years, at any cost, from lobbying policymakers to trying to delay GDPR enforcement.

      Anyway, thousands of adtech firms and a much larger number of publishers and advertisers have NO CONTROL over who they share personal data with.

      Which means they cannot have a legal basis to do so under the GDPR. Which means it's illegal.

      In conversation Thursday, 23-Nov-2023 08:01:38 JST permalink
    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:38 JST

      To my knowledge, this 2020 Forbes article provided evidence for the first time that a firm who sells surveillance tech to governments was running its own DSP to harvest personal data from RTB bid requests in digital advertising. There was not a lot of detail, but it has been a known issue for years:
      https://www.forbes.com/sites/thomasbrewster/2020/12/11/exclusive-israeli-surveillance-companies-are-siphoning-masses-of-location-data-from-smartphone-apps/

      Of course, it's ridiculous to believe that only 'Western' state actors would access RTB bidstream data. I'm sure several state and malicious actors do.

      In conversation Thursday, 23-Nov-2023 08:01:38 JST permalink

    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:39 JST

      Although we cannot verify their claims, the docs and web sources suggest that Patternz turns the intrusive global surveillance infrastructure that has been built for digital advertising into a system for mass and targeted surveillance for national security agencies, and perhaps also other actors.

      It's now the best-documented example of how personal data that is routinely processed to provide consumer services and digital advertising can be exploited for completely unrelated purposes at scale.

      In conversation Thursday, 23-Nov-2023 08:01:39 JST permalink

    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:01:39 JST

      The commercial data industry is complicit. Google, the IAB, adtech firms, data brokers, publishers and advertisers are complicit.

      Whenever someone visits a website or uses a mobile app that displays digital ads, profile data is broadcasted to dozens or hundreds of companies and other entities in uncontrolled ways.

      This occurs billions and billions of times a day. Billions of people are affected globally, hundreds of millions in Europe.

      (see our report: https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf)

      In conversation Thursday, 23-Nov-2023 08:01:39 JST permalink

      Attachments



      1. https://files.mastodon.social/media_attachments/files/111/410/832/704/445/665/original/6d5261497b5dd616.png
    • Wolfie Christl (wchr@mastodon.social)'s status on Thursday, 23-Nov-2023 08:02:15 JST

      Xandr/Microsoft also lists Nuviad as a "partner which may receive Platform Data":
      https://docs.xandr.com/bundle/service-policies/page/third-party-providers.html

      Here's Nuviad boasting about '2.5 billion user profiles' and 'analyzing over 700k ad opportunities every second'. From an Amazon AWS event in 2018:
      https://de.slideshare.net/AmazonWebServices/success-has-many-query-engines-tel-aviv-summit-2018

      In conversation Thursday, 23-Nov-2023 08:02:15 JST permalink

      Attachments


      1. https://files.mastodon.social/media_attachments/files/111/420/098/611/682/349/original/4b245c9717025471.png

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.