Google faces security complaint over real-time bidding data practices

FTC urged to investigate Google's RTB system for sharing Americans' sensitive data with foreign adversaries under new law.

Two prominent privacy organizations filed a formal complaint with the Federal Trade Commission on January 16, 2025, alleging that Google's real-time bidding (RTB) system exposes sensitive data about Americans to foreign adversaries. The Electronic Privacy Information Center (EPIC) and the Irish Council for Civil Liberties (ICCL) Enforce unit submitted the first-ever complaint under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA).

According to the complaint, Google's RTB system operates on 35.4 million websites, 91% of Android apps, and 75% of iOS apps. The system processes bid requests containing detailed personal information during automated advertising auctions that occur in under 100 milliseconds whenever users load web pages or applications.

Internal Google communications reveal that senior executives, including CEO Sundar Pichai, were aware of security vulnerabilities in the RTB system for at least a decade. The complaint cites a 2014 internal discussion where a senior Google executive questioned whether bidders were reselling data, concluding that determining what buyers do with transmitted data was "tough because we mostly send data, not ingest."

The technical specifications detailed in the complaint show that Google's RTB system shares multiple types of identifying information:

  • Exchange-specific user IDs meant for retargeting
  • Buyer-specific user IDs enabling profile updates
  • Mobile advertising identifiers (MAIDs)
  • Publisher-provided identifiers
  • High-precision location data
  • Detailed device information

Security researchers discovered that this data reveals sensitive characteristics about individuals, including:

  • Employment with military and intelligence agencies
  • Work in defense logistics and procurement
  • Service as judges or national security decision makers
  • Health conditions and medical treatments
  • Financial status and difficulties
  • Political views and activities
  • Religious affiliations
  • Sexual orientation

The complaint points to Google's own documentation showing it maintains a public list of 2,365 certified companies that receive RTB bid requests. This list includes multiple companies based in foreign adversary countries, with twelve companies having "Beijing" in their names. Additionally, Google lists "Shenzhen Tencent Computer Systems Company Limited" as a certified recipient.

According to Department of Justice estimates cited in the complaint, Google dominates the RTB market with 87% of the U.S. publisher ad serving market and 88% of the ad buyer market. The system broadcasts data about United States individuals approximately 31 billion times per day.

The organizations argue that Google violates PADFAA by functioning as a data broker that transfers personally identifiable sensitive data to foreign adversaries both directly and indirectly. The law prohibits data brokers from making such transfers to North Korea, China, Russia, Iran, or entities controlled by these nations.

The complaint requests that the FTC:

  • Impose civil penalties
  • Halt Google's sharing of personally identifiable sensitive data with foreign adversaries
  • Require removal of identifying data fields from RTB protocols
  • Implement ongoing monitoring through random sampling of bid requests
  • Mandate effective data protection programs with FTC oversight
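
To make the field-removal and sampling remedies concrete, the following added example (not code from the complaint, Google, or the FTC) audits a bid request for the identifier categories listed earlier and produces a minimized copy. The field paths follow the public OpenRTB 2.x object model, which is an assumption since the article names categories rather than fields; the function names, the one-decimal location policy, and the sample request are constructed for illustration.

```python
import copy
import random

# Assumed mapping: the page's identifier categories -> OpenRTB 2.x field paths.
IDENTIFYING_FIELDS = {
    ("user", "id"): "exchange-specific user ID",
    ("user", "buyeruid"): "buyer-specific user ID",
    ("user", "eids"): "publisher-provided identifiers",
    ("device", "ifa"): "mobile advertising identifier (MAID)",
    ("device", "ip"): "device information (IP address)",
    ("device", "ua"): "device information (user agent)",
}
GEO_DECIMALS = 1  # assumed coarsening policy, roughly an 11 km grid

def audit_bid_request(req):
    """List (field path, category) for every identifying field still present."""
    found = [(f"{obj}.{key}", cat) for (obj, key), cat in IDENTIFYING_FIELDS.items()
             if req.get(obj, {}).get(key) not in (None, "", [])]
    geo = req.get("device", {}).get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo and round(float(geo[axis]), GEO_DECIMALS) != geo[axis]:
            found.append((f"device.geo.{axis}", "high-precision location"))
    return sorted(found)

def minimize_bid_request(req):
    """Return a copy with identifying fields dropped and location coarsened."""
    out = copy.deepcopy(req)
    for obj, key in IDENTIFYING_FIELDS:
        out.get(obj, {}).pop(key, None)
    geo = out.get("device", {}).get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(float(geo[axis]), GEO_DECIMALS)
    return out

def audit_random_sample(requests, k, seed=None):
    """Audit k randomly chosen requests; return {request id: findings} for failures."""
    picked = random.Random(seed).sample(requests, min(k, len(requests)))
    return {r.get("id"): f for r in picked if (f := audit_bid_request(r))}

# Constructed sample bid request (not real traffic).
SAMPLE = {
    "id": "req-1",
    "user": {"id": "exch-123", "buyeruid": "buyer-456",
             "eids": [{"source": "publisher.example", "uids": [{"id": "ppid-789"}]}]},
    "device": {"ifa": "00000000-1111-2222-3333-444444444444", "ip": "203.0.113.7",
               "ua": "ExampleBrowser/1.0", "os": "Android",
               "geo": {"lat": 38.889805, "lon": -77.009056}},
}
```

A request that passes `audit_bid_request` with an empty result still carries contextual fields such as the operating system, so the check covers only the identifier categories above, not every re-identification path.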

In a related development, the Dutch Government's 2024 cybersecurity assessment specifically identified RTB as a national security threat, noting that "state actors can also be part of data trade through front companies."

The complaint follows previous concerns raised by U.S. lawmakers. In July 2020, ten members of Congress urged the FTC to investigate RTB privacy violations. In April 2021, six senators requested that advertising exchanges, including Google, disclose which foreign firms received Americans' RTB data.

The FTC recently took action against another company, Mobilewalla, for violations related to RTB data collection. In that case, the commissioners in the majority cited the risks of foreign adversaries gathering sensitive data on Americans through the advertising technology ecosystem.