A new report warns that the personal data of Australia’s national security officials is at risk of being sold to foreign entities, prompting calls for urgent action from the federal opposition.
The investigation, conducted by the Irish Council for Civil Liberties (ICCL), highlights how the online advertising industry is exposing sensitive personal details of Australian politicians and intelligence personnel, leaving them vulnerable to blackmail and hacking. The report explains how the Real Time Bidding (RTB) system sells detailed, and sometimes compromising, data to thousands of businesses globally, some of which have ties to foreign governments and non-state actors.
This data could include sensitive information such as gambling habits, bankruptcy status, sexual preferences, mental health conditions, physical health issues, precise location data, and even daily commuting routes.
Led by Dr. Johnny Ryan, the ICCL research underscores that both Google and Microsoft send Australian RTB data to numerous companies in China, which are required by law to share this information with the Chinese government if requested.
“Google has a public list of over 2,000 companies it can send RTB data about Australians to, and on that list, 12 companies have ‘Beijing’ in their name,” Dr. Ryan said.
“Now, there are many other Chinese companies on that list, which is a clear indication of just how overt this is,” Dr. Ryan said.
Google responded to the ABC, clarifying that it does not directly sell RTB data to thousands of companies. However, the “authorized buyers” list it shared with the ABC did include several Chinese firms.
Opposition Home Affairs spokesman James Paterson expressed concern, stating, “These revelations are deeply disturbing, but sadly not surprising.”
“Our intelligence agencies have been warning us for some time that foreign interference and espionage are at record levels, with the Chinese Communist Party (CCP) being the primary culprit.”
How personal secrets can become public property
The Real Time Bidding (RTB) system is responsible for determining the personalized ads you see whenever you browse online.
Each time someone opens a webpage or app, an automated auction is instantly triggered for every available ad slot on their screen. To personalize these ads, an intricate network of advertising companies gathers user data, such as browsing history and precise location, to craft and sell psychographic profiles of their preferences and personal details, similar to the methods used by Cambridge Analytica.
“[The RTB system] operates 24/7, sending information about what an Australian is reading, watching, and where they are approximately 449 times a day,” explained Dr. Ryan, adding that the actual figure is likely higher since data from Meta and Amazon could not be analyzed by the researchers.
RTB segments users into hundreds of thousands of categories, capturing everything from political views and mental health status to whether they are survivors of sexual abuse or simply prefer Fanta over Sprite.
“We discovered that this data was available for purchase when we posed as a business attempting to buy it,” Dr. Ryan added.
In addition to classifying internet users based on their beliefs, backgrounds, and preferences, RTB data also targets their professions.
“We identified decision-makers in political organizations and individuals working in sectors such as ‘aerospace and defense,’ ‘defense, logistics, and transport,’ and even ‘military spouses and families,’” Dr. Ryan explained.
The ICCL’s research focused specifically on RTB data provided by Google. In response, Google stated that it neither provides nor infers sensitive personal information in RTB data, and its policies instruct buyers not to use any sensitive data that may be provided.
A Google spokesperson criticized the ICCL’s findings as misleading and inaccurate, stating, “To protect people’s privacy, we have the strictest restrictions in the industry regarding the data shared in real-time bidding.”
The spokesperson further emphasized, “Our real-time bidding policies and technical safeguards simply don’t allow bad actors to compromise people’s privacy and security.”
Anonymous unless in the wrong hands
RTB data may not include a person’s name or contact details, but researchers warn that the information is so detailed that skilled operators can easily identify individuals.
“What makes it so dangerous is the presence of a unique ID code—a very long string of numbers and letters—which is specific to each individual,” Dr. Ryan explained.
This unique ID allows RTB clients to perform “long-term monitoring and dossier building” on anyone in the dataset.
“Keep in mind,” Dr. Ryan added, “if your location is being shared several times per minute throughout the day, it becomes clear where you sleep, where you work, which medical clinics you visit, or which religious buildings you frequent.”
Signs ad data is already being used by foreign intelligence
There is evidence suggesting that intelligence agencies are already leveraging RTB data. A declassified report from the U.S. Director of National Intelligence outlines how U.S. agencies make use of this data.
One example cited in the report is the commercial surveillance tool “Patternz,” which claims to have created profiles for 5 billion people. According to its marketing materials, the company “helps national security agencies detect audience patterns and user behavior using digital advertising, data mining, and analytics.”
“It’s essentially a surveillance system,” Dr. Ryan explained, “that promises to reveal your target individual, their most frequent driving routes, as well as identifying their children and colleagues.”
How changing the Privacy Act could help
The federal government has recently proposed changes to the Privacy Act, but tech policy advocates at Reset Tech argue that the current proposals fall short of addressing key issues.
“What we need are proactive obligations on the industry that establish clear boundaries for data collection and trading,” stated Alice Dawkins, the group’s executive director.
She recommends implementing a long-considered “fair and reasonable” test for the collection and use of Australians’ data, akin to the protections provided by EU regulations.
The federal government has indicated potential future amendments to the Privacy Act, particularly regarding data privacy rules, though a specific timeline has not been established.
“It would be beneficial to see commitments from both parties before the next election, as Australia risks becoming one of the most insecure places globally,” Ms. Dawkins asserted.
“It’s imperative that we update and review the Privacy Act,” Dr. Ryan emphasized.
“Australians deserve to navigate the internet without their personal information being widely shared and sold.”
A spokesperson for Mr. Dreyfus stated that the government is “committed to ensuring the Privacy Act is appropriate for the digital era.”
“The Albanese government’s significant legislation currently before parliament aims to enhance privacy protections for all Australians, including the introduction of a statutory tort for serious privacy breaches,” the spokesperson mentioned in a statement to the ABC.