© Adrià Voltà

Your most intimate data is being sold to the highest bidder – who might be a spy

Personal data trading on the digital ad market has grown into a billion-dollar industry. Intimate data – such as someone’s sexual preference or medical condition – is spread across the world in the blink of an eye and ends up with the highest bidder: from intelligence agencies to private individuals. This puts us at risk of being spied on and blackmailed and could have far-reaching consequences.

This article in 1 minute
  • In many countries, such as the Netherlands, Denmark and the United Kingdom, government officials are no longer allowed to use the Chinese application TikTok.
  • Experts warn that this measure is not nearly enough. Apps like TikTok are not the only way sensitive data ends up in China and Russia; real-time bidding on online advertising spaces also leaves us vulnerable to espionage.
  • Almost every time you visit a website or app, your intimate data is collected and bundled with other previously stored data about you. A profile of you is thus built based on your desires, preferences, the places you’ve been, and your browsing history.
  • To fill the advertising space on your screen, your profile travels through an automated auction system to, for example, advertisers and data merchants around the world. Your attention is sold in milliseconds to the highest bidder in a multi-billion dollar industry that is virtually unregulated.
  • Because no one knows whom the data ends up with or what happens to it, privacy experts are calling it the ‘biggest data breach in history’.
Read more

Monsignor Jeffrey Burrill, Secretary General of the US Conference of Catholic Bishops, was an influential and respected man. But then the US Catholic news website The Pillar revealed in July 2021 that the priest led a not-so-religious nightlife.

The site revealed that Burrill used gay dating apps like Grindr, frequented gay bars, and had visited the Entourage bathhouse in Las Vegas – where the hot guys go.

Burrill submitted his resignation; the case stirred up a lot of controversy in the US and abroad. While conservative Catholics were outraged by the cleric’s ‘despicable’ behaviour, more liberal circles raised ethical questions: wasn’t Burrill entitled to privacy? And how did The Pillar get its hands on all this intimate data?

The only explanation the editorial office gave was that an analysis had been done on commercially available datasets of mobile-app data.

But The Washington Post revealed in March 2023 that Burrill had been the victim of a targeted attack by a group of highly conservative Colorado Catholics. The foundation is backed by wealthy philanthropists. One of its aims is to ‘help the clergy adhere to their celibacy’ and sets its sights primarily on gay priests.

The Washington Post also revealed that the foundation had forked out four million dollars for a database containing tracking data from dating apps, including those specifically intended for gay users. The data came from ad exchanges: auction platforms where online advertising space is traded using real-time bidding (RTB).

Location data, search behaviour, app usage, it contained it all. Although the data was anonymised, the foundation managed to bypass that problem by cross-referencing it with, for example, church locations. Through this process, it noticed that the user of a specific phone was at a parsonage in Wisconsin during the day, used hookup apps like Grindr and visited gay meeting places at night, and slept at Burrill’s house. Bingo.

‘Everyone is being profiled’

American civil rights groups call the Burrill case the first in which private individuals have bought commercial data to spy on others.

The amount of personal data we share online daily is immense, and there is zero monitoring of the global trading of such data. Intelligence agencies, criminals or private individuals: anyone willing to pay for it can buy it.

Johnny Ryan, ICCL researcher

The things that make you tick: what you listen to, watch, read and do

Western governments are increasingly concerned about the large-scale collection and international dissemination of personal data, as evidenced by the measures taken against TikTok in several countries in recent weeks.

Experts, however, argue for more stringent measures − not only for apps from China but for the online ad industry and big tech companies in general.

‘Everyone is being profiled,’ privacy expert Johnny Ryan told Follow the Money, the things that make you tick, what you listen to, watch, read and do.’

This Irish researcher, who used to work in the ad industry, has been trying for years to convince European policy and lawmakers that the way in which big tech companies handle our data is illegal. He currently does so as a senior fellow of the Irish Council for Civil Liberties (ICCL), a Dublin-based civil rights institute.

On behalf of ICCL, Ryan is involved in several international lawsuits against the online ad industry in general and the IAB industry association and Google in particular. In 2021, Die Zeit called him ‘Google’s biggest headache’.

Ryan’s complaints primarily focus on real-time bidding (RTB), a fully automated auction system through which online advertising space on websites and apps is sold to the highest bidder. Think of the boxes on your smartphone screen in which ads appear when you visit a website.

Cookies and tracking cookies

A cookie is a small file stored on your computer by a website or app. Each time you visit the website, it personalises your user experience. A cookie contains details about a visitor’s activity on a website, such as the pages they view, but it can also save you from having to log in on each visit.

A tracking cookie is a unique identifier that allows websites or apps to track your behaviour, even when you are on other websites. That enables advertisers and website owners to collect information about your browsing habits and location. This then allows them to create behavioural profiles that are used, for example, to show targeted ads. It’s being done on a massive scale.

Larry Ellison, one of the founders of software giant Oracle, boasted in a 2016 keynote that his company owns the profiles of five billion people. Oracle sells the personal data it collects back into the RTB chain.

Read more Fold in

As soon as you visit a website or use an app, your data, stored in cookies [see the frame below], is almost always sent to hundreds and sometimes thousands of advertisers, marketers and social media platforms via all sorts of intermediaries. The highest bidder eventually gets to fill the blank space with an ad and ‘wins’ your attention. The whole process takes milliseconds.

This online ad market involves hundreds of billions of dollars. A good portion of that is earned by trading in personalised ads.

‘If you read the economics section of a quality newspaper like The Irish Times and then visit sites of car companies, car manufacturers are happy to pay double-digits for a spot on your screen,’ Ryan tells us.

​‘Biggest data breach in history’

The idea behind targeted advertising is that advertisers can reach their desired audience relatively cheap. Conversely, users get to see ads for products they are interested in. So, in theory, everyone wins. But the system can easily be abused. No one monitors what happens to all that data and where it eventually ends up. Advertisers who buy your data through RTB can resell, supplement, or retain it.

Personal data profiles are shared with the system on average 376 times a day in Europe, and approximately 747 times in the US

‘Realtime bidding is the biggest data breach ever recorded,’ according to Ryan. The ICCL says that consumers’ online behaviour and location data in the United States and Europe are captured and shared 178 trillion times per year. The personal data of Americans is shared with the RTB ecosystem – home to advertisers, marketers, ad agencies, online publishers, auction platforms and social media networks – approximately 747 times a day. For Europeans, the average is 376 times a day.

The intimate nature of this data is evidenced by the categories used by the Interactive Advertising Bureau (IAB). This global trade association for online advertisers developed a framework for processing personal data in flash auctions that virtually the entire European advertising industry uses. Google, eBay, Amazon, Oracle and SalesForce: they are all registered members of IAB Europe.

Data analysts can taxonomically classify individuals in much the same way as biologists pin insects to a sheet of paper and classify them by their external features.

The latest version of ‘The Content Taxonomy’ divides intimate personal characteristics into categories with a matching code, such as mental health (code 301), infertility (304), Islamic (461), sensitive social issues (27rJBM), drug use (pg0WhF) or terrorism (8FD8nl). Older versions of the framework, modified after public outcry, went even further.

‘Based on commercially available data, we were able to identify some 200 individuals in Ireland who were victims of sexual abuse,’ Ryan states.

Digital gates

The possibilities that data brokers and advertisers offer their clients are almost endless and rather disturbing.

Mobilewalla, a company originating in Singapore, engages in personal data trading. In a 2017 podcast, CEO Anindya Datta said he puts data on very specific target groups up for sale, such as ‘women in their third trimester of pregnancy’.

He also explains in the podcast how ‘his’ data was used to influence the 2016 US presidential election – won by Donald Trump. For example, his company captured evangelical voters by placing ‘digital gates’ around thousands of churches in America.

Mobilewalla also placed digital gates around all polling stations in swing states in the US on Election Day to observe who had not yet been there – and thus had not voted. That information was used to find people with the ‘right’ political preference and convince them to go vote. In the podcast, Datta does not state which candidate he helped in this way, but he does say that his client was satisfied. ‘We played a key role in the outcome of that election.’

National secret services are clients, too

Such use of ad data is not limited to ad companies and political parties. US Democratic Senator Ron Wyden investigated data trading in 2021 and received a letter in which Datta confessed that his company also sold data – through intermediaries – to US intelligence agencies.

And it happens more often. In 2020, a former employee of Babel Street, a US company that develops digital surveillance tools, confirmed that US intelligence agencies use tools like Datta’s. Thanks to software like Locate X, they can see which mobile devices have been in a particular area in the past few months – and where else those devices have all been. The software uses data from the online ad market for this purpose.

Commercial data sometimes provide intelligence agencies ‘more and more valuable information than internet tapping’

The Dutch Intelligence and Security Services also use such data. Follow the Money previously wrote about the use of advertisement-based intelligence (ADINT), following a report by the Review Committee on the Intelligence and Security Services (Dutch: CTIVD) on open-source intelligence (OSINT). The report showed that the services consider this data to be just as ‘public’ as what people post on Facebook, and thus they feel free to buy it. CTIVD chair Nico van Eijk told Follow the Money that such intelligence sometimes provides ‘more and more valuable information than Internet tapping’.

​Ironically, intelligence agencies were quite shocked when they started using ad data, Irish researcher Ryan says. ‘When the US Secret Service started using Locate X, it found out that its own employees were also easy to track.’

New rules, better monitoring?

Data sold to the highest bidder can end up anywhere, even in countries like China and Russia.

‘America’s adversaries are leveraging this commercial data,’ according to a report by US government-funded research firm MITRE, dated 9 January 2023. ‘That information is a goldmine for intelligence agencies that could misuse it to fuel hacking, blackmail and influence campaigns,’ Senator Wyden said in an earlier statement.

​The digital advertising ecosystem is different in Europe, according to Rob van Eijk. He is the Managing Director of The Future of Privacy Forum in Europe, a nonprofit think tank for digital privacy issues. In 2019, he completed his PhD at Leiden University on privacy protection in RTB.

Rob van Eijk, privacy think tank FPF

The system’s transparency is so poor that you have no idea who is profiling you

​‘In the US, there are no legal restrictions because there is no overarching privacy law. In Europe, we do have such a law: the General Data Protection Regulation (GDPR), and new laws and regulations are forthcoming. These limit, for example, profiling using specific categories of personal data, such as religion and sexual orientation, advertising targeted at children and the use of trackers around online political campaigns.’

Under those new rules, which include the Digital Services Act (DSA) from Brussels, enforcement will be shifted to the European Commission. ‘That is in fact where it went wrong previously,’ Dutch MEP Paul Tang (PvdA) explained. ‘The GDPR already offers many of the possibilities that the new rules provide, but national authorities hardly enforced them.’ 

According to Tang, the Irish Data Protection Authority in particular did virtually nothing for years. And because many big tech companies are based in Ireland for tax purposes, that negatively impacted enforcement of the rules across the entire Union. ‘That’s why we opted for centralised monitoring under the new rules,’ Tang adds.

The DSA is already in effect, yet Tang says users will have to wait at least until next year before they notice any improvements.

‘What happened to that priest in the US is technically possible in Europe as well’

Meanwhile, European citizens’ sensitive data is being forwarded to thousands of companies around the world every millisecond. According to Van Eijk, that poses risks: ‘I can’t predict whether it will happen, but what happened to that priest in the US is technically possible in Europe as well.’

He continues: ‘The system’s transparency is so poor that you have no idea who is building profiles, and you can’t gauge how it will ultimately affect you. The fundamental right to protection of your private life also applies to your mobile phone. Surveillance marketing, where profiles are built without your knowledge, is very difficult to square with that.’

‘It’s also unnecessary,’ he continues, ‘because there are alternatives to targeted advertising that don’t require user data or profiling.’


‘The online ad industry should use personal data only if they properly protect it,’ Ryan says. ‘But instead, intimate secrets are freely available to everyone. On top of that, the industry has added a thin layer of pseudo-legality.’ That thin layer is embedded in the user’s consent to process their data.

The industry knew already in 2017 that real-time bidding is incompatible with European privacy laws

This consent is one of the legal bases on which data processing may occur, but  conditions apply. For example, consent must be given unambiguously and without any form of pressure, and the purposes for which data is processed must be made clear in advance.

According to Ryan, however, this legal basis does not fit the practice of real-time bidding: ‘The apps that transmit data ask for consent. But you can only ask someone for permission if you know what will happen with that data and properly inform that person about it.’ And it is precisely this that is nearly impossible within RTB, as the IAB industry association itself wrote to advertisers years ago:

‘As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) [..] RTB would seem, at least prima facie, to be incompatible with consent under GDPR.’

Apple en Google promise to do (slightly) better

Multiple complaints have been filed by parties such as Ireland’s ICCL against IAB and other prominent players in the online advertising arena. In part due to those lawsuits, things appear to be shifting.

In early 2022, the Belgian Data Protection Authority (GBA) – the central regulator of an international deluge of complaints against IAB Europe’s said framework – ruled that the interest group violated the GDPR and fined it 250,000 euros. It also ordered IAB to come up with an improvement plan. That improvement plan materialised and was approved in January 2023. The GBA has not revealed any information about its content, ‘due to ongoing legal proceedings’. The latest news is that IAB Europe has appealed, suspending the implementation of this improvement plan.

It seems that Apple and Google – giants in this industry, because of their app platforms – want to make amends. For example, Apple no longer allows third-party applications like Facebook to track its devices unless users explicitly permit it. Researchers said this allowed fewer parties to collect data from Apple users. Furthermore, Google announced the Sandbox project, which weeds out third-party cookies from Chrome and introduces a new targeted ad system that does not rely on user data.

FPF-expert Rob van Eijk welcomes these changes but considers them to be lacking: ‘The problem lies in the construction of those profiles. The memory about people derived from a whole network must be heavily reduced or disappear altogether. The question is whether that will work in this ecosystem.’

MEP Tang adds: ‘Moreover, the disadvantage is that it is practically impossible to retrieve data from the clutches of the industry once it has been shared. That has to be resolved, and in the meantime, we have to prevent data collection as much as possible.’

Read more Fold in

‘This goes beyond TikTok’

On 23 March 2023, Dutch State Secretary Alexandra van Huffelen (D66) announced that civil servants will only be allowed to install apps on their work phones that have been approved in advance. Apps from countries with an offensive cyber scheme against the Netherlands, such as China and Russia, will no longer be permitted. Van Huffelen said this in response to the international discussion about TikTok.

Several western countries and the European Commission recently banned officials from using the Chinese ByteDance app on their work devices, saying it could jeopardise national security and the safety of those involved, and enable espionage.

Other countries have since realised that the problem goes beyond TikTok: the free trade in ad surveillance data poses just as much danger.

Paul Tang, Dutch MEP

If you want to track or influence a specific individual, there are numerous opportunities – and thus risks

Hence, employees of security agencies in America use ad blockers, which makes it harder to track users across the internet. This is supposed to protect the agencies themselves from espionage, hacking and surveillance via ad tracking. In France, the government announced that it will ban its 2.5 million civil servants from using apps like Netflix and Twitter on their work phones, as these apps do not comply with security regulations.

Tang thinks it’s a good development: ‘The problem goes well beyond TikTok, so France’s move is logical and desirable. Anyone can buy data from the ad ecosystem, including intelligence services. If you want to track or influence a specific individual, there are numerous opportunities – and thus risks.’

Much to the industry’s dismay, the use of ad blockers has been increasing for years. But this is mainly at the initiative of private citizens themselves. The Dutch government now seems to be aware of the dangers for citizens and is working on a plan to increase ‘data processing awareness’, according to State Secretary Van Huffelen. She expects to provide Parliament with further information before the summer.

For now, it is up to ordinary users to figure out how to protect themselves from possible misuse of their data. Installing an ad blocker would be a good start.

That advice is too little too late for Jeffrey Burrill. After a ‘sincere and prayerful period of absence’, he is back at work, albeit as a regular priest in Wisconsin. Hopefully, he is now using an old Nokia.

Translation: Delia Burggraaf

What about Follow the Money and cookies?

Follow the Money does not place advertisements on its site; our income is based on the contributions of paying members. We thus do not share personal data with other companies.

We use Google Analytics to measure how often an article is read and how many visitors FTM.eu has per week. We don’t know who those visitors are; the information left by visitors to the site is stored anonymously with Google Analytics. Follow the Money does not share any personal data with this system.

In July 2023 we will move away from Google Analytics and switch completely to Matomo (being in the transition phase, we are temporarily running both systems). Matomo is comparable to Google Analytics in terms of service, but an important difference is that we run it ourselves. From July 2023, Follow the Money will no longer place third-party cookies. A cookie notification on our site will therefore no longer be necessary.

We also store the preferences of our (trial) members, so that we can send them a weekly overview email if they opted for that, or alert them if an author they follow has published something new. We use Active Campaign to store those preferences and to send these newsletters.

Read more Fold in
Responses and reactions

The Dutch Data Protection Authority (AP) declined to comment to FTM in general terms on real-time bidding and the data trading hidden behind it. Regarding the IAB Group’s framework, a spokesperson says the AP shares the concerns expressed by the Belgian GBA in its decision from early 2022, because a lack of transparency makes it unclear to a user what happens to their personal data. It also points to the approved improvement plan and notes that its implementation will have to wait in order to assess whether the framework might still be compatible with the GDPR. Until then, the AP’s original objections stand, according to the spokesperson.

​Follow the Money asked the Dutch Intelligence and Security Services whether they take or recommend measures similar to those taken by the US for government officials. A spokesperson stated in a joint response that the Services do not comment on such matters. When asked whether they use information obtained through the RTB process, they came up with the same answer.

Read more Fold in