Monsignor Jeffrey Burrill, Secretary General of the US Conference of Catholic Bishops, was an influential and respected man. But then the US Catholic news website The Pillar revealed in July 2021 that the priest led a not-so-religious nightlife.

The site revealed that Burrill used gay dating apps like Grindr, frequented gay bars, and had visited the Entourage bathhouse in Las Vegas – where the hot guys go.

Burrill submitted his resignation; the case stirred up a lot of controversy in the US and abroad. While conservative Catholics were outraged by the cleric’s ‘despicable’ behaviour, more liberal circles raised ethical questions: wasn’t Burrill entitled to privacy? And how did The Pillar get its hands on all this intimate data?

The only explanation the editorial office gave was that an analysis had been done on commercially available datasets of mobile-app data.

But The Washington Post revealed in March 2023 that Burrill had been the victim of a targeted attack by a group of highly conservative Colorado Catholics. The foundation is backed by wealthy philanthropists. One of its aims is to ‘help the clergy adhere to their celibacy’ and sets its sights primarily on gay priests.

​The Washington Post also revealed that the foundation had forked out four million dollars for a database containing tracking data from dating apps, including those specifically intended for gay users. The data came from ad exchanges: auction platforms where online advertising space is traded using real-time bidding (RTB).

Location data, search behaviour, app usage, it contained it all. Although the data was anonymised, the foundation managed to bypass that problem by cross-referencing it with, for example, church locations. Through this process, it noticed that the user of a specific phone was at a parsonage in Wisconsin during the day, used hookup apps like Grindr and visited gay meeting places at night, and slept at Burrill’s house. Bingo.

‘Everyone is being profiled’

American civil rights groups call the Burrill case the first in which private individuals have bought commercial data to spy on others.

The amount of personal data we share online daily is immense, and there is zero monitoring of the global trading of such data. Intelligence agencies, criminals or private individuals: anyone willing to pay for it can buy it.

Western governments are increasingly concerned about the large-scale collection and international dissemination of personal data, as evidenced by the measures taken against TikTok in several countries in recent weeks.

Experts, however, argue for more stringent measures − not only for apps from China but for the online ad industry and big tech companies in general.

‘Everyone is being profiled,’ privacy expert Johnny Ryan told Follow the Money, ‘the things that make you tick, what you listen to, watch, read and do.’

This Irish researcher, who used to work in the ad industry, has been trying for years to convince European policy and lawmakers that the way in which big tech companies handle our data is illegal. He currently does so as a senior fellow of the Irish Council for Civil Liberties (ICCL), a Dublin-based civil rights institute.

On behalf of ICCL, Ryan is involved in several international lawsuits against the online ad industry in general and the IAB industry association and Google in particular. In 2021, Die Zeit called him ‘Google’s biggest headache’.

Ryan’s complaints primarily focus on real-time bidding (RTB), a fully automated auction system through which online advertising space on websites and apps is sold to the highest bidder. Think of the boxes on your smartphone screen in which ads appear when you visit a website.

As soon as you visit a website or use an app, your data, stored in cookies [see the frame below], is almost always sent to hundreds and sometimes thousands of advertisers, marketers and social media platforms via all sorts of intermediaries. The highest bidder eventually gets to fill the blank space with an ad and ‘wins’ your attention. The whole process takes milliseconds.

This online ad market involves hundreds of billions of dollars. A good portion of that is earned by trading in personalised ads.

‘If you read the economics section of a quality newspaper like The Irish Times and then visit sites of car companies, car manufacturers are happy to pay double-digits for a spot on your screen,’ Ryan tells us.

​‘Biggest data breach in history’

The idea behind targeted advertising is that advertisers can reach their desired audience relatively cheap. Conversely, users get to see ads for products they are interested in. So, in theory, everyone wins. But the system can easily be abused. No one monitors what happens to all that data and where it eventually ends up. Advertisers who buy your data through RTB can resell, supplement, or retain it.

Personal data profiles are shared with the system on average 376 times a day in Europe, and approximately 747 times in the US

‘Realtime bidding is the biggest data breach ever recorded,’ according to Ryan. The ICCL says that consumers’ online behaviour and location data in the United States and Europe are captured and shared 178 trillion times per year. The personal data of Americans is shared with the RTB ecosystem – home to advertisers, marketers, ad agencies, online publishers, auction platforms and social media networks – approximately 747 times a day. For Europeans, the average is 376 times a day.

The intimate nature of this data is evidenced by the categories used by the Interactive Advertising Bureau (IAB). This global trade association for online advertisers developed a framework for processing personal data in flash auctions that virtually the entire European advertising industry uses. Google, eBay, Amazon, Oracle and SalesForce: they are all registered members of IAB Europe.

Data analysts can taxonomically classify individuals in much the same way as biologists pin insects to a sheet of paper and classify them by their external features.

The latest version of ‘The Content Taxonomy’ divides intimate personal characteristics into categories with a matching code, such as mental health (code 301), infertility (304), Islamic (461), sensitive social issues (27rJBM), drug use (pg0WhF) or terrorism (8FD8nl). Older versions of the framework, modified after public outcry, went even further.

‘Based on commercially available data, we were able to identify some 200 individuals in Ireland who were victims of sexual abuse,’ Ryan states.

Digital gates

The possibilities that data brokers and advertisers offer their clients are almost endless and rather disturbing.

Mobilewalla, a company originating in Singapore, engages in personal data trading. In a 2017 podcast, CEO Anindya Datta said he puts data on very specific target groups up for sale, such as ‘women in their third trimester of pregnancy’.

He also explains in the podcast how ‘his’ data was used to influence the 2016 US presidential election – won by Donald Trump. For example, his company captured evangelical voters by placing ‘digital gates’ around thousands of churches in America.

Mobilewalla also placed digital gates around all polling stations in swing states in the US on Election Day to observe who had not yet been there – and thus had not voted. That information was used to find people with the ‘right’ political preference and convince them to go vote. In the podcast, Datta does not state which candidate he helped in this way, but he does say that his client was satisfied. ‘We played a key role in the outcome of that election.’

National secret services are clients, too

Such use of ad data is not limited to ad companies and political parties. US Democratic Senator Ron Wyden investigated data trading in 2021 and received a letter in which Datta confessed that his company also sold data – through intermediaries – to US intelligence agencies.

And it happens more often. In 2020, a former employee of Babel Street, a US company that develops digital surveillance tools, confirmed that US intelligence agencies use tools like Datta’s. Thanks to software like Locate X, they can see which mobile devices have been in a particular area in the past few months – and where else those devices have all been. The software uses data from the online ad market for this purpose.

Commercial data sometimes provide intelligence agencies ‘more and more valuable information than internet tapping’

The Dutch Intelligence and Security Services also use such data. Follow the Money previously wrote about the use of advertisement-based intelligence (ADINT), following a report by the Review Committee on the Intelligence and Security Services (Dutch: CTIVD) on open-source intelligence (OSINT). The report showed that the services consider this data to be just as ‘public’ as what people post on Facebook, and thus they feel free to buy it. CTIVD chair Nico van Eijk told Follow the Money that such intelligence sometimes provides ‘more and more valuable information than Internet tapping’.

​Ironically, intelligence agencies were quite shocked when they started using ad data, Irish researcher Ryan says. ‘When the US Secret Service started using Locate X, it found out that its own employees were also easy to track.’

New rules, better monitoring?

Data sold to the highest bidder can end up anywhere, even in countries like China and Russia.

‘America’s adversaries are leveraging this commercial data,’ according to a report by US government-funded research firm MITRE, dated 9 January 2023. ‘That information is a goldmine for intelligence agencies that could misuse it to fuel hacking, blackmail and influence campaigns,’ Senator Wyden said in an earlier statement.

​The digital advertising ecosystem is different in Europe, according to Rob van Eijk. He is the Managing Director of The Future of Privacy Forum in Europe, a nonprofit think tank for digital privacy issues. In 2019, he completed his PhD at Leiden University on privacy protection in RTB.

​‘In the US, there are no legal restrictions because there is no overarching privacy law. In Europe, we do have such a law: the General Data Protection Regulation (GDPR), and new laws and regulations are forthcoming. These limit, for example, profiling using specific categories of personal data, such as religion and sexual orientation, advertising targeted at children and the use of trackers around online political campaigns.’

Under those new rules, which include the Digital Services Act (DSA) from Brussels, enforcement will be shifted to the European Commission. ‘That is in fact where it went wrong previously,’ Dutch MEP Paul Tang (PvdA) explained. ‘The GDPR already offers many of the possibilities that the new rules provide, but national authorities hardly enforced them.’ 

According to Tang, the Irish Data Protection Authority in particular did virtually nothing for years. And because many big tech companies are based in Ireland for tax purposes, that negatively impacted enforcement of the rules across the entire Union. ‘That’s why we opted for centralised monitoring under the new rules,’ Tang adds.

The DSA is already in effect, yet Tang says users will have to wait at least until next year before they notice any improvements.

‘What happened to that priest in the US is technically possible in Europe as well’

Meanwhile, European citizens’ sensitive data is being forwarded to thousands of companies around the world every millisecond. According to Van Eijk, that poses risks: ‘I can’t predict whether it will happen, but what happened to that priest in the US is technically possible in Europe as well.’

He continues: ‘The system’s transparency is so poor that you have no idea who is building profiles, and you can’t gauge how it will ultimately affect you. The fundamental right to protection of your private life also applies to your mobile phone. Surveillance marketing, where profiles are built without your knowledge, is very difficult to square with that.’

‘It’s also unnecessary,’ he continues, ‘because there are alternatives to targeted advertising that don’t require user data or profiling.’

Pseudo-legality

‘The online ad industry should use personal data only if they properly protect it,’ Ryan says. ‘But instead, intimate secrets are freely available to everyone. On top of that, the industry has added a thin layer of pseudo-legality.’ That thin layer is embedded in the user’s consent to process their data.

The industry knew already in 2017 that real-time bidding is incompatible with European privacy laws

This consent is one of the legal bases on which data processing may occur, but  conditions apply. For example, consent must be given unambiguously and without any form of pressure, and the purposes for which data is processed must be made clear in advance.

According to Ryan, however, this legal basis does not fit the practice of real-time bidding: ‘The apps that transmit data ask for consent. But you can only ask someone for permission if you know what will happen with that data and properly inform that person about it.’ And it is precisely this that is nearly impossible within RTB, as the IAB industry association itself wrote to advertisers years ago:

‘As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) [..] RTB would seem, at least prima facie, to be incompatible with consent under GDPR.’

‘This goes beyond TikTok’

On 23 March 2023, Dutch State Secretary Alexandra van Huffelen (D66) announced that civil servants will only be allowed to install apps on their work phones that have been approved in advance. Apps from countries with an offensive cyber scheme against the Netherlands, such as China and Russia, will no longer be permitted. Van Huffelen said this in response to the international discussion about TikTok.

Several western countries and the European Commission recently banned officials from using the Chinese ByteDance app on their work devices, saying it could jeopardise national security and the safety of those involved, and enable espionage.

Other countries have since realised that the problem goes beyond TikTok: the free trade in ad surveillance data poses just as much danger.

Hence, employees of security agencies in America use ad blockers, which makes it harder to track users across the internet. This is supposed to protect the agencies themselves from espionage, hacking and surveillance via ad tracking. In France, the government announced that it will ban its 2.5 million civil servants from using apps like Netflix and Twitter on their work phones, as these apps do not comply with security regulations.

Tang thinks it’s a good development: ‘The problem goes well beyond TikTok, so France’s move is logical and desirable. Anyone can buy data from the ad ecosystem, including intelligence services. If you want to track or influence a specific individual, there are numerous opportunities – and thus risks.’

Much to the industry’s dismay, the use of ad blockers has been increasing for years. But this is mainly at the initiative of private citizens themselves. The Dutch government now seems to be aware of the dangers for citizens and is working on a plan to increase ‘data processing awareness’, according to State Secretary Van Huffelen. She expects to provide Parliament with further information before the summer.

For now, it is up to ordinary users to figure out how to protect themselves from possible misuse of their data. Installing an ad blocker would be a good start.

That advice is too little too late for Jeffrey Burrill. After a ‘sincere and prayerful period of absence’, he is back at work, albeit as a regular priest in Wisconsin. Hopefully, he is now using an old Nokia.

Translation: Delia Burggraaf