How a simple advertising ID reveals more information about you than your name and personal address.
The U.S. Federal Trade Commission (FTC) recently expressed its concern about how data brokers identify sensitive information. Examples included the recent cases of Avast, Outlogic, and InMarket , where each company secretly shared customer data without their knowledge.
The Commission stated that data about the web pages visited and the location of users should be considered sensitive and not shared with third parties. Research shows that even without explicit personally identifiable information (PII), such datasets can contain sensitive information.
"Data about web sites viewed and location paints an intimate picture of a person's life, including their religious affiliation, health status, financial status, and sexual orientation," according to representatives of the federal commission.
Ryan Paterson, president of Unplugged, a personal data protection company, gave an example in which he personally contacted a data broker and requested all advertising IDs in several geographically limited regions — for example, in areas around a certain house, school, and restaurant-for a certain period of time.
Armed with this data, any individual or organization can create a map of the movement of a particular advertising identifier, which can often be used to identify the person using this device.
If, for example, a certain ID is often found in a certain house in the evenings, it is probably associated with that household. And if they also frequently show up at a particular place of work during office hours, that person probably works there.
Screenshot from Google Earth with the exact route of a specific person based on their ad ID
Despite the possibility of such accurate identification, many data brokers continue to sell advertising data, threatening the privacy of users.
"Collecting, storing, using, and sharing people's confidential information without their informed consent violates their privacy and exposes them to significant secondary harms such as stigmatization, discrimination, physical abuse, and emotional distress," the federal commission said. "The FTC will not tolerate this. The Commission will use all of its tools to continue to protect Americans from data misuse and illegal commercial surveillance, " the FTC added.
In Europe, for example, the Open Rights Group filed a complaint against local data broker LiveRamp for "pervasive identity tracking for marketing purposes", demanding that the company's activities be checked for compliance with the GDPR and UK data protection laws.
LiveRamp, formerly known as Acxiom, was also listed in a 2021 Duke University report for advertising data on U.S. military personnel, as well as for selling data on U.S. citizens to foreign companies.
Experts point out that efforts to anonymize data must meet strict standards, since even unique identifiers in today's digital world can be even more identifying than a person's name and personal address.
Most users don't disable ad IDs, largely because they don't even know how to do it, or don't see it as a direct threat. Advertisers and data brokers have successfully used this approach to create extensive user profiles and combine different data sources for more targeted tracking.
Therefore, companies need to exercise great care and responsibility when processing any data related to the identity and behavior of users, even if they do not contain explicit personal information.
Data anonymization must meet strict standards, and users must be able to consciously control what data is collected and used about them.
The U.S. Federal Trade Commission (FTC) recently expressed its concern about how data brokers identify sensitive information. Examples included the recent cases of Avast, Outlogic, and InMarket , where each company secretly shared customer data without their knowledge.
The Commission stated that data about the web pages visited and the location of users should be considered sensitive and not shared with third parties. Research shows that even without explicit personally identifiable information (PII), such datasets can contain sensitive information.
"Data about web sites viewed and location paints an intimate picture of a person's life, including their religious affiliation, health status, financial status, and sexual orientation," according to representatives of the federal commission.
Ryan Paterson, president of Unplugged, a personal data protection company, gave an example in which he personally contacted a data broker and requested all advertising IDs in several geographically limited regions — for example, in areas around a certain house, school, and restaurant-for a certain period of time.
Armed with this data, any individual or organization can create a map of the movement of a particular advertising identifier, which can often be used to identify the person using this device.
If, for example, a certain ID is often found in a certain house in the evenings, it is probably associated with that household. And if they also frequently show up at a particular place of work during office hours, that person probably works there.
Screenshot from Google Earth with the exact route of a specific person based on their ad ID
Despite the possibility of such accurate identification, many data brokers continue to sell advertising data, threatening the privacy of users.
"Collecting, storing, using, and sharing people's confidential information without their informed consent violates their privacy and exposes them to significant secondary harms such as stigmatization, discrimination, physical abuse, and emotional distress," the federal commission said. "The FTC will not tolerate this. The Commission will use all of its tools to continue to protect Americans from data misuse and illegal commercial surveillance, " the FTC added.
In Europe, for example, the Open Rights Group filed a complaint against local data broker LiveRamp for "pervasive identity tracking for marketing purposes", demanding that the company's activities be checked for compliance with the GDPR and UK data protection laws.
LiveRamp, formerly known as Acxiom, was also listed in a 2021 Duke University report for advertising data on U.S. military personnel, as well as for selling data on U.S. citizens to foreign companies.
Experts point out that efforts to anonymize data must meet strict standards, since even unique identifiers in today's digital world can be even more identifying than a person's name and personal address.
Most users don't disable ad IDs, largely because they don't even know how to do it, or don't see it as a direct threat. Advertisers and data brokers have successfully used this approach to create extensive user profiles and combine different data sources for more targeted tracking.
Therefore, companies need to exercise great care and responsibility when processing any data related to the identity and behavior of users, even if they do not contain explicit personal information.
Data anonymization must meet strict standards, and users must be able to consciously control what data is collected and used about them.
