Today's digital advertising based on selling user data to the highest bidder has been called the 'largest data breach ever', and yes:

Two firms who sell targeted+mass surveillance to governments are hoovering phone location data from the ad/rtb bidstream: https://www.forbes.com/sites/thomasbrewster/2020/12/11/exclusive-israeli-surveillance-companies-are-siphoning-masses-of-location-data-from-smartphone-apps

One of the players, Bsightful, is part-owned by the US surveillance giant Verint, who reportedly supplied phone tapping tech to the NSA.

The other, Rayzone, sells a "Global Virtual SIGINT" system that promises "wide, diverse and in-depth information on global internet users".

According to Forbes, Bsightful is "hoovering up app location data by running what’s known as a Demand Side Platform (DSP)".

That way, they can collect "location and other phone data the app developers are willfully providing, the data passing through [the so-called] bidstream".

Here's how personal data on website visitors and app users is being constantly leaked to myriads of data companies within milliseconds in today's online advertising ecosystem.

Digital profiles based on this data are used for all kinds of purposes.

Visualization by @johnnyryan.

In 2019, the UK data protection authority stated that most of today's online advertising in the EU is illegal at a "general, systemic" level because it's based on thousands of websites+apps sharing personal data on millions without a legal basis every day. https://twitter.com/WolfieChristl/status/1141686504076562432

Since then, nothing has changed.

Surveillance advertising must be shut down now.

I'm sorry for publishers who are still relying on it, but they had years to fix it. Authorities do not enforce the GDPR because they don't want to interfere with their business but it's enough now.

While we have the GDPR in the EU that *could* end this deliberately designed, ongoing, large-scale data breach, if enforced, there is no appropriate federal privacy/dataprotection law in the US at all.

At least, some members of US Congress care about it: https://twitter.com/WolfieChristl/status/1289264818952613888

To be precise, what Forbes/ @iblametom found is that:

- Bsightful (affiliated with Verint) is running a white-label DSP to harvest data from bid requests, according to two sources, and packages it "for government customers, allowing them to search whole areas or for individuals"

- Rayzone promises to provide intelligence and law enforcement agencies with "wide, diverse and in-depth information on global internet users" including "location data collected from smartphone ads" and/or "mobile apps", according to Forbes' sources. Further details are not known

Forbes' sources also said that the two are among "a handful" of surveillance firms who are targeting the mobile advertising ecosystem.

I'm pretty sure they use both RTB and mobile SDK data, also obtained from other data brokers, probably in addition to cell tower and other data.

In recent months, we have learned about US government contractors and suppliers based in the EU doing similar things.

Anyway, to my knowledge, this Forbes report provides evidence for the first time that a company who sells surveillance to governments is running its own DSP.

Web and app publishers should be aware that they are (legally) responsible if personal data on their visitors and users they share with unknown parties in the context of digital advertising and marketing is being misused.