Is Google sharing data from Americans and Europeans with sanctioned Russian adtech companies?

Executive Summary

On April 6th, 2022, the United States Department of the Treasury, Office of Foreign Assets Control (OFAC) added several Russian entities to its list of Specially Designated Nationals (SDN). In an April 6th, 2022 press release titled “U.S. Treasury Escalates Sanctions on Russia for Its Atrocities in Ukraine”, the Treasury Department sanctioned a “web-based automated advertising software developer in Russia” called “Rutarget” (also known as Segmento). Rutarget was acquired in 2015 and is owned by Sberbank, Russia’s largest state-owned bank, which itself is under “full blocking sanctions” by the Treasury. Sberbank was also sanctioned by the UK Treasury’s Office of Financial Sanctions Implementation (OFSI). 

According to OFSI, “The Government of Russia has a controlling share in PJSC Sberbank, meaning that PJSC Sberbank also carries on business as a Government of Russia-affiliated entity.”

Despite RuTarget’s inclusion on the US Treasury SDN list, as of June 24th, 2022, Google’s ad tech platforms appeared to continue to provide services and exchange consumer related data with RuTarget.

Disclaimer: Adalytics is reporting what it has observed & cannot make any conclusions regarding the legality of any data it has observed and is reporting. For example, some of the entities mentioned in this research may well have obtained specific waivers, and/or licenses, from the US or UK government to continue to work together despite sanctions.

  1. Executive Summary
  2. Introduction
    1. Senators ask Google & other ad tech companies about which foreign entities receive access to data about Americans
    2. Senator asks Google to be vigilant about US Treasury sanctions compliance with regards to Russia
    3. Google faces class action lawsuit about “selling personal user info” in real time ad auctions
  3. Background about digital advertising
    1. What is ‘programmatic advertising’?
    2. What is ‘real-time bidding’?
    3. What is ‘user ID syncing’?
    4. What is ‘bidstream data’?
  4. Research Methodology
  5. With which foreign entities could Google be sharing bidstream data about Americans & Europeans with?
    1. Chinese ad technology partners
    2. Russian ad technology partners
  6. Google may be exchanging user-related data with a sanctioned Russian ad tech platform
  7. Media publishers may be sharing data with a sanctioned Russian ad tech platform
  8. Brands listed as clients of a sanctioned Russian ad tech company
  9. Why did Google say: “the identity of bidders is subject to non-disclosure obligations”?
  10. Conclusion
    1. Caveats & limitations
    2. Discussion
    3. Take-away points

Introduction

Senators ask Google & other ad tech companies about which foreign entities receive access to data about Americans

In April 2021, a bipartisan group of Senators including Ron Wyden (Chair of the Senate Finance Committee), Bill Cassidy, Mark Warner (Chair of the Senate Intelligence Committee), Elizabeth Warren, Kirsten Gillibrand, and Sherrod Brown wrote a letter to the CEOs of several American ad tech platforms, including Google, AT&T, Magnite, and Verizon.

In the letter sent to Google’s CEO Sundar Pichai, the six senators asked:

“We write to seek information about your company’s sharing of Americans’ personal data in order to understand how that information may be obtained and exploited by foreign governments to the detriment of our national security.”

“Many of the ads we see on our phones, computers, and smart TVs are curated through a process called real time bidding [...] hundreds of firms participating receive sensitive information about the potential recipient of the ad—device identifiers and cookies, web browsing and location data, IP addresses, and unique demographic information such as age and gender.”

“Few Americans realize that some auction participants are siphoning off and storing “bidstream” data to compile exhaustive dossiers about them.”

In the letter, the Senators asked Google and other ad tech CEO’s to provide a list of foreign-owned or headquartered companies that have received bidstream data about Americans. Only one of the ad tech companies - Magnite (formerly known as Rubicon Project) - responded with a detailed list of the foreign recipients of user data from their ad platform.

Google told the Senators: “The identity of bidders is subject to non-disclosure obligations.”

Cybersecurity journalist Joseph Cox from Motherboard also reached out in April 2021 to Google, inquiring how “many foreign companies they provide so-called bidstream data from U.S. users to, and for the names of those foreign companies.” Google did not provide a statement or list of companies.

Senator asks Google to be vigilant about US Treasury sanctions compliance with regards to Russia

On February 25th, 2022, a day after Russian armed forces invaded Ukraine, the Chairman of the US Senate Intelligence Committee, Senator Mark Warner, wrote a letter to Sundar Pichai, the CEO of Alphabet (Google’s parent company). Senator Warner said in his letter:

“I write to encourage your company to assume a heightened posture towards exploitation of your platform by Russia and Russian-linked entities. [...] Unfortunately, your platforms continue to be key vectors for malign actors – including, notably, those affiliated with the Russian government – to not only spread disinformation, but to profit from it. [...] Google even continues to serve ads for sanctioned influence actors like Southfront – a matter that I have separately referred to the Department of Treasury and Department of Justice for their attention. [...] Given the gravity of this situation, I would encourage you to, at a minimum, take immediate steps to: [...] Conduct an audit of Google and YouTube’s advertising business, including its compliance with sanctions.”

Despite the US Senate Intelligence Committee’s requests to Google, Google’s ad exchange appeared, as recently as April 13th, 2022, to serve digital ads on websites that were explicitly listed on the US Treasury’s Office of Foreign Assets Control (OFAC) sanctions list. In some cases, Google’s relationship with these sites has extended for ~7 years.

Ads from brands such as Citibank, Facebook, and NBCUniversal were served via Google’s ad exchange on websites that were on the OFAC sanctions list. Furthermore, it appeared that in one instance, Google’s own product advertisements were serving on a domain that had been on the Treasury sanctions list since 2015.

In response to a request for comment from Business Insider about the observations, Senator Mark Warner said:

"At a time when so many American companies are acting boldly to withdraw from Russia and ensure that their business operations are not — directly or indirectly — fueling Russia's war, it's incredibly worrying that Google continues to monetize a range of questionable sites and businesses, even after it was revealed to be directing ad dollars to sanctioned Russian entities [...] This demonstrates yet again that the digital ad market Google dominates is dangerously opaque and unsupervised."

Google faces class action lawsuit about “selling personal user info” in real time ad auctions

On June 14th, 2022, Courthouse News Service reported that Google is facing a class action lawsuit in the District Court for the Northern District of California. According to the news outlet, the lawsuit alleges that Google is “illegally selling users’ personal information in auctions for ad space.”

Courthouse News Service reported that:

“The customers accused the company of having violated state and federal law by promising that it does not sell account holders’ personal information to third parties, while repeatedly selling the data through real-time bidding auctions to advertisers.

The plaintiffs allege Google solicits participants to bid on sending an ad to people, using data about each person in a bid request provided to the auction. This includes data that identifies people through device identifiers, geolocation and IP address and highly detailed personal profile information about peoples’ interests, race, religion, sexual orientation and health.”

One of the documents from the lawsuit claims that “Google does not tell Account Holders which companies are bidding on, and therefore accessing, their personal information”. 

As previously mentioned, when asked by US Senators as to whom Google is sharing bidstream data with, Google responded: “The identity of bidders is subject to non-disclosure obligations”.

Background about digital advertising

What is ‘programmatic advertising’?

In the early years of the internet, several companies developed software that automated the process of purchasing digital ads. This enabled a media agency to place ads on many different websites without interacting with them directly, and with the ability to specify details about the time, location, and format in which the ads would appear on consumers’ computers or screens.

This process was further automated and refined, leading to the broad term “programmatic advertising”. As programmatic advertising has matured, innumerable middlemen have emerged to serve as agents for ad buyers and sellers, and to inform ad buyers about the personal details of the consumers who may view their ads.

According to Clearcode, “Programmatic advertising is defined as the process of automating the purchase, sale, delivery, and measurement of digital advertising campaigns via advertising technology (AdTech) platforms. These AdTech platforms allow advertisers, publishers, and agencies to create, run, and optimize ad campaigns with minimal human involvement.” 

What is ‘real-time bidding’?

In modern day programmatic advertising, a significant portion of ad slots are not purchased in advance, but rather, within a few hundred milliseconds of a user browsing to a website or mobile app.

For example, when a consumer opens a website like nytimes.com or cnn.com, the website is configured to send data to a server run by an ad tech company. The ad tech platform then runs an ad auction, where various media agencies and advertisers can submit bids for how much they are willing to pay to show that consumer a banner ad. If a media buyer wins the auction, their ad gets served on the consumer’s computer screen while they browse nytimes.com or cnn.com.

This process occurs billions of times per day across the internet, and each auction occurs very quickly, within the time it takes a user to load a website.

[Figure: clear-code-real-time-bidding-diagram.png] Source: https://clearcode.cc/blog/real-time-bidding/

According to Clearcode, real-time bidding is “The process of purchasing and selling digital ad space through real-time auctions that occur in the time it takes a webpage to load.

In Real-time bidding (RTB) auctions, advertisers (via Demand-side platform (DSP)s) bid on individual impressions put forward from publishers (via Supply-side platform (SSP)s and Ad exchanges).”

When a real time bidding auction occurs, various pieces of information may be sent by the ad exchange to the prospective media buyers and advertisers. These can include:

  • The URL, website, or app the consumer is on
  • Information about the consumer’s device
  • The consumer’s geo-location
  • The consumer’s IP address
  • Various demographic or behavioral attributes about the consumer (as supplied by the ad exchange or third party data brokers), such as gender, age range, or job occupation

One of the ad tech platforms contacted by the six US Senators in April 2021 - Magnite - explained that the following attributes may be sent by the ad exchange to other entities: “information about the publisher, the application environment, the video content, and the end-user may be passed in a bid request to the demand side platform (“DSP”) by Magnite”. The list included:

  • Site Name
  • Domain
  • User ID (Device IDFA) 
  • IP Address (Zip; Country; Metro; Lon; Lat; Region) 
  • User Agent (Device Type; Make; OS; Model; Language) 
  • Other Opt-in User Identifiers (UID, IDL, SharedID, Custom)
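The attribute lists above describe what a bid request can carry, but not how a publisher or exchange would check that, or limit it per vendor. The following is an added example, not code from the article, from Google or from Magnite: a constructed OpenRTB-2.x-shaped bid request carrying each attribute type listed above, a function that reports which personal-data categories a given request actually contains, and a gate that returns a reduced copy (identifiers, demographics and precise geo-location removed, IP truncated to its network prefix) for any vendor that is not on the publisher’s allow-list. The field names follow OpenRTB naming; the sample values, the vendor identifiers and the allow-list are assumptions made up for this example.

```python
import copy
import ipaddress

# Constructed OpenRTB-2.x-shaped bid request. Sample values only, not a captured
# request; the fields mirror the attribute types listed above (page URL, device,
# geo-location, IP address, demographics, user identifiers).
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "site": {"domain": "example-news.test",
             "page": "https://example-news.test/health/article-42"},
    "device": {
        "ua": "Mozilla/5.0 (constructed user agent)",
        "ip": "203.0.113.57",  # documentation (TEST-NET-3) address
        "ifa": "11111111-2222-3333-4444-555555555555",  # constructed device ID
        "devicetype": 4, "make": "ExamplePhone", "os": "ExampleOS",
        "geo": {"lat": 37.7749, "lon": -122.4194, "country": "USA", "zip": "94103"},
    },
    "user": {
        "id": "constructed-exchange-cookie-id",
        "buyeruid": "constructed-bidder-matched-id",
        "gender": "F", "yob": 1988,
        "ext": {"eids": [{"source": "sharedid.org",
                          "uids": [{"id": "constructed-shared-id"}]}]},
    },
}

# Personal-data category -> dotted paths where it appears in the request.
PERSONAL_DATA_FIELDS = {
    "url": ["site.page", "site.domain"],
    "device": ["device.ua", "device.make", "device.os", "device.devicetype"],
    "geo": ["device.geo.lat", "device.geo.lon", "device.geo.zip"],
    "ip": ["device.ip"],
    "demographics": ["user.gender", "user.yob"],
    "user_ids": ["device.ifa", "user.id", "user.buyeruid", "user.ext.eids"],
}

# Categories removed before a request reaches a vendor the publisher has not allowed.
STRIPPED_FOR_UNLISTED = ("user_ids", "demographics", "geo")


def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _delete(obj, path):
    """Delete the leaf at a dotted path if it exists (no error if absent)."""
    keys = path.split(".")
    for key in keys[:-1]:
        obj = obj.get(key) if isinstance(obj, dict) else None
        if not isinstance(obj, dict):
            return
    obj.pop(keys[-1], None)


def _truncate_ip(ip):
    """Keep only the /24 (IPv4) or /48 (IPv6) network part of an address."""
    prefix = 48 if ":" in ip else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def personal_data_categories(req):
    """Return the set of personal-data categories actually present in a bid request."""
    return {cat for cat, paths in PERSONAL_DATA_FIELDS.items()
            if any(_get(req, p) is not None for p in paths)}


def minimize_for_vendor(req, vendor_id, allowed_vendors):
    """Return the request to send to vendor_id.

    Vendors on the publisher's allow-list receive a full copy; every other
    vendor receives a copy with identifiers, demographics and precise
    geo-location removed and the IP address truncated to its network prefix.
    The caller's request object is never modified.
    """
    out = copy.deepcopy(req)
    if vendor_id in allowed_vendors:
        return out
    for category in STRIPPED_FOR_UNLISTED:
        for path in PERSONAL_DATA_FIELDS[category]:
            _delete(out, path)
    ip = _get(out, "device.ip")
    if ip:
        out["device"]["ip"] = _truncate_ip(ip)
    return out


if __name__ == "__main__":
    print(sorted(personal_data_categories(SAMPLE_BID_REQUEST)))
    print(minimize_for_vendor(SAMPLE_BID_REQUEST, "unlisted-dsp", {"listed-dsp"}))
```

The reduced copy keeps the page URL, device description and country, which is enough for a vendor to price an impression; the fields that make a user re-identifiable across platforms (cookie and device IDs, demographics, lat/lon, full IP) are what the allow-list gates.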

What is ‘user ID syncing’?

Modern web browsers store small text files called cookies on the user’s device. These text files can store unique pieces of information that help identify a particular device - for example, to enable a website to recognize the user is a logged-in subscriber or that they have visited the website three times so far today.

According to Ad Tech Explained: “Cookie syncing is a process that enables all members of an ad transaction on desktop or mobile web to have a common understanding of who they are targeting. Cookie syncing ensures that SSPs, DMPs, DSPs, and all ad tech partners can match up the users they have in their separate databases so that custom-tailored ads specific to each user can be delivered.”

Cookie syncing is also known as: cookie matching, cookie mapping, ID syncing, ID matching, or user-ID mapping.

According to ClearCode, cookie syncing is the “process of sharing a user identifier stored in a Cookie between platforms in order to exchange information about the user. The main goal of Cookie syncing is to improve Ad targeting.”

“in order to accurately target an audience, advertisers need to incorporate user data from various domains and sources, which happens as part of data-buying agreements and partnerships between different companies.

Advertisers are able to achieve this by mapping user IDs from one system to another.

An example of this would be mapping a user’s ID from a demand-side platform (DSP) to a data management platform (DMP). This process is known as cookie syncing.

The cookie-syncing process is used by most advertising technology (AdTech) platforms, including ad networks, demand-side platforms (DSPs), data-management platforms (DMPs), ad exchanges, supply-side platforms (SSPs), and various other platforms and data providers.”

[Figure: How cookie syncing works between two different AdTech platforms, for example, between a DSP and a DMP] Source: https://clearcode.cc/blog/cookie-syncing/

With regards to Google specifically, Google’s documentation states that:

“At a high-level, cookie matching is the process by which an advertiser or vendor associates cookies in their domain with cookies in Google's domain. Matching these cookies allows you to connect first-party data that you own with Google ad data (tracked via Google, DoubleClick, and YouTube IDs) on that same user, allowing you to incorporate CRM data and better understand user behavior.”

Google’s documentation states that the specific domain used for the purposes of cookie matching with Google is: cm.g.doubleclick.net/pixel

The documentation further states: “In the context of digital advertising, Google identifies users with cookies that belong to the doubleclick.net domain, and bidders participating in Real-Time Bidding may have their own domain where they identify some set of users they would like to show ads. Cookie Matching enables the bidder to match their cookies with Google's, such that they can determine whether an impression sent in a bid request is associated with one of users being targeted, they will receive either their own cookie data or a bidder-specific Google User ID that is an encrypted form of the doubleclick.net cookie in the bid request.”

In user matching, ad tech platforms create “match tables” that enable them to sync cookies and identify users across multiple platforms. Google provides “hosted match table” services to other ad tech platforms who choose to integrate with Google.

What is ‘bidstream data’?

According to Epom, “bidstream data is the information that a supply-side (publisher) passes to the demand side (advertisers) to decide on whether they want to bid on this piece of inventory.”

According to Sortable, “This information is usually shared for ad-targeting purposes, and regardless of whether the advertiser wins the impression, any bidstream data that has been exchanged” may get stored in a receiving ad tech platform’s databases until manually deleted.

What are the dangers & risks of ‘bidstream data’?

While bidstream data is unlikely to explicitly contain individual people’s names or emails, previous research has found that it may be sufficient to identify individuals, or may be used for malicious purposes.

One adtech CEO explained in an interview: “If you think about what’s attached to the bid request, there’s a user ID but also the URL the person was visiting, together with other data the publisher might have attached to upsell; for example, if the person is high earner, male or female. You can’t control who can listen to the bid stream; it’s a free for all and there’s lots of companies who listen to the bid stream.

[...] Imagine your entire browser history being shared with pretty much everyone in the world with a user ID. There are lots of companies offering cross device graphs which can take the cookie ID, which is attached to the bid request that can be translated into a real person’s name, email address and address. Most people don’t know this but essentially everyone’s entire browsing history is being transmitted all the time and, if someone wanted to do, it can be linked back to a person.”

The types of pseudonymous meta-data that are transmitted (and stored by some entities) in the bidstream can be used by governments and militaries. 

For example, one intelligence agency reportedly uses Google’s ad targeting cookie to “pinpoint targets for hacking”, according to the Washington Post in 2013. Another government official reported that “metadata absolutely tells you everything about somebody’s life.” A retired four star general asserted that: “We kill people based on metadata”.

In a bipartisan letter urging the FTC to investigate the adtech industry, lawmakers noted that “few Americans realize that companies are siphoning off and storing . . . ‘bidstream’ data to compile exhaustive dossiers about them.”

Research Methodology

This study relied on two distinct methodologies:

  1. Careful review of Google’s own documentation, particularly that which is provided in the context of various technology partner integrations and privacy laws, such as California’s CCPA, Europe’s GDPR, and Brazil’s LGPD
  2. Observation of client-side HTTPS requests and network packet captures obtained from sources such as Common Crawl, Internet Archive, URLScan.io, and DeepSee.io. In this case, special attention was devoted to HTTPS requests involving cookie syncs with Google’s cookie matching domain: cm.g.doubleclick.net/pixel

When this match pixel is invoked, Google’s documentation states that: “the match tag will cause Google's Cookie Matching Service to receive a request from the user's browser, which will issue an HTTP 302 redirect to the bidder's Cookie Matching URL. The redirect will include query parameters specifying the Google User ID and its version number in the URL, and the bidder will also receive their cookie included in the request headers.”

Further attention was devoted to the query string parameter known as “google_nid”, and to which domain the doubleclick.net endpoint triggers an HTTP 302 redirect. The “google_nid” parameter is the “Network ID (NID) for the bidder account.”

For example, in the screenshot below, one can observe an HTTP redirect chain, where the cm.g.doubleclick.net cookie matching pixel is invoked, and it redirects to a domain owned by Yahoo Japan. The “google_nid” parameter is equal to “yahoo_japan_ads.”

[Figure: google-nid-sync-example.png]

In this example, Google and Yahoo Japan appear to be engaging in the cookie matching process to exchange some information.

Which foreign entities could Google be sharing bidstream data about Americans & Europeans with?

As mentioned previously, when asked in April 2021 by six US Senators to disclose which foreign companies are receiving bidstream data from Google, Google told the Senators: “The identity of bidders is subject to non-disclosure obligations.”

However, several pages in Google’s technical documentation list various information about some of Google’s ad tech partners.

Here is a list of links in Google’s documentation pages (as well as archived versions thereof), which list various partners:

  1. EU user consent policy - Ad Manager and Ad Exchange program policies - Ad technology providers
    1. https://support.google.com/admanager/answer/9012903?hl=en
    2. https://urlscan.io/result/76071d4b-5af5-4ec9-9c1e-7174540037b3/
    3. https://archive.ph/wip/EKRRZ
  2. California Consumer Privacy ACT (CCPA) - Ad Manager and Ad Exchange program policies - Vendors eligible to receive CCPA bid requests
    1. https://support.google.com/admanager/answer/10634320?hl=en
    2. https://urlscan.io/result/7b447273-8616-4614-b091-9329c786c90b/
  3. EU user consent policy - AdMob & AdSense program policies - Ad technology providers
    1. https://support.google.com/admob/answer/9012903?hl=en
    2. https://urlscan.io/result/db6a5d8e-9c4a-462b-8993-9a18db68fb8f/
    3. https://archive.ph/wip/oOdDe
  4. DV360 - Ad technology providers
    1. https://support.google.com/displayvideo/answer/9030625?hl=en
    2. https://urlscan.io/result/affc0351-5a95-4ea0-9d26-022b5df26cc9/
    3. https://archive.ph/rmvZH
  5. California Consumer Privacy ACT (CCPA) - AdMob & AdSense program policies - Vendors eligible to receive CCPA bid requests
    1. https://support.google.com/admob/answer/10634320?hl=en
    2. https://archive.ph/wip/iyfy4
    3. https://urlscan.io/result/bd4b459a-4fbb-49b7-8d9c-09fb69c31346/
  6. Ad Technology Providers for the LGPD
    1. https://support.google.com/authorizedbuyers/answer/9931967?hl=en
    2. https://urlscan.io/result/81ddf9cd-1785-41d8-98bb-041c78c2498a/
  7. EU user consent policy - Ad technology providers
    1. https://support.google.com/adsense/answer/9012903?hl=en
    2. https://urlscan.io/result/9c2ae17e-f022-4884-a312-73b983e3263b/
  8. Ad Manager Certified External Vendors
    1. https://developers.google.com/third-party-ads/adx-vendors
    2. https://archive.ph/nZcwc#selection-589.0-592.0
    3. https://web.archive.org/web/20220701020940/https://developers.google.com/third-party-ads/adx-vendors
    4. https://urlscan.io/result/8d13c861-8722-4736-b63c-dbae3036ceb8/

Some of the aforementioned lists and resources are offered as guidance to “provide publishers with controls to select which ad technology providers are allowed to serve and measure ads”. The list of companies in “EU user consent policy - Ad Manager and Ad Exchange program policies - Ad technology providers” includes approximately 1064 vendors, among them Russia-based AdSniper, the IAB Tech Lab, and IronNet Cybersecurity, a Virginia-based company whose Chairman (General Keith Alexander) was the director of the National Security Agency and US Cyber Command from 2010 to 2014.

The page titled “Ad Manager Certified External Vendors” states that “the following vendors can serve third-party ads on the Google Ad Manager platform in all regions unless otherwise noted below.” The resource labels companies by “Vendor Type”, which includes various categories, such as “Demand Side Platform”. The Trade Desk, a major ad buying platform, is listed as follows:

[Figure: google-adx-certified-vendors-trade-desk-screenshot.png]

Given that Google reported to US Senators that “The identity of bidders is subject to non-disclosure obligations”, it is not clear why Google is able to publish “the full list of bidders” - including various foreign “bidders” - publicly on its documentation website.

The list of Google “Certified External Vendors” is included here for the reader’s consideration:

The list of companies on the “Ad Manager and Ad Exchange program policies - Vendors eligible to receive CCPA bid requests” page was analyzed and annotated to determine where the various third-party vendors are geographically located. The motivation behind this exercise was to obtain a rough approximation in response to Senators Wyden and Warner’s questions about how many foreign entities may receive bidstream data from Google’s ad platforms.

The list of “Vendors eligible to receive CCPA bid requests” from Google Ad Manager and Google Ad Exchange includes 307 entities from approximately 40 countries. Of these, approximately 105 are headquartered primarily in the United States, and approximately 202 appear to be based outside of the US. 

At least 19 are in China, 16 in Russia, 8 in India, 4 in the United Arab Emirates, 4 in Ukraine, 2 in Nigeria, 2 in Vietnam, 1 in Tanzania, and 1 in Kenya.

There is opacity as to who some of these companies are: for several of the listed vendors, such as EchoSearch and AppGrowth, no public information could be readily found. Several of the vendors also appear to have gone out of business. For example, Russia-based OMNIscienta no longer appears to be in business.

Chinese ad technology partners

Approximately 19 of the “Vendors eligible to receive CCPA bid requests” from Google Ad Manager and Google Ad Exchange appear to be based in China.

Russian ad technology partners

As mentioned above, approximately 16 of the “Vendors eligible to receive CCPA bid requests” from Google Ad Manager and Google Ad Exchange appear to be based in Russia.

Google may be exchanging user-related data with a sanctioned Russian ad tech platform

One of the Russian companies mentioned in “Vendors eligible to receive CCPA bid requests” from Google Ad Manager and Google Ad Exchange is RuTarget, also known as Segmento.

RuTarget is also listed as a “Demand Side Platform” on Google’s “Ad Manager Certified External Vendors” as of June 30th, 2022.

[Figure: google-third-party-ads-adx-vendors-rutarget-2.png] Source: https://developers.google.com/third-party-ads/adx-vendors; archived https://archive.ph/QCCn9

On April 6th, 2022, the United States Treasury Office of Foreign Assets Control (OFAC) added several Russian entities to its list of Specially Designated Nationals (SDN). In an April 6th, 2022 press release titled “U.S. Treasury Escalates Sanctions on Russia for Its Atrocities in Ukraine”, Treasury sanctioned a “web-based automated advertising software developer in Russia” called “Rutarget” (also known as Segmento). Rutarget was acquired in 2015 and is owned by Sberbank, Russia’s largest state-owned bank, which itself is under “full blocking sanctions” by the Treasury. Sberbank was also sanctioned by the UK Treasury’s Office of Financial Sanctions Implementation (OFSI).

[Figure: RuTarget-OFAC-Sanctions-SDN-List.png] Source: https://sanctionssearch.ofac.treas.gov/Details.aspx?id=36421

The sanctioned company RuTarget owns several domains, including rutarget[.]ru and segmento[.]ru.

[Figure: rutarget-doubleclick-redirect-chain-1.png]

In the screenshot above from URLScan.io, one can observe an HTTPS redirect chain similar to the one described in Google’s Cookie Matching documentation. The cm.g.doubleclick.net pixel is invoked with a specific “google_nid=” query string parameter (first request not shown in screenshot).

The first HTTPS request is to cm.g.doubleclick.net/pixel?google_nid=segmentoru, and the “google_nid” parameter, which according to Google’s documentation is the “Network ID (NID) for the bidder account”, is set to “segmentoru”. 

Next, this request triggers a browser redirect, which causes the user’s browser to send a follow-up request to google-sync.rutarget.ru

The HTTPS request to google-sync.rutarget.ru contains several query string parameters, including “google_gid=”, which is the Google User ID according to Google’s documentation. The request to RuTarget also contains “google_push=”, a query string parameter that Google’s documentation states encodes pixel match data.

[Figure: google-cookie-matching-query-string-parameters-documentation-screenshot-1.png]

The HTTPS requests sent to cm.g.doubleclick.net/pixel?google_nid=segmentoru and google-sync.rutarget.ru occurred within an iframe that was served inside of an ad slot. The iframe was called “cookie_push_onload.html”.
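The cookie matching chain described in the “user ID syncing” section, in the methodology, and in the observation just above (a request to cm.g.doubleclick.net/pixel carrying google_nid, a 302 to the bidder’s sync domain, and google_gid / google_push on the redirect URL) is the kind of record a publisher or compliance team can check mechanically against a domain watchlist. The following is an added example and not code from Adalytics, URLScan.io or Google: it takes a constructed list of request records in the shape of a captured redirect chain, extracts each cookie-match event (the google_nid value, the redirect target host, and whether the redirect carried google_gid and google_push), and flags events whose target is on or under a watchlisted domain. The hostnames and parameter names are the ones reported on this page; the record layout, the google_gid / google_push values and the second partner hostname are assumptions constructed for the example, and the watchlist holds only the two RuTarget domains the article names.

```python
from urllib.parse import parse_qs, urlsplit

# Google's cookie matching endpoint as described in its documentation.
MATCH_HOST = "cm.g.doubleclick.net"
MATCH_PATH = "/pixel"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed records in the shape of a captured redirect chain: request URL, HTTP
# status and Location header. The hostnames and parameter names are the ones the
# article reports; the google_gid / google_push values are placeholders, not real IDs,
# and sync.example-partner.test is a made-up second partner.
SAMPLE_CHAIN = [
    {"url": "https://pagead2.googlesyndication.com/pagead/s/cookie_push_onload.html",
     "status": 200, "location": None},
    {"url": "https://cm.g.doubleclick.net/pixel?google_nid=segmentoru",
     "status": 302,
     "location": "https://google-sync.rutarget.ru/sync?google_gid=PLACEHOLDER_GID&google_push=PLACEHOLDER_PUSH"},
    {"url": "https://google-sync.rutarget.ru/sync?google_gid=PLACEHOLDER_GID&google_push=PLACEHOLDER_PUSH",
     "status": 200, "location": None},
    {"url": "https://cm.g.doubleclick.net/pixel?google_nid=yahoo_japan_ads",
     "status": 302,
     "location": "https://sync.example-partner.test/cm?google_gid=PLACEHOLDER_GID2"},
]

# Domains to flag. These are the RuTarget/Segmento domains the article names; a
# compliance team would maintain this list from the sanctions sources it relies on.
WATCHLIST = {"rutarget.ru", "segmento.ru"}


def host_matches(host, domain):
    """True if host is domain or any subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_sync_events(records):
    """Pick the cookie-match pixel requests out of a chain and describe each one.

    For every request to cm.g.doubleclick.net/pixel, record the google_nid it
    carried, the host the redirect sent the browser to, and whether that
    redirect URL carried google_gid and google_push parameters.
    """
    events = []
    for rec in records:
        req = urlsplit(rec["url"])
        if req.hostname != MATCH_HOST or req.path != MATCH_PATH:
            continue
        nid = parse_qs(req.query, keep_blank_values=True).get("google_nid", [None])[0]
        event = {"google_nid": nid, "status": rec["status"], "redirect_host": None,
                 "has_google_gid": False, "has_google_push": False}
        location = rec.get("location")
        if rec["status"] in REDIRECT_STATUSES and location:
            dest = urlsplit(location)
            params = parse_qs(dest.query, keep_blank_values=True)
            event["redirect_host"] = dest.hostname
            event["has_google_gid"] = "google_gid" in params
            event["has_google_push"] = "google_push" in params
        events.append(event)
    return events


def flag_watchlisted(events, watchlist=WATCHLIST):
    """Return the sync events whose redirect target is on (or under) a watchlisted domain."""
    return [e for e in events
            if e["redirect_host"] and any(host_matches(e["redirect_host"], d) for d in watchlist)]


if __name__ == "__main__":
    for hit in flag_watchlisted(extract_sync_events(SAMPLE_CHAIN)):
        print(f"google_nid={hit['google_nid']} -> {hit['redirect_host']} "
              f"(gid={hit['has_google_gid']}, push={hit['has_google_push']})")
```

Matching on the redirect target rather than on the google_nid value matters because the NID is an opaque bidder label; the Location host is what identifies the receiving party. Suffix matching with a leading dot avoids false hits on look-alike hosts such as rutarget.ru.example.test.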

Dr. Johnny Ryan, a fellow at the Irish Council For Civil Liberties and former privacy officer for the ad blocking browser company Brave, previously published research on the subject of ‘cookie push pages’, including a detailed sequence graphic illustrating the cookie push pages process.

According to a document published in 2019, Dr. Ryan wrote: “Google Push Pages display no visible content. These pages have URLs (page names) that are unique to the Data Subject. This in turn allows companies to pseudonymously identify the Data Subject, in circumstances where this would not otherwise be possible. Thus, the network traffic triggered by these Google Push Pages provides a hidden mechanism for the sharing of the Data Subject’s personal data between Google and RTB companies.”

HTTPS requests to cm.g.doubleclick.net with the google_nid=segmentoru query string parameter have been observed several thousand times, according to URLScan.io. Some of these occurred on popular websites, such as on yahoo.com on April 4th, 2022 and on a quora.com article titled “Can you get spyware by just searching in Google?” on January 15th, 2022. 683 instances were observed in URLScan.io from February 25th, 2022 to June 25th, 2022.

Several hundred examples of user-matching sync chains between cm.g.doubleclick.net/pixel?google_nid=segmentoru and google-sync.rutarget.ru have been observed since April 6th, 2022, when RuTarget was placed under US Treasury OFAC sanctions.

Some of the sync chains and push pages were observed within ad creatives that contained references to Google seller IDs. Google publishes a list of publishers and vendors with whom they transact on https://storage.googleapis.com/adx-rtb-dictionaries/sellers.json. These are publishers and entities which Google has created accounts for to enable serving digital advertisements. Google publisher seller IDs generally follow a format of pub-[16 numerical digits]. For example, the Google publisher seller ID for nytimes.com is pub-4177862836555934.
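Tying an ad creative back to a seller, as the paragraph above describes, is a two-step lookup: find the pub-[16 digits] IDs referenced in the creative markup, then resolve them against the sellers.json file. The following is an added example, not Adalytics’ tooling and not Google’s code: it parses a constructed excerpt written in the IAB Tech Lab sellers.json layout (a top-level "sellers" array of seller_id / name / domain / seller_type records) and resolves the seller IDs found in a constructed creative. The seller_id-to-name pairs are the ones quoted on this page; the contact_email, the Ezoic domain and the seller_type values, and the creative markup itself, are assumptions made up for the example.

```python
import json
import re

# Constructed excerpt in the IAB Tech Lab sellers.json layout. The seller_id -> name
# pairs are the ones the article quotes; contact_email, the Ezoic domain and the
# seller_type values are sample data, not taken from Google's real file.
SAMPLE_SELLERS_JSON = json.dumps({
    "contact_email": "constructed@example.test",
    "version": "1.0",
    "sellers": [
        {"seller_id": "pub-4177862836555934", "name": "nytimes.com",
         "domain": "nytimes.com", "seller_type": "PUBLISHER"},
        {"seller_id": "pub-5902083285302779", "name": "Ezoic UK Limited",
         "domain": "ezoic.test", "seller_type": "INTERMEDIARY"},
        {"seller_id": "pub-6396844742497208", "name": "Ezoic AI",
         "domain": "ezoic.test", "seller_type": "INTERMEDIARY"},
    ],
})

# Constructed creative markup: a seller ID embedded in a script, plus a short
# value that must not be mistaken for one.
SAMPLE_CREATIVE = """
<div class="ad-slot">
  <script>
    var sellerId = "pub-5902083285302779";  // constructed creative markup
    var adUnit = "pub-123";                  // too short: must not match
  </script>
  <iframe src="https://pagead2.googlesyndication.com/pagead/s/cookie_push_onload.html"></iframe>
</div>
"""

# Google publisher seller IDs follow the format pub-[16 numerical digits].
SELLER_ID_RE = re.compile(r"\bpub-\d{16}\b")


def extract_seller_ids(markup):
    """Return the distinct pub-[16 digits] seller IDs referenced in ad markup, sorted."""
    return sorted(set(SELLER_ID_RE.findall(markup)))


def load_sellers(sellers_json_text):
    """Parse sellers.json text into a seller_id -> record index."""
    doc = json.loads(sellers_json_text)
    index = {}
    for entry in doc.get("sellers", []):
        seller_id = entry.get("seller_id")
        if seller_id:
            index[seller_id] = entry
    return index


def resolve_seller_ids(seller_ids, index):
    """Map each seller ID to its sellers.json name, or None if the ID is not listed."""
    return {sid: (index[sid]["name"] if sid in index else None) for sid in seller_ids}


def sellers_for_creative(markup, sellers_json_text):
    """End-to-end: seller IDs referenced in a creative, resolved to sellers.json names."""
    return resolve_seller_ids(extract_seller_ids(markup), load_sellers(sellers_json_text))


if __name__ == "__main__":
    print(sellers_for_creative(SAMPLE_CREATIVE, SAMPLE_SELLERS_JSON))
```

The word-boundary anchors in the pattern matter: without them a 17-digit value, or an ID glued to other characters, would yield a partial and therefore wrong seller ID. An ID that resolves to None is worth noting rather than discarding, since it means the creative references a seller account the published file does not list.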

On June 23, 2022, an ad was served on the gardening website gardeniaorganic.com via the Google Ad Manager domain securepubads.g.doubleclick.net/gampad. This ad loaded an iframe from pagead2.googlesyndication.com/pagead/s/cookie_push_onload.html, which triggered further HTTPS requests. Those requests included network calls to cm.g.doubleclick.net/pixel?google_nid=segmentoru and google-sync.rutarget.ru, with the “google_push=” parameter that is defined as containing pixel match data.

[Figure: rutarget-doubleclick-redirect-chain-1.png]

This particular ad creative, which served on gardeniaorganic.com, included references to Google seller ID “pub-5902083285302779”. This specific Google seller ID is registered to “Ezoic UK Limited”, which describes itself as a “Google award-winning platform for publishers”. The specific seller ID is found in Google’s Sellers.json file.

In another example, an ad was served on rhythmic.fm via the Google Ad Manager domain securepubads.g.doubleclick.net/gampad/ on June 22, 2022. The ad creative invoked pagead2.googlesyndication.com/pagead/s/cookie_push_onload.html, which then triggered an HTTPS request chain to cm.g.doubleclick.net/pixel?google_nid=segmentoru and google-sync.rutarget.ru. The ad creative contained references to “pub-6396844742497208”, which is listed as a Google seller ID for Ezoic AI.

[Figure: google-seller-id-within-ad-creative-with-rutarget-user-sync.png]

In another instance, an ad was served via securepubads.g.doubleclick.net/gampad/ on kylonpowell.com on June 16th, 2022. The ad also triggered a user sync with RuTarget, and contained references to a Google seller ID for Ezoic.

It is not clear why, months after the US Treasury explicitly sanctioned RuTarget in a press release titled “Sanctions on Russia for Its Atrocities in Ukraine”, there appear to be cookie matching requests occurring between Google’s servers and RuTarget’s. It is not clear why Google lists RuTarget, as of June 27th, 2022, as one of its “Vendors eligible to receive CCPA bid requests” or on its “Certified External Vendor Lists”. If anyone at Google could provide further insight or comment on this matter, that would be kindly appreciated.

Adalytics previously posed the question “Is digital advertising exempt or subject to US Treasury sanctions?” to Stewart Baker, a lawyer who heads the homeland and cybersecurity practices at Steptoe & Johnson LLP. Baker was previously the General Counsel of the National Security Agency (NSA) and the Assistant Secretary for Policy at the Department of Homeland Security (DHS). 

Baker responded: “US sanctions do not apply to informational materials, but they do apply to services. I’m pretty sure that the US Treasury would treat advertising on a Russian or Iranian website as a service that is barred by sanctions.”

Adalytics also reached out to Senator Mark Warner, the Chair of the US Senate Intelligence Committee, regarding the observations in this research study. Senator Warner told Adalytics:

All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company – owned by a sanctioned, state-owned bank no less – is incredibly alarming and frankly disappointing. I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.

Microsoft-owned ad tech platform Xandr also appeared to list RuTarget as one of its “third-party partners which may receive Platform Data and other Information (as defined in Xandr’s Platform Privacy Policy) as a result of their partnership with Xandr”.

Media publishers may be inadvertently sharing data with a sanctioned Russian ad tech platform

The previous section focused on Google’s possible exchange of user metadata with a sanctioned Russian ad tech company - RuTarget. This section will discuss the potential consequences of Google adding sanctioned companies, such as RuTarget, to their list of authorized ad technology partners. Particularly, we will examine how this list is used by Consent Management Platforms when it comes to deciding with whom a visitor’s data shall be shared.

Many news and media websites monetize via digital ads, including programmatic advertising and real time bidding. These publishers set up consent banners or modals, which pop up when a user (particularly in Europe) visits a website for the first time, asking if the user consents to cookies being placed on their browser by various third party vendors involved in the ad tech process. Oftentimes, the publishers will work with an external vendor who specializes in cookie consents (known as a Consent Management Platform or CMP), such as OneTrust or Cookiebot.

Some of the publishers integrate extensively with Google’s ad serving platforms. Furthermore, they are indirectly integrated (via Google) with additional 3rd parties and vendors, who are eligible to buy or transact through Google. 

For example, if a user (particularly in Europe) visits reuters.com for the first time, they see a consent modal appear asking the user for permission to collect and share some data. The consent modal is powered by OneTrust, and includes a list of 3rd party vendors that Reuters is asking for permission to share data with.

[Screenshot: Reuters vendor list]

These vendors include participants in the Interactive Advertising Bureau’s Transparency & Consent Framework, as well as vendors that work primarily through an integration with Google, listed as “Google Vendors” in the screenshot above.

It appears the list of vendors that Reuters integrates with via Google is loaded from a JSON file - https://cdn.cookielaw.org/vendorlist/googleData.json.

This file includes references to some of the vendors listed in previous sections of this research paper. Included in that list was the US Treasury sanctioned vendor RuTarget.

[Screenshot: CookiePro consent management platform Google vendors list, including RuTarget]

RuTarget also appears visually in the list of Google Vendors presented to the consumer for consent opt-in.

[Screenshot: Reuters OneTrust Google vendors list, including RuTarget]

It is not clear why Reuters is asking consumers for permission to share data about them with a Russian entity that is under US and UK government sanctions. It is quite likely that this is an inadvertent and unintentional inclusion - Reuters relies on OneTrust to populate its consented vendor lists, and OneTrust may rely on Google’s ad technology partners to populate its own vendor list. If anyone at Reuters could provide further comment or insight on this matter, that would be warmly appreciated.

In addition to Reuters, several other major publishers and media organizations were observed asking consumers for permission to share data with RuTarget.

These included:

  1. the Italian publisher la Repubblica (repubblica.it)
  2. ESPN.com (owned by Disney and Hearst)
  3. dailycaller.com
  4. complex.com
  5. weather.com
  6. theatlantic.com
  7. transfermarkt.com (partially owned by Axel Springer SE)
  8. nationalgeographic.com
  9. campaignlive.co.uk (owned by Haymarket)
  10. Investing.com
  11. Tripadvisor.co.uk
  12. ign.com (owned by Ziff Davis)
  13. express.co.uk

[Screenshots: ESPN OneTrust Google vendors list with RuTarget; weather.com RuTarget vendor consent; National Geographic RuTarget vendor consent]

It is not clear why ESPN, TripAdvisor, express.co.uk, or other publishers are asking consumers for permission to share data about them with a Russian entity that is under US and UK government sanctions.

According to a document published by Dr. Johnny Ryan in 2019: 

Google has a default: “If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used Ad Technology Providers.” What the publisher is unlikely to realise is that there are 199 companies on this list. See “Ad Manager and Ad Exchange program policies”, Google Ad Manager Help (URL: https://support.google.com/admanager/answer/9012903?hl=en).

It is ostensibly possible that these publishers (or their Consent Management Platforms) are not engaging Google’s controls to configure their own list of 3rd party vendors with whom to share data, and that the publishers are therefore sharing with all of Google’s 3rd party vendors or with the default list assembled by Google.

One major American consent management platform which is used by several major publishers - Quantcast - asks users for consent to share their data with RuTarget when the users visit Quantcast’s own website.

[Screenshot: Quantcast Google vendors list, including RuTarget]

Adalytics reached out to Jason Kint, the CEO of Digital Content Next (DCN), a media publisher trade group, about some of these observations. Mr. Kint responded:

"Publishers rely and depend on Google due to its market ubiquity. Any premium publishers will be incredibly disappointed if Google failed to catch this US Treasury sanctioned company in its systems."

Brands listed as clients of a sanctioned Russian ad tech company

RuTarget’s website, segmento.ru, has a section where it lists some of the Russian company’s advertiser clients.

[Screenshot: Procter & Gamble logo on the segmento.ru website]

The Segmento.ru landing page included brands such as:

  1. Procter & Gamble
  2. Acer
  3. AliExpress
  4. Audi
  5. BBK
  6. BMW
  7. Bayer
  8. Bonduelle
  9. Danone
  10. Ferrero
  11. Master Card
  12. Lego
  13. Mazda
  14. Michelin
  15. Porsche
  16. Sony
  17. Nintendo

It is not clear whether these brands or advertisers are aware that their logos are listed on the website of a Russian company that is under US and UK sanctions. It is ostensibly possible that these brands never truly worked with RuTarget, that the brands worked with RuTarget in the past but not currently, or that the brands only work with RuTarget through their Russian subsidiaries or affiliates.

Why did Google say: “the identity of bidders is subject to non-disclosure obligations”?

When the bipartisan group of Senators, including Ron Wyden, Mark Warner, Elizabeth Warren, Bill Cassidy, Kirsten Gillibrand, and Sherrod Brown, wrote to Google in April 2021, asking:

“Please identify each foreign-headquartered or foreign-majority owned company to whom your firm has provided bidstream data from users in the United States and their devices in the past three years.”

Mark Isakowitz, Google’s Vice President of Government Affairs & Public Policy who previously served as a staffer for Senator Rob Portman from Ohio, responded in writing:

“The identity of bidders is subject to non-disclosure obligations.”

[Screenshot: Google’s 2021 letter to Senator Wyden]

However, both Google, as well as several of Google’s bidder and demand side platform (DSP) ad tech partners, seem to have already publicly disclosed that they work together. Let’s take a look at the publicly-available records with respect to “bidders.” Before we start, note that the term “bidder” (when discussing ad exchanges) generally refers to the wholesale partner (the demand side platform), rather than a media agency or brand, such as Nike, BMW, or McDonalds.

Firstly, Google’s public documentation pages list “bidders” who are eligible to receive ad auction requests targeted to consumers in the state of California. A public page on Google’s developer documentation, titled “California Consumer Privacy Act (CCPA) - Ad Manager and Ad Exchange program policies - Vendors eligible to receive CCPA bid requests,” lists at least several dozen foreign companies. This public Google page explicitly uses the term “bidders”.

[Screenshot: CCPA-eligible bidders list]

Another page in Google’s public facing documentation, titled “Certified External Vendors”, listed several foreign companies as “RTB Bidder”. The documentation states that these “Third-party vendors undergo a business review.” The public list includes companies such as Russia-based AdRiver RTB as a “Bidder.” This list was publicly accessible on Google’s website in November 2020 and before, months before the Senators sent their letter to Google in April 2021.

[Screenshot: Google AdX RTB partners list]

Secondly, many of Google’s foreign demand side platform (DSP) partners also appear to list their relationship with Google. If Google is acting as an ad exchange or “supply source” in industry parlance, several DSP or bidder companies may want to publicly advertise to their prospective media buying clients that these foreign DSPs can purchase ad slots from Google’s ad exchange.

Indeed, Criteo, a French bidder ad tech platform, lists Google as one of its supply-side platform partners:

[Screenshot: Criteo listing Google as a supply-side partner]

LiquidM, a Germany-based DSP, also publicly lists Google’s DoubleClick ad exchange as one of its supply side partners.

[Screenshot: LiquidM listing Google as a supply-side partner]

Mintegral is a China-based DSP company, headquartered in Guangzhou. Mintegral publicly and explicitly lists Google’s Double Click Ad Exchange as an inventory partner.

[Screenshot: Mintegral listing Google as an inventory partner]

Denmark-based AdForm, another DSP company, also publicly discloses Google Ad Manager as one of its ad “inventory” supply partners.

[Screenshot: AdForm listing Google Ad Manager as a supply partner]

Admatrix, a DSP company based in Japan, also publicly discloses Google as one of its supply side partners.

[Screenshot: Admatrix listing Google as a supply-side partner]

Given that Google and some of its foreign partners publicly disclose their mutual relationships on their websites (both before and after April 2021), it is not clear why Google told the 6 US Senators that “the identity of bidders is subject to non-disclosure obligations.”

Thirdly, one of the other ad exchanges contacted by Senator Wyden and colleagues, Magnite (formerly known as Rubicon Project), did transparently respond with a detailed list of several hundred foreign companies that had received bidstream data from Rubicon Project. Several of the foreign partners mentioned by Magnite in their letter, such as Criteo or AdForm, are companies that also appear to work with Google’s ad exchange in the US.

If anyone at Google or one of the foreign bidder companies could help us better understand this observation, any input or clarification would be kindly appreciated.

Conclusion

Caveats & Limitations

Interpreting the results of this observational study requires a lot of nuance and caution.

This study should not be construed as a legal commentary or opinion. This study does not allege that any entities knowingly or intentionally violated US or UK Treasury sanctions. This study did not make any extensive consultations with sanctions law experts. The study is meant to be viewed as a highly preliminary observational analysis of publicly available information and empirical data.

Furthermore, this study was entirely based on client-side browser observations and publicly available documents, such as those of the US Treasury OFAC website and various technical documentation pages. 

This study cannot draw any definitive conclusions about data that may be exchanged purely server to server. The study cannot identify what specific types of user data, if any, were exchanged in any cookie or user ID matching processes. Furthermore, just because ad tech vendors have client-side information does not necessarily signify that large amounts of additional data are being exchanged server-side. For example, whilst cookie ID matches could be occurring, it’s possible that no additional user metadata is exchanged between ad tech platforms server-side.

It is also possible that RuTarget does not receive access to server side bidstream data, or only receives access to that data in select geographies.

With specific regards to Google’s documentation, just because a company is listed as “eligible” does not mean it is actively receiving data or bid requests. In fact, some of the companies that are listed as “eligible” by Google’s documentation or vendor lists appear to either no longer exist or have gone out of business.

If anyone from Google or the other mentioned ad tech companies or publisher entities would like to help contextualize the data observed in this research, please reach out.

Lastly, it is possible that Google, Microsoft, Ezoic, media publishers, brands, or RuTarget itself have applied for and received special licenses or exemptions from sanctions from the US Treasury or UK Treasury.

Discussion

The primary concerns raised by this study are not that Google AdX or Adsense share demographic attributes about its users with third parties. Much of that demographic information is Google’s ‘proprietary’ data advantage as an advertising platform - part of its ‘moat’, so to speak.

The primary concern is the user-related metadata that could be shared as part of the real time bidding process and user ID syncing. Google may truncate all IP addresses to protect its users. But if Google invokes user ID syncs with its partners, then the partner’s servers will get access to a user’s full, un-redacted IP address and User Agent via an HTTPS request. A company can thus still glean a fair amount of meta-information about a user. Google may not be exchanging user-related metadata server-side with a sanctioned company such as RuTarget. However, there can be value in user ID syncing even if no additional data is exchanged: for example, RuTarget can learn that what it thinks are two different users are actually the same user, because Google uses the same ID for both.

At a high level, this study may illustrate the complexity of auditing and obtaining visibility into real time bidding ad auctions. Consumers, publishers, advertisers, and even ad tech platforms themselves may find it challenging to identify and keep track of all of the entities with whom they share money or data, either directly or indirectly.

In 2021, when 6 US senators asked Google’s CEO to provide a list of foreign-owned companies who have received bidstream data about Americans, Google responded: “The identity of bidders is subject to non-disclosure obligations.”

When cybersecurity journalist Joseph Cox from Motherboard reached out to Google in April 2021, inquiring “how many foreign companies they provide so-called bidstream data from U.S. users to, and for the names of those foreign companies”, Google did not provide a statement or list of companies.

In the ongoing class action lawsuit in California, the plaintiffs allege that “Google does not tell Account Holders which companies are bidding on, and therefore accessing, their personal information”.

It is unclear why so many US Senators, journalists, and consumers have been unable to easily elicit detailed responses from Google’s staff. However, those challenges notwithstanding, it appears that Google publishes lists of vendors eligible to receive bid requests and data on several pages within its website. Furthermore, this study showed how careful examination of client-side network requests from Google cookie matching endpoints can help illustrate who Google’s servers may be syncing user related metadata with.

In this study, hundreds of foreign entities were found listed in Google’s documentation or observed within client-side HTTP network traffic (user sync requests). Some of those entities are in China, Russia, and other locations. One of those companies has been under US and UK Treasury sanctions since April 6th, 2022.

The average consumer reading this research may not care for the technical intricacies of user ID syncing between ad tech platforms. However, many readers may be surprised to learn that when they previously visited some of their favorite news or sports sites, they were asked if their data can be shared with a Russian company that is under sanctions. 

While companies like Google or Rubicon Project include clauses within their contracts that govern the use of bidstream and user data they share with external vendors, the enforcement or auditing of those contractual terms may prove difficult in certain conditions. This could be particularly true if the receiving company is located in a country that is engaged in active warfare, is already taking other US-owned assets such as aircraft, or where diplomatic and trade relations are affected by ongoing geopolitical crises. Many media publishers tell consumers that they “care about your privacy”. However, consumers may lose trust in media organizations and resort to ad blockers, if their metadata is inadvertently shared with entities in foreign countries where they would have little legal recourse to ensure the protection of their personal information.

On June 23rd, 2022, Senator Wyden and colleagues announced "The Protecting Americans’ Data from Foreign Surveillance Act”, partially in response to “a bipartisan investigation into the online advertising industry’s data practices, which revealed that major U.S. online advertising companies are sharing Americans’ web browsing data with foreign companies, including firms in China and Russia.”

Furthermore, for individuals living in Eastern Europe or Ukraine in particular, the sharing of ad tech related user data can prove particularly concerning.

The US Army Cyber Institute released a paper titled “Microtargeting as Information Warfare”, which discusses the potential for ad tech related consumer datasets to be used to influence behavioral changes, enable profiling, or sow civic discord. In April 2021, Director of National Intelligence Avril Haines warned that the “transfer of personal [commercially-acquired] information to foreign adversaries represents a security threat”. According to the Washington Post, Intelligence agencies have already been known to use “Google cookies to pinpoint targets for hacking”. A former four-star general asserted that: “We kill people based on metadata”.

This threat was further highlighted by the Wall Street Journal, which demonstrated that U.S. troops overseas could be tracked using location data sold by data brokers that integrate with the digital advertising ecosystem.

If Russian state owned entities are receiving access to bidstream data about individuals in Ukraine or Eastern Europe, that could theoretically be utilized to direct military, intelligence, or disinformation efforts against them.

When Adalytics shared the observations from this study with the Chairman of the US Senate Intelligence Committee, Senator Mark Warner responded:

“All companies have a responsibility to ensure that they are not helping to fund or even inadvertently support Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be sharing user data with a Russian company – owned by a sanctioned, state-owned bank no less – is incredibly alarming and frankly disappointing. I urge all companies to examine their business operations from top to bottom to ensure that they are not supporting Putin’s war in any way.”

When the US Senators asked Google about their contractual enforcement and audit practices, Google responded that:

“Google operates an annual audit program to assess bidders’ compliance with this and other policies” and that “In 2020, we audited 40 Authorized Buyers”.

It is unclear how RuTarget, a Russian state-controlled, US Treasury sanctioned company, has continued to be listed as a “Certified External Vendor” given Google’s audit program.

Furthermore, it is not clear what happens to user databases when a company who receives bidstream data goes out of business, is acquired, or is in a country where the government is considering seizing “intellectual property and assets of companies leaving the country”.

If neither regulators, consumers, publishers, advertisers, nor ad tech platforms themselves have the ability to closely monitor how ad auction and user data is being used, can one truly say “Privacy and transparency are core to how” ads services work?
