Any Buyer Accepted: Unregulated data markets create personal security risks

The way data is collected and used for most advertising online — called the Real-Time Bidding (RTB) process — sees deeply sensitive data about Australians shown to and shared with unknown parties thousands of times a day. Through RTB, foreign states and nefarious actors can collect massive data hauls on everyday Australians.

Sensitive data about Australians is broadcast widely in a free-for-all manner each and every day. The RTB system broadcasts where a person in Australia is 449 times a day to an unknown, and uncontrolled number of companies. One dataset alone — the Australian Eyeota (Dun & Bradstreet) data — shows 17,501 unique data categories being broadcast.

This creates risks of:

• Scams: There are no effective controls on who can see or access this data, meaning it is readily available to nefarious actors, such as scammers. This report documents the trading of data about people likely to have used toll booths, which can be used to personalise scam messages about ‘fake road tolls’. It also documents the trading of data about people likely to be expecting a parcel, which can be used to personalise fake ‘Australia Post’ parcel delivery scams, for example.
• Foreign interference: Google and other RTB firms send RTB data about Australians to Chinese and Russian firms, where national laws enable security agencies to access the data.

We urgently need reforms to the Privacy Act to protect Australians from these unnecessary risks, which are beyond the control of individuals to manage. Even if people use secure devices, data will still flow via RTB from personal devices, friends, family, and personal contacts. Stronger data protections to regulate the flow of this information is required.

This report builds on the evidence and analysis from the Irish Council of Civil Liberties (ICCL), who released a compelling report — Australia’s Hidden Security Crisis — documenting how the RTB process creates national security risks resulting from the widespread broadcasting of data about Australian military personnel and security staff. The widespread broadcasting of personal data does not stop with our leaders, and ‘kompromat’ is not the only risk. Details about everyday Australians are also broadcast, creating personal security risks such as scams and ID theft. This report builds on the ICCL analysis to focus on personal security risks. We are indebted to the ICCL for their analysis.

Forewords from John Pane at Electronic Frontiers Australia and Chandni Gupta at Consumer Policy Research Centre