A recent investigation by WIRED has unveiled troubling insights into Google’s advertising ecosystem, revealing that a significant amount of sensitive information about American consumers is being made accessible to some of the largest global brands. Despite Google’s stated policies prohibiting the use of such data, experts warn that this information can, when aggregated with other data points, facilitate the identification and targeting of specific individuals.
The findings highlight that Google’s Display & Video 360 (DV360), a prominent marketing platform, provides companies around the world the ability to target U.S. consumers based on lists that include individuals believed to be facing chronic illnesses or financial hardship—categories expressly restricted under the company’s public policies. Such practices raise valid concerns regarding data privacy and ethical advertising.
Moreover, there are alarming implications for national security, as some of the lists available on DV360 allow advertisers to pinpoint numerous mobile devices associated with government employees, including judges, military personnel, and congressional staff members. This level of access to classified data raises red flags about potential vulnerabilities that could be exploited by malicious actors.
An internal document reviewed by WIRED, obtained from a U.S.-based data broker, reveals that DV360 currently hosts numerous audience segments that contain sensitive information about countless U.S. citizens. These segments are not generated by Google but are uploaded by DV360 customers, thereby compromising adherence to existing policies and allowing others to leverage this sensitive information for targeted advertising.
Information obtained by the Irish Council for Civil Liberties (ICCL) indicates that these audience segments target vast numbers of individuals based solely on their health conditions, which include ailments like chronic pain, menopause, fibromyalgia, and more. Such targeting breaches ethical advertising standards and poses significant privacy risks.
A Google representative stated that advertisers can upload audience lists based on first-party data or external segment providers. However, they reiterated that their policies prohibit the use of segments created from sensitive information, such as health or financial status. This contradiction raises questions about the effectiveness of Google’s oversight mechanisms, particularly when segments targeting distressed households—those likely experiencing bankruptcy or debt—are so prevalent.
When questioned about the failure to identify non-compliant segments with alarming descriptions—such as those suggesting an individual’s likelihood of having cardiovascular conditions—Google did not provide a clear explanation. The extent of data accessible for such targeted marketing remains extensive, with hundreds of millions of mobile IDs associated with conditions like asthma and diabetes.
The potential for misuse of this data underscores the importance of robust cybersecurity practices. Cybersecurity professionals are encouraged to consider MITRE ATT&CK tactics that could be leveraged in data exploitation, such as initial access through compromised data repositories or privilege escalation to gain greater access to sensitive target information. As the landscape of data usage and advertising continues to evolve, business owners must remain vigilant and aware of the implications surrounding data privacy and the security risks posed by advanced targeting techniques.
