A branch of the Interactive Advertising Bureau (IAB) and others are being sued by the Irish Council for Civil Liberties (ICCL) over its part in what is described as the ‘world’s largest data breach’.
The New York-based IAB Tech Lab finds itself in the cross hairs of campaigner Johnny Ryan, senior fellow at the ICCL, for its part in a process known as real-time bidding, where personal data is passed between hundreds of ad brokers and related firms during an auction process in the moments before a website loads on behalf of paying brands.
During the milliseconds between clicking on a page and it subsequently loading, everything from the type of device in use to limited location data and browsing history can be shared with brokers to better target that person.
While advertisers insist that information that could be used to identify specific individuals is never shared, critics fear that the sheer quantity of data routinely passed remotely is tantamount to an invasion of privacy. On the other hand, proponents argue that revenues generated during these transactions are the lifeblood of free-to-use internet services.
However, Ryan contends that the process is immoral, as most remain oblivious to the amount of personal data being shared online and with whom.
He explained: “Every time we load a page on a commercial website or use an app, the website or app tells tens or hundreds of companies all about us so that their clients can decide whether to bid on the opportunity to show you an ad.
“These bid requests include inferences of your sexual orientation, religion, what you’re reading, watching and listening to, and your location.”
Underpinning this activity is the IAB Tech Lab, which has been singled out for its role in preparing the numerical codes that bracket people online by their sexuality, religious views and even whether they may be a debtor.
A spokeswoman for the IAB told the BBC that it was aware of the claim, which was now in the hands of its lawyers: “We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate.”
Duplicate complaints have been filed with multiple EU nations to adjudicate on the case, which will decide whether such data can be shared even if no formal consents are in place. Progress is likely to be slow, however, with a similar complaint filed with the Irish Data Protection Commissioner’s Office in 2018 still bogged down in legal limbo.
One company that isn’t hanging around for a consensus to emerge is Apple, which has unilaterally taken matters into its own hands to position itself as a champion of consumer rights and a paragon of privacy.