How Mobile Advertisers Help the NSA Gather User Data
Whether they want to admit it or not, mobile advertisers and the ecosystem in which they operate facilitate data harvesting by the National Security Agency. U.K. newspaper The Guardian reported recently that mobile apps including Rovio's popular Angry Birds game leak gender, age and location information about users, and that such information has been intercepted by the NSA and British intelligence agency Government Communications Headquarters.
The Guardian story also suggested mobile ad networks play a role in data dissemination, and mentioned mobile ad firm Millennial Media in particular.
"Let us be very clear: Millennial Media has not and does not work with, nor pass information to, the NSA, GCHQ, or any other such agencies," stated a Millennial spokesperson who said the company did not want to be interviewed for this story.
The news also prompted a swift response from Rovio, which stressed it "does not share data, collaborate or collude with any government spy agencies such as NSA or GCHQ anywhere in the world." The app developer went on to blame third-party ad networks for the alleged data transmission.
Firms like Rovio and Millennial may not be in cahoots with government spy agencies. But like it or not, the information they rely on to target advertising -- the lifeblood of the ad-supported mobile application sector -- is obtainable by such entities.
"The idea of, 'Is it Rovio or is it an ad network?' in my mind, is completely irrelevant," said Duncan McCall, CEO and co-founder of PlaceIQ, a mobile location-tracking and ad-targeting company.
The average mobile app addict often overlooks privacy notifications requiring approval of data collection before apps can be downloaded. Yet most apps require opt-ins that let companies gather and share information including location data, which is used to geographically target ads based on where people are at the moment an ad is delivered, or based on location history.
Rovio itself noted the ubiquity of app data collection and dissemination for advertising in its January 28 statement. "If advertising networks are indeed targeted, it would appear that no Internet-enabled device that visits ad-enabled web sites or uses ad-enabled applications is immune to such surveillance. Rovio does not allow any third-party network to use or hand over personal end-user data from Rovio's apps."
Before anyone can download Angry Birds, a prompt asks for permission to access the device phone number, device ID and approximate location. The app also requires "the list of accounts known by the phone. This may include any accounts created by applications you have installed."
By enabling location tracking, devices become location aware. "It is absolutely constantly sending that location information over the Internet to a server," said Mr. McCall, who said PlaceIQ -- which geographically delivers mobile ads on behalf of clients such as Mazda -- spots tens of thousands of ad requests each second. Ad-supported apps typically ping ad network and exchange servers such as PlaceIQ's with ad requests every 30 to 40 seconds, he said.
"Every time an ad request is made…the location may be sent in that ad request," he said. The information could be retrieved via a variety of touchpoints, such as ad networks, other apps, ad exchanges or demand-side platforms, added Mr. McCall. "And a lot of this is unencrypted."
Companies including PlaceIQ also gather attitudinal and search data to form more complete pictures of people who typically are then categorized into audience segments such as SUV Owners.
"I guess it's a risk built into that system that players or bad-guy hackers might game it a little bit and masquerade as legitimate companies," said Joe Laszlo, senior director at the Interactive Advertising Bureau's Mobile Marketing Center of Excellence.
"This is a place where the industry certainly needs to be very proactive because there is the risk…that consumer trust erodes and consumers curtail usage of these apps that really help them," he said.
The NSA is not tapping the contextualized data inside PlaceIQ's internal system, claimed Mr. McCall. "We don't have any back door for anybody to get into our systems," he said. The data that PlaceIQ produces and uses for ad targeting "doesn't necessarily leave our system in a format that [NSA] could make sense of," he added, noting the NSA's data gathering practices are a sign of the times. "We live in a digital society that in my opinion is not going backwards," he said.
Rovio already indicated plans to change the way it works with ad-network partners. In its response to the Guardian story, the firm stated, "In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes."