1/ [thread] Just presented with Tor E Bjørnstad, from security firm mnemonic, at Sikkerhetssymposiet today. We talked about our work on #adtech and the out of control data collection & sharing event.dnd.no/siksymp/progra… #privacy #GDPR

2/ Tried to explain how tracking happens on our phone via our apps, with unique identifiers (such as Google ID) being passed on with other personal information to a wide range of actors. Details in our report is available here: forbrukerradet.no/out-of-control/ #adtech #privacy

3/ They combine this data with information taken from a large number of different sources. These profiles, which can be compared to a «digital twin» may have thousands of data points about who you are, what you like, how you feel, and how you are predicted to behave.

4/ This is now a billion-dollar industry that includes an enormous amount of companies, most of which we have never heard of. They all fulfill different roles in the ecosystem, although the lines between data broker, data supplier, and data user is often blurred.

5/ The data collected and profiles made about us, are then used to categorise us. Here are just some examples of categories advertisers can use to "reach" us. Or manipulate or discriminate us. Source: iabtechlab.com/standards/audi…

6/ mnemonic conducted the technical testing, with help from @WolfieChristl & @thezedwards. Some results:
- 135 identified advertising companies in the data
- 20 ad companies receiving GPS data
- 16 different situations where apps shared user data such as gender, age, sexual pref

7/ Many companies receive data from many apps. Google & Facebook very much present, but so are also lots of more "unknown" companies. This is line with findings with other research (eg: research by @acccgovau & @AppCensusInc accc.gov.au/system/files/1…). Just the tip of the iceberg

8/ For example: the technical analysis by mnemonic showed that @okcupid was sharing very personal information with a commercial third party.

9/ Another pretty shocking finding was the makeup app, @Perfect365 that:
- Shared data with 72 online advertising companies
- Shared the users location continuously

Location data is extremely sensitive data and the potential for misuse is enormous: nytimes.com/interactive/20…

10/ However, of the ten apps we researched, @Grindr, shared advertising ID, location data and in some cases sexual preferences, with commercial third parties. Needless to say, but most people want to keep such information private.

11/ What made matters worse, was their lack of proper consent & legal base for sharing. As an example, if you follow just one of the trails, this would be the potential sharing of this data

12/ Working with @maxschrems & @NOYBeu we filed legal complaints against @Grindr, @mopub, @OpenX @AppNexus @AdColony @Smaato for breaching the #GDPR - the adtech industry is #OutOfControl