We observed that a Sky Bet gambling site transmitted extensive personal data on gambling activities to FB, Google, Microsoft, Adobe and to the TransUnion subsidiaries Signal and Iovation.
When asked about it under the GDPR, they mostly failed to disclose what data they process.
For example, when a user deposited cash at Sky Bet, the website immediately informed FB, Google, Microsoft, Adobe, MediaMath and Signal (TransUnion) about the exact amount deposited.
Several third-party data companies including Google and FB received data on almost every click.
In total, we observed 2,154 data transmissions to 44 third-party companies during only 37 visits to Sky Bet gambling sites.
The TransUnion subsidiary Signal created an extensive digital profile about a person who was a heavy Sky Bet user and lost a lot.
The gambling industry has long been exploiting data on players - the games played, times, frequencies, amounts spent, won and lost - to influence their behavior, get them to spend more, make them return more often, and maximize profit.
We analyzed 186 Signal profile attributes including customer value scores, promo influence scores or predictions about how much more a player might be able to spend.
Did they use those to influence players or make decisions? We still don't know.
Did FB, Google or Microsoft use the data we observed them to receive to profile or target gamblers? Did Sky Bet or others make use of the data sent to those companies in any way?
We don't know.
Without technical testing, we wouldn't even know that they received personal data.
These are some of the results of a massive investigation into data flows in online gambling. I worked on it together with @RaviNa1k's data rights agency AWO, commissioned by @cleanupgambling.
1) We analyzed how companies responded to GDPR access requests sent by a decade-long Sky Bet user 2) We analyzed how Sky Bet processes data in the browser when another person uses it 3) We analyzed how companies responded to access requests sent by the second person
• • •
Missing some Tweet in this thread? You can try to
force a refresh
I took another look at Snowden docs that mention browser/cookie IDs.
It's breathtaking how the surveillance marketing industry has still managed to claim for many years that unique personal IDs processed in the web browser are somehow 'anonymous', and sometimes still does.
Another 2011 doc indicates that the GCHQ operated a kind of probabilistic ID graph that aims to link cookie/browser IDs, device IDs, email addresses and other 'target detection identifiers' (TDIs) based on communication, timing and geolocation behavior:
Btw. What inspired me to revisit these docs is @ByronTau's book Means of Control, which not only details how US agencies buy commercial data from digital marketing but also provides deep historical context, tracing back to early-2000s debates on Total Information Awareness (TIA).
Die digitale Werbeindustrie verkauft Smartphone-Standortdaten und Bewegungsprofile von Millionen Menschen in Deutschland, darunter Privatpersonen und sensibles Personal.
Große Recherche von und BR, die einen riesigen Datensatz als "Muster" erhalten haben. netzpolitik.org
Sie haben Menschen identifiziert, die Entzugskliniken, Swinger-Clubs oder Bordelle besucht haben, aber auch Personal von Ministerien, Bundeswehr, BND, Polizei.
Fast alle Smartphone-Apps sind heute mit zwielichtigen Datensammeltechnologien "verwanzt".
Völlig unkontrollierte Datenmarktplätze, u.a. die Firma Datarade mit Sitz in Berlin, bieten Standort- und andere Verhaltensdaten über ganze Bevölkerungen aus vielen Ländern zum Verkauf an.
So, Microsoft exploits activity data from Outlook, Teams, Word etc across customers for its own promotional purposes, including on meetings, file usage and the seconds until emails are read.
Microsoft states that the analysis on the seconds until emails were read excludes EU data. Activity data from Outlook, Teams, Word etc, however, seems to include EU data.
What's their legal basis? This is also personal data on employees. And, are business customers fine with it?
Should cloud-based software vendors exploit personal data on users of their services, including private persons and employees of business customers, how they see fit?
I don't think so.
Not even for public-interest research, at least not without academic process and IRB review.
Some more findings from our investigation of LiveRamp's ID graph system (), which maintains identity records about entire populations in many countries, including name, address, email and phone, and aims to link these records with all kinds of digital IDs:crackedlabs.org/en/identity-su…
Identity data might seem boring, but if a company knows all kinds of identifying info about everyone, from home address to email to device IDs, it is in a powerful position to recognize persons and link profile data scattered across many databases, and this is what LiveRamp does.
LiveRamp aims to provide clients with the ability to recognize a person who left some digital trace in one context as the same person who later left some trace elsewhere.
It has built a sophisticated system to do this, no matter how comprehensive it can recognize the person.
As part of our new report on RTB as a security threat and previously unreported, we reveal 'Patternz', a private mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.
5 billion user profiles, data from 87 adtech firms. Thread:
'Patternz' in the report by @johnnyryan and me published today:
Patternz is operated by a company based in Israel and/or Singapore. I came across it some time ago, received internal docs. Two docs are available online.
Here's how Patternz can be used to track and profile individuals, their location history, home address, interests, information about 'people nearby', 'co-workers' and even 'family members', according to information available online:
, a 'social risk intelligence platform' that provides digital profiles about named individuals regarding financial strain, food insecurity, housing instability etc for healthcare purposes.
"It calculates risk scores for each risk domain for each person", according to the promotional video, and offers "clarity and granularity for the entire US".
Not redlining, though. They color it green.
Making decisions based on these metrics about individuals and groups seems to be highly questionable and irresponsible bs.