Wolfie Christl
Nov 14, 2023, 30 tweets, 14 min read
As part of our new report on RTB as a security threat and previously unreported, we reveal 'Patternz', a private mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.

5 billion user profiles, data from 87 adtech firms. Thread:
'Patternz' in the report by @johnnyryan and me published today:


Patternz is operated by a company based in Israel and/or Singapore. I came across it some time ago, received internal docs. Two docs are available online.

Some more details in this thread. iccl.ie/wp-content/upl…
Here's how Patternz can be used to track and profile individuals, their location history, home address, interests, information about 'people nearby', 'co-workers' and even 'family members', according to information available online:

isasecurity.org/patternz
web.archive.org/web/2021062210…
Most of today's digital advertising is based on real-time bidding (RTB) which involves uncontrolled data flows to many entities who bid on user profiles.

Patternz states its system is "built on the extensive knowhow of operating a Realtime bidding platform for the last 5 years".
Patternz claims to operate a "fully commercial and operational AdTech arm that actually trades in media" to obtain RTB data from 87 ad exchanges and SSPs.

An earlier version of its website named Google, Yahoo and adtech firms like MoPub, AdColony and OpenX as data sources.
According to the source linked above, the Patternz system is sold by ISA Security, an Israeli firm.

Here's another publicly available doc from Sovereign Systems, a Singapore-based firm with offices in UAE, New Zealand and Ireland:

sovsys.co/wp-content/upl…
web.archive.org/web/2023100318…
Patternz claims to operate "6 data centers around the world" for real-time data collection.

I've seen internal Patternz docs which describe the IAB's OpenRTB protocol in digital advertising in detail. They also explain that the smartphone became a 'de-facto tracking bracelet'.
Although we cannot verify the claims, the documents suggest that Patternz turns the intrusive global surveillance infrastructure that has been built to serve digital advertising into a system for mass+targeted surveillance for national security agencies and perhaps other actors.
I think it's the best-documented example of how personal data that is routinely processed to provide consumer services and enable digital advertising is exploited for completely unrelated purposes at scale.

The commercial data industry, publishers and advertisers are complicit.
Whenever someone visits a website or uses a mobile app that displays digital ads, profile data is broadcast to dozens or hundreds of companies and other entities.

This occurs billions and billions of times a day. Billions of people are affected, hundreds of millions in Europe.
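As an added example that is not part of the thread or the ICCL report: this is roughly what the OpenRTB bid request described above looks like from the receiving side, i.e. what every bidder connected to an exchange gets for a single ad slot, and which of its fields identify, locate and profile the person. Field names (`device.ifa`, `device.geo.lat/lon`, `user.id`, `user.data[].segment[]`, `app.bundle`) follow the IAB OpenRTB 2.5 spec; the sample request is constructed here and describes no real device, and the `minimize` step is my own sketch of data minimization, not something the spec or any vendor does.

```python
"""Inspect an OpenRTB 2.x bid request for the personal data it exposes.

Added example, not code from the report or from any adtech vendor. Field
names are from the IAB OpenRTB 2.5 spec; the sample request below is
constructed for illustration and does not describe a real person or device.
"""
import json

# OpenRTB geo.type: 1 = GPS/location services, 2 = IP lookup, 3 = user-provided
GEO_TYPE_GPS = 1

# Constructed sample: roughly what an exchange/SSP fans out to every
# connected bidder (DSP) when an ad slot in a mobile app is auctioned.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "8a3f1c2e-0000-4000-8000-000000000001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"id": "app-123", "name": "Example Weather", "bundle": "com.example.weather"},
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36",
        "ip": "203.0.113.42",
        "os": "Android",
        "model": "Pixel 7",
        "ifa": "7d2a9e2c-4b7f-4a6f-9c1e-2f6b8d1e0a33",  # advertising ID
        "lmt": 0,                                        # "limit ad tracking" not set
        "geo": {"lat": 48.20849, "lon": 16.37208, "type": GEO_TYPE_GPS, "country": "AUT"},
    },
    "user": {
        "id": "u-55b1d9f0",
        "data": [{"name": "example-dmp",
                  "segment": [{"id": "s1", "name": "fitness"}, {"id": "s2", "name": "parent"}]}],
    },
})


def personal_data(bid_request_json: str) -> dict:
    """Pull out the fields a bidder can use to identify, locate and profile
    the person behind the ad slot. Absent fields come back as None / []."""
    req = json.loads(bid_request_json)
    device = req.get("device", {})
    geo = device.get("geo", {})
    user = req.get("user", {})
    segments = [
        seg.get("name") or seg.get("id")
        for block in user.get("data", [])
        for seg in block.get("segment", [])
    ]
    return {
        "device_id": device.get("ifa"),   # resettable in theory, stable for long periods in practice
        "user_id": user.get("id"),        # exchange-scoped user ID
        "ip": device.get("ip"),
        "lat": geo.get("lat"),
        "lon": geo.get("lon"),
        "geo_source": geo.get("type"),
        "app_bundle": req.get("app", {}).get("bundle"),
        "segments": segments,
    }


def exposure_flags(pd: dict) -> set:
    """Summarize what a recipient learns from one request."""
    flags = set()
    if pd["device_id"] or pd["user_id"]:
        flags.add("persistent_identifier")
    if pd["lat"] is not None and pd["lon"] is not None:
        flags.add("gps_location" if pd["geo_source"] == GEO_TYPE_GPS else "location")
    if pd["segments"]:
        flags.add("interest_segments")
    if pd["app_bundle"]:
        flags.add("app_context")
    return flags


def minimize(bid_request_json: str, decimals: int = 1) -> str:
    """Hypothetical data-minimization pass (my own sketch): drop persistent
    identifiers, IP and profile segments, and coarsen coordinates to
    `decimals` places (1 decimal is roughly 11 km). geo.type is dropped
    because the coarsened value is no longer the device's reported fix."""
    req = json.loads(bid_request_json)
    device = req.get("device", {})
    device.pop("ifa", None)
    device.pop("ip", None)
    geo = device.get("geo")
    if geo:
        device["geo"] = {
            k: (round(geo[k], decimals) if k in ("lat", "lon") else geo[k])
            for k in ("lat", "lon", "country") if k in geo
        }
    user = req.get("user")
    if user:
        for key in ("id", "buyeruid", "data"):
            user.pop(key, None)
    return json.dumps(req)


if __name__ == "__main__":
    raw = personal_data(SAMPLE_BID_REQUEST)
    print("as received:", raw, sorted(exposure_flags(raw)))
    slim = personal_data(minimize(SAMPLE_BID_REQUEST))
    print("minimized:  ", slim, sorted(exposure_flags(slim)))
```

The point of the contrast is that nothing in the protocol forces an exchange to send the raw advertising ID, GPS fix and segment list to every bidder; the same auction could be run on the minimized request, and a bidder that never sees the identifier cannot build the location histories the thread describes.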
It was a deliberate decision to create the RTB system in this way, and even worse, to delay GDPR enforcement and lobby hard against criticism for years.

Thousands of adtech firms and myriads of publishers and advertisers have no control over who they share personal data with.
As such, the digital advertising industry, and specifically Google and the IAB, enable the worst possible kind of decontextualized misuse of everyone's personal information.

Of course, it's ridiculous to believe that only 'Western' state actors would access RTB bidstream data.
When they have no control over who they share data with, they cannot have a legal basis to do so under the GDPR.

GDPR enforcement is broken. Otherwise, uncontrolled personal data sharing via the RTB bidstream would have been shut down years ago. Regulators must take action now.
RTB does not only undermine the rights of hundreds of millions of Europeans and trust in digital tech at large, but is also a national security threat.

In our report published today we call for the European Commission, ENISA and EEAS to take action:
iccl.ie/wp-content/upl…

To my knowledge, this 2020 Forbes article provided evidence for the first time that a firm that sells surveillance tech to governments was running its own DSP to harvest personal data from RTB bid requests in digital advertising. Not much detail, though:
This recent Bloomberg article provided more detail about Rayzone, a shady surveillance vendor that reportedly acquired data from the RTB bidstream by operating a DSP and directly owns two adtech firms (impulsedsp.com, oxillon.com):
bloomberg.com/news/articles/…
This recent WSJ article by @ByronTau found that a shady consumer data broker accessed bidstream data via SSPs and ad exchanges like OpenX, AdColony and Smaato and sold it to surveillance contractors who sold it to US defense/intel agencies:
This Haaretz investigation addresses a number of firms that exploit advertising data for surveillance purposes and for targeted attacks on devices.

The article states that some surveillance firms are 'connected to ad firms' or even 'operate an ad firm':
haaretz.com/israel-news/20…
Ok, received a tip. It appears that 'Patternz' is closely affiliated or even identical to NUVIAD, an adtech firm, DSP and consumer data broker based in Israel.

Not only because of the apparent similarity of their promotional materials:
web.archive.org/web/2020051101…
Firms listed as Nuviad's data sources in 2020:

Google, MoPub (back then: Twitter), AOL/Yahoo, Smaato, OpenX, Amobee, Pulsepoint, Rubicon, Inneractive/Fyber (Digital Turbine), Avocarrot/MobFox (Glispa, Germany), Axonix, Altitude Digital, Opera Mediaworks.
web.archive.org/web/2020051101…
As of today, Google lists Nuviad as a vendor "eligible to receive bid requests compliant with US states privacy laws":
support.google.com/adsense/answer…
Btw, Patternz does not only offer monitoring based on advertising data, but also targeted attacks by sending "targeted messages, ads or trojans directly through the AdTech stack".

And, these 'profile keywords' and 'hobbies and interests' sections may refer to RTB segment info.
Some more pointers.

In 2017, the president of NUVIAD joined the board of Ability Inc. (sec.gov/Archives/edgar…), a spytech/surveillance firm specializing in tapping phones via SS7 (forbes.com/sites/thomasbr…), which soon went down (employee arrests, NASDAQ delisting) /cc @iblametom
The CEO of the Singapore-based firm Sovereign Systems, which sells Patternz according to its website, is quoted as saying that Sovereign Systems was a "front" for PICSIX (pic-six.com), an Israeli firm that sells all kinds of surveillance tech:
haaretz.com/world-news/asi…
Xandr/Microsoft also lists Nuviad as a "partner which may receive Platform Data":
docs.xandr.com/bundle/service…

Here's Nuviad boasting about '2.5 billion user profiles' and 'analyzing over 700k ad opportunities every second'. From an Amazon AWS event in 2018:
de.slideshare.net/AmazonWebServi…
Investigative journalist? Would be great to get more solid evidence on who operates Patternz, links to other firms (spytech/adtech/Nuviad), resellers, clients.

You have insights into Nuviad or other firms (adtech, 'adint')? Reach out to trustworthy journalists, e.g. @josephfcox
Another public source confirms that Nuviad, the digital advertising firm, and Patternz, the secretive global mass surveillance tool, are identical.

In this video, Rafi Ton, the CEO of the adtech firm Nuviad, introduces himself as the 'CEO of Patternz':

The video includes a Patternz demo. An archived version should soon be available here:


It seems to be a sales pitch to a Peruvian firm and the government for covid tracking but it also addresses 'homeland security'.

Weird that this is publicly available.
There's talk about Peru's 'state of emergency' (2020/21/22?) and its military as a potential client.

The Patternz/Nuviad CEO also states that the Israeli 'security forces' were 'running' the platform, and an 'East European' country even linked Patternz with mobile operator data.
According to the video, Patternz was originally 'designed and built' as a 'homeland security platform', for 'anti-riot and protesting'.

The system also shows the apps the location/profile data comes from. As behaviors from >100k apps are analyzed, it cannot be mobile SDK data.