Some more findings from our investigation of LiveRamp's ID graph system (), which maintains identity records about entire populations in many countries, including name, address, email and phone, and aims to link these records with all kinds of digital IDs:crackedlabs.org/en/identity-su… Identity data might seem boring, but if a company knows all kinds of identifying info about everyone, from home address to email to device IDs, it is in a powerful position to recognize persons and link profile data scattered across many databases, and this is what LiveRamp does.

As part of our new report on RTB as a security threat and previously unreported, we reveal 'Patternz', a private mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.

5 billion user profiles, data from 87 adtech firms. Thread: 'Patternz' in the report by @johnnyryan and me published today:


Patternz is operated by a company based in Israel and/or Singapore. I came across it some time ago, received internal docs. Two docs are available online.

Some more details in this thread. iccl.ie/wp-content/upl…

, a 'social risk intelligence platform' that provides digital profiles about named individuals regarding financial strain, food insecurity, housing instability etc for healthcare purposes.

Incredibly intrusive, horrifying that this can exist in the US. sociallydetermined.com
"It calculates risk scores for each risk domain for each person", according to the promotional video, and offers "clarity and granularity for the entire US".

Not redlining, though. They color it green.

Bazze, a US data broker that purchases smartphone location data from mobile apps and advertising firms, and sells to the US Dept of Defense, according to the WSJ (), openly promotes a commercial location mass surveillance system for 'government customers'. wsj.com/tech/cybersecu…
I extracted information about mobile location data they claim to sell per country from their website:


Japan: 920m records, 5.5m devices
Brazil: 370m records, 6.3m devices
Australia: 280m records, 1.7m devices

...and data on people in 200 other countries. bazze.io/cdi

New WSJ report found that 'Near', a consumer data broker based in India, Singapore and the US with an office in France, obtained massive location data via digital advertising firms like OpenX, Smaato and AdColony and sold it to US defense/intel agencies:
wsj.com/tech/cybersecu…
Near's general counsel and chief privacy officer:

The US govt "gets our illegal EU data twice per day", a "massive illegal data dump".

"We sell geolocation data for which we do not have consent to do so", "we sell data outside the EU for which we do not have consent to do so"

Yesterday, I published a case study that examines enterprise software for process mining, workflow automation and algorithmic management.

I identified a list of mechanisms that involve personal data processing and can affect workers individually (right) or collectively (center). I guess rarely anyone has ever examined this kind of software at such a level of detail, from a worker perspective.

The case study explores how employers can exploit worker data based on enterprise software docs. The chart is an excerpt from section 7:
crackedlabs.org/en/data-work/p…

NEW by me: "Monitoring Work and Automating Task Allocation in Retail and Hospitality"

A case study on software systems and technologies for worker surveillance, performance monitoring and algorithmic management in retail stores, restaurants and hotels: crackedlabs.org/en/data-work/p… …the second in a series of case studies, which are part of a larger project that aims to maps how companies use personal data on (and against) workers in Europe, led by Cracked Labs, together with @algorithmwatch, @JeremiasPrassl, @UNI_Europa, funded by Austrian @Arbeiterkammer.

In this thread, I want to share some additional details about what the file from Xandr/Microsoft, which was reported yesterday (themarkup.org/privacy/2023/0…), reveals about how hundreds of consumer data brokers trade personal information on billions of people at a global level.⬇️ The file, dated 2021 describes 650,000 'segments', most of which are lists of IDs that refer to people with certain characteristics. The lists are sold via the 'data marketplace' of Xandr, now a Microsoft company, for ad targeting.

The file reveals 93 distinct 'data providers'.

A while back, I stumbled upon a file I consider the largest piece of evidence revealing how hundreds of data brokers trade personal data on everyone, including very sensitive data, globally.

Massive investigation by @themarkup and German @netzpolitik_org:
themarkup.org/privacy/2023/0… @themarkup @netzpolitik_org Dated 2021, the file describes 650,000 'segments', most of which are lists of IDs that refer to people with certain characteristics. The lists are sold via the 'data marketplace' of Xandr, now a Microsoft company, for ad targeting.

For example people diagnosed with 'depression'.

Arbeitslos? Krebs? Schwanger? Ein Dokument gibt Einblicke in den globalen Datenhandel und zeigt, wie hunderte Firmen mit 650.000 digitalen Listen von Menschen mit bestimmten Eigenschaften handeln.

Große Recherche von @netzpolitik_org und @themarkup (USA):
netzpolitik.org/2023/microsoft… @netzpolitik_org @themarkup Das Dokument, eine Excel-Datei, beschreibt die 2021 auf dem "Datenmarktplatz" der nunmehrigen Microsoft-Tochterfirma Xandr für "Werbezwecke" verkauften Profilkategorien und nennt hunderte Datenlieferanten, u.a. Tochterfirmen von ProSiebenSat1 und Telekom:
netzpolitik.org/2023/adsquare_…

In-depth report by @reedalexander on JPMorgan Chase's "Workforce Activity Data Utility", a near-total surveillance system that observes what hundreds of thousands of employees are doing at work, from communication to desks to app usage, for many purposes:
businessinsider.com/jpmorgan-chase… @reedalexander The article mentions data from badge swipes, desk attendance, MS365/Outlook/Excel, Zoom, Citrix and Blackberry phones; reports about individual workers; and many vague purposes from compliance to safety to 'business efficiency', which seem to creep into employment decisions.

Just saw this in my Android Chrome.

'Got it' and everything 'on' by default.

It's depressing that we let Google with its $280bn surveillance business and extreme infrastructural power unilaterally push its new 'privacy'-branded profiling tech directly into the dominant browser. We let Google turn the web, mobile and other digital services into spaces with ubiquitous tracking and profiling. We let them delay the long overdue end of 3rd party cookies and advertising IDs forever.

And now we let them impose their replacement profiling tech to Chrome users.

The French data protection authority CNIL fined the French health website doctissimo.fr €280k for GDPR infringements plus €100k for ePrivacy infringements.

This is good, but. A few comments.
cnil.fr/en/health-data… It's good they took action against a web publisher, which European regulators rarely do.

And the fine may represent a considerable amount of the site's revenue (according to internet sources). It's still not much for Reworld Media though, which appears to own the site.

Largely unknown to a wider public, some of the biggest employers include so-called 'business process outsourcing' firms.

They run call centers and provide everything from sales and customer services to back-office work and content moderation, with several 100k workers.

Thread: The French outsourcing giant Teleperformance, for example, employs 420,000 people across 88 countries, many of them working from home.

…as detailed in my case study on worker surveillance and algorithmic control in the call center published yesterday: crackedlabs.org/en/data-work/p…

NEW: "Surveillance and Algorithmic Control in the Call Center", a case study on contact center software and automated management.

It explores technologies that are used to monitor, rate, rank and micromanage workers in call centers and similar workplaces:
crackedlabs.org/en/data-work/p… This case study is part of a larger project led by Cracked Labs, which examines and maps how companies use personal data on (and against) workers in Europe, together with @algorithmwatch, @JeremiasPrassl, @UNI_Europa and others, funded by @Arbeiterkammer:
crackedlabs.org/en/data-work

Publications like this recently published "AI Index Report" (Stanford, Google, OpenAI, Microsoft, McKinsey) shape industrial policy.

Key 'AI' investment areas identified by them: healthcare, data/cloud, finance, cybersecurity, retail, industrial automation. Chatbots not so much. Of course there's also marketing and multimedia content, and I guess this crazy LLM hype will make money flow hard. Nevertheless, media debates on 'AI' seem to miss a lot.

Anyway, because such reports affect policy it's also interesting what is considered as an 'AI' investment.

In 2019, the Czech antivirus/cybersecurity firm Avast was caught selling browsing data on millions to data brokers.

I did not hear about any real consequences. Instead, as I just learned, Avast was acquired by Gen Digital (formerly NortonLifeLock/Symantec) for 8 billion in 2021. So you can do the worst thing a cybersecurity firm can do, secretly selling consumer data, and instead of facing harsh regulatory measures, being shut down or at least having your reputation downrated to zero, you get rewarded with $ 8 billion.

This digital economy is broken.

T-Mobile US, a data broker partly owned by Deutsche Telekom and by the German government, now boasts to commercially exploit "billions of data signals" on 50m households, 110m customers and 230m devices about how they use apps, "what they do, where they go, and what they buy". T-Mobile US also claims to have "35+ industry leading, vetted data partners" (see screenshot above), which most likely means that T-Mobile US is re-selling personal information from dozens of other data brokers.

Putting processing that is "necessary" for "direct marketing" as a valid legitimate interest directly into Article 6 of the UK's GDPR Brexit, which has been officially "co-designed with business", really looks disastrous (irrespective of / in combination with the other changes). And the phrase "The Secretary of State may" appears 84 times oh my 🥴

...not mentioning the identifiability stuff, the further processing / purpose stuff, the "recognized legitimate interests" stuff, the records-of-processing" stuff, the SAR firewall etc.
publications.parliament.uk/pa/bills/cbill…

I came across a system that predicts sales of retail workers, i.e. employee performance, based on gender, age, disability status, language and other attributes.

Q: Would it be lawful for an US employer to make any kind of decision that affects workers based on these predictions? As I understand it, it would be illegal to make hiring decisions based on a model that uses input variables such as gender, age, disability, language (proxy).

Would it also be illegal to make e.g. decisions about e.g. shift allocation or the type of work assigned to an employee?

A part of the adtech industry, which has long been harvesting user data, extracting value and misleading everyone, is now posing as an angry populist movement claiming to defend the small-business guy against 'privacy extremists', 'academics' and 'elites':
startedwithatweet.substack.com/p/notes-on-pri… "The [adtech] middlemen are flying high, taking a cut of the ad tech tax, and desperately afraid that even the smallest amount of regulation might reveal the majority of the more than 10k ad tech companies are built on top of extremely unstable sand."

@Chronotope on fire.