Zach Edwards
privacy & data supply chain research // Using this less - email me @ privacy@victorymedium.com for Signal // politico // #build🔥🕸 ρᔕ𝐞ỮĎ𝔬Ňʸ๓Øᵘ丂
Nov 14, 2022 16 tweets 7 min read
Last year, while conducting audits on SDKs installed in mobile apps for @SafeTechLabs, a popular SDK installed in thousands of apps called “Pushwoosh” started to raise some odd questions: was it secretly Russian? Reuters has an explosive story out today: reuters.com/technology/exc…🧵 This is a complex but important story for folks to understand -- this is the start of the discussion about these types of risks.

There was an SDK company -- "Pushwoosh" -- pretending to be based in Washington, D.C., but it was really based in Russia, and has been the ~entire time.
Nov 10, 2022 6 tweets 3 min read
I have some really disappointing & horrifying news about how Twitter ads is ingesting + storing advertiser credit cards. They have a ~new "reviewData" field that is a plain text ingestion (CC fields are encrypted) which includes the "firstSix" and "lastFour" #'s of your CC.🌩️⚖️🧵 [Image: Twitter ads screenshot of a plain text JSON payload; credit card form submit pushing plain text credit card numbers] I want to make sure it's clear that storing credit card numbers in plain text in a "reviewData" field is maybe used for fraud and abuse, potentially for the Twitter ads fraud and abuse vendor Sift which you agree to share data with. But the data is stored on Twitter's side.👀🥵🌩️ [Image: Twitter advertiser "add a new credit card" form; plain text credit card fields ingested into Twitter infrastructure]
Aug 24, 2022 15 tweets 7 min read
I've gone through mudge's redacted whistleblower complaint and there are some really spicy sections that relate to ad tech + privacy + foreign intelligence... brief thread of what I think is most interesting (link to documents in tweet below)🌶️🐦🌩️⚖️🧵 First up... folks have known for awhile that tons of Chinese advertisers were/are buying Twitter ads... But no one had pieced it together that those Chinese advertisers would be using ***Twitter Custom Audiences to doxx VPN users who verified with real contact info...*** 🚨🥵🥵🚨 [Image: "Twitter executives opted to allow Twitter to become mo"]
Aug 5, 2022 7 tweets 4 min read
Reminder: @WhiteHouse has done nearly nothing to hold Yandex accountable for their Putin War propaganda via Yandex News, no comment about the massive Yandex Appmetrica SDK data collection straight to Moscow.

But leaders within women's hockey (PWHPA) fought back against Yandex🧵 ICYMI in April 2022 the PWHPA decided to *not* move forward w/ a partnership w/ the PHF due to the connections to Yandex Chair John Boynton, "It’s believed Boynton will be an issue when it comes to attracting major sponsors moving forward." 🧐🌩️⚖️👏🏻👏🏻👏🏻

thehockeynews.com/news/report-pw…
Jul 31, 2022 9 tweets 3 min read
Google's "automatic ads" w/ the new "Anchor / Vignette Ads" = full-screen between-page-loading interstitial @ support.google.com/adsense/answer… @ "Auto ads will then scan your site and automatically place ads where they’re likely to perform well and potentially generate more revenue."👀 [Image: "Auto ads offer a simple and..."] This is going to be a complex product to audit how it performs / users are impacted, and while I'm a big fan of "easy deployments" - I can only imagine what would happen if this process for "auto ads will then scan your site and automatically place ads" went a little wrong.😅🥵
Jul 31, 2022 8 tweets 2 min read
One of the saddest parts about understanding how politicians use their email lists is that if you sign up for *official* newsletters from members of Congress, the updates are very informative, some bs but tons of policy. Campaign email updates have ~zero policy, all bs & $$ asks. And it's *illegal* for the official Congressional / elected official's office to promote the campaign email newsletter/accounts, but it's totally legal (IANAL) for the campaign to promote the official office website / newsletters -- yet it's super rare for campaigns to do this.
May 23, 2022 15 tweets 8 min read
Sometimes you find something so disturbing during an audit, you've gotta check/recheck because you assume that *something* must be broken in the test.

But I'm confident now.

The new @DuckDuckGo browsers for iOS/Android don't block Microsoft data flows, for LinkedIn or Bing.🧵 DuckDuckGo has browser extensions & their own browsers for iOS / Android @ duckduckgo.com/app

iOS @ apps.apple.com/us/app/duckduc…

Android @ play.google.com/store/apps/det…

Both versions of the DDG browser claim to use tools which
"automatically block hidden third-party trackers" 👀 [Image: DuckDuckGo promise @ "Privacy, simplified" - "Escape Website Tracking - Tracker Radar automatically bl"]
Oct 22, 2021 27 tweets 9 min read
And now we know what Google has been actually doing to slow down ePrivacy..

The unredacted documents between Google & Facebook @ storage.courtlistener.com/recap/gov.usco… are outrageous. There are going to be dozens of important ad tech, digital privacy stories from all the details we can now see. Facebook had minimum spends & quotas via Facebook's header bidding. Google considered a "nuclear option" of reducing Google's exchange fees down to zero to kill header bidding.

Google documented it could not avoid "competing with [Facebook's Audience Network]"
Jun 19, 2021 19 tweets 13 min read
Does everyone realize that this is almost assuredly @Merck using the Ad ID Consortium to target ads to cancer patients? BOK's former company left this data-co-op (adexchanger.com/online-adverti…)

I'll do a thread on this, explaining how you can audit a website like keytruda.)com ⚖️⛈️🧵 First, BOK's old company used to own the domain facilitating these data flows "adnxs.com" - this domain was used in the Ad ID Consortium & was the most popular. AT&T bought appnexus, pulled out of the AD ID C, & seemingly "gave the domain up"
admonsters.com/universal-id-a…
May 26, 2021 20 tweets 11 min read
UID 2.0 made their code open source, and now we know with certainty (github.com/UnifiedID2/uid…) that this ad tech data breach code purposefully strips the ability for GMAIL users to add a "+" to the back of their email to protect themselves from shared email user graphs. 🧵 All initial email address payloads are *encoded in base64* - no encryption as emails are sent from a UID 2.0 vendor/website/app participating in this data breach scheme now housed as "open source" and controlled by the IAB Tech Lab.

@TheTradeDesk built this base64 data breach⤵️
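An added illustration (not UID 2.0's, the IAB Tech Lab's or The Trade Desk's own code) of the two behaviours the thread describes: stripping the "+" suffix from Gmail addresses collapses every sub-addressed signup to one identifier, and base64 is reversible, so the address is recoverable by anyone who receives the payload. The sample signups are constructed.

```python
import base64


def normalize_email(email: str) -> str:
    """Lowercase and trim the address; for gmail.com drop the '+suffix'
    part of the local part, as the thread describes. Illustration only."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if domain == "gmail.com":
        local = local.split("+", 1)[0]  # "jane+news" -> "jane"
    return f"{local}@{domain}"


def encode_for_transport(email: str) -> str:
    """base64 of the normalized address. This is an encoding, not encryption:
    decode_transport() below recovers the plain address with no key."""
    return base64.b64encode(normalize_email(email).encode("utf-8")).decode("ascii")


def decode_transport(payload: str) -> str:
    """Anyone holding the payload can read the address back."""
    return base64.b64decode(payload).decode("utf-8")


def cross_site_graph(signups):
    """Group (site, email) signups by their transported identifier, showing how
    sub-addressed Gmail signups at different sites link back to one person."""
    graph = {}
    for site, email in signups:
        graph.setdefault(encode_for_transport(email), set()).add(site)
    return graph


# Constructed sample: one person using a distinct "+tag" per site.
SAMPLE_SIGNUPS = [
    ("news.example", "Jane+news@Gmail.com"),
    ("shop.example", "jane+shop@gmail.com"),
    ("forum.example", "jane+forum@example.org"),  # non-Gmail: tag survives
]

if __name__ == "__main__":
    for key, sites in cross_site_graph(SAMPLE_SIGNUPS).items():
        print(decode_transport(key), "->", sorted(sites))
```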