Adversaries amass vast amounts of our data via commercial surveillance


Huge chunks of our data are collected by means of commercial surveillance that is scanning our apps and devices. We should be worried as America’s adversaries are eager to buy this information in bulk, a digital surveillance expert told Cybernews.

Advertising technology (AdTech) today generates a whole lot of data – it includes our identity, locations, and connections. All this information is collected, repackaged, and made readily available for purchase by companies around the world. They want to know everything about their clients, after all.

But it’s not only the largest firms that are interested in the monetized packages of this sort, says Kirsten Hazelrig, Cyber Policy Lead at the MITRE Corporation, a federally funded US research and development nonprofit organization – and that’s worrying.

ADVERTISEMENT

America’s adversaries – be it China, Russia, or other countries and organizations, obviously do not need the data to better tune advertising. But, according to Hazelrig, the data generated by the AdTech ecosystem uniquely supports granular intelligence on the US population at large – and can be leveraged by unfriendly regimes.

After getting their hands on these commercial capabilities, America’s rivals can target influential individuals for blackmail, physically map and target sensitive sites and high-risk personnel, or target offensive cyber operations.

“The data that flows through AdTech is poorly understood and the risk exposure is complex, especially when considered comprehensively across the whole of government and civil society. To protect the American people from these threats, the US government needs to understand potential adversarial weaponization and national security impact,” Hazelrig wrote.

We asked the expert, who specializes in deception, digital surveillance, and influence operations, how concerned she is about the current state of play.

Could you give some specific examples of how these adversarial countries or regimes are leveraging AdTech data? How does this trove of personal information help them? Could we be entering the territory of possible blackmail? It's not a perfect analogy because the times were different but the Israelis had information about US President Bill Clinton's affair with Monica Lewinsky and tried to use it to get Jonathan Pollard, the spy, released. Are there examples of powerful, influential individuals being targeted nowadays with the help of collected AdTech data?

It's not speculation that the data collected through apps and then sold commercially could be used for blackmail.

As an example, in 2021, “anonymized” commercially available location data, readily purchased from an unnamed vendor, was analyzed to determine that a high-ranking Catholic official had visited both gay bars and private residences while using the app Grindr.

"There must be a way to communicate the most important threats to those outside of national security circles, to the regulators and members of the industry that can enact change."

Kirsten Hazelrig, Cyber Policy Lead at MITRE Corporation.
ADVERTISEMENT

This official was forced to resign. While this event was notable due to its publicity, there is nothing uniquely difficult in its execution.

What kind of data needs to be collected if one wants to establish links with, say, sensitive political or military targets and direct, for example, malware to them? Is this data freely collected or harvested now?

How an individual might be targeted depends on the intent and preferences of an adversary, but it is easy to demonstrate the world of possibility.

In December 2022, the conservative think tank Heritage Foundation was able to identify at least 30,000 cell phones as presumptively belonging to illegal immigrants visiting both non-government migrant aid shelters and Customs and Border Protection (CBP) facilities. They used that correlated information to identify a list of organizations throughout the country that were “actively facilitating the Biden border crisis.”

Although that designation is concerning given our time of heightened political divisions, it also gives a clear indication of what is possible even using “anonymized” data that has been linked to a government site.

In 2022, the media covered a US firm that was allegedly able to identify members of the US intelligence community through AdTech-based geolocation. Later that same year, the same firm was targeted by sites known to espouse Russian propaganda, blaming the technology for enabling Ukrainian missile targeting.

We can see an example of AdTech-derived data being used to target the US defense sector as far back as 2014. In this case, the threat actor used IP address ranges, geolocation, and interests of the user to target specific companies, company types, and user interests or preferences with malicious advertising links.

invincea-data
Malvertisers use real time ad bidding to target you. Courtesy of Invincea.

Do the US policymakers, to your knowledge and understanding, grasp the risks and understand what kind of information is collected?

The complexity and rapid evolution of this ecosystem make it difficult for researchers and professionals to understand this issue and what the resultant risks may be. It wouldn’t be reasonable to expect a policymaker, or for that matter, a member of the industry or the public, to understand what a determined adversary could do.

ADVERTISEMENT

It is for exactly this reason that the 2023 US National Defense Authorization Act has tasked the Director of National Intelligence to prepare an intelligence assessment of the threat from the weaponization of advertising technology.

In my opinion, an intelligence assessment is an excellent start but does not go far enough. There must be a way to communicate the most important threats to those outside of national security circles, to the regulators and members of the industry that can enact change.

In your paper, you say the US could reduce the impact, but how exactly? You mention regulation and industry collaboration, yet, surely, many large tech companies want to make a stand, so to speak, and project their independence, right? What does a comprehensive response strategy look like?

The scathing words from January’s Interactive Advertising Bureau’s Leadership meeting – “political opportunists who’ve made it their mission to cripple the advertising industry and eliminate it from the American economy and culture” – do not give me high hopes for a warm collaboration.

There are both technical and regulatory ways to move the bar forward, though. The US Federal Trade Commission is currently looking at options for reducing harm from collected data.

Ensuring that this group has insights into unclassified threat reporting on adversarial weaponization would be critical to incorporating national security considerations into future regulation.

Another path could be to develop the vulnerability and threat information necessary to enable privacy-aware industry members, such as some device manufacturers or app distributors, to prioritize data harvesting mitigations.

Commercial surveillance tech is, of course, sold to law enforcement legitimately, but some vendors don't shy away from selling their tools to adversaries – even if not directly. How does one limit this?

The proliferation of purpose-built surveillance capabilities, as well as offensive capabilities, has been long debated and has no easy answers.

ADVERTISEMENT

However, the data and technologies that we’re talking about here aren’t “law enforcement” capabilities. They are fully commercial, and available for purchase or harvesting from thousands of companies and services.

Does America stand out in terms of commercial intelligence? Europe has to play under the GDPR rules – do they help, and how? Why is it problematic for the US to have similar regulations, do you think?

Americans quantitatively have a greater exposure of their personal data than Europeans. GDPR and other European data regulations inarguably have had a hand in this.

While GDPR is imperfect, and some have gone so far as to call it a functional failure, it has forced companies to rethink their collection needs and invest more in the protection of the data that they have. However, both Americans and Europeans still have massive amounts of data being collected, bought, and sold.

I am not a regulator, and so can only offer an outsider’s opinion. Advertising is an immense and powerful industry that has, in all fairness, enabled the funding and innovation of a great deal of tech.

We, as Americans, have consistently struggled with the balance between what is best for economic growth and what may benefit more abstract societal needs. Greater insights into the specific and quantitative concerns of data harvesting and sale may help to fine-tune those discussions.