Have you ever Wondering why online ads appear for things you've just been thinking about?
There is no big conspiracy. Ad Tech can be scary accurate.
Technology giant Oracle is one of the few companies in Silicon Valley that has almost perfected the art of tracking people over the Internet. The company has spent a decade and billions of dollars buying startups to create their own panopticon of users' web browser data.
One of these startups, BlueKai, The company, which Oracle bought in 2014 for just over $ 400 million, is little known outside of marketing circles, but has amassed one of the largest banks of web tracking data outside of the federal government.
BlueKai uses website cookies and other tracking technologies to follow you on the Internet. Knowing what websites you visit and what emails you open, marketers can use this huge amount of tracking data to infer as much as possible about you – your income, education, political views and interests, to name a few name – to target you with ads that should suit your obvious tastes. When you click, the advertisers make money.
For a while, this web tracking data was transferred to the open internet because a server remained unsecured and without a password, and billions of records were available to everyone.
Security researcher Anurag Sen found the database and reported to Oracle about an intermediary – Roi Carthy, managing director of cyber security company Hudson Rock and a former theinformationsuperhighway reporter.
theinformationsuperhighway checked the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed the web browsing activity of sensitive users – from shopping to unsubscribing from newsletters.
"There's really no telling how telling some of this data can be," Bennett Cyphers, human resources technician at the Electronic Frontier Foundation, told theinformationsuperhighway.
"Oracle is aware of Hudson Rock's Roi Carthy report, which relates to certain BlueKai records that may be posted on the Internet," said Oracle spokeswoman Deborah Hellinger. “While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle's investigation subsequently revealed that two companies had configured their services incorrectly. Oracle has taken additional measures to prevent this problem from recurring. "
Oracle did not name the companies and did not say what these additional measures were, and declined to answer our questions or provide further comments.
However, the sheer size of the exposed database makes this database one of the biggest security holes this year.
The more it knows
BlueKai relies on soaking up an infinite amount of data from various sources to understand trends and provide the most accurate indicators of a person's interests.
Marketers can either access Oracle's massive database, which they access from credit agencies, analysts, and other sources of consumer data, including billions of daily location data points, to target their ads. Or marketers can upload their own data, which they received directly from consumers, e.g. For example, the information you provide when you register an account on a website or when you sign up for a company's newsletter.
However, BlueKai also uses more covert tactics, e.g. For example, embedding pixel-sized invisible images on websites to collect information about you as soon as you open the page – hardware, operating system, browser and network connection information.
This data, known as a "web browser user agent", may not appear to be confidential. However, when they are merged, a unique "fingerprint" of a person's device can be created that can be used to track that person while surfing the Internet.
BlueKai can also link your mobile web browsing habits to your desktop activity so that it can follow you over the Internet no matter what device you use.
Suppose a marketer wants to run a campaign to sell a new car model. In the case of BlueKai, there is already a category of "car enthusiasts" – and many other, more specific categories – that the marketer can use to place ads. Anyone who has visited a car manufacturer's website or blog with a BlueKai tracking pixel can be classified as an "auto enthusiast". Over time, this person will be divided into different categories under a profile that learns so much about you to address you with these ads.
The technology is far from perfect. Harvard Business Review found earlier this year that the information gathered by data brokers like Oracle can vary widely in quality.
However, some of these platforms have proven alarmingly accurate.
In 2012, Target sent maternity vouchers to a student after an internal analytics system found that she was pregnant – before she even told her parents – based on the data she had gathered while surfing the web.
Some might argue that these systems are designed to do just that.
Jonathan Mayer, professor of science at Princeton University, told theinformationsuperhighway that BlueKai is one of the leading systems for linking data.
"If the browser sends an email address and a tracking cookie at the same time, you need to create this link," he said.
The ultimate goal: the more BlueKai collects, the more it can draw conclusions about you, which makes it easier to target you with ads that could tempt you to make that magic click.
However, marketers can't just log in to BlueKai and download tons of personal information from their servers, a marketing professional told theinformationsuperhighway. The data is cleaned up and masked so that marketers never see names, addresses or other personal data.
As Mayer explained: BlueKai collects personal data; It is not shared with marketers.
"I don't know how insightful"
Behind the scenes, BlueKai continuously captures and compares as much personal raw data as possible against each person's profile, and continually expands that profile data to ensure that it is current and relevant.
But it was this raw data that was spilled from the exposed database.
theinformationsuperhighway found records that contain details of private purchases. A record described in detail how a German man, whose name we are holding back, placed a € 10 bet on an Esport betting website on April 19 with a prepaid debit card. The record also included the man's address, phone number, and email address.
Another record revealed how one of the largest investment holding companies in Turkey used BlueKai to track users on their website. The recording detailed how a person living in Istanbul ordered $ 899 furniture online from a home goods store. We know that no login is required as the record contains all of these details, including the buyer's name, email address and direct web address for the buyer's order.
We also reviewed a record detailing how a person unsubscribed from an electronics consumer email newsletter sent to their iCloud address. The recording showed that the person may have been interested in a particular model of an auto dash cam. Based on his user agent, we can even determine that his iPhone was out of date and needed a software update.
The more BlueKai collects, the more it can tell you what makes it easier to target you with ads that could lead you to that magical click to make money.
According to Sen, who discovered the database, the data went back for months. Some logs date from August 2019, he said.
"Fine-grained records of people's web browsing habits can reveal hobbies, political affiliation, income class, health status, sexual preferences and, as can be seen here, gambling habits," said the EFF Cyphers. "As we live more of our lives online, this type of data makes up an increasing part of our time."
Oracle declined to say whether it informed those whose data were disclosed about the vulnerability. The company also declined to say whether it had warned U.S. or international regulators about the incident.
California law requires companies like Oracle to publicly disclose data security incidents, but Oracle has not yet announced the failure. When reached, a spokesman for the California Attorney General's Office declined to say whether Oracle had informed the law firm of the incident.
According to the General Data Protection Regulation of Europe, companies can be fined up to 4% of their worldwide annual turnover if they violate data protection and disclosure regulations.
Tracker, tracker everywhere
BlueKai is everywhere – even if you can't see it.
BlueKai is estimated to collect over 1% of all web traffic – an inscrutable amount of daily data collection – and some of the world's largest websites: Amazon, ESPN, Forbes, Glassdoor, Healthline, Levi & # 39; s, MSN.com, Rotten Tomatoes and Die New York Times. Even this article has a BlueKai tracker because our parent company Verizon Media is a BlueKai partner.
But BlueKai is not alone. Almost every website you visit contains an invisible tracking code that monitors you as you cross the Internet.
As invasive as it is that invisible trackers feed their web browser data into a gigantic database in the cloud, it is precisely this data that has largely kept the Internet free for so long.
To stay free, websites use advertising to generate revenue. The more targeted the advertising, the better the sales should be.
While the majority of web users are not naive enough to believe that there is no internet tracking, few external marketing circles understand how much data is collected and what is done with it.
In any case, consumers have no choice but to accept the terms. Be tracked or leave the website. That is the compromise with a free internet.
However, collecting web tracking data from millions of people is dangerous.
"When such databases exist, there is always a risk that the data will fall into the wrong hands and injure someone," said Cyphers.
Cyphers said that if the data is in the hands of someone who is malicious, it could contribute to identity theft, phishing, or stalking.
"It is also a valuable target for law enforcement and government agencies who want to use data collection that Oracle is already doing," he said.
Even if the data stays where it's intended, according to Cyphers, these extensive databases enable "manipulative advertising of things like political issues or exploitative services and enable marketers to tailor their messages to specific vulnerable groups," he said.
"Everyone has different things to keep private and different people to keep private from," said Cyphers. "When companies collect raw data for internet surfing or buy data, thousands of small details about the lives of real people are collected along the way."
"Each of these little details has the potential to put someone in danger," he said.
Send tips securely via signal and WhatsApp to +1 646-755-8849.