[Cryptography] Comey: targeted ads => plaintext access

Christian Huitema huitema at huitema.net
Mon Sep 21 18:32:36 EDT 2015

On Monday, September 21, 2015 12:01 AM, Florian Weimer wrote:
> ...
> But in an advertising context, these environments have to be leaky,
> otherwise you could not redirect users to other sites when they click
> the ads, or bill for showing specific ads or clicking on them.

The leakage is not so much at the individual ad level than at the auction sites were publishers and advertisers meet. When a web page load, scripts will run in the "place holder" for the app, which will trigger a real-time bid for an ad to fill the space. The bid request from the ad exchange will be submitted to maybe 15 different aggregators, and the highest bidder will get to show the ad. The sequence is defined by the "Open Real-Time Bidding" protocol, published by the Internet Advertisement Board: http://www.iab.net/media/file/OpenRTB_API_Specification_Version_2_3_1.pdf.

Each of the aggregators receiving the bid request sees the bid data: identification of the content, of the device, of the user -- device ID, location, brand, model, user ID, age, home location, interest and keywords, relevant cookies. If an agency wanted to track user activity, they could just sign a back room deal with one of these aggregators, and get all that bidding data. No need to actually publish an ad.

-- Christian Huitema

More information about the cryptography mailing list