U.S. Federal Trade Commission urged to investigate Google’s RTB data in first ever complaint under new national security data law
16 January 2025
Google sends enormous quantities of sensitive data about Americans to China and other foreign adversaries, according to evidence in a major complaint filed today at the FTC by Enforce and EPIC. This is the first ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act.
The complaint targets a major part of Google’s business: Google’s Real-Time Bidding (RTB) system dominates online advertising, and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue is RTB.
Today’s complaint reveals that Google has known for at least a decade that its RTB technology broadcasts sensitive data without any security, according to internal Google discussions highlighted in today’s complaint.
The complaint cites internal Google communications showing that Google CEO, Sundar Pichai, rejected or failed to act upon internal calls (example) to reform the company’s dangerous RTB system in 2021. Instead, Google continued to expose sensitive American defense and industry personnel, and their institutions, to blackmail and compromise, in addition to causing grave privacy harm to consumers.
The complaint cites internal Google communications showing that Google CEO, Sundar Pichai, rejected or failed to act upon internal calls to reform the company’s dangerous RTB system in 2021. Instead, Google continued to expose sensitive American defense and industry personnel, and their institutions, to blackmail and compromise, in addition to causing grave privacy harm to consumers. Even Google’s so called “non personalized” data contains dangerous data.
The complaint highlights Enforce’s 2023 report “America’s Hidden Security Crisis,” which revealed how extraordinarily sensitive Google RTB data about active U.S. military personnel, national security leaders, and even judges, are available for purchase on the commercial data market. The data include information about people’s health conditions, debt, gambling, sexuality, politics, and gun ownership.
The FTC previously relied on this report when it took action against Mobilewalla, a data company. Enforce and EPIC now urge the FTC to urgently act to protect Americans against Google, too.
“We can now be certain Google knew about the security flaw in its advertising system for at least a decade. Despite this, it continued to vent sensitive data, betraying America and her allies. The FTC must act to end Google’s security crisis”, said Dr Johnny Ryan, Director of Enforce.
“Google has time and again proven that it cannot be trusted to protect our data. The FTC must act to rein in Google’s data abuses, which expose Americans’ data to foreign adversaries, undermining democracy, and threatening our national security,” said Sara Geoghegan, EPIC Senior Counsel.
The complaint alleges that Google RTB violates the new Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). PADFAA prohibits any company that earns revenue by providing access to data from transferring data of U.S. individuals to a foreign adversary country, or to any entity controlled by North Korea, China, Russia, or Iran.