Google Ad-Tech Users Can Target National Security ‘Decision Makers’ and People With Chronic Diseases
Google enables marketers to target people with serious illnesses and crushing debt—against its policies—as well as the makers of classified defense technology, a WIRED investigation has found.
A WIRED investigation into the inner workings of Google’s advertising ecosystem reveals that a wealth of sensitive information on Americans is being openly served up to some of the world’s largest brands despite the company’s own rules against it. Experts say that when combined with other data, this information could be used to identify and target specific individuals.
Display & Video 360 (DV360), one of the dominant marketing platforms offered by the search giant, is offering companies globally the option of targeting devices in the United States based on lists of internet users believed to suffer from chronic illnesses and financial distress, among other categories of personal data that are ostensibly banned under Google’s public policies.
Other lists of American users accessible for a price across the platform raise serious national security concerns, experts say, as they reveal data brokers striving to isolate millions of mobile devices carried by government workers—from US judges and military service members to executive agency staff and employees on Capitol Hill.
First reviewed by WIRED, an internal spreadsheet obtained from a US-based data broker shows the DV360 platform currently hosting hundreds if not thousands of restricted or otherwise sensitive “audience segments,” each containing a large tranche of data that points to countless mobile devices and online profiles of people in the US. The segments are generated not by Google, but by DV360 customers who upload them to the system, where others can use them to target ads at specific audiences.
The data—first obtained by the Irish Council for Civil Liberties (ICCL), Ireland’s oldest independent human rights body—reveals segments targeting hundreds of millions of device users based exclusively on health conditions, from chronic pain and menopause to, among others, fibromyalgia, psoriasis, arthritis, high cholesterol, and hypertension.
“As with other demand-side platforms, advertisers are able to upload audience lists to Display & Video 360, based either on their own first-party data or from segment providers,” says Erica Walsh, a Google spokesperson. “Our policies do not permit audience segments to be used based on sensitive information like employment, health conditions, financial status, etc.”
Despite this, numerous segments contained in the data are clearly targeted at households and businesses based purely on data suggesting they’re experiencing financial hardship—aiming, for instance, to help advertisers identify people who are in the process of bankruptcy or burdened by long-term debt.
Allison Bodack, another Google spokesperson, tells WIRED that when the company detects “non-compliant audience segments, we will take action.” Asked to explain why Google had not detected segments with descriptions such as “Individuals likely to have a Cardiovascular condition,” or “Parents of children likely to have a respiratory disease, like Asthma,” Bodack did not respond.
Segments accessible through DV360 that target Americans with asthma contain at least hundreds of millions of mobile IDs—among them, a list simply titled, “People who have asthma.” Hundreds of millions more were found on lists for no other reason than the fact that their users are believed to have diabetes. A vast number of devices and user profiles are spread out across lists that target users determined likely to need specific medications, including some controlled substances, such as Ambien. One list links more than 140 million mobile IDs to opioid usage, suggesting the users need relief from a common “opioid-induced” side effect.
Google did not respond when asked whether a data broker had violated its rules by offering advertisers access to a list of people “likely to have an Endocrine disorder.” (The company only stated that its policies “do not permit” such segments “to be used.”) Asked to explain whether it assigns any level of risk to audience segments that target US government employees working in national security jobs, or contractors with access to restricted US defense-related technologies, Google’s spokespeople did not respond.
Among a list of 33,000 audience segments obtained by the ICCL, WIRED identified several that aimed to identify people working sensitive government jobs. One, for instance, targets US government employees who are considered “decision makers” working “specifically in the field of national security.” Another targets individuals who work at companies registered with the State Department to manufacture and export defense-related technologies, from missiles and space launch vehicles to cryptographic systems that house classified military and intelligence data.
Sources with firsthand knowledge of Google’s platform, granted anonymity to protect against retaliation on the job, confirmed the segments were actually accessible to Google’s ad buyers. Unlike Google Ads, which is free and typically used by individuals and small businesses, DV360 is a paid platform primarily aimed at companies that spend over $50,000 in ad buys per month. Google’s DV360 partners include the likes of Disney and NBCUniversal.
“This is exactly the kind of seemingly obscure data that would pique a foreign adversary’s interest,” says Justin Sherman, CEO of Global Cyber Strategies, and author of the upcoming book Navigating Technology and National Security. “It’s not necessarily held in every dataset, but it speaks to a medical condition, it speaks to use of a powerful drug, and it speaks to something that could potentially be exploited in an intelligence context.”
Over the last decade or so, online advertising has evolved to include technologies capable of “micro-targeting” individuals based on surveillance data gathered from a wide variety of sources. Users are grouped into “segments” by data brokers who aim to isolate individuals with the help of unique mobile identifiers—alphanumeric strings that are assigned to mobile devices and are widely shared across the advertising ecosystem. These mobile IDs are employed to track not only a user’s movements but also their online habits, including which apps they use, and are regularly combined with “cookies” that track web browsing behavior and purchasing information.
While the purpose of mobile IDs and other ad-based identifiers is, ostensibly, to help shield users’ identities, it is no secret that when combined with other datasets, it can become trivial to re-identify people whose information has been “anonymized.”
A government report declassified by the US Office of National Intelligence in June 2023 notes that commercial data may be combined to “reverse engineer identities or deanonymize various forms of information.” Advisers to the nation’s top spy at the time, Avril Haines, added in the report: “In the wrong hands, sensitive insights gained through [commercially available information] could facilitate blackmail, stalking, harassment, and public shaming.”
Demonstrating the point, many data brokers that exist on the periphery of Google’s advertising exchange work to assist marketers by crafting complex dossiers on individual consumers, “enriching” anonymized profiles with information drawn from a range of public and government sources. Frequently this includes credit card transactions, social media posts, bankruptcy filings, vehicle registration records, employment records, and hoards of web tracking data quietly amassed from websites, apps, and IoT devices.
With such access, data brokers aim to craft customized lists of potential targets, such as people who have “careers in the armed forces” and enjoy “gambling in general,” or those who are an “active conservative voter” likely to “participate in a civil protest,” according to the ICCL-provided data.
The manner in which the data was originally acquired by the ICCL provides a quintessential example of the ease with which rival foreign intelligence agencies can gain access to Americans’ data with minimal effort. Johnny Ryan, director of Enforce, ICCL’s investigative branch, says he was surprised by how easily the access came. “I was prepared for a complex process that would test my cover story,” he says, “but when I signed up there was no questions asked whatsoever.”
To gain access to the data broker’s segments, Ryan created a website for a fake “data analytics” firm. The “company” isn’t registered anywhere officially, but exists solely as a handful of web pages. On them, Ryan placed an image of a Russian soldier, apparently in the midst of combat, alongside a map of Ukraine. The firm’s work is vaguely described as helping “select clients” obtain “real-time” awareness of “targets” in the field. Ryan used this implausible cover while approaching data brokers based in the US.
“I could have been anybody,” he says.
To protect the integrity of ongoing research, WIRED agreed to delay identifying any data brokers being monitored by the ICCL.
Ryan’s research into ad-tech abuse informed a Federal Trade Commission lawsuit brought in 2024 against Mobilewalla, a data broker that, the FTC claims, widely offered access to segments used “specifically” to target “pregnant women and young mothers,” while also selling mobile IDs that tracked people visiting medical facilities and domestic abuse shelters. (Similarly, WIRED identified segments in the ICCL’s data that linked millions of mobile devices to expectant mothers, as well as more than 140 lists that referenced a “propensity” for “disease.” Fifty-one million mobile IDs belong to a segment aimed specifically at women likely to lack preventive care.)
According to the FTC’s complaint, Mobilewalla collected more than 183 million mobile IDs in 2021 alone. Between 2018 and 2020, the company sourced roughly 60 percent of its data directly from real-time bidding (RTB) exchanges, marketplaces where advertisers compete for online ad space in lightning-fast auctions.
A complaint filed by Enforce and the Electronic Privacy Information Center (EPIC) last month urges the FTC to launch an investigation into whether Google’s RTB tools have allowed sensitive data to be made available to foreign adversaries—information that Ryan, along with other experts, says includes vast troves of personal data tied to “active military, intelligence personnel, and key leaders.”
Many of the conditions, behaviors, and traits reflected in the data, such as a likelihood of financial debt, propensity for high alcohol use, and certain medical conditions, are criteria that can adversely affect a federal employee’s eligibility to access classified information—illustrating the potential of its use for blackmail purposes.
EPIC and Enforce allege that Google both “directly” and “indirectly” provides foreign adversaries, including China, with “extraordinarily sensitive” commercial data concerning “America’s leaders and sensitive defense personnel,” while pointing the finger at Google as the predominant commercial entity behind a vast and widely ignored “national security crisis.”
“Google’s purported self-regulation cannot protect us,” says EPIC senior counsel Sara Geoghegan, whose complaint points to restrictions on data broker deals cemented last year under a new federal law, the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). According to Geoghegan, Google’s advertising tools pose a unique national threat, one that Congress has specifically charged the FTC with eliminating.
Google’s spokesperson Erica Walsh denies any wrongdoing on the part of the company, saying that, for instance, while Google’s ad exchanges continue to accept business from Chinese companies, it has long since ceased sharing data with Russian entities. Last year, she says, Google introduced a new system designed to identify companies with ties to China in order to restrict the types of information they receive about US consumers. “This means we never share data tied to a specific user in the US for bid requests to those known entities,” she says.
While the FTC has yet to introduce any cases based on PADFAA—and also declined to comment for this story—the law notably extends far beyond data that is merely “tied to a specific user.” Google and other US companies are now forbidden under law from providing companies with ties to hostile nations with any information that, no matter how anonymized, can be tied back to a specific user when combined “with other data.”
China is reported to have the world’s largest security and intelligence apparatus, employing a veritable army of hackers that have spent decades infiltrating US corporations and agencies to steal data, most recently compromising at least 11 of the nation’s telecommunications networks.
“It would be a joke for the Chinese government to link a mobile ad ID to a person’s name,” says Sherman of Global Cyber Strategies.
Walsh notes that under Google’s new rules, mobile IDs are automatically stripped from RTB data served to Chinese entities. Along with other identifiers, Google also redacts the location data of devices being served the ads, limiting what Chinese companies can see to the name of a city. Google will provide the URL of a web page or the name of an app that an American is using, it says, but only in real time.
To ensure compliance, Walsh says, Google employs an independent company to “regularly” audit its authorized RTB buyers. Google declined to reveal more about the audits, but its public documentation suggests they are conducted at Google’s expense, “no more than once during each 12 month period.”
Zach Edwards, a longtime advertising-industry researcher and senior threat researcher at cybersecurity firm Silent Push, says Google’s efforts to limit the flow of data to China may ultimately have little effect. When a company wins a bid and its ad is served on a web page, he says, it becomes possible to acquire much of the same data that Google preemptively redacts, including a user’s full IP address and detailed information about the device they are using. Chinese hackers have reportedly used this technique in the past to execute malicious code on millions of users’ devices—a threat known as “malvertising.”
“Redacting the bid request is totally moot,” Edwards says. “If you take tens of millions of dollars from Chinese advertisers and don’t blink at them buying every impression, they outbid everyone and are able to get on the page.” According to recent reports, Chinese companies are spending “huge sums” on ads targeting US consumers, netting major profits for Meta, X, YouTube, and similar Silicon Valley firms that dominate the digital advertising market. In a February 2024 earnings call, Meta said that “China-based advertisers represented 10 percent of our overall revenue” for 2023, which totaled $133 billion.
“Even if Google were to change its practices and only initially broadcast RTB data to entities in the United States,” EPIC’s complaint says, the data would “inevitably” fall into foreign actors’ hands. “Google has no way to control what happens to the data that it broadcasts so freely,” it alleges. This was also the contention of the organization that develops technical standards for the advertising industry. Known as the Interactive Advertising Bureau (IAB), the organization acknowledged in 2018 that there is “no technical way to limit the way data is used after the data is received by a vendor.”
Foreign actors and private surveillance firms have been caught routinely exploiting RTB systems by creating shell advertising companies in order to access bid-stream data: information on users broadcast between the demand and supply sides of an RTB auction. In 2022, Adalytics, a digital ad analysis firm, published a report alleging that Google was sharing RTB data with RuTarget, an ad-tech firm owned by Russia’s largest state bank, activity that Google says it ceased in response. In 2023, Bloomberg reported that, by operating its own demand-side platform, an Israeli surveillance company called Rayzone had gained direct access to Google’s RTB data.
Last year, 404 Media reported on another Israeli tool, called Patternz, whose purpose was to leverage access to Google’s system in the same manner.
Senator Ron Wyden of Oregon, who has authored legislation that would ban federal agencies from buying data that normally requires a warrant, says the fact that Google’s platform provides overseas companies access to any personal data on military and intelligence personnel is an “outrageous practice.” “Federal regulators should throw the book at Google,” he believes, “and cut off the company from federal contracts until it stops exposing our troops to harm.”
Internal Google communications cited by EPIC and Enforce reveal a historical reluctance by Google to take practical steps to remedy the problem, despite company leaders internally acknowledging the risk. A 2014 exchange, first revealed during a federal antitrust case two years ago, shows one senior executive acknowledging the “difficulty in figuring out what buyers are actually doing with the data we’re sending.”
The remark prompted another executive to inquire as to what the “financial impact” may be of actually addressing the problem.
In another document, from late 2021, Google’s chief marketing officer, Lorraine Twohill, advises CEO Sundar Pichai to move the company away from real-time bidding, telling him: “Users point to our ads as THE reason why they can’t trust Google and why they think we sell their personal information to 3rd parties.”
Twohill’s letter—sent on International Data Privacy Day—makes clear her opinion of Google’s advertising practices: “real time bidding on user data = bad,” she writes, before signing off, “Your privacy obsessed pal.”