ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to get stories like this in your inbox.
Chair of the Senate Intelligence Committee the day after Russia invaded Ukraine in February Markus Warner sent a Letter to Google, warning it was on alert for “exploitation of your platform by Russia and Russia-related companies” and urging the company to review its advertising business’s compliance with economic sanctions.
But as recently as June 23, Google shared potentially sensitive user data with a sanctioned Russian ad-tech firm owned by Russia’s largest state bank, according to a new report provided to ProPublica.
Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world. according to a study by digital advertising analytics firm Adamytics. Adalytics identified nearly 700 examples of RuTarget receiving user data from Google after the company was added to a U.S. Treasury Department’s list of sanctioned companies on Feb. 24. The data exchange between Google and RuTarget ended four months later, on June 23, the day ProPublica contacted Google about the activity.
RuTarget, which also goes by the name Segmento, is owned by Sberbank, a Russian state-owned bank that the finance ministry described as “uniquely important” to the country’s economy when it first hit the lender with sanctions. RuTarget was later listed in one April 6 Treasury Department announcement which imposed full lockdown sanctions on Sberbank and other Russian companies and individuals. The sanctions mean that US individuals and companies are not allowed to do business with RuTarget or Sberbank.
Of particular concern was that the analysis revealed that Google shared data about users visiting Ukraine-based websites with RuTarget. This means Google may have shared such vital information as unique cellphone IDs, IP addresses, location information, and details about users’ interests and online activities, data US senators and experts say are obtained from Russian military – and intelligence agencies could be used to track people or target interesting places.
Last April sent a bipartisan group of US senators a letter to Google and other major ad technology companies, who warn about the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a gold mine for foreign intelligence agencies to exploit to inform and accelerate hacking, blackmail and influencer campaigns.”
Google spokesman Michael Aciman said the company blocked RuTarget from using its ad products in March and that RuTarget has not purchased ads directly through Google since then. He acknowledged that the Russian company was still getting user and ad purchases data from Google before being warned by ProPublica and Adalytics.
“Google is committed to complying with all applicable sanctions and trade laws,” Aciman said. “We have reviewed the companies in question and have taken appropriate enforcement action beyond what we took earlier this year to prevent them from using Google advertising products directly.”
Aciman said this measure includes not only blocking RuTarget from further accessing user data, but also from buying ads through third parties in Russia, which may not face sanctions. He refused to say whether RuTarget bought ads through Google systems with such third parties, and he did not comment on whether data about Ukrainians was shared with RuTarget.
Krzysztof Franaszek, head of Adalytics and author of the report, said that RuTarget’s ability to access and store Google user data could open the door to serious potential abuse.
“As far as we know, they take that data and combine it with 20 other data sources that they got from god knows where,” he said. “If RuTarget’s other data partners include the Russian government or the secret service or cybercriminals, there is a great risk.”
In a statement to ProPublica, Warner, a Virginia Democrat, called Google’s failure to sever its relationship with RuTarget alarming.
“All corporations have a responsibility to ensure that they do not help fund, or even inadvertently support, Vladimir Putin’s invasion of Ukraine. Hearing that an American company may be leaking user data to a Russian company owned by a sanctioned state-owned bank is incredibly alarming and frankly disappointing,” he said. “I urge all companies to conduct a thorough audit of their operations to ensure they are not in any way supporting Putin’s war.”
This article was previously published on Source link