Our phones, our data, and the ads we see

Think about all the ads you see on your phone. The banner ads you see in apps. The ads you see in your phone's browser. Newsfeed ads and video ads.

Key points
  • What information are these advertising companies accessing from our phones?
  • And what other they data they might have on us they are combining them with to target us with these ads?
  • We all should be able to understand this - but at present it is very difficult to answer many of these questions.
Our phones, our data, and the ads we see

PI has long worked on the exploitation of data by companies. We've filed complaints against companies that constantly track you around the internet, we've shown how numerous phone apps share data with Facebook, we've exposed how advertisers track visitors on mental health websites, we've shown how period tracking apps collect and share data of users (including whether they are having unprotected sex or not!), exposed how major tech companies are not providing meaningful transparency to their users globally, and much more. The totality of phone advertising brings together a lot of this work. What data apps collect, with whom they share it, how companies allow targeting of ads on their platforms, and more is largely unknown. This case study pulls together examples that demonstrate the black box nature of our phones and advertising, and small things you can do to help protect yourself.

Security information used for commercial purposes

There's been reporting about Facebook and Twitter inadvertently or not have used information that users provide for security purposes (for example when setting up two-factor authentication) for commercial purposes (to target ads).

PI raised concerns about the use of data of another purpose than what is told to users. One of the ways Facebook displays targeted adverts to users is through its Custom Audiences functionality. These "custom audiences" are lists of contact details, including phone numbers and email addresses, uploaded by advertisers. Facebook then matches this "custom audience" with the details they hold, to target adverts at accounts associated with this contact information.

Disclosing or using information provided for security purposes for any other purpose, including advertising is unacceptable and violates fundamental data protection principles: we believe that companies should protect their users' safety and never exploit critical security features for profit.

Phone apps sharing data with Facebook even if you don't have a Facebook account

In December 2018 PI's research showed that 42.55 percent of free apps on the Google Play store could share data with Facebook, making Facebook the second most prevalent third-party tracker after Google’s parent company Alphabet. Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system.

Without any further transparency from Facebook, it is impossible to know for certain, how the data is being used. This is particularity the case since Facebook has been less than transparent about the ways in which it uses data of non-Facebook users in the past.

Mental health websites tracking uses for advertising purposes

In recent research, PI analysed 136 popular mental health web pages related to depression in France, Germany, and the UK. We found that 76.04% of web pages contained third-party trackers for marketing purposes. Depression-related web pages also used a large number of third-party tracking cookies, which were placed before users were able to express (or deny) consent. This seems to violate existing EU privacy laws.

It is exceedingly difficult for people to seek mental health information and for example take a “depression test” without countless of third parties watching. All website providers have a responsibility to protect the privacy of their users and comply with the requirements imposed by existing laws, but this is particularly the case for websites that share unusually granular or sensitive data with third parties. Such is the case for mental health websites.

Phones communicating with numerous companies without your knowledge

The Washington Post also reported on apps communicating with third parties. They said that in a single week they "encountered over 5,400 trackers, mostly in apps" and that "those unwanted trackers would have spewed out over 1.5 gigabytes of data over the span of a month."

And the examples go on.

So, what can you do?

*Disclaimer - none of these are perfect solutions – and that's the real problem. Under strong data protection laws like the EU's General Data Protection Regulation (or GDPR), you should be able to understand, among many other things, why you're being targeted with an ad, what data was used to target you with the ad. That doing so is currently very difficult, if not impossible, is problematic and breaks the law.

  1. Check your settings on your phone and apps
    1. Here are some steps you can take from us.
    2. Check our Instagram account for other suggestions like this and this. [Yes, the irony is not lost on us.]
  2. Ask companies to delete your data
    1. Here are directions for 7 ad-tech companies.
  3. Ask companies for your data
    1. Other NGOs have been working on tools to support individuals to exercise these rights. Here are a few: Data Rights Finder, My Data Done Right, personaldata.io
  4. Consider using plugin such as an ad blocker or Who Targets Me to understand who is targeting you with ads.
  5. If there are specific guides you’re interested in, consider telling us!
  6. If this work is valuable to you, consider donating to PI (we proudly do not take industry money).