This story was originally published by ProPublica.
The internet giant may have provided Sberbank-owned RuTarget with unique mobile phone IDs, IP addresses, location information and details about users’ interests and online activity.
The day after Russia’s February invasion of Ukraine, Senate Intelligence Committee Chairman Mark Warner
sent a letter
to Google warning it to be on alert for “exploitation of your platform by Russia and Russian-linked entities,” and calling on the company to audit its advertising business’s compliance with economic sanctions.
But as recently as June 23, Google was sharing potentially sensitive user data with a sanctioned Russian ad tech company owned by Russia’s largest state bank, according to a new report provided to ProPublica.
Google allowed RuTarget, a Russian company that helps brands and agencies buy digital ads, to access and store data about people browsing websites and apps in Ukraine and other parts of the world, according to research from digital ad analysis firm Adalytics
. Adalytics identified close to 700 examples of RuTarget receiving user data from Google after the company was added to a U.S. Treasury list of sanctioned entities on Feb. 24. The data sharing between Google and RuTarget stopped four months later on June 23, the day ProPublica contacted Google about the activity.
RuTarget, which also operates under the name Segmento, is owned by Sberbank, a Russian state bank that the Treasury described as “uniquely important” to the country’s economy when it hit the lender with initial sanctions. RuTarget was later listed in an April 6 Treasury announcement
that imposed full blocking sanctions on Sberbank and other Russian entities and people. The sanctions mean U.S. individuals and entities are not supposed to conduct business with RuTarget or Sberbank.
Of particular concern, the analysis showed that Google shared data with RuTarget about users browsing websites based in Ukraine. This means Google may have turned over such critical information as unique mobile phone IDs, IP addresses, location information and details about users’ interests and online activity, data that U.S. senators and experts say could be used by Russian military and intelligence services to track people or zero in on locations of interest.
Last April, a bipartisan group of U.S. senators sent a letter
to Google and other major ad technology companies warning of the national security implications of data shared as part of the digital ad buying process. They said this user data “would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”
Google spokesperson Michael Aciman said that the company blocked RuTarget from using its ad products in March, and that RuTarget has not purchased ads directly via Google since then. He acknowledged the Russian company was still receiving user and ad buying data from Google before being alerted by ProPublica and Adalytics.
“Google is committed to complying with all applicable sanctions and trade compliance laws,” Aciman said. “We’ve reviewed the entities in question and have taken appropriate enforcement action beyond the measures we took earlier this year to block them from directly using Google advertising products.”
Aciman said this action includes not only preventing RuTarget from further accessing user data, but from purchasing ads through third parties in Russia that may not be sanctioned. He declined to say whether RuTarget had purchased ads via Google systems using such third parties, and he did not comment on whether data about Ukrainians had been shared with RuTarget.
Krzysztof Franaszek, who runs Adalytics and authored the report, said RuTarget’s ability to access and store user data from Google could open the door to serious potential abuse. Continue Reading