At least 18 public-sector websites in the UK and US send visitor data in some form to various web advertising brokers – including an ad-tech biz in China involved in past privacy controversies, a security firm claims.

[…]

In the US, .gov websites are not supposed to run ads. In the UK, ads are allowed on .gov.uk websites, subject to some limitations. The .gov and .gov.uk sites flagged by Silent Push each publish an ads.txt file that spells out the businesses allowed to automatically sell that site’s ad space to advertisers as a visitor arrives.

[…] Silent Push found a bunch of UK and US government websites with [the ads.txt] file listing various advertising exchanges and resellers ranging from Google (like what El Reg uses) to one in China.

[…]

One of the ad-tech vendors used by the .gov.uk sites, and highlighted by Silent Push, is Yeahmobi. This Chinese entity reportedly had its mobile ad SDK removed from the Google Play Store in 2018 for alleged ad fraud. Yeahmobi did not respond to requests for comment.

[…]

Silent Push’s report identifies four .gov sites that, in our experience, do not display adverts though do ping web ad platforms, do list various exchanges in their ads.txt files, and may break US government CISA rules. In the UK, it’s a different story, as 18 sites identified by Silent Push use Yeahmobi among others to display ads somewhere on pages.

  • AutoTL;DRB
    link
    English
    27 months ago

    This is the best summary I could come up with:


    Exclusive At least 18 public-sector websites in the UK and US send visitor data in some form to various web advertising brokers – including an ad-tech biz in China involved in past privacy controversies, a security firm claims.

    Silent Push’s report identifies four .gov sites that, in our experience, do not display adverts though do ping web ad platforms, do list various exchanges in their ads.txt files, and may break US government CISA rules.

    "So these organizations don’t all immediately get JavaScript access to drop on the page but they do get payloads from the bid stream – and by default it includes sensitive fields, like the device IP address.

    There are settings that publishers can toggle on to limit some of the personal data from being shared via the bid stream, but there’s no indication this is on for these UK sites – especially based on the significant number of vendors that are authorized by the domains."

    “The JavaScript of [tracking] pixels captures similar data that the JavaScript of real-time bidding endpoints collects, with the core difference being that pixels can set a cookie on your browser immediately, whereas in ad tech the thousands or tens of thousands of entities with opportunities to bid don’t get an opportunity to put a cookie on your computer unless they win an auction – and then only through approved attribution vendors,” he explained.

    "We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.


    The original article contains 1,311 words, the summary contains 290 words. Saved 78%. I’m a bot and I’m open source!