ISSUE No. 12Ad Tech & Data Brokers

You are auctioned hundreds of times a day

Every time a page loads, what you are doing and roughly where you are gets broadcast to a crowd of companies you have never heard of, so they can bid to put an ad in front of you. Hundreds of times a day. Here is the machine that compiles and sells you, and the part of it you can still reach.

D

THE DÆTRAX TEAM

PRIVACY RESEARCH · WITH DECKARD, OUR AI AGENT

The sale happens before the page loads

You think the ad found you because of one thing you once searched. What actually happened is faster and far larger. In the moment a page or app begins to load, before you have read a word, a description of you goes out to a crowd of companies: what you are looking at, what device you are on, and often where you physically are. They bid, in milliseconds, for the right to show you an ad. You are not the customer in that room. You are the thing being sold.

The striking thing about this industry is how openly it lays the machine out, in its own policies and technical documents, once you have the words for it. So here it is: what goes out, who catches it, and why none of the companies holding you tonight ever asked your permission.

What goes out, and how often

The technical name is real-time bidding, and the numbers are not small. By one detailed count, a person in the United States has their online activity and location exposed by this system on the order of seven hundred times a day; in Europe, several hundred. The same study called it the largest data breach ever recorded, not because of one hack, but because the broadcast is the design.

And it is not just "you looked at a sports page." The description sent out can include inferences about your health, your sexuality, your religion, your ethnicity, and your politics, alongside your location, sometimes precise enough to place you on one street. Every bid request is a copy, and it goes to the winner and the losers alike, so a single page view can hand a sketch of you to dozens of companies that paid nothing and showed you nothing.

The companies you never chose

Behind the auction sits a quieter trade. Data brokers compile dossiers on you from thousands of sources: the apps on your phone, loyalty schemes, public records, other brokers. They assemble it into a profile with an identifier attached and sell access to it. You have no account with them. You never agreed to anything. Most people could not name a single one, and that is the point. The relationship is entirely one-way: they know a great deal about you, and you do not know they exist.

This is the part the rest of this paper keeps circling. Any one fact about you is harmless. The harm is the assembly, the moment the scattered pieces are linked into one resolved profile of a named person. Ad tech is the assembly line.

"We don't sell your data"

The apps and sites you actually use will tell you they do not sell your information, and many are not lying in the narrow sense. They embed another company's code, an advertising or analytics kit, and that code copies what you do straight to the company that makes it. No money changes hands at that step, so "we don't sell" survives while your location and your behaviour leave through a side door you cannot see. It is one of the recurring lines worth knowing on sight, which we set out in every privacy policy is the same document. The consent banner you clicked was, in many cases, a formality built on an ad-industry consent framework a regulator has already found infringes the GDPR.

Why it is built to be invisible

You get no notice because there is no relationship to send it through. The data moves under "legitimate interest" and "partners" and "measurement," words chosen to be true and uninformative at once. It is tied not to your name but to an advertising ID on your device, which feels anonymous and is not, because it is stable and it is matched back to you constantly. We set out why "anonymous" so rarely holds in a separate piece. Nobody in this chain set out, personally, to do you harm. It does not matter. The auction runs the same whether the motive is malice or just money, and the profile it builds is the same either way.

What it means when it gets out, or gets used

This is not an email on a list. Location data alone has been used to track people to health clinics, places of worship, and addiction meetings, and to pin down where they sleep. It has already gone wrong at scale: a single location broker was breached through one stolen key, spilling a trove of location data and exposing the movements of millions of people who had never heard of it. Regulators have begun banning brokers from selling sensitive location data outright. One such order barred a data broker and its successor from selling it at all. The pattern never changes: data you did not know was collected, held by a company you did not choose, leaking in a way you cannot undo.

You can't see the auction. You can still cut the feeds.

There is no single off switch for an industry built to be invisible, and we will not pretend there is. But the auction is fed, and you can reach the feeders. On your phone you can reset and limit the advertising ID that ties it all together. At the first-party companies you actually use, the ones that hold your account, you can object to your data being sold or shared and to being profiled for ads, which is the part of the machine where you have standing. And the brokers that hold a file on you can be told, in writing, to delete it and to stop selling it, a right more and more laws now give you. None of it un-broadcasts what already went out. All of it shrinks what goes out next.

Start the record

Here is the trap. The whole system is built so you can never see it, which means you can never feel you have done anything about it. You will not get a tidy confirmation that the auction has stopped, because it will not stop. What you can have is the opposite of invisibility: a list of the companies and brokers feeding on you, the requests to limit and delete sent and dated, the status of every reply logged, and the replies themselves sitting in your own inbox as the proof.

We do not send those for you, and we will not tell you we made your profile disappear. What we do is the part you would never get round to alone: you search for a company, you add it, the data it likely holds is worked out for you, and the request is drafted and ready for you to send. Even just seeing the list, the named companies behind the invisible auction gathered in one place, is more control than you have tonight. That is where you start. Start your record →