Dig emerges from stealth to help organizations secure their data in public clouds

Dig, a Tel Aviv-based cloud data security startup, has emerged from stealth with an $11 million investment to help organizations protect data stored in public cloud environments.

It’s no secret that data is often the ultimate target for some cybercriminals, yet so many organizations don’t have visibility, context or control over data stored in public cloud environments — like the ones run by Amazon, Google and Microsoft — according to Dig. That’s why the startup has developed a data detection and response (DDR) solution, which it claims can help enterprises to discover, protect and govern their cloud data in real time.

“Companies don’t know what data they hold in the cloud, where it is, or most importantly how to protect it. They have tools to protect endpoints, networks, APIs but nothing to actively secure their data in public clouds,” Dan Benjamin, Dig’s co-founder and chief executive, tells TechCrunch. Prior to founding Dig in October last year, Benjamin led multi-cloud security at Microsoft and mentored CTOs at Google Cloud for Startups.

“If you speak to data security teams in large organizations today, most of them work with manual reports and run manual scans. We help organizations analyze and understand how that data is being used,” he added.

Dig claims, like unlike existing solutions, it analyzes and responds instantly to threats to cloud data, triggering alerts on suspicious or anomalous activity, stopping attacks, data exfiltration and employee data misuse. The solution — a software-as-a-service app — discovers all data assets across public clouds and brings context to how they are used, and also tracks whether each data source supports compliance like SOC2 and HIPAA.

“Just the other week, we integrated with a large financial public American company, and after five minutes, we had alerts. What we discovered is that they had all financial reports being copied to an external AWS account that doesn’t belong to them,” Benjamin says. “We see stuff like this all of the time because no-one has real visibility into how this data is being used.”

Benjamin, who founded the startup alongside veteran entrepreneurs Ido Azran and Gad Akuka — the first letters of the co-founders’ names spell “Dig” — tells TechCrunch that Dig currently works with Microsoft Azure and AWS, with support for Google Cloud Platform coming soon. His ultimate goal, however, is to expand beyond public clouds to provide a solution to protect data wherever it sits within an organization.

“Data sits in five main locations for a typical enterprise; endpoints, email, on-premise, SaaS, and public clouds,” Benjamin says. “We only cover public clouds, but I believe that, eventually, customers will want a single platform that protects data wherever it is.”

With its $11 million seed round led by Team8, with participation from CrowdStrike, CyberArk and Merlin Ventures, Dig plans to grow its headcount from 30 to 50 by the end of the year, including in the U.S. It also plans to expand the product, with Benjamin noting that the startup “still has a lot to do” across discovery, context and threat protection.

New Relic enters the security market with its new vulnerability management service

New Relic, which has long been known for its observability platform, is entering the security market today with the launch of a new vulnerability management service. Aptly named New Relic Vulnerability Management, the service aggregates data from botth its own native vulnerability detection system and third-party tools, giving security, DevOps, SecOps and SRE teams a single service for monitoring their sotware stack for vulnerabilities.

“Minimizing security risk across the entire software development life cycle is imperative — and we are seeing more pressure on DevOps to manage risk while making sure it doesn’t become a blocker to the pace of innovation,” said New Relic CEO Bill Staples. “New Relic Vulnerability Management delivers more value to engineers harnessing the power of observability with our platform approach, and accelerates our mission to help every engineer do their best work with data, not opinions.”

The company argues that one if its major differentiators is that this new tool can integrate with third-party security tools. This in turn should help teams prioritize which security risks to focus on (because there are always more than any team can handle), with the new service also helping them to identify which actions to take to remediate those risks).

The new service is part of a series of announcement New Relic made at the CNCF’s KubeCon + CloudNativeCon conference and its own FutureStack event today. Other announcements include enhancements to the company’s application performance monitoring service (which now collects logs in context), new partners in its Instant Observability ecosystem (which now features more than 470 integrations), and a major new partnership with Microsoft, allowing Azure users to use New Relic as their default observability platform natively inside the Azure Portal.

Daily Crunch: Musk pauses Twitter buy until platform proves less than 5% of users are spambots

It’s Tuesday, May 17, 2022, and we are currently in the midst of an existential crisis; aren’t we all, when we are being very honest with ourselves, a little bit spambot at heart? 

Tomorrow, TC Sessions: Mobility kicks off. Last chance saloon to buy tickets for our in-person event Wednesday and Thursday, or the virtual event on Friday! — Haje and Christine

The TechCrunch Top 3

  • Spambots holding up Twitter deal: Elon Musk doubled down on his previous tweets this morning, basically saying that if Twitter CEO Parag Agrawal is unable to back up claims that the number of spam and/or fake accounts is around the 5% the company says, Musk’s deal to acquire Twitter will not move forward. It would be a shame, really, after we’ve devoted so much effort in following the story, for it to not go through.
  • The Twitter choice is up to you: Which then begs the question: “Does Elon Musk really even want to buy Twitter?” Alex does a deep dive into this very question, and when he resurfaces, he finds that perhaps Musk wants to get out of the deal for a couple of reasons, one being it was not the company he thought it was.
  • Where dem dollas at?: Enabling other companies to offer financial products continues to be a hot area for venture capital investors to put their dollars. The latest is Unit, which is now a unicorn after closing on a $100 million Series C round. What’s interesting about what Unit does is that anyone, even those in the freelance or creator economy, can do it, too.

Startups and VC

Icarus ignores Daedalus’s instructions not to fly too close to the sun, melting his wax wings. A similar situation is causing Bird to change course and drop vehicle sales in pursuit of profitability, according to its Q1 earnings call, Rebecca reports. 

In a curious twist, Greenlight — which typically focuses on bank accounts for kids — just launched a new credit card aimed at helping parents save for college for their kids. The card’s purpose is reflected in the way it’s being marketed, but ultimately, it functions very similarly to any other credit card that offers cash back to users, Anita concludes. 

All startups, all the time:

How to evolve your DTC startup’s data strategy and identify critical metrics

Piggy bank with folding rule and spirit level against a white background

Image Credits: deepblue4you (opens in a new window) / Getty Images

Most e-commerce startups use the same major platforms and analytics tools to gather data for the dashboards that measure the health of their businesses.

As a result, most direct-to-consumer companies make the same mistakes when it comes to refining raw transactional data, according to Michael Perez, director of growth and data at M13.

The calculation errors hardwired into platform data can lead teams to miscalculate key metrics, “drastically overestimate their customer lifetime value and overspend on marketing campaigns,” says Perez.

He identifies two common data mistakes: creating metrics at the wrong level of granularity, and using downstream metrics that usually create data silos. 

“We’re generally big fans of plug-and-play business intelligence tools, but they won’t scale with your business.”

(TechCrunch+ is our membership program, which helps founders and startup teams get ahead. You can sign up here.) 

Big Tech Inc.

Want to monitor your company’s carbon footprint? Microsoft has an offering for that. The tech giant is joining other tech giants, like Salesforce, Google (which announced some new security features itself) and IBM, in offering sustainability tracking products. In Microsoft’s case, it will gather a bunch of data companies can use to eventually reduce that footprint and meet sustainability goals.

Robinhood has its sights set on a new target: more features. One includes enabling users to manage their own crypto wallets instead of Robinhood doing it for them. There seems to be a “private key” involved with the custodial accounts, so make sure you don’t leave it anywhere.

Lots of Apple news today. We’ll give you the short-short version, including new rules that will let apps raise subscription prices automatically (that won’t be abused, right?). The company is also kicking off its new Apple Music concert series with a livestream performance by Harry Styles and reportedly testing out E Ink’s outer display as it designs a foldable device.

Some others for your afternoon jam session:

Pulse, the maker of an automatic Slack status updater, acquires team communication startup Lounge

Lounge, a team communication startup that was looking to reimagine the future of work with features designed for remote and distributed workforces, has now found an exit after Slack entered its same market last year with competitive voice and video tools. Launched by former Life360 employees last year, Lounge confirmed it’s been acquired for an undisclosed sum by Pulse — another company building technology aimed at improving remote worker productivity, but specifically through features that automate updates to users’ Slack status via a combination of AI and custom rules.

Pulse was founded by Raj Singh, who has already had multiple exits, including to companies like Salesforce. In particular, Pulse was attracted to Lounge’s ideas around team-building activities for remote workers.

That was only a subset of what Lounge had offered, however. Its service was a more expansive platform with features like message boards, audio chat, group audio and visual representations of typical corporate office spaces — like employee desks, conference rooms and even break rooms. On top of this, it had built features designed to help remote workers connect and get to know one another, like photo-sharing tools and support for company-wide events — like steps or meditation challenges, for example.

According to Lounge CEO Alex Kwon, despite his startup’s unique features, it struggled against the lock-in and network effect of mainstream remote work platforms, like Slack and Microsoft Teams. But the final bullet was Slack’s introduction of Huddle, its own lightweight audio networking feature that effectively took aim at one of Lounge’s biggest selling points — drop-in voice chats.

Initially, Lounge decided to pivot to focus more on asynchronous team-building activities with deeper Slack integration.

Kwon says Singh later reached out to him and explained how Pulse aimed to become a platform for displaying the status of each team member right inside Slack, where they’re already working — as opposed to having employees use a whole new platform like Lounge. Pulse was also looking to expand its solution to other workplace apps, like Microsoft Teams, Google Workspace and even Discord. Both parties agreed that establishing team-building activities as a social layer for this existing offering could make sense. It also served Lounge’s original vision to make remote teams feel closer.

“Raj is an experienced entrepreneur in the B2B space with a previous exit to Salesforce, so the acquisition conversation became a natural next step for us,” notes Kwon.

Pulse aims to use Lounge’s asynchronous team-building activities like its Steps challenge and Team photos feature as the social roadmap for Pulse’s ambient status updater right inside Slack, Kwon says. You could imagine, then, how companywide team-building challenges could be turned into Slack status updates the same way Pulse today updates your status based on the apps you use — like Zoom, Google Meet, Skype, Slack Huddles, etc. — and your calendar, working hours and more.

As a result of the acquisition, Kwon is the only Lounge member joining Pulse, and only as a part-time product adviser — a signal the acquisition was more about the tech than talent.

Deal terms weren’t revealed but we understand it to be more stock than cash, implying a smaller exit.

Lounge had raised $1.2 million in funding from investors including Unusual Ventures, Hustle Fund, Translink, Unpopular Ventures and other angels.

Google Cloud launches new software supply chain and zero trust security services

Google Cloud is holding its annual Security Summit this week and unsurprisingly, the company used the event to launch a few new security features. This year, the announcements focus on software supply chain security, Zero Trust and tools for making it easier for enterprises to adopt Google Cloud’s security capabilities.

It’s no surprise that software supply chain security makes an appearance at this year’s event. Thanks to recent high-profile attacks, it’s been the focus of White House summits and, just last week, an industry group that includes Google, Amazon, Ericsson, Intel, Microsoft and VMware pledged $30 million to work with the Linux Foundation and Open Source Security Foundation to improve the security of open-source software.

At today’s Summit, Google Cloud announced the launch of its Assured Open Source Software service, which gives enterprises and government users access to the same vetted open-source packages that Google itself uses in its projects. According to the company, these packages are regularly scanned, analyzed and fuzz-tested for vulnerabilities and built with Google Cloud’s Cloud Build service with evidence of SLSA-compliance (that’s ‘Supply-chain Levels for Software Artifacts,’ a framework for safeguarding artifact integrity across software supply chains). These packages are also signed by Google and distributed from Google’s secured registry. “Assured OSS helps organizations reduce the need to develop, maintain, and operate a complex process for securely managing their open source dependencies,” Google explains in its announcement today.

Also new today is BeyondCorp Enterprise Essentials, a new edition of Google Cloud’s BeyondCorp Enterpirse Zero Trust solution that promises to “help organizations quickly and easily take the first steps toward Zero Trust implementation.” The company says it includes features like context-aware access controls for SaaS applications and other SAML-connected services, as well as threat and data protection capabilities, in addition to data loss prevention, malware and phishing protection in Chrome.

Finally, Google is also launched a new Security Foundation solution for enterprises that aims to make it easier for them to adopt Google Cloud’s security capabilities. It joins Google’s other ready-made solutions, which so far have focused on specific industries (retail, media and entertainment, financial services, etc.) as opposed to this more general security-centric package. “This solution is aligned to the prescriptive guidance from our Google Cloud Cybersecurity Action Team, and codified in our Security Foundations Blueprint, so that you get the controls you need for data protection, network security, security monitoring, and more to help make your deployments secure from day one–and to do it more cost-effectively,” Google explains.

Bill Gates is coming to TC Sessions: Climate

Last year, Bill Gates released “How to Avoid a Climate Disaster.” It’s a surprisingly breezy read about an extremely heavy topic. The book is a manifesto of sorts, exploring existing technologies and the future breakthroughs that can reduce greenhouse gas emissions down to zero.

Gates writes, “What we need now is a plan that turns all this momentum into practical steps to achieve our big goals.”

As we began the process of planning TechCrunch’s first-ever TC Sessions: Climate event, we put together a short list of dream speakers for the event. Since the outset, Gates’ name has been right at the top. Today, we’re excited to announce that the founder of Microsoft, Bill and Melinda Gates Foundation, Breakthrough Energy, TerraPower and Cascade Investment (among others) will be joining us onstage at our inaugural event at UC Berkeley on June 14.

Gates, best known as a driving force in the creation of the personal computer and his subsequent philanthropic work, has made the climate emergency a key focus of his work over recent years. In 2015, he announced a fund dedicated to getting the world to net zero emissions by 2050 and, in that same year, he founded Breakthrough Energy — a network of investment vehicles, nonprofits and philanthropic programs committed to achieving that goal.

Breakthrough Energy has brought together A-list investors in a bid to speed up climate tech innovations. The company focuses on venture investments, scientific and energy solutions and working with global governments to achieve these goals. It’s an attempt to realize the three-point vision he lays out in his new book:

  1. To avoid a climate disaster, we have to get to zero greenhouse gas emissions.
  2. We need to deploy the tools we already have, like solar and wind, faster and smarter.
  3. And we need to create and roll out breakthrough technologies that can take us the rest of the way.

Gates will join us to discuss this vision and the technologies necessary to solve the dire — but not hopeless — situation the planet is facing.

TC Sessions: Climate 2022 takes place at UC Berkeley’s Zellerbach Hall in Berkeley, California, on June 14 with an online event June 16. Don’t miss your chance to meet, connect and collaborate with the leading innovators in climate tech. Buy your pass today, and you’ll save $200 before prices go up at the door.

Microsoft joins Salesforce, Google and IBM in offering sustainability tracking products

As environmental issues take center stage with increasingly severe weather incidents, wildfires, droughts and floods across the globe, companies who generate pollution up and down the supply chain are looking for ways to measure their impact on the environment with an ultimate goal of finding ways to minimize their overall contribution to the problem.

But in order to improve your carbon footprint, you need to be able to get a baseline measurement and then follow the data over time and that takes a set of software tools.

Microsoft wants to help, and it announced new offering today called Microsoft Cloud for Sustainability. In a blog post authored by Alysa Taylor, Corporate vice president, industry, apps, and data marketing; and Elisabeth Brinton, Corporate vice president for sustainability; the company outlined its plans for a new offering to help.

The solution aims to use of a set of measuring devices to collect the data, and then take advantage of Microsoft’s cloud-based data collection services to process and understand that data.

“To effectively drive sustainability reporting, sustainability efforts, and business transformation, organizations need better visibility into activities across their enterprise and value chain. Collecting and connecting IoT data from devices using sensors — combined with rich services at the edge or in the cloud — provides the basis to monitor and measure activities at scale.”

The data collection piece takes place in a tool called Microsoft Sustainability Manager, which they write”will empower organizations to more easily record, report and reduce their environmental impact through increasingly automated data connections that deliver actionable insights.”

Microsoft is not alone in this type of effort as other major players have made similar announcements over the last year including Salesforce, Google and IBM. In fact, IBM CEO Arvind Krishna said at a press event last week, sustainability is going to be a big business moving forward, as more companies try to reduce their carbon output. Salesforce and Google have built similar products, while IBM acquired Envizi, a startup that helps companies measure their carbon usage.

All of these solutions are data driven, and look to help companies collect key data to understand their environmental impact, while finding ways to reduce it over time and meet sustainability goals.

Microsoft will also be working with a variety of partners to help extend the solution beyond its core offering. The tool will be available for testing or purchasing on June 1st.

Microsoft is turning Ally.io acquisition into Viva Goals module

Every company needs to track goals, often referred to as objectives and key results, or OKRs for short. Traditionally, those have been tracked manually in a spreadsheet, but over recent years many startups have been building software to track this key company information.

Early last year, Microsoft launched Viva, a modern employee portal/intranet product. The company referred to it as an employee experience platform, but whatever you call it, it’s about being a central place to track work-related information for employees.

Last fall, the company bought one of those OKR tracking software startups, Ally.io, with the goal of incorporating that functionality into Viva. Today, the company announced a private preview of the new module, which provides a way for individuals, teams and companies to track their progress on their internal goals.

Vetri Vellore, corporate vice president for Microsoft Viva Goals explained the new module. He came to Microsoft when Ally was acquired.

“We are announcing the new goal setting application within Viva to make it easy to now bring this purpose and alignment to every level of organization. It’s called Viva Goals, and Viva Goals is a new module in Microsoft Viva for business goal setting and management,”

Microsoft Viva Goals gif

Image Credits: Microsoft

Vellore says that his team has been working hard over the past seven months, since the acquisition, to transform what was the Ally product into a module inside Viva. And he says a big reason behind the acquisition was to accelerate the product development roadmap.

“We decided to get acquired because we saw this as the best way to accelerate Ally’s mission — How do we bring purpose to work?”

He believes that getting everyone aligned on goals has always been a huge challenge for organizations of all sizes, but the pandemic really accelerated this need. That’s because with people spread out more, managers needed to communicate goals more clearly than ever before.

“One of the specific things we keep hearing about, this was even before the pandemic, but suddenly now, employees want more clarity on how their work aligns to the company’s purpose and mission,” he said.

And with Viva Goals, this involves building a place where employees can see how their individual work relates to the team and organization’s overall goals. Once managers input these goals, they can link to other work systems and the goal progress can update automatically from the information in these linked programs, or they can go in and update the progress manually, depending on the need.

Viva Goals is going into private preview starting today. Vellore says it should be generally available some time in Q3.

Tech giants pledge $30M to boost open source software security

Tech giants including Amazon, Google and Microsoft have pledged millions of dollars to bolster the security of open source software.

The pledge was made during a meeting in Washington DC last week, which saw open source leaders, headed up by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), share their plans for enhancing the security of the software supply chain.

The industry gathering, which was attended by government leaders and over 90 executives from 37 companies, is a follow up to the historic White House summit in January convened in the wake of the Log4Shell zero-day vulnerability in January. The flaw affected the Apache’s Log4j library, a ubiquitous logging software, which put millions of devices worldwide at risk. But according to a study from March, almost a third of instances remain unpatched.

During last week’s meeting, companies including Amazon, Ericsson, Google, Intel, Microsoft, and VMware pledged a collective $30 million to fund a 10-point plan that aims to boost the security of open source software. Designed by the Linux Foundation and OpenSSF, the first-of-its-kind initiative aims to secure the production of open source code, improve vulnerability detection and remediation, and shorten patching response time. This will include the creation of a software bill of materials, known as an SBOM, allowing companies to gain visibility of the software that they are using in their tech stack.

The so-called Software Supply Chain Security Mobilization Plan also calls for security education for everyone working in the open source community, the elimination of non-memory safe programming languages like C+ and COBOL, and for annual third-party code reviews of 200 of the most critical open source software components.

The ultimate goal is to find and fix vulnerabilities like Log4Shell faster in an effort to better protect the U.S. from malicious cyberattacks that exploit insecure software platforms and devices.

“What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it,” said Brian Behlendorf, executive director of OpenSSF. “The plan we have put together represents the 10 flags in the ground as the base for getting started.  We are eager to get further input and commitments that move us from plan to action.”

Google Cloud also announced during the summit that it would launch an open source maintenance crew, a team of dedicated engineers that will work with upstream maintainers in order to boost the security of various open source projects.

Report spotlights vast scale of adtech’s ‘biggest data breach’

New data about the real-time-bidding (RTB) system’s use of web users’ info for tracking and ad targeting, released today by the Irish Council for Civil Liberties (ICCL), suggests Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billions of times per day.

“RTB is the biggest data breach ever recorded,” argues the ICCL. “It tracks and shares what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day.”

The ICCL’s report, which is based on industry figures that the rights organization says it obtained from a confidential source, offers an estimate of RTB per person per day across US states and European countries which suggests that web users in Colorado and the UK are among the most exposed by the system — with 987 and 462 RTB broadcasts apiece per person per day.

But even online individuals living in bottom of the chart, District of Columbia or Romania, have their information exposed by RTB an estimated 486 times per day or 149 times per day respectively, per the report.

The ICCL calculates that people living in the U.S. have their online activity and real-world location exposed 57% more often than people in Europe — likely as a result of differences in privacy regulation across the two regions.

Collectively, the ICCL estimates that U.S. Internet users’ online behaviour and locations are tracked and shared 107 trillion times a year, while Europeans’ data is exposed 71 trillion times a year.

“On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry. In Europe, RTB exposes people’s data 376 times a day,” it also writes, adding: “Europeans and U.S. Internet users’ private data is sent to firms across the globe, including to Russia and China, without any means of controlling what is then done with the data.”

The report’s figures are likely a conservative estimate of the full extent of RTB since the ICCL includes the caveat that: “[T]he figures presented for RTB broadcasts as a low estimate. The industry figures on which we rely do not include Facebook or Amazon RTB broadcasts.”

Per the report, Google, the biggest player in the RTB system, allows 4,698 companies to receive RTB data about people in the U.S., while Microsoft — which ramped up its involvement in RTB in December last year when it bought adtech firm Xandr from AT&T — says it may send data to 1,647 companies.

That too is likely just the tip of the iceberg since RTB data is broadcast across the Internet — meaning it’s ripe for interception and exploitation by non-officially listed RTB ‘partners’, such as data brokers whose businesses involve people farming by compiling dossiers of data to reidentify and profile individual web users for profit, using info like device IDs, device fingerprinting, location etc to link web activity to a named individual, for example.

Privacy and security concerns have been raised about RTB for years — especially in Europe where there are laws in place that are supposed to prevent such a systematic abuse of people’s information. But awareness of the issue has been rising in the US too, following a number of location-tracking and data-sharing scandals.

The leaked Supreme Court opinion earlier this month which suggested the US’ highest court is preparing to overturn Roe v Wade — removing the constitutional protection for abortion — has further dialled up concern and sent shock waves through the country, with some commentators immediately urging women to delete their period tracking apps and pay close attention to their digital security and privacy hygiene.

The concern is ad tracking could expose personal data that can be used to identify women and people who are pregnant and/or seeking abortion services.

Many US states have already heavily restricted access to abortion. But if the Supreme Court overturns Roe v Wade a number of states are expected to ban abortion entirely — which means people who can get pregnant will be at increased risk from online surveillance as any online searches for abortion services or location tracking or other types of data mining of their digital activity could be used to built a case against them for obtaining or seeking to obtain an illegal abortion.

Highly sensitive personal data on web users is, meanwhile, routinely sucked up and shared for ad targeting purposes, as previous ICCL reports have detailed in hair-raising detail. The data broker industry also collects information on individuals to trade and sell — and in the US, especially, people’s location data appears all too easy to obtain.

Last year, for example, a top Catholic priest in the US was reported to have resigned after allegations were made about his sexuality based on a claim that data on his phone had been obtained which indicated use of the location-based gay hook-up app, Grindr.

A lack of online privacy could also negatively impinge on women’s health issues — making it easier to gather information to criminalize pregnant people who seek an abortion in a post-Roe world.

There is no way to restrict the use of RTB data after it is broadcast,” emphasizes the ICCL in the report. “Data brokers used it to profile Black Lives Matter protestors. The US Department of Homeland Security and other agencies used it for warrant-less phone tracking. It was implicated in the outing of a gay Catholic priest through his use of Grindr. ICCL uncovered the sale of RTB data revealing likely survivors of sexual abuse.”

The report raises especially cutting question for European regulators since, unlike the US, the region has a comprehensive data protection framework. The General Data Protection Regulation (GDPR) has been in force across the EU since May 2018 and regulators should have been enforcing these privacy rights against out-of-control adtech for years.

Instead, there has been a collective reluctance to do so — likely as a result of how extensively and pervasively individual tracking and profiling tech has been embedded into web infrastructure, coupled with loud claims by the adtech industry that the free web cannot survive if Internet users’ privacy is respected. (Such claims ignore the existence of alternative forms of ad targeting, such as contextual, which do not require tracking and profiling of individual web users’ activity to function and which have been shown to be profitable for years, such as for non-tracking search engine, DuckDuckGo.)

An investigation opened by the Irish Data Protection Commission (DPC) into Google’s adtech three years ago (May 2019), following a number of RTB complaints, is — ostensibly — ongoing. But no decision has been issued.

The UK’s ICO also repeatedly fumbled enforcement action against RTB following complaints filed back in 2018, despite voicing a view publicly since 2019 that the behavioral ad industry is wildly out of control. And in a parting shot last fall, the outgoing information commissioner, Elizabeth Denham, urged the industry to undertake meaningful privacy reforms.

Since then, a flagship adtech industry mechanism for gathering web users’ consent to ad tracking — the IAB Europe’s self-styled Transparency and Consent Framework (TCF) — has itself been found in breach of the GDPR by Belgian’s data protection authority.

Its February 2022 decision, also found the IAB itself at fault, giving the industry body two months to submit a reform plan and six months to implement it. (NB: Google and the IAB are the two bodies that set standards for RTB.)

That consent issue is one (solid) complaint against RTB under Europe’s GDPR. However the ICCL’s concern has been focused on security — as it argues that high velocity, massive scale trading of people’s data to place ads by broadcasting it over the Internet to thousands of ‘partners’ (but also with the clear risk of interception and appropriation by scores of unknown others) is inherently insecure. And, regardless of the consent issues, the GDPR requires people’s information is adequately protected — hence its framing of RTB as the “biggest ever data breach”.

In March, the ICCL announced it intended to sue the DPC — accusing the regulator of years of inaction over RTB complaints (some of which were lodged the same year the GDPR came into application). That litigation is still pending.

It has also approached the EU ombudsperson to complaint that the European Commission is failing to properly monitor application of the regulation — which led to the former opening an enquiry to look at the Commission’s claims to the contrary earlier this year.

A requested deadline for the EU’s executive to submit information to the ombudsperson passed yesterday without a submission, per the ICCL, with the Commission reportedly asking for 10 more days to provide the requested data — which suggests the four-year anniversary of the GDPR coming into force (May 25, 2018) will pass by in the meanwhile (perhaps a little more quietly than it might have done if the ombudsperson had been in a position to issue a verdict)…

“As we approach the four year anniversary of the GDPR we release data on the biggest data breach of all time. And it is an indictment of the European Commission, and in particular commissioner [Didier] Reynders, that this data breach is repeated every day,” Johnny Ryan, senior fellow at the ICCL, told TechCrunch.

“It is time that the Commission does its job and compels Ireland to apply the GDPR correctly,” he added.

We also contacted Google, Microsoft, the DPC and the European Commission with questions about the ICCL’s report but at the time of writing none had not responded.

Ryan told us the ICCL is also writing to US lawmakers to highlight the scale of the “privacy crisis in online advertising” — and specifically pressing the Senate Subcommittee on Competition Policy, Antitrust and Consumer Rights to ensure adequate enforcement resources are provided to the FTC — so it can take urgent action “against this enormous breach”.

In the letter, which we’ve reviewed, the ICCL points out that private data on US citizens is sent to firms across the globe, including to Russia and China — “without any means of controlling what is then done with the data”.

War in Europe certainly adds a further dimension to this surveillance adtech story.

Russia’s invasion of Ukraine earlier this year has fuelled added concern about adtech’s mass surveillance of web users — i.e. if citizens’ data is finding its way back, via online tracking, to hostile third countries like Russia and its ally China.

Back in March, the Financial Times reported that scores of apps contain SDK technology made by the Russian search giant Yandex — which was accused of sending user data back to servers in Russia where it might be accessible to the Russian government. 

In Europe, the GDPR requires that exports of personal data out of the bloc are protected to the same standard as citizens’ information should be wrapped with when it’s being processed or stored in Europe.

A landmark EU ruling in July 2020 saw the bloc’s top court strike down a flagship EU-US data transfer agreement over security concerns attached to US government mass surveillance programs — creating ongoing legal uncertainty around international data flows to risky third countries as the court underscored the need for EU regulators to proactively monitor data exports and step in to suspend any data flows to jurisdictions that lack adequate data protection.

Many of the key players in adtech are US-based — raising questions about the legality of any processing of Europeans’ data by the sector that’s taking place over the pond too, given the high standard that EU law requires for data to be legally exported.