A recently discovered Excel file hosted on a public web server contains nearly 25 megabytes of data related to global data trading for online advertising and AdTech industry practices. The file is an offer list from Xandr, a US advertising network that was bought by Microsoft in early 2022 for around one billion USD. The document includes over 650,000 lines and target group segments meant for personalized online advertising, including sensitive categories such as medical and health-related topics, ethnicity, political beliefs, and psychological profiles.
The discovery was made by Wolfie Christl, the head of the independent Viennese research institute Cracked Labs, who made the information available to the Netzpolitik.org portal and the US magazine “The Markup.” Christl believes that renowned multi-billion dollar corporations, as well as small companies, use this information to secretly collect information about users’ everyday behavior and sort them into a thousand categories before offering this data via a US data trading company that now belongs to Microsoft.
While the list does not contain information on individual consumers, it does contain a provider ID and a segment ID. The file lists 93 data suppliers, including well-known IT companies such as Oracle, Foursquare, and Acxiom. The online advertising companies Adsquare, Emtriq, and the ProSiebenSat.1 subsidiary “The Adex” are represented from Germany, and according to reports, Axel Springer and Burda also work with Xandr.
The Microsoft subsidiary has since removed the document, which was dated May 2021, from its website. However, a version of the page and the file stored there can still be found via the Internet Archive. The Federal Cartel Office warns of “transparent Internet users,” and individuals are concerned about a violation of contextual integrity and a loss of informational self-determination.
Personalized advertising on the Internet violates “practically all applicable data protection principles,” says former inspector Thilo Weichert. During the negotiations on the Digital Services Act (DSA), a cross-party coalition of MEPs and civil rights activists pushed for a far-reaching ban on “spying advertising” with microtargeting. Although the legislature did not go that far, profiling for the purpose of targeted advertising based on particularly sensitive data on platforms with user content is no longer permitted. Information about minors may no longer be used for personalized advertising.