An investigation by WIRED has revealed that Google’s advertising ecosystem enables major brands to access sensitive information about American citizens, despite the company’s public assertions that such practices are prohibited. Experts warn that the combination of these data sets with other sources could lead to the identification of specific individuals and their activities.
Google’s Display & Video 360 (DV360), a key advertising platform, allows companies worldwide to target U.S. users based on lists of internet users suspected of having chronic illnesses or financial difficulties. According to Google’s policies, such data should not be available to advertisers, yet in practice, they remain embedded within the advertising infrastructure.
Among the discovered lists were those posing potential threats to national security. This information enables the identification of mobile devices belonging to U.S. government officials, including judges, military personnel, federal agency employees, and members of Congress. These segments are uploaded to the system by DV360 clients and subsequently become accessible to other advertisers.
The data obtained by WIRED, compiled by the Irish Council for Civil Liberties (ICCL), includes hundreds of millions of mobile identifiers categorized by various medical and financial characteristics. These include lists of individuals suffering from cardiovascular diseases, asthma, and diabetes, as well as users taking specific prescription medications, such as Ambien (Zolpidem).
Google maintains that its policies prohibit the use of advertising segments based on sensitive information. However, when pressed about the availability of such lists, company representatives declined to provide detailed comments. Experts note that Google does not proactively detect or block these segments.
Of particular concern are lists containing data on government officials. One such list includes personnel involved in critical national security decisions, while another focuses on employees of companies registered with the State Department for the production and export of defense technologies.
Experts warn that such information could be of interest to foreign intelligence agencies. By employing reverse analysis techniques, malicious actors could identify and track specific individuals. A declassified 2023 U.S. intelligence report highlighted that commercial data could be used for “exposing identities, stalking, and blackmail.”
The investigation also underscores how easily such data can be accessed. An ICCL representative registered a fictitious “analytics company,” creating a rudimentary website with minimal details. This fabricated profile was sufficient to gain access to advertising segments containing sensitive data on American citizens.
These revelations have already led to legal action. In 2024, the Federal Trade Commission (FTC) filed a lawsuit against Mobilewalla for selling lists of users who had visited medical facilities and shelters for domestic violence survivors. A similar complaint against Google, filed by ICCL and the Electronic Privacy Information Center (EPIC), alleges that the company “provides data on U.S. leaders and defense sector employees to foreign states,” constituting a “national security crisis.”
In response, Google stated that it had severed ties with Russian companies and implemented new restrictions on data access for Chinese organizations. However, experts emphasize that such measures do not eliminate the risk of data leakage through intermediary networks.
Senator Ron Wyden condemned Google’s actions in granting foreign companies access to data on U.S. military personnel and intelligence officers. He further urged federal agencies to cease collaboration with Google until the company fully addresses the national security threat.
Google has already drawn scrutiny from regulators and privacy advocates over its new user-tracking method. Instead of traditional cookies, the company has transitioned to digital fingerprinting, a technique that renders online anonymity virtually unattainable.
