'Like a stalker': Data broker LiveRamp reported to UK, French regulators

'This kind of opaque identity monitoring cannot be part of our future digital society'

LiveRamp is a cloud data platform company based in San Francisco. Previously known as Acxiom Corporation, it is "the industry's only interoperable platform for data collaboration across all cloud, walled garden, and media platforms," according to its website, which also says it helps customers maintain "compliance with the ePrivacy Directive, GDPR, CCPA, and other data protection and privacy laws."

Not so on the last point, according to researchers at Vienna-based research institute Cracked Labs. LiveRamp operates a massive identity surveillance system that ties people's online and offline activity to a single personal identifier, and almost certainly breaks UK and European data protection laws, they say.

Cracked Labs has released a 61-page report on how LiveRamp's complex system of data and identity trading works.

LiveRamp maintains identity databases on 700 million consumers globally, including 45 million in the UK and 25 million in France, using identifiers including cookies and mobile IDs to create a unique "RampID" for each individual. Tied to their real-world identity, this RampID is continuously updated using third party datasets and by tracking online activity.

The firm has 825 direct clients and thousands of indirect ones. Most are large players in the data and adtech industry, who themselves process personal data on behalf of "myriad web and app publishers, advertisers and other businesses," according to Cracked Labs.

LiveRamp's clients can use the RampID system to combine and link personal data across databases and exchange personal data between companies. They can track website and mobile app usage, create personal profiles by onboarding entire customer databases, and then transmit consumer records to adtech firms for ad targeting and other purposes.

To keep its identity graph up to date, LiveRamp says it obtains identity data from various offline and online sources. In France in 2022 these included major organisations such as La Poste, Orange, TF1, M6 and Prisma Media, although sources have since disappeared from its websites.

LiveRamp also allows its customers to exchange data with more than 500 third parties, including Google, Facebook, TikTok, LinkedIn and other social media and adtech platforms, using RampIDs as connectors.

"RampIDs ... serve as universal identifiers in the broader data and adtech industry, from the transmission of billions of RampIDs in the RTB [real-time bidding] bidstream in digital advertising per day, to Google utilising RampIDs as a 'join key' between its advertising clients' data and its own massive behavioural data sets," the report notes.

LiveRamp does not typically send raw data on individuals to its customers. But the pseudonymised RampIDs can be used to cross-match with other data sources. In this way basic profiles can be augmented with details including "name, home address, past addresses, who they live with, email, phone and device IDs," according to Wolfie Christl, public interest researcher at Cracked Labs.

Most people know nothing about LiveRamp, but it knows a lot about them, he said.

"LiveRamp is like a stalker, who gradually learns more about the target, but it's highly automated, at population scale, and it sells this stalking ability to many other companies," Christl told Computing.

"This kind of opaque identity monitoring cannot be part of our future digital society."

LiveRamp reported to DPAs

Last week, digital rights campaigning organisation The Open Rights Group (ORG), which collaborated with Cracked Labs to produce the report on LiveRamp, issued a complaint about its activities to the UK and French data protection agencies.

ORG claims the complexity and opacity of LiveRamp's operations mean that users on its databases cannot possibly consent to their personal data being used in this way, as is required by EU GDPR and UK data protection rules.

Its activities may also violate GDPR principles of data reuse, data minimisation, transparency and security.

"The LiveRamp system is intrusive and lets advertisers link people's actual address and name with their browsing habits," said Jim Killock, ORG's executive director, in a statement.

"This is unacceptable. These new and dangerous technologies are an attempt to get around changes that limit the use of tracking cookies, and to make online advertising more intrusive, rather than less."

Christl added: "The UK and French data protection authorities must take action."

However, the ICO has seemingly been reluctant to take action against the adtech industry. In 2020 it closed down a previous complaint by ORG about systemic GDPR breaches by the adtech industry and the Internet Advertising Bureau (IAB). The European DPAs have also been slow to act, although the European Data Protection Board has been more vocal on this topic of late.

We have contacted LiveRamp for comment.