Microsoft’s Xandr (Potemkin Ad Broker) Setup to Deny GDPR Rights

The noyb team has filed a complaint against Xandr, a subsidiary Microsoft took over in 2022, for building a broker system that intentionally evades GDPR protection of consumer rights.

Advertising broker Xandr (a Microsoft subsidiary) collects and shares the personal data of millions of Europeans for detailed targeted advertising. This allows Xandr to auction off advertising space to thousands of advertisers. However, although only one ad is ultimately shown to users, all advertisers receive their data. This may include personal details concerning their health, sexuality or political opinions. Also, despite selling its service as “targeted”, the company holds rather random information: the complainant apparently is at once a man and a woman, employed and unemployed. This could allow Xandr to sell ad space to multiple companies who think that they are targeting a specific group. As if that were not enough, Xandr does not comply with a single access request. noyb has now filed a GDPR complaint.

“Potemkin” refers to a facade or fake construct designed to deceive others into thinking a situation is better than it really is. The term originates from a story about the fake villages supposedly built to impress Empress Catherine II during her journey to Crimea in 1787. Applied to Xandr, the label points to:

  • Surface-level compliance: Xandr might appear to comply with GDPR regulations on the surface.
  • Lack of substance: Behind the facade, there might be inadequate measures to actually protect user data or honor GDPR rights.
  • Deception: Xandr could be designed to give the impression of compliance while actually making it difficult for users to exercise their GDPR rights.
  • Complexity as obfuscation: Xandr might be intentionally complex to discourage users from pursuing their data rights.
  • Misdirection: Resources ostensibly provided for GDPR compliance might actually serve to confuse or deter users.

Notably, Xandr’s privacy center hasn’t been updated since 2022, when Microsoft took it over. GDPR Articles 15 and 17 are said to be violated, which noyb suggests will bring fines upwards of 20 million euros.
