MoPub operates in the vast, convoluted, opaque ecosystem of personal data collection and sharing that powers modern adtech. To understand how that ecosystem works and where Grindr and MoPub fit in, we need to talk about real-time bidding, or RTB. RTB is the automatic, milliseconds-long data-sharing frenzy that occurs whenever you see a third-party ad on one of your devices.
First, an app developer, like Grindr, decides it wants to monetize its app. To do so, it partners with a Supply-Side Platform (SSP) like MoPub. SSPs are companies that app developers and website publishers hire to sell their advertising space. When you install the Grindr app on your phone, part of what you get is a big chunk of code from MoPub, called a software development kit (SDK). After some initial configuration, Grindr leaves the details of sharing data and serving ads up to MoPub.
When a user opens the Grindr app, code from the MoPub SDK kicks into action. The process looks like this:
- The SDK gathers as much data as it can about the user’s phone. This may include the phone’s advertising ID, its precise GPS-derived location, and data from Grindr itself, like age and gender. The app directs the user's phone to send all this information to MoPub.
- MoPub links the data it got from Grindr with what it knows about the user from other sources. This includes the 55,000 other apps that use MoPub, such as The Weather Channel app, Ubisoft games, and Ask.fm.
- MoPub packages this data into a “bid request,” a standardized dossier about the user that includes device ID, location, gender, age, and interest keywords.
- MoPub sends the bid request to dozens or even hundreds of demand-side platforms (DSPs). DSPs are companies that advertisers hire to target and serve their ads, such as Criteo, Rocketfuel, and AppNexus. You may not have heard of them, but those and hundreds of other DSPs have probably handled a lot of your personal information. MoPub partners with over 130 different DSPs.
- Each DSP that receives the bid request can link the included device ID to its own profile of the user, or purchase additional information about the user from data brokers like LiveRamp.
- Each DSP submits a bid to serve an ad to that particular user at that particular time.
- MoPub determines the winning bidder and notifies all participants in the auction.
- The winning advertiser serves its ad to the user’s phone. Often, the ad itself allows the advertiser to collect even more information directly from the device.
A diagram from MoPub’s website showing a simplified view of the real-time bidding process.
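To make the "bid request" in the steps above concrete, here is an added example (not MoPub's code and not from the original article) that audits a constructed request for the fields the list names and produces a minimized copy. It assumes the OpenRTB 2.x JSON field names (`device.ifa`, `device.geo`, `user.gender`, `user.yob`, `user.keywords`), since the article does not name a wire format; the `audit` and `minimize` helpers are hypothetical.

```python
import copy

# Constructed sample, assumed to follow the OpenRTB 2.x JSON layout (the page
# names no wire format). Every value is made up.
SAMPLE_BID_REQUEST = {
    "id": "constructed-request-1",
    "app": {"bundle": "com.example.datingapp"},
    "device": {"ifa": "00000000-1111-2222-3333-444444444444",
               "geo": {"lat": 59.913868, "lon": 10.752245}},
    "user": {"gender": "M", "yob": 1990, "keywords": "dating,travel"},
}

# Dotted path -> the item in the article's list that the field carries.
PERSONAL_FIELDS = {
    "device.ifa": "advertising ID",
    "device.geo.lat": "precise location",
    "device.geo.lon": "precise location",
    "user.gender": "gender",
    "user.yob": "age",
    "user.keywords": "interest keywords",
}

def _lookup(obj, path):
    """Walk a dotted path; return (parent dict, leaf key) or (None, None)."""
    *parents, leaf = path.split(".")
    for key in parents:
        obj = obj.get(key) if isinstance(obj, dict) else None
    if isinstance(obj, dict) and leaf in obj:
        return obj, leaf
    return None, None

def audit(bid_request):
    """Return {path: label} for each personal field present in the request."""
    return {path: label for path, label in PERSONAL_FIELDS.items()
            if _lookup(bid_request, path)[0] is not None}

def minimize(bid_request, geo_decimals=1):
    """Return a copy with identifiers and traits removed, location coarsened."""
    out = copy.deepcopy(bid_request)
    for path in PERSONAL_FIELDS:
        parent, leaf = _lookup(out, path)
        if parent is None:
            continue
        if leaf in ("lat", "lon"):
            # One decimal place is roughly 11 km of latitude.
            parent[leaf] = round(parent[leaf], geo_decimals)
        else:
            del parent[leaf]
    return out
```

`minimize` leaves `app.bundle` in place, and for an app like Grindr the name of the app is itself sensitive, so stripping user fields alone does not make the request anonymous.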
All of this happens in a fraction of a second. MoPub boasts that its software reaches over 55,000 apps and 1.4 billion devices worldwide.
So while Grindr’s actions definitely violated users’ privacy, it was using MoPub as intended. Twitter’s suspension of Grindr’s ad account pending “investigation” is an attempt to deflect blame, and lawmakers shouldn’t be fooled. MoPub is still operating at full tilt, harvesting and sharing sensitive personal data in at least 54,999 other apps.
To fix the problems raised by the NCC’s report, we need to fix the adtech ecosystem as a whole. That means laws that give users the right to know what happens to their data, freedom from processing of their data unless they expressly opt in, and minimization of processing beyond what the user asked for. These laws must let people sue companies when their rights are violated. A better adtech paradigm is possible, but only with strong, enforceable laws to rein in the industry's current privacy-invasive practices.
(Reuters) - Early last year, Grindr LLC’s Chinese owner gave some Beijing-based engineers access to personal information of millions of Americans such as private messages and HIV status, according to eight former employees, prompting U.S. officials to ask it to sell the dating app for the gay community.