As part of a new report on digital advertising as a security threat published today by @johnnyryan and me (https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf), and previously unreported:
We reveal 'Patternz', a global mass surveillance system that harvests digital advertising data on behalf of 'national security agencies'.
Patternz is operated by a company based in Israel and/or Singapore. It claims to collect data about 5 billion users from 87 ad exchanges and SSPs via 6 data centers around the world.
Thread:
Some time ago, I came across this website, which describes Patternz as an 'advertising-based intelligence platform' offered by ISA Security, an Israeli firm:
http://isasecurity.org/patternz
https://web.archive.org/web/20210622100652/http:/isasecurity.org/patternz
Here's another publicly available doc from Sovereign Systems, a Singapore-based firm with offices in UAE, New Zealand and Ireland, which also describes Patternz:
https://sovsys.co/wp-content/uploads/2020/04/PATTERNZ-NATIONAL-SECURITY-PATTERN-DETECTION.pdf
https://web.archive.org/web/20231003181009/https:/sovsys.co/wp-content/uploads/2020/04/PATTERNZ-NATIONAL-SECURITY-PATTERN-DETECTION.pdf
In addition, I received internal docs from the company.
Here's how Patternz can be used to monitor and profile individuals based on data from digital advertising.
The 'dashboard' shows detailed information about a person based on 5,273 activity records.
The profile includes the person's location history, home address, work location, information about 'people nearby', 'co-workers' and even 'family members', device details, demographic information, 'profile keywords' and 'hobbies and interests' (the latter of which may refer to RTB segment info).
Most digital advertising today is based on real-time bidding (RTB), which involves uncontrolled data flows to many entities who bid on user profiles.
Patternz claims to operate a "fully commercial and operational AdTech arm that actually trades in media" to obtain the data. It claims to have "extensive knowhow of operating a Realtime bidding platform for the last 5 years".
An earlier version of its website named Google, Yahoo and adtech firms like MoPub, AdColony, OpenX as data sources (!).
I've seen internal Patternz docs which describe the IAB's OpenRTB protocol in digital advertising in detail.
These docs, which I cannot publish, also explain that mobile phones are 'always with the users', who 'grant apps access voluntarily', which is why the smartphone becomes a 'de-facto tracking bracelet'.
The publicly available docs emphasize that the Patternz system can also be used for offensive purposes by sending "targeted messages, ads or trojans directly through the AdTech stack".
Although we cannot verify their claims, the docs and web sources suggest that Patternz turns the intrusive global surveillance infrastructure that has been built for digital advertising into a system for mass and targeted surveillance for national security agencies, and perhaps also other actors.
It's now the best-documented example of how personal data that is routinely processed to provide consumer services and digital advertising can be exploited for completely unrelated purposes at scale.
The commercial data industry is complicit. Google, the IAB, adtech firms, data brokers, publishers and advertisers are complicit.
Whenever someone visits a website or uses a mobile app that displays digital ads, profile data is broadcast to dozens or hundreds of companies and other entities in uncontrolled ways.
This occurs billions and billions of times a day. Billions of people are affected globally, hundreds of millions in Europe.
(see our report: https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf)
It was a deliberate decision to create the RTB advertising system in this bad way, and even worse, the data industry has since then been fighting hard to keep it running, for years, at any cost, from lobbying policymakers to trying to delay GDPR enforcement.
Anyway, thousands of adtech firms and a much larger number of publishers and advertisers have NO CONTROL over who they share personal data with.
Which means they cannot have a legal basis to do so under the GDPR. Which means it's illegal.
To my knowledge, this 2020 Forbes article provided evidence for the first time that a firm that sells surveillance tech to governments was running its own DSP to harvest personal data from RTB bid requests in digital advertising. There was not a lot of detail, but it has been a known issue for years:
https://www.forbes.com/sites/thomasbrewster/2020/12/11/exclusive-israeli-surveillance-companies-are-siphoning-masses-of-location-data-from-smartphone-apps/
Of course, it's ridiculous to believe that only 'Western' state actors would access RTB bidstream data. I'm sure several state and malicious actors do.
As such, the digital advertising industry systemically enables the worst possible kind of decontextualized misuse of everyone's personal information.
In Europe, GDPR enforcement has failed. Otherwise, uncontrolled personal data sharing via the RTB bidstream would have been shut down years ago. GDPR regulators must take action now, start a high-priority investigation, mandate processing bans.
RTB undermines the privacy and data rights of billions of people, and it undermines trust in digital technology at large.
RTB is also a national security threat, because of course the data sharing doesn't stop for political leaders, sensitive personnel, military staff and their families.
In our report published today we call for the European Commission, ENISA and EEAS to take action:
https://www.iccl.ie/wp-content/uploads/2023/11/Europes-hidden-security-crisis.pdf
We also call for the US FTC and Congress to take action:
https://www.iccl.ie/wp-content/uploads/2023/11/Americas-hidden-security-crisis.pdf
Ok, received a tip. It appears that 'Patternz' is closely affiliated with or even identical to NUVIAD, an Israeli adtech firm, DSP and consumer data broker.
...not only because of the apparent similarity of their promotional materials:
https://web.archive.org/web/20200511011617/https://nuviad.com/
In 2020, Nuviad listed the following surveillance advertising companies as data sources:
Google, MoPub (back then owned by Twitter), AOL/Yahoo, Smaato, OpenX, Amobee, Pulsepoint, Rubicon, Inneractive/Fyber (Digital Turbine), Avocarrot/MobFox (Glipsa, Germany), Axonix, Altitude Digital, Opera Mediaworks.
https://web.archive.org/web/20200511011617/https://nuviad.com/
As of today, Google lists Nuviad as a vendor "eligible to receive bid requests compliant with US states privacy laws", i.e. sends data to them:
https://support.google.com/adsense/answer/10634320?hl=en
Some more pointers.
In 2017, the president of NUVIAD joined the board of Ability Inc. (https://sec.gov/Archives/edgar/data/1652866/000121390017005243/f6k051517ex99i_abilityinc.htm), a spytech vendor that specialized in tapping phones via SS7 (https://forbes.com/sites/thomasbrewster/2017/09/27/ability-inc-ss7-hackers-fail-to-sell-surveillance/), which then soon went down (employee arrests, NASDAQ delisting).
The CEO of Singapore-based Sovereign Systems, which sells Patternz according to its website, is quoted as having said that Sovereign Systems was a "front" for Israeli spytech firm PICSIX (https://haaretz.com/world-news/asia-and-australia/2021-02-02/ty-article/bangladesh-bought-israeli-spytech-despite-lack-of-ties-al-jazeera-reports/0000017f-e096-d568-ad7f-f3ffe6e90000, https://pic-six.com).
Xandr/Microsoft also lists Nuviad as a "partner which may receive Platform Data":
https://docs.xandr.com/bundle/service-policies/page/third-party-providers.html
Here's Nuviad boasting about '2.5 billion user profiles' and 'analyzing over 700k ad opportunities every second'. From an Amazon AWS event in 2018:
https://de.slideshare.net/AmazonWebServices/success-has-many-query-engines-tel-aviv-summit-2018
- You're an investigative journalist, have access to corporate/ownership records or 'osint' research capacity? Would be great to get more solid evidence about which company actually operates Patternz, links to other spytech firms, links to Nuviad or other adtech firms, resellers, product aliases, customers.
- You have insights into Nuviad, other adtech firms or 'adint' vendors? Reach out to trustworthy journalists, e.g. @josephcox
A week ago, we revealed 'Patternz', a global mass surveillance system that harvests digital advertising data on behalf of national security agencies, claiming to collect personal data on 5 billion users.
It seemed that Patternz was likely affiliated with Nuviad, an adtech company and 'DSP'.
Now another public source confirms that Nuviad and Patternz are identical.
In this video, Rafi Ton, the CEO of the adtech firm Nuviad, introduces himself as the 'CEO of Patternz':
https://www.youtube.com/watch?v=P6EZF0vdzYw
The video includes a demo of the Patternz system. An archived version should soon be available here:
https://web.archive.org/web/20231122160629/https://www.youtube.com/watch?v=P6EZF0vdzYw
The video seems to be a sales pitch to a Peruvian cybersecurity firm and the government of Peru for covid tracking purposes, but it also explains that Patternz was originally 'designed and built' as a 'homeland security platform', for 'anti-riots and protesting'.
Weird that this is publicly available. Uploaded in January 2023, but it might actually be older, 2020/21/22?
In the video, there's talk about Peru's 'declared state of emergency' (which one?), the president, military and the Peruvian ministry of defense as a potential customer.
The Patternz/Nuviad CEO also states that the Israeli 'security forces' were 'running' the platform ('mass coverage', 'national traffic'), and that an 'East European' country also deployed it and even linked Patternz with mobile operator data.
He adds that they can provide the service "to whomever wants it really in 48 hours".
According to the Patternz demo in the video, the system shows the mobile apps that the location and profile data come from.
As behaviors from >100k apps are analyzed, the data source cannot be mobile app SDKs.
App information is included in RTB bid data from ad-enabled apps.
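An added example, not part of the original thread: a supply-side audit of what a single bid request exposes, and a minimization pass applied before it is broadcast. The field names follow the OpenRTB 2.x object layout; the sample request, the list of sensitive paths and the minimization policy (drop identifiers, truncate the IPv4 address, coarsen coordinates) are constructed assumptions for illustration.

```python
import copy

# Constructed sample in OpenRTB 2.x layout; every value is made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"name": "Example Weather", "bundle": "com.example.weather"},
    "device": {"ifa": "00000000-1111-2222-3333-444444444444", "ip": "203.0.113.57",
               "geo": {"lat": 48.208176, "lon": 16.373819}},
    "user": {"id": "u-abc123", "yob": 1985, "keywords": "hiking,finance"},
}

# Dotted paths of fields that identify or profile a person (assumed policy list).
SENSITIVE_PATHS = ["device.ifa", "device.ip", "device.geo.lat", "device.geo.lon",
                   "user.id", "user.yob", "user.keywords", "app.bundle"]

def _walk(obj, path):
    """Return (parent_dict, last_key) if the dotted path exists, else (None, None)."""
    keys = path.split(".")
    for k in keys[:-1]:
        obj = obj.get(k) if isinstance(obj, dict) else None
        if obj is None:
            return None, None
    return (obj, keys[-1]) if isinstance(obj, dict) and keys[-1] in obj else (None, None)

def audit(req):
    """List which sensitive paths are present in a bid request."""
    return [p for p in SENSITIVE_PATHS if _walk(req, p)[0] is not None]

def minimize(req, geo_decimals=1):
    """Return a copy with identifiers dropped, IPv4 truncated and geo coarsened."""
    out = copy.deepcopy(req)
    for p in ("device.ifa", "user.id", "user.yob", "user.keywords"):
        parent, key = _walk(out, p)
        if parent is not None:
            del parent[key]
    parent, key = _walk(out, "device.ip")
    if parent is not None:  # device.ip is the IPv4 field; zero its last octet
        parent[key] = ".".join(parent[key].split(".")[:3] + ["0"])
    for p in ("device.geo.lat", "device.geo.lon"):
        parent, key = _walk(out, p)
        if parent is not None:  # one decimal place is roughly 11 km of latitude
            parent[key] = round(parent[key], geo_decimals)
    return out
```

Running `audit` on the request before and after `minimize` shows which of the listed fields still reach every bidder.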
The Patternz/Nuviad CEO states that they only analyze 3% of global traffic because of cost, but for some regions they operate 'production environments' that analyze 800k transactions per second, scaling it to >90% coverage.
In November, I revealed Patternz, a global mass surveillance tool based on digital advertising data, which monitors billions on behalf of national security agencies.
Today's 404 report from @josephcox confirms the relationship between Patternz and the digital advertising firm Nuviad.
Thanks to repeated inquiries by Cox and US senator Ron Wyden, Google has now finally cut them off from its RTB data.
Highly recommend registering at the @404mediaco site to read the full article:
https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/
Patternz, a global phone spy tool which is built on advertising data, was specifically marketed as a "riot detection" tool, with maps pointing to New York City.
Plus, it appears that Patternz is linked to the initial technical director of NSO Group's Pegasus spyware.
Follow-up article by @josephcox:
https://www.404media.co/patternz-phone-spy-tool-pitched-for-riot-detection-in-nyc/
@wchr
Thank you so much for this work. It's important. We so much need that kind of research and to spread the knowledge, so that more people help fight it, protecting privacy...
@wchr
This is very serious. Is it possible that no government is preoccupied about this extended surveillance? What am I thinking...
@404mediaco @wchr @josephcox Wow! Great work Wolfie & Joseph!
@Frederik_Borgesius Thanks, Frederik!
@wchr AdBlockers are as important as antivirus software. Example number 5000000000
@wchr it is so insidious that patternz are much more targeted and stupid by the day. And this surveillance tech is usually sold to autocrats, only tells the severity of the issue at hand.