Silent Push discovers UK.gov websites sending user data to controversial Chinese adtech vendor


We recently added three core ad tech standards – ads.txt, app-ads.txt and sellers.json – to the data we collect on public websites, via our custom query language SPQL.

These files contain what’s known as ad accountIDs – a unique identifier assigned to an advertising vendor that collects website visitor data.

Using this data, Silent Push analysts have discovered 18 UK public organizations that use a controversial Chinese adtech vendor – Yeahmobi – to serve ads on .gov domains.

Yeahmobi have previously had their SDK blacklisted as “malicious” by Google, following an investigation into ad fraud and attribution abuse.

Our research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to government websites.

Example of banner advertising seen on the “Public Health” page of https://lancashire.gov.uk/

How ad exchanges work

Before we delve into our research, let’s explore the concept of ad data sharing.

Ad bidding is a complex process. In a nutshell, on these sites user data is ingested via Google advertising endpoints. The visitor’s IP address (or partial IP address), user agent device (i.e. device type), and browser details are then shared with ad exchange partners via server-side data sharing.

Data is shared with ad accountIDs listed in the ads.txt file unless the publisher opts out of the process, which is rare.

Ad auctions

Ad platforms such as Yeahmobi – along with any intermediaries – get an opportunity to submit bids in an ad auction. The winner then serves ads to the visitors of the given website.

The winner also gets the opportunity to sync data through selected adtech partners, with further data being shared if a user clicks on the ad and visits the destination webpage.

Methodology

Silent Push scans every clearnet and darkweb URL and categorizes the data using SPQL – a free-form query language that can be used to locate matching infrastructure within our proprietary threat intelligence datasets.

Scanned data is grouped into 6 separate repositories, each known as a ‘data source’. The ‘webscan’ data source contains web data from the public IPv4 and IPv6 ranges.

We used a combination of 6 ‘webscan’ data types and an experimental API query to identify .gov sites that featured digital ads, using the following SPQL fields:

| Field name | Description | Type |
|---|---|---|
| adtech.ads_txt | Domain has /ads.txt | Boolean |
| adtech.ads_txt_sha256 | sha256 hash of /ads.txt | String |
| adtech.app_ads_txt | Domain has /app-ads.txt | Boolean |
| adtech.app-ads_txt_sha256 | sha256 hash of /app-ads.txt | String |
| adtech.sellers_json | Domain has /sellers.json | Boolean |
| adtech.sellers_json_sha256 | sha256 of /sellers.json | String |

Affected .gov websites

U.S. domains

In the United States, adtech rules are clear cut. The Cybersecurity and Infrastructure Security Agency (CISA) – via the Registry Team – specifically prohibits .gov websites being used for any commercial purposes that benefit private individuals or entities, including online advertising.

We looked into any .gov U.S. government domains with the ability to host programmatic ads, and found 4 domains with an ads.txt file that are potentially in violation of CISA rules:

  • mcdowellcountywv.gov/ads.txt
  • fortdeposital.gov/ads.txt
  • cohassetpolicema.gov/ads.txt
  • sports.celina-tx.gov/ads.txt

The first three domains list only one vendor in their ads.txt file – Google.

sports.celina-tx.gov has dozens of partners listed in its ads.txt file and doesn’t have ads on any public pages, but it appears to be managed by a vendor called SportsEngine[.]com, based on details in the footer.

UK domains

Our scans identified 18 UK public sector organizations that are either actively running ads or have the capability to, featuring Yeahmobi in the ads.txt file:

| Organization name | URL | Ad Vendor Details |
|---|---|---|
| Transport for London | https://tfl.gov[.]uk | Yeahmobi |
| Derbyshire Dales District Council | https://www.derbyshiredales.gov[.]uk | Yeahmobi |
| Walsall Council | https://go.walsall.gov[.]uk | Yeahmobi |
| Sheffield City Council | https://www.sheffield.gov[.]uk | Yeahmobi |
| Milton Keynes City Council | https://www.milton-keynes.gov[.]uk | Yeahmobi |
| Lancashire County Council | https://lancashire.gov[.]uk | Yeahmobi |
| London Borough of Redbridge | https://www.redbridge.gov[.]uk | Yeahmobi |
| Monmouthshire County Council | https://www.monmouthshire.gov[.]uk | Yeahmobi |
| Torbay Council | https://www.torbay.gov[.]uk | Yeahmobi |
| Wandsworth Council | https://wandsworth.gov[.]uk | Yeahmobi |
| East Hampshire District Council | https://www.easthants.gov[.]uk | Yeahmobi |
| Havering London Borough | https://havering.gov[.]uk | Yeahmobi |
| Newcastle City Council | https://newcastle.gov[.]uk | Yeahmobi |
| Tameside Metropolitan Borough | https://tameside.gov[.]uk | Yeahmobi |
| Cheltenham Borough Council | https://cheltenham.gov[.]uk | Yeahmobi |
| Havant Borough Council | https://havant.gov[.]uk | Yeahmobi |
| Met Office | https://www.metoffice.gov.uk | Yeahmobi |
| South Gloucestershire Council | https://southglos.gov.uk | Yeahmobi |

Example of banner advertising seen at the bottom of the homepage @ https://lancashire.gov.uk/

All of these domains except one (tfl[.]gov.uk) are local council websites.

Whilst programmatic advertising is not prohibited on UK council websites, allowing a Chinese ad vendor with a questionable past to collect data on visitors to UK public sector websites is problematic for reasons that are self evident.

Council Advertising Network (CAN) involvement

The Council Advertising Network (CAN) is a UK organization that “generates income for local authorities across the UK by running digital premium and programmatic advertising on council websites”.

CAN manages the ads.txt files of all of the UK domains listed above. Within these files are accountIDs that prove that Yeahmobi is authorised to serve ads, and access visitor data from the domain.

Silent Push has contacted CAN for an explanation, but is yet to receive a reply.

Example ads.txt file

  • https://www.derbyshiredales.gov.uk/ads.txt
  • MANAGERDOMAIN=can-digital.net
  • yeahmobi.com, 113772, RESELLER
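
An added example, not Silent Push's code or query: a small audit a site owner could run over their own ads.txt, parsing the record format shown above, reporting the MANAGERDOMAIN, and flagging sellers on a review list. The sample file is constructed (only the MANAGERDOMAIN and yeahmobi.com lines come from this page); the function names, the watchlist and the filler records are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: two lines quoted on this page plus invented filler records.
SAMPLE_ADS_TXT = """\
# ads.txt (constructed sample)
MANAGERDOMAIN=can-digital.net
google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0   # placeholder ID
YeahMobi.com , 113772 , reseller
example-exchange.test, 42
"""

@dataclass(frozen=True)
class Seller:
    domain: str        # advertising system's domain, lower-cased
    account_id: str    # publisher's account ID within that system
    relationship: str  # DIRECT or RESELLER
    line_no: int       # where the record sits in the file

def parse_ads_txt(text):
    """Return (variables, seller records, malformed line numbers)."""
    variables, sellers, malformed = {}, [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if "=" in line and "," not in line.split("=", 1)[0]:
            name, value = line.split("=", 1)      # e.g. MANAGERDOMAIN=...
            variables.setdefault(name.strip().upper(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        rel = fields[2].upper() if len(fields) >= 3 else ""
        if not fields[0] or len(fields) < 3 or not fields[1] \
                or rel not in ("DIRECT", "RESELLER"):
            malformed.append(line_no)             # too few fields or bad type
            continue
        sellers.append(Seller(fields[0].lower(), fields[1], rel, line_no))
    return variables, sellers, malformed

def audit(text, watchlist):
    """Summarise an ads.txt body and flag sellers whose domain is on the watchlist."""
    variables, sellers, malformed = parse_ads_txt(text)
    return {
        # Assumption: hashing the body lets you notice when the file changes.
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "managers": variables.get("MANAGERDOMAIN", []),
        "flagged": [s for s in sellers if s.domain in watchlist],
        "malformed_lines": malformed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_ADS_TXT, {"yeahmobi.com"}))
```

Because a third party such as the one named in MANAGERDOMAIN may edit the file, re-running the audit whenever the hash changes shows which sellers were added or removed.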

Addendum

After this blog was published and distributed in the media, Mark Gardner, Director of CAN Digital Solutions, which provides ads.txt files to various .gov.uk websites, told tech news outlet The Register that references to Yeahmobi will be deleted, and had the following to say:

“We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.

“We have also reached out to the native advertising partner working with them to ask for more insight into these claims and are more than happy to provide their feedback when we have it.”

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams and researchers across the globe to proactively locate attacker infrastructure, and stop threats before they’re launched.

Community Edition also enables users to search for adtech-related data across the Silent Push web content database, using a custom query language (SPQL) and an intuitive console.

Community users can also use the Live Scan feature to get a realtime snapshot of clearnet and darkweb URLs, across 70+ data categories.