A new report from Reset Tech found Australians’ live location data is shared hundreds of times each day through real-time bidding systems, software used by ad-exchange companies that collect masses of consumer data to share with advertisers.

The digital advocacy group used data from the Irish Council of Civil Liberties’ investigation into Australia’s hidden security crisis and made shocking discoveries about how Australians’ personal information is being used without their consent.

Reset Tech uncovered Australian’s “extraordinarily sensitive information” was being exposed to hundreds of unknown third-party actors every second of every day.

The company explained RTB systems worked each time a person opened a website or app with an ad, instantly launching an auction to help advertisers decide which ad space to bid on.

The report found everyday thousands of companies received data on every available ad slot on Australians’ devices, which they could copy to build their own databases about Australians and resell the information over and over again.

Data included information about people’s movements, sexual interests, financial concerns, service providers, personal problems, gambling, drinking habits and online purchases.

Data could be categorised to identify who overate to cope with stress, who acted on impulse, who got a thrill from shopping, and who was self-indulgent.

The report found one company had 17,500 unique data categories about Australians for sale.

Currently, Australia has no limits on how this sensitive information is used which means residents’ private information can be sold to scammers and foreign-state actors.

The report highlighted scammers could buy this information from businesses to personalise scam ads that appeared to be from people’s service providers such as banks or telcos, or use it to scam people in other ways.

Real Tech executive director Alice Hawkins said no one knew who was buying the data or where it was going.

Ms Hawkins said there was no transparency over the transactions that were taking place in a largely business to business data trade.

“We don’t know who buys it and we don’t know what happens to the data after it is initially released and put on offer,” she said.

“There’s no way of knowing or controlling these data flows once they’ve been exposed through the RTB process.”

Ms Dawkins said it was widely recognised that browsing was not a private experience, but Australians would be shocked to hear the level of inferences and information that could be collected from advertisers, purchasers and advertising data.

She said the real point was how the information could be linked back to an identifiable person.

“The ad tech industry talk about the data being anonymous or anonymised, and the narrative of anonymous ads, which I just find so extraordinary,” she said.

“It’s the ad tech industries version of greenwashing.

“The whole point of the detail in these datasets is so you can target a person with ads relevant to them, such as through a cookie ID or a browser ID.

So the notion that all of this effort goes into targeting ads and then it couldn’t possibly be linked to a person is so nonsensical, because that’s the entire point.”

Ms Dawkins said the Australian parliament needed to set clearer expectations on what types of data was protected.

She said there needed to be a useful framework for businesses that handled, processed, collected and traded Australian’s data.

In September, Attorney-General Mark Dreyfus introduced the Privacy and Other Legislation Amendment Bill 2024 into parliament to offer better protection of Australian’s privacy.

A spokesperson for the Attorney-General said the government was committed to ensuring the Privacy Act worked for all Australians and was fit for purpose in the digital age.

“The Albanese Government’s landmark legislation now before the parliament will strengthen privacy protections for all Australians, including a statutory tort for serious invasions of privacy, targeted criminal offences to respond to doxxing and enable the development of a Children’s Online Privacy Code,” they said.

“This legislation is just the first stage of the Government’s commitment to providing individuals with greater control over their personal information.”

Consumer Police Research Centre deputy chief executive officer Chandni Gupta said Australians deserved privacy protections that were centred around people, not profit.

“It is time for the Federal Government to modernise what it means to be identifiable to cover data points obtained from any source and by any means,” he said.

“It must put the onus on businesses by imposing clear obligations on collecting, sharing and using consumer data that leads to fair and safe outcomes for Australians.”