Imagine you walk into a café. The moment you push the door open, before you've even decided what you want to drink, a thousand strangers sprint into a back room, shout numbers at each other for 80 milliseconds, and the winner buys the right to follow you around for the rest of the day taking notes. Nobody asks your permission, nobody tells you it's happening, and the café owner gets a small cut and smiles politely as you order your flat white.
None of that is fiction. It is a remarkably accurate description of what happens on the web every single time you load a page.
This is Real-Time Bidding, the automated advertising auction that fires every time a page loads, trades your attention like a commodity, and has turned the modern browser into the world's least transparent stock exchange. You are simultaneously the product being sold, the floor on which the trading happens, and the only party in the whole arrangement who doesn't get paid.
The Auction You Never Knew You Entered
Here's the part that still makes me blink twice: the entire process takes place in the sliver of time between you clicking a link and the page appearing on your screen. We're talking about 50 to 120 milliseconds. A blink of the eye takes around 300 to 400 milliseconds. The industry has built a global financial market that operates in a quarter of a blink.
When you land on a news site, your browser doesn't just quietly load some text and pictures. It fires a signal to something called a Supply-Side Platform (SSP), the auctioneer's assistant in this exchange, announcing: "Fresh visitor! Here's what we know about them." That packet contains your approximate location, the device you're using, your browser, the page you're loading, and a unique identifier linking back to everything you've ever done that was previously tracked.
The SSP takes that data parcel and broadcasts it simultaneously to dozens of Demand-Side Platforms (DSPs), which are the algorithmic buyers employed by advertisers. Each DSP consults its own vast database of profile information, pieced together from data brokers, loyalty card programmes, past browsing behaviour, social media activity, and things you probably don't even remember clicking on, and decides, in milliseconds, what your attention is worth to their clients.
Bids come back. Highest bidder wins. An ad loads. You read an article about sustainable fishing.
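To make the contents of that packet concrete, here is an added example (not code from Prism or any ad-tech vendor) that audits a constructed bid request for the categories listed above and produces a minimised copy. It assumes the request follows the IAB OpenRTB 2.x field layout, which the article does not name; the sample values and the function names are illustrative.

```javascript
// Constructed sample shaped like an OpenRTB 2.x bid request (not captured traffic).
const sampleBidRequest = {
  id: "req-0001",
  imp: [{ id: "1", banner: { w: 300, h: 250 } }],
  site: { domain: "news.example", page: "https://news.example/health/knee-pain?ref=mail" },
  device: {
    ua: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    ip: "203.0.113.57",
    geo: { lat: 51.5074, lon: -0.1278, country: "GBR" },
  },
  user: { id: "ssp-user-7f3a", buyeruid: "dsp-user-91bc" },
};

// OpenRTB field paths mapped to the categories the article lists.
const PERSONAL_FIELDS = new Map([
  ["device.ip", "location"], ["device.geo.lat", "location"],
  ["device.geo.lon", "location"], ["device.ua", "device"],
  ["device.ifa", "identifier"], ["user.id", "identifier"],
  ["user.buyeruid", "identifier"], ["site.page", "page"],
]);

// Read a dotted path; returns undefined when any segment is missing.
const getPath = (obj, path) =>
  path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);

// List every personal-data field present in the request, grouped by category.
function auditBidRequest(req) {
  const findings = {};
  for (const [path, category] of PERSONAL_FIELDS) {
    const value = getPath(req, path);
    if (value === undefined) continue;
    (findings[category] = findings[category] || []).push(path);
  }
  return findings;
}

// Return a copy with identifiers dropped and location/page data coarsened.
function minimise(req) {
  const out = JSON.parse(JSON.stringify(req));
  delete out.user;
  if (out.device) {
    delete out.device.ifa;
    delete out.device.ipv6;
    if (out.device.ip) out.device.ip = out.device.ip.replace(/\.\d+$/, ".0"); // IPv4 /24
    if (out.device.geo) out.device.geo = { country: out.device.geo.country };
  }
  if (out.site && out.site.page) out.site.page = new URL(out.site.page).origin + "/";
  return out;
}
```

Running `auditBidRequest` on the output of `minimise` shows what still remains: a truncated IP, the user agent and the site origin.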
Meet the Orchestra Playing in the Walls
When most people think of online tracking, they picture Google and Facebook, two enormous entities who definitely know a suspicious amount about them. That's like looking at a thunderstorm and noticing only the two biggest clouds.
The average popular website has somewhere between 30 and 70 third-party tracking scripts running on it. These are not all Google. They are a sprawling baroque ecosystem of companies you have almost certainly never heard of, with names like Criteo, The Trade Desk, PubMatic, Magnite, Index Exchange, Xandr, TripleLift, OpenX, Sharethrough, Unruly, Verizon Media, each one a tentacle of an industry that, collectively, generates over $600 billion a year by treating human attention as a raw material to be mined.
Each of these companies has set at least one small tracker in your browser. Not a tracker watching what you do on their own site (they don't have one you'd recognise), but a tracker watching what you do across everyone else's. Because the same script, served from the same domain, loads on thousands of websites simultaneously, it can join the dots across all of them. You visited a running shoe review page, then a physiotherapy clinic site, then a marathon training forum. Individually, innocuous. Together, a profile that says: person with probable knee problem, training for a race, disposable income implied by gear preferences, high purchase intent for footwear and supplements.
The trackers themselves operate like barnacles on the hull of a ship. They attach to the part of the web you actually want, the content, and hitch a free ride everywhere it goes. You invited the content. The barnacles came along uninvited, multiplied, and filed reports about your journey to seventeen different companies in Menlo Park, London, and Tel Aviv.
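The "join the dots" effect can be measured from your own browsing data. The following added example (not part of the original article or of Prism) takes a constructed request log and reports which third-party domains were loaded on two or more different sites, and which sites those were. The log format, the `.example` hostnames and the function names are assumptions made for illustration.

```javascript
// Constructed request log: the page being visited and one resource it loaded.
const requestLog = [
  { page: "https://shoes.example/reviews/trail", url: "https://static.shoes.example/app.js" },
  { page: "https://shoes.example/reviews/trail", url: "https://t.adtech-one.example/pixel.gif" },
  { page: "https://physio.example/knee", url: "https://t.adtech-one.example/pixel.gif" },
  { page: "https://physio.example/knee", url: "https://cdn.fonts-host.example/a.woff2" },
  { page: "https://marathon.example/forum", url: "https://sync.adtech-one.example/match" },
  { page: "https://marathon.example/forum", url: "https://px.adtech-two.example/i" },
  { page: "https://shoes.example/reviews/trail", url: "https://px.adtech-two.example/i" },
];

// Simplification: treat the last two labels as the registrable domain.
// A real tool must use the Public Suffix List (for example for co.uk).
const siteOf = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Return third-party domains seen on at least minSites distinct first-party sites.
function crossSiteObservers(log, minSites = 2) {
  const seen = new Map(); // third-party domain -> Set of first-party sites
  for (const { page, url } of log) {
    const first = siteOf(page);
    const third = siteOf(url);
    if (first === third) continue; // same-site resource, cannot link sites together
    if (!seen.has(third)) seen.set(third, new Set());
    seen.get(third).add(first);
  }
  return [...seen]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([domain, sites]) => ({ domain, sites: [...sites].sort() }))
    .sort((a, b) => b.sites.length - a.sites.length || a.domain.localeCompare(b.domain));
}
```

A domain that appears on only one site, like the font host in the sample, is left out because it has nothing to correlate.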
The Data Broker: The Middleman Nobody Invited
Behind the real-time bidding ecosystem sits an even less visible industry: data brokers. If the ad-tech companies are the traders on the floor, data brokers are the shadowy warehouses where all the paper is kept.
Companies like Acxiom, Experian (yes, the credit one), Oracle Data Cloud, and hundreds of smaller operations collect data from every conceivable source (public records, loyalty card programmes, retail purchases, app permissions, social media, financial applications) and sell it in enriched profile form to anyone willing to pay. They are not subject to the GDPR in many jurisdictions because they claim to sell aggregated data. But the aggregates are thin enough that re-identification of individuals is trivial.
The result is a strange hall of mirrors. When a DSP bids on your browser's ad slot, it may be comparing two dozen different data sources about you, some of which came from your bank loyalty scheme, some from an app you downloaded in 2019 and forgot about, some from a political survey you took to win a voucher. None of these sources told you they were feeding into a financial market every time you load a webpage.
Why Blocking Ads Doesn't Solve It
Here is the thing about ad blockers: they are brilliant, and you should use one. But they are answering the wrong question. An ad blocker is like refusing to accept the printed receipt at the end of a transaction. The transaction still happened. The data was still broadcast. The auction still ran. You just didn't get the printout at the end.
The real-time bidding signal fires the moment the page begins to load, before the ad blocker has had a chance to inspect and block anything. The bid request, containing your device fingerprint, IP, and identifier, has already left the building. The auction has already run. The losing bidders have already received your profile. The ad blocker shows up, shrugs at the empty slot, and declares victory.
This is not the ad blocker's fault. It was built for a different era of advertising, one where ads were bad because they were intrusive and you didn't want to look at them. It was not built for an era where the real damage is invisible, happens before the page renders, and involves your data being traded rather than a banner being displayed.
What Prism Actually Does About It
Prism operates from a different premise: instead of trying to stop the data from being collected, a battle that's already largely lost, it intercepts the data at the source and ensures that you, the person the data describes, have a copy first.
Every tracker detected. Every site visited. Every interest inferred. Every consent signal fired. Prism captures the same signals the trackers send and stores them locally, encrypted, in a wallet only you control. The result is that for the first time, you can see exactly what the ad-tech ecosystem sees when it looks at you. Not a vague summary. Not a marketing department's reassuring blur. The actual data.
Then an AI layer with access to your own wallet can tell you things like: "You visited 14 sites this week that use Criteo. The profile they have assembled from those visits suggests high purchase intent for consumer electronics. The following 7 sites you use share that profile with Amazon Advertising."
That's not a warning. That's a revelation. Because once you can see what the market sees, you can make informed decisions about what to do with it. Maybe you decide to sell it directly. Maybe you decide to opt out. Maybe you just want to look the monster in the face.
The Regulation That Arrived Too Late and Too Quietly
GDPR was supposed to fix this. In 2018, the European Union passed what was heralded as the most significant data privacy legislation in history, and in a sense it was. Companies were required to obtain meaningful consent before tracking. Users had the right to access, correct, and delete their data. Fines were eye-watering in theory: up to 4% of global annual turnover.
In practice, the ad-tech industry responded the way it always responds to inconvenient regulation: it built something more complicated. Enter the Transparency and Consent Framework (TCF), an industry-designed system that technically complies with GDPR by surfacing consent banners, those pop-ups you've been clicking "Accept All" on for years, while structuring the choices so that accepting is one click and rejecting requires a guided tour through sub-menus that would make a tax return blush.
The Belgian Data Protection Authority found in 2022 that the TCF was fundamentally incompatible with GDPR. Enforcement moved at the speed of continental geology while tracking continued at the speed of light.
The real-time bidding auction has been the subject of multiple legal challenges, regulatory investigations, and academic papers so alarming that their authors have taken to adding mental health disclaimers in the introduction. None of it has meaningfully slowed the auction down. It still fires, it still broadcasts your data to hundreds of companies, and it still happens before you've finished reading the headline.
The Balance of Power
There's something philosophically strange about the arrangement we've all quietly accepted. The web was supposed to be a library, a place you went to get information. Instead, it became a machine that harvests information about everyone who visits it and trades that information in a market they never agreed to enter.
The companies that built this system would say it's the price of a free web. That without advertising revenue, your favourite news site would cease to exist and the internet would revert to a grey landscape of Wikipedia pages and academic papers. This is partly true and entirely beside the point. The question is not whether advertising should exist. The question is whether you should have a right to know what data is collected about you, by whom, and what is done with it.
That question has a clear legal answer in Europe: yes. It has a clear moral answer everywhere: obviously. And it has a practical answer that the industry has spent two decades engineering away from you.
Prism is one answer to the practical problem. Not a perfect one. Not a complete solution to a problem that requires legislative backbone and a great deal more political will than the ad-tech lobby has so far allowed. But a start. A tool that hands you a clipboard and says: here, take your own notes. The auction is still running. At least now you can see the prices.