Oracle knew you bought prenatal vitamins at CVS.

Oracle knew you read parenting articles on BabyCenter.

Oracle knew you searched for cribs on your phone at 2 AM and then again on your laptop the next morning.

Oracle knew your home address. Your email. Your phone number. The name on your credit card.

And Oracle merged all of it into a single profile and put it up for sale.

Not to your doctor. Not to your insurance company. To anyone with a credit card and an advertising budget.

You never signed up for this. You never clicked "I agree." You never even knew Oracle had your name. But they did. They had your name, and your purchase history, and your browsing habits, and a probabilistic model of every device you owned, and they had packaged all of it into a neat little dossier that sat on a server alongside five billion others.

Five billion.

Not five billion data points. Five billion people. Five billion profiles, built from fifteen million data sources, updated continuously, sold on an open marketplace to anyone who wanted to buy a slice of someone's life.

That number comes from Oracle's own vice president of data cloud, Eric Roza, who told Computerworld in 2017 that Oracle Data Cloud maintained profiles on over five billion consumer IDs drawn from more than fifteen million data sources. He said it like it was a selling point. Because it was.

At its peak, Oracle's advertising data division generated over a billion dollars a year in revenue. A billion dollars, extracted from the digital exhaust of people who had no idea they were being watched, catalogued, and sold.

Part 3 of this series catalogued the acquisitions. Datalogix. BlueKai. AddThis. Crosswise. Moat. Grapeshot. The shopping spree that turned Oracle from a database company into a surveillance conglomerate.

Now it's time to talk about what all that machinery actually did.

How it worked. What it captured. What it revealed about you.

And why the company that built a global surveillance apparatus couldn't be bothered to put a password on its own database.

Mechanism #1: The Loyalty Card Pipeline

You have a loyalty card.

Maybe it's from CVS. Maybe Kroger. Maybe Target, or Walgreens, or any of the dozens of grocery chains and pharmacies that offer you a few cents off your toothpaste in exchange for a little plastic rectangle on your keychain.

You know, on some level, that the store tracks your purchases. That's the deal. You save twelve cents on dish soap, and they learn you buy dish soap every three weeks. Fine. It feels harmless. It feels local. It feels like a transaction between you and the store.

It wasn't.

Datalogix, the company Oracle acquired in 2014 for $1.2 billion, had spent years building relationships with those retailers. CVS. Kroger. Target. Walgreens. Hundreds of them. Datalogix had access to the purchase histories of what it described as "almost every U.S. household." Not a sample. Not a projection. Almost every household.

Here's how the pipeline worked.

When you swiped your loyalty card at the register, the store recorded your purchase. Product name. Price. Date. Time. Location. That record went into the store's database, tied to the loyalty card number, which was in turn tied to whatever information you'd provided when you signed up. Name. Address. Email. Phone number.

Datalogix ingested those records. Billions of them. The Electronic Frontier Foundation estimated that Datalogix processed purchase data representing over one trillion dollars in consumer transactions. One trillion. That's not a typo. That's every box of cereal, every prescription refill, every pregnancy test, every bottle of whiskey, every tube of hemorrhoid cream purchased by almost every household in America, flowing into Oracle's servers.

But purchase history alone wasn't the prize. The prize was matching it to online identities.

Datalogix took the email addresses and phone numbers from loyalty card signups and hashed them. Hashing is a one-way mathematical function that turns "john.smith@gmail.com" into a string of characters like "a4f2e8c1d..." The theory is that hashing protects privacy because you can't reverse the hash back to the original email.

The practice is different.

Facebook also had your email address. So did Google, and Twitter, and dozens of other platforms. They hashed their emails the same way. And when Datalogix's hash matched Facebook's hash, the two companies knew they were looking at the same person. No raw email ever changed hands. Just a wink and a nod between two databases that both knew exactly who you were.

In September 2012, Facebook announced a partnership with Datalogix. The stated purpose was to help advertisers measure whether Facebook ads led to in-store purchases. The unstated reality was that Facebook had just connected its billion-user social graph to the purchase histories of almost every American household.

Facebook didn't ask its users for permission. It didn't notify them. It automatically opted in every single user. All of them. If you had a Facebook account in September 2012, you were part of the Datalogix partnership whether you knew it or not.

The backlash was immediate but ineffective. The Electronic Privacy Information Center filed an FTC complaint. Privacy researchers screamed. Facebook responded by creating an opt-out page buried deep in its settings, accessible only if you knew it existed, which required you to first know that the partnership existed, which Facebook had never told you about.

The FTC investigated. It found that Datalogix's privacy practices were questionable but technically legal. No enforcement action was taken. The partnership continued.

It took Cambridge Analytica to kill it. When that scandal erupted in 2018, Facebook frantically shut down its third-party data marketplace, cutting off Datalogix and its competitors from direct access to Facebook's user graph. But by then, the data had been flowing for six years. And Datalogix was already inside Oracle, where the purchase histories continued to be matched, merged, and sold through Oracle's own channels.

The loyalty card in your wallet was never just a loyalty card. It was an intake form for one of the largest consumer surveillance operations ever constructed. And the twelve cents you saved on dish soap was the price they paid you for your entire purchase history.

Mechanism #2: The Invisible Pixel

If Datalogix watched what you bought, BlueKai watched what you read.

You already know from Part 3 that Oracle acquired BlueKai in 2014. What matters now is understanding the mechanism. Because BlueKai's tracking technology was both brilliantly simple and profoundly invasive, and it was hiding in plain sight on websites you visited every day.

The core technology was the tracking pixel.

A tracking pixel is a 1x1 image, one pixel by one pixel, embedded in a webpage. It's invisible. You can't see it. Your browser loads it automatically as part of rendering the page, and you never know it's there. But when your browser requests that tiny image from BlueKai's server, it sends along information. Your IP address. Your browser type. Your operating system. And critically, the referrer URL, which is the full address of the page you're currently viewing.

That referrer URL is where the surveillance happens.

If you're reading an article on WebMD about diabetes symptoms, the referrer URL contains "webmd.com/diabetes/symptoms." If you're browsing mortgage rates on Bankrate, the URL contains "bankrate.com/mortgages." If you're reading about divorce lawyers, or depression medication, or bankruptcy filing, or HIV testing centers, the URL tells BlueKai exactly what you were looking at.

One pixel. Invisible. Loaded automatically. And it captured the full content of your browsing session.

BlueKai's pixels were embedded on thousands of websites. According to whotracks.me, a project by the privacy company Ghostery that monitors web trackers, BlueKai's tracking infrastructure touched approximately 1.2 percent of all web traffic. That might sound small. It isn't. 1.2 percent of all web traffic is billions of page views per month. Billions of referrer URLs. Billions of data points about what real people were reading, researching, worrying about, planning for.

But BlueKai wasn't just collecting this data for Oracle's internal use. BlueKai operated a data marketplace. A literal marketplace where advertisers could browse and purchase behavioral profiles based on web activity.

Want to target people who've been reading about luxury cars? BlueKai had a segment for that. People researching cancer treatment options? There was a segment for that too. People visiting pages about addiction recovery, or debt consolidation, or domestic violence resources? All available. All for sale.

The marketplace operated on a taxonomy of thousands of behavioral categories. Advertisers could slice and dice the browsing population by interest, intent, life stage, health concern, financial situation. And because BlueKai was matching this browsing data against other identity signals, including the hashed emails and device fingerprints flowing in from Oracle's other acquisitions, these weren't anonymous segments. They could be tied back to real people.

The invisible pixel was the intake valve. The marketplace was the cash register. And between them, BlueKai turned the simple act of reading a webpage into a transaction where you were the product, sold in real time to the highest bidder.

Mechanism #3: The Trojan Horse

AddThis was the most insidious one.

You've seen it a thousand times. Those little sharing buttons at the bottom of articles and blog posts. The row of icons: Facebook, Twitter, Pinterest, email. "Share this!" Friendly. Helpful. A public service, really, making it easy to pass along interesting content to your friends.

It was surveillance infrastructure.

AddThis provided its sharing toolbar to website publishers for free. Completely free. No charge. And publishers loved it, because it was easy to install, it looked professional, and it encouraged social sharing, which drove traffic. By the time Oracle acquired AddThis in 2016, the toolbar was installed on more than fifteen million websites and reached 1.9 billion unique users per month.

Let that number settle. 1.9 billion monthly uniques. That's not a typo. That's roughly a quarter of everyone on the internet, every month, interacting with pages that contained AddThis code.

But the sharing buttons were the candy coating. The real payload was the JavaScript that loaded alongside them.

When a webpage included the AddThis toolbar, it loaded a JavaScript file from AddThis's servers. That script did more than render sharing buttons. It tracked the user's behavior on the page. What they scrolled past. What they clicked. How long they stayed. And it reported all of that back to AddThis, along with the same referrer URL data that BlueKai was harvesting.

In July 2014, ProPublica published an investigation that revealed something even more troubling. AddThis was using a technique called canvas fingerprinting to track users across websites, even when they blocked cookies.

Canvas fingerprinting works like this. The JavaScript instructs your browser to draw a hidden image using the HTML5 canvas element. The way your browser renders that image depends on your operating system, your graphics card, your installed fonts, your screen resolution, and dozens of other variables unique to your specific machine. The resulting image is converted to a string of characters that serves as a fingerprint. Your fingerprint. Unique to your device. Persistent across browsing sessions. Nearly impossible to block.

ProPublica found AddThis's canvas fingerprinting code running on thousands of major websites. The White House website. YouPorn. Government agencies. Health information sites. News organizations. All of them, simultaneously feeding behavioral data back to AddThis through a piece of code that most of them had installed thinking it was just a sharing toolbar.

The YouPorn revelation was particularly telling. When ProPublica contacted the company, a spokesperson said YouPorn was "completely unaware that AddThis contained tracking software." They had installed it for the sharing buttons. They didn't know it was fingerprinting their users and sending the data to a third party. They pulled it immediately.

But YouPorn was one site among fifteen million. How many other publishers knew what was running on their pages? How many had read the AddThis terms of service closely enough to understand that "free" meant "we track your visitors and sell the data"?

The answer, based on the reaction to ProPublica's investigation, was almost none.

After Oracle acquired AddThis, the tracking continued. The data flowed into Oracle Data Cloud alongside the purchase histories from Datalogix and the browsing profiles from BlueKai. Fifteen million websites' worth of user behavior, merged into Oracle's growing surveillance apparatus.

AddThis had one problem. It couldn't survive GDPR.

The European Union's General Data Protection Regulation, which took effect in May 2018, required explicit, informed consent before tracking users. AddThis's entire business model was built on tracking users without their knowledge. The sharing buttons were designed to be installed by publishers who didn't understand what the code actually did. Getting informed consent from 1.9 billion monthly users for covert tracking was not a technical challenge. It was a logical impossibility.

Oracle tried to make it work. They tried consent frameworks, modified code, regional restrictions. None of it could square the circle. You cannot get informed consent for a system that was specifically designed to operate without anyone's knowledge.

On May 31, 2023, Oracle shut down AddThis. The sharing buttons disappeared from fifteen million websites. The Trojan Horse was finally wheeled out of the city.

But by then, Oracle had been collecting data through AddThis for seven years. That data didn't disappear with the toolbar.

Mechanism #4: The Device Stitcher

There was a problem with all of this data, and the problem was fragmentation.

Datalogix knew what you bought at the store. BlueKai knew what you read on your laptop. AddThis knew what you shared on your phone. But they didn't always know that the person buying prenatal vitamins at CVS was the same person reading BabyCenter articles on a MacBook and sharing nursery design ideas on an iPhone.

Different devices. Different browsers. Different IP addresses. Different cookies. To a tracking system, you looked like three or four different people.

Crosswise solved that problem.

Founded in Tel Aviv in July 2014, Crosswise was built by veterans of Unit 8200, the Israeli military's elite signals intelligence division. The same unit that produced the founders of NSO Group, Cellebrite, and dozens of other surveillance technology companies. The founders of Crosswise had spent their military careers learning how to identify and track targets across fragmented communications channels. They applied those skills to advertising.

Crosswise's technology was called probabilistic device matching, and it worked without requiring any login data at all.

Here's the concept. Your phone and your laptop are different devices, but they share certain behavioral patterns. They connect to the same WiFi networks. They're active at the same times of day. They visit the same IP addresses. They're in the same geographic location. They access some of the same apps and websites.

Crosswise's algorithms analyzed these signals across billions of devices and identified clusters of devices that appeared to belong to the same person. No login required. No email matching. No cookies. Just pattern analysis on network behavior, location data, temporal usage patterns, and other signals that, taken individually, meant nothing, but taken together could identify you with startling accuracy.

Oracle acquired Crosswise in 2016. It was not a large acquisition. There were no splashy press releases. But it was arguably the most important piece of the puzzle.

Because Crosswise was the bridge.

Without Crosswise, Oracle had islands of data. Purchase histories here. Browsing profiles there. Social sharing data somewhere else. With Crosswise, Oracle could connect those islands. The person buying prenatal vitamins at CVS (Datalogix) was now linked to the person reading BabyCenter on a laptop (BlueKai) and sharing nursery ideas on a phone (AddThis).

All without the person ever logging in to anything Oracle operated. All without consent. All invisible.

Unit 8200 built surveillance tools for national security. Their alumni built one for selling diapers.

Mechanism #5: The Oracle ID Graph

Now put it all together.

Oracle called it the Oracle ID Graph, and it was exactly what it sounds like: a massive graph database that merged every data source Oracle had acquired into unified consumer profiles.

The ID Graph used two types of matching.

Deterministic matching was the straightforward kind. If Datalogix had your email address from a loyalty card signup, and BlueKai had the same email address from a website registration, that was a deterministic match. Same email, same person. High confidence. Oracle also matched on phone numbers, names, and physical addresses.

Probabilistic matching was Crosswise's contribution. When Oracle couldn't find a deterministic link between two data points, it used Crosswise's device graph to make a probabilistic connection. Your laptop and your phone shared WiFi patterns and location signals, so they probably belonged to the same person. Probability: 94%. Close enough.

Between deterministic and probabilistic matching, Oracle could stitch together data from sources that had no direct connection to each other. The loyalty card from CVS had your email. The tracking pixel on WebMD had your browser fingerprint. The AddThis toolbar on a parenting blog had your device ID. And Crosswise connected your devices even when none of those identifiers overlapped.

The result was a profile that contained more about you than any single company, or possibly any government agency, had ever assembled.

A single Oracle ID Graph profile could include your full name, your email addresses, your phone numbers, your physical address and mailing address. It could include your complete web browsing history across every site running BlueKai pixels. Your in-store purchase history from every retailer feeding data to Datalogix. Every website where you clicked a share button powered by AddThis. Every device you owned, linked through Crosswise's probabilistic matching. Your inferred income bracket. Your estimated political affiliation. Your probable health conditions. Your likely life stage.

Oracle also partnered with PlaceIQ, a location data company that tracked GPS movements from mobile apps. Through that partnership, Oracle could add physical movement patterns to its profiles. Where you went. How long you stayed. How often you visited. Your commute pattern. Your shopping habits. Whether you went to church on Sundays or a bar on Fridays.

Let's go back to the prenatal vitamins.

You bought prenatal vitamins at CVS using your loyalty card. Datalogix captured that purchase and matched it to your email address from the card signup. BlueKai's pixel on BabyCenter captured your browsing session about first-trimester nutrition, linked to a browser cookie. AddThis's toolbar on a pregnancy forum captured your sharing activity and canvas-fingerprinted your device. Crosswise connected your phone, your laptop, and your work computer as belonging to the same person. PlaceIQ recorded your phone visiting a Babies "R" Us location for forty-five minutes on a Saturday.

Oracle's ID Graph merged all of this into a single profile. Your profile. With your name on it.

And then Oracle put that profile on the marketplace.

An advertiser selling baby products could now target you with ads. So could a health insurance company looking for expectant mothers. So could an employer looking for employees who might be about to take maternity leave. So could a data broker purchasing Oracle segments for resale to anyone with a checkbook.

You didn't know this was happening. You never consented to it. You never even knew Oracle had your name.

But Oracle had five billion profiles just like yours. And every single one of them was for sale.

The Server Without a Password

In 2020, a security researcher named Anurag Sen found something that would have been funny if it weren't so horrifying.

He found an Oracle BlueKai server sitting on the open internet, completely unsecured. No password. No authentication. No encryption. Nothing. Just a database containing billions of records of consumer tracking data, accessible to anyone who knew the IP address.

Sen reported his findings to Zach Whittaker at TechCrunch, who verified the exposure and published the story in June 2020.

The exposed data was staggering. Billions of records containing web browsing activity tied to real people. Names. Home addresses. Email addresses. The full referrer URLs that revealed exactly what people had been reading online. All of it sitting on a server that anyone could access.

Whittaker's reporting highlighted specific records that illustrated the scope of the exposure.

There was a German man whose record showed he had placed a ten-euro bet on an esports match. The record contained his full name, his home address, his email, and the details of the bet. A ten-euro wager, and Oracle had captured it, linked it to his identity, and then left it on an unsecured server for the world to see.

There was a Turkish investment company that appeared to be using BlueKai data to track the online behavior of its own users, with the tracking data exposed alongside personal details.

There were records showing people's browsing habits on health sites, financial sites, dating sites. Records that, if made public, could destroy careers, end relationships, alter insurance rates.

The company that had built the most comprehensive commercial surveillance apparatus in history, the company that sold data security as one of its core enterprise products, the company whose founder Larry Ellison had spent decades positioning as the gold standard of database technology, couldn't be bothered to put a password on its own surveillance database.

Oracle's response was muted. The company acknowledged the exposure, secured the server, and said it was "aware of a report regarding certain BlueKai records that may have been exposed on the internet." May have been. As if there were any ambiguity. The server was wide open.

No one knows how long the server was exposed. No one knows who accessed it. No one knows how many of those billions of records were copied, sold, or used. Oracle didn't say, and no regulator forced them to.

The irony was thick enough to choke on. Oracle had spent billions of dollars building a system to collect and monetize the most intimate details of people's lives. And then it left the back door open.

And it wasn't just the BlueKai server. Our own OSINT research found that documents stamped "Confidential, Oracle Internal" and "Oracle Restricted" are currently sitting on public-facing pages at docs.oracle.com, fully indexed by Google. Not leaked by a whistleblower. Not exfiltrated by a hacker. Just... there. Findable by anyone with a search engine and five minutes of curiosity. The company that built a global surveillance machine to track your every digital movement cannot secure its own confidential documents from a basic Google search.

This is the entity that wants you to trust it with your data. This is the company that governments and Fortune 500s pay to secure their most sensitive information. It stamps things "Confidential" and then publishes them on the open web. It's not negligence at this point. It's a pattern.

The Reckoning That Came Too Late

On August 19, 2022, a class action lawsuit was filed in the Northern District of California. The case was called Katz-Lacabe v. Oracle America Inc., and the complaint did not mince words.

The plaintiffs described Oracle Data Cloud as a "worldwide surveillance machine" that had compiled dossiers on approximately five billion people. The complaint alleged violations of the federal Electronic Communications Privacy Act, various state privacy laws, and common law privacy rights.

The core argument was simple. Oracle had intercepted, collected, and sold people's communications and personal data without their knowledge or consent. The tracking pixels captured web browsing activity in transit. The purchase history matching linked offline behavior to online identities. The device stitching connected data sources that users had never authorized to be connected. All of it happened invisibly, automatically, and at a scale that dwarfed any previous commercial surveillance operation.

The language in the complaint deserves to be read directly. The plaintiffs' attorneys described Oracle's operation as "deliberate and purposeful surveillance of the general population via their digital and online existence." Not incidental data collection. Not a byproduct of service delivery. Deliberate. Purposeful. Surveillance. Of the general population. The complaint further alleged that Oracle "tracks in real-time and records indefinitely." Real-time tracking. Indefinite retention. That's not an advertising platform. That's an intelligence operation with a marketing department.

The complaint detailed how Oracle's system worked in language that would have been illuminating for anyone who hadn't been following this series. The plaintiffs' lawyers had done their homework. They traced the data flows from loyalty cards through Datalogix, from tracking pixels through BlueKai, from sharing buttons through AddThis, from device fingerprinting through Crosswise, all converging in the Oracle ID Graph.

The case was strong enough that Oracle decided to settle rather than risk a trial.

In August 2024, Oracle agreed to pay $115 million to settle the class action. The settlement class covered anyone in the United States whose data had been collected from August 19, 2018 onward. Think about that date range for a moment. Six years of surveillance, covering essentially every human being with an internet connection. The settlement only covered American Adults, however their tracking covered everyone. The company also agreed to stop capturing referrer URLs and form text through its tracking systems.

One hundred and fifteen million dollars. That sounds like a lot of money.

It isn't.

Oracle's market capitalization at the time was over $300 billion. Its annual revenue exceeded $50 billion. $115 million represented approximately 0.23 percent of the company's annual revenue. Not two percent. Zero point two three percent.

To put that in perspective, if you made $50,000 a year, an equivalent fine would be $20. Twenty dollars. For running a worldwide surveillance machine that tracked five billion people without their consent.

But the settlement's real failure wasn't the dollar amount. It was what it didn't require.

The settlement did not require Oracle to delete the data.

Read that again. Oracle built profiles on five billion people without their consent. A federal court agreed that this was serious enough to warrant a $115 million settlement. And the settlement did not require Oracle to delete a single profile.

The five billion dossiers stayed right where they were.

Oracle agreed to stop certain collection practices going forward. No more capturing referrer URLs. No more grabbing form text. These were meaningful concessions in theory. In practice, Oracle had already collected years' worth of referrer URLs and form text. That historical data remained in Oracle's systems, fully intact, fully usable.

The settlement was a parking ticket on a getaway car. The car kept driving. The stolen goods stayed in the trunk.

Mechanism #6: The Name Change

The settlement did something else, though. Something Oracle would never publicly admit was connected.

In the months following the $115 million payout, Oracle announced that it was winding down Oracle Data Cloud and shutting down the entire Oracle Advertising division. Not trimming it. Not restructuring it. Killing it. The division that had housed Datalogix, BlueKai, AddThis, Crosswise, and all the other surveillance acquisitions was being eliminated.

Headlines treated it as a victory. "Oracle exits advertising." "Oracle Data Cloud shutters." Privacy advocates nodded approvingly. Another surveillance merchant brought low by regulation and public pressure.

Except that's not what happened.

Oracle didn't delete the data. Oracle didn't destroy the profiles. Oracle didn't dismantle the ID Graph.

Oracle migrated the data into Oracle CX, its customer experience platform, and Oracle Unity CDP, its customer data platform. The same profiles, the same matching algorithms, the same behavioral data. New product names. New branding. New marketing materials.

Oracle Data Cloud became a feature inside Oracle's enterprise software suite instead of a standalone advertising product. The data that was once sold directly to advertisers through a marketplace was now packaged as "customer intelligence" for Oracle's enterprise clients. Different sales pitch. Same surveillance data.

And those enterprise clients? The contract terms governing their data are even worse than you'd guess. We obtained and analyzed Oracle's standard boilerplate. What we found deserves its own section. That's coming in Part 5.

This shouldn't surprise anyone who has been following this series from the beginning.

In Part 1, we documented how Oracle was born from a CIA contract for a database called "Oracle," then renamed the entire company after the product when the contract became embarrassing. In Part 2, we traced how Larry Ellison turned a government project into a commercial empire by changing labels and rewriting histories. Oracle has been renaming things to make them disappear for fifty years.

Oracle Data Cloud didn't die. It changed its name. The surveillance infrastructure didn't disappear. It just changed customers. More on that in Part 5.

Oracle is very good at that.

The profiles are still there. The matching algorithms are still running. The behavioral data, the purchase histories, the browsing records, the device graphs, all of it persists inside Oracle's enterprise cloud. It's just not called "Oracle Data Cloud" anymore.

If you had an Oracle dossier before the shutdown, you still have one. It just lives in a product with a different name on a slide deck aimed at a different buyer.

Who's Knocking

Knock knock. Oh, I wonder who's there?

To nobody's surprise, it's Oracle, and there's something they had hoped you wouldn't look at.

Oracle publishes transparency reports. Slim little documents that disclose how many times law enforcement agencies requested data from the company. Most people have never read them. We did. And then we read all of them, going back five years.

In the earliest available report, Oracle received 22 law enforcement requests. In the most recent, that number was 164. That's a 645% increase in five years. Not a gradual uptick. Not a slow creep. A near-vertical line on a graph that Oracle never wanted anyone to draw.

The categories of requests are where it gets interesting. There's a line item called "Misc Investigation Assistance," which is exactly as vague as it sounds. It could mean almost anything. Technical consultation. Data pulls. System access. Who knows. Oracle doesn't define it. In the earliest report, there were 4 such requests. In the most recent, 136. That's a 3,300% increase in the vaguest, least accountable category of law enforcement engagement Oracle tracks.

The compliance rate sits at 73%. Nearly three out of every four requests get fulfilled.

And here's the geographic wrinkle that should raise every eyebrow in Brussels. EMEA, which includes the European Union and its supposedly ironclad GDPR protections, leads the pack with 75 requests. North America comes in at just 26. The continent with the strongest privacy laws on paper generates nearly three times the law enforcement data requests. Either European law enforcement has discovered something extraordinarily useful inside Oracle's systems, or GDPR's bark is considerably worse than its bite. Neither explanation is comforting. And as we'll see in Part 5, Oracle's own contracts give American government data fewer protections than British or European data. The company founded by the CIA treats US government information as the least protected tier.

Nobody is alleging that Oracle broke the law by complying with valid legal requests. That's not the point. The point is the trajectory. Twenty-two requests to 164. Four miscellaneous assists to 136. The surveillance machine that Oracle built to sell diaper ads is becoming something law enforcement finds increasingly indispensable, and the fastest-growing category of that use is the one with the least public accountability.

The five billion files weren't just for advertisers.

They never were.

What It Means For You

Let's make this personal.

If you live in the United States, you almost certainly have an Oracle dossier. If you have ever used a loyalty card at a major retailer, Oracle has your purchase history. If you have ever visited a website running BlueKai tracking pixels, Oracle has your browsing activity. If you have ever loaded a page with AddThis sharing buttons, Oracle fingerprinted your device and logged your behavior. If you own more than one internet-connected device, Crosswise probably linked them.

Five billion profiles. The world has eight billion people. Accounting for children, the unconnected, and statistical overlap, Oracle built a file on a meaningful percentage of every adult human being who has used the internet.

You didn't consent to this.

Nobody asked you. Nobody told you. There was no terms of service agreement to click through, no privacy policy to skim past. The entire system was designed to operate invisibly. Tracking pixels are invisible by design. Canvas fingerprinting happens without any user interaction. Purchase history matching occurs through hashed data exchanges between corporate partners. Device stitching relies on passive signal analysis. Every component of Oracle's surveillance machine was specifically engineered to function without the subject's knowledge.

The settlement didn't fix this.

$115 million and a promise to stop capturing referrer URLs. No data deletion. No requirement to notify the five billion people whose data Oracle collected. No requirement to offer opt-outs for existing profiles. The court called it "deliberate and purposeful surveillance of the general population." The punishment was 0.23% of annual revenue. The dossiers remain intact.

The "shutdown" didn't fix this either.

Oracle Data Cloud was rebranded, not dismantled. The profiles migrated to new products. The algorithms kept running. The enterprise clients kept buying. The same contract terms, with zero privacy provisions, govern how your data gets handled whether Oracle is selling it to a retailer or a government agency. Nothing changed except the name on the invoice.

And here's the part that should keep you up at night.

Everything we've discussed in this article, every tracking pixel, every loyalty card pipeline, every device stitcher, every invisible fingerprinting script, was the commercial side of Oracle's surveillance operation. The part designed to sell you baby products and car insurance and political ads. The part that existed to make money from advertisers.

There was another side.

Oracle's relationship with the United States government didn't end when they renamed the CIA's database. It deepened. It grew. It evolved into something far more significant than selling advertisements.

The same company that built profiles on five billion people for advertisers was simultaneously building something else for a very different customer. A customer that wasn't interested in selling you diapers.

A customer that was interested in you.

Five billion dossiers are worth nothing if nobody buys them.

The Pentagon was already calling. And what they were buying wasn't ad impressions.

That's next.

We'll see you all at the next drop, but until then always remember to Follow The Red Threads.

Sources

Every claim is sourced. Feel free to check our work.

Oracle Data Cloud & Five Billion Profiles

• Eric Roza on 5 billion profiles and 15 million data sources: Computerworld (2017)

• Oracle ID Graph architecture and data matching: AdExchanger

• Oracle Advertising (Datalogix) Wikipedia entry and shutdown timeline: Wikipedia

Datalogix & The Loyalty Card Pipeline

• Oracle acquires Datalogix (December 2014), $2 trillion in consumer spending: Wired

• Oracle Datalogix acquisition press release: Oracle

• Datalogix $1 trillion+ in consumer transactions, almost every US household: TechCrunch (2013)

• Facebook–Datalogix partnership (September 2012): Search Engine Watch

• EPIC FTC complaint over Facebook–Datalogix data matching: EPIC

• EPIC formal complaint to FTC (2012): EPIC Archive

BlueKai & The Invisible Pixel

• Oracle acquires BlueKai (February 2014, ~$400 million): Oracle

• BlueKai acquisition details and price: AdExchanger

• BlueKai Wikipedia entry: Wikipedia

• BlueKai tracking prevalence (~1.2% of all web traffic): WhoTracks.Me / Ghostery

BlueKai Data Exposure (2020)

• Unsecured BlueKai server exposing billions of records, reported by Anurag Sen: TechCrunch (Zach Whittaker, June 2020)

• Additional reporting on the BlueKai exposure: Forbes

AddThis & Canvas Fingerprinting

• ProPublica investigation on canvas fingerprinting (July 2014): ProPublica

• Oracle acquires AddThis (January 2016): Oracle

• GDPR full text: GDPR Info

Crosswise & Device Stitching

• Crosswise founded by Unit 8200 veterans, sold to Oracle for ~$50M (2016): Calcalist Tech

• Unit 8200 alumni and Israeli startup ecosystem: Forbes

PlaceIQ Location Data Partnership

• PlaceIQ integration with Oracle BlueKai Marketplace (July 2016): MediaPost

• Oracle PlaceIQ partnership and physical-digital tracking: Privacy International

Katz-Lacabe v. Oracle Settlement

• Class action complaint filed August 19, 2022, N.D. Cal.: ClassAction.org

• $115 million settlement (August 2024): Top Class Actions

• Federal Electronic Communications Privacy Act: Cornell Law

Law Enforcement Transparency Reports

• Oracle data requests and transparency reports: Oracle

OSINT Findings

• Confidential Oracle documents publicly indexed on docs.oracle.com: Original research (March 2026)

• Oracle robots.txt and contract directory analysis: Original research (March 2026)