Irish data cops are shoving a probe right into Google's ads

Doubleclick complaint alleges Chocolate Factory's data handling breaches GDPR

Updated

Ireland's Data Protection Commission has launched a formal investigation into adtech giant Google over alleged breaches of the EU's General Data Protection Regulation (GDPR), potentially costing the company £1.12bn.

"A statutory inquiry pursuant to section 110 of the Data Protection Act 2018 has been commenced in respect of Google Ireland Limited's processing of personal data in the context of its online Ad Exchange," said the commission in a statement.

The investigation was triggered by a complaint from Dr Johnny Ryan, chief policy officer at Brave Software, makers of the privacy-focused browser.* It centres on Google Doubleclick, which Ryan said is running on 8.4 million websites around the world – and, he alleged, leaks personal data subject to the GDPR every single day.

Doubtless the Irish investigation will be welcomed by supporters of the EU regulations as a pleasant 1st birthday present for the new bloc-wide law. GDPR allows for fines based on turnover, rather than profit, to be imposed, and in this case could lead to Google being stung for a maximum of £1.12bn (€1.28bn), based on its full-year results of €32bn last year.

Ryan told The Register: "I think the fact that the Irish Data Protection Commission has now acted puts the position of the UK Information Commissioner in focus. I and my co-complainants, Michael Veale of University College London, and Jim Killock of Open Rights Group, are eager to hear from the ICO about its investigation into real-time bidding."

The ICO, whose job it is to consider the identical UK complaints, had not responded to The Register's request for comment on the Irish investigation at the time of writing.

Ryan's complaint alleges that personal data leaks from Doubleclick, Google's advert booking and display product, by design through its "bid request" system when it decides which ad to display on a page running the software.

The data being broadcast, Ryan said, includes what URL you're browsing at the time; unique device identifiers, including user-agent strings; screen size and ratio; language settings; and what mobile network you're on. It also checks out your unique Google ID; cookies, a long-running obsession of the EU's; your interests, inferred from what you're browsing; and your location, including latitude, longitude and postcode.

Google has yet to reply to The Register's request for comment.

Ryan has put a selection of his evidence online here. He also testified to the US Senate about online advertising yesterday, and that can be watched on Google-owned website YouTube here. Don't forget to clear your history before clicking. ®


* There is some irony in Brave being built on Chromium, the browser engine built and maintained by – who else? – Google. Ryan told us that Brave had "certainly not" seen any pushback from Googlers involved in the Chromium project.

Updated to add

An ICO spokesperson told The Register: "The data protection implications of adtech are of interest to the ICO. We are currently concentrating on the ecosystem of programmatic advertising and real-time bidding (RTB). This aligns with our Technology Strategy, where both online tracking and artificial intelligence are highlighted as priority areas.

"We have been engaging with representatives of the adtech industry and recently hosted an event to discuss the data protection implications of current and future industry practices."
