Brave, the maker of a Chromium-based browser with a focus on privacy, claims advertising giant Google flouts Europe's data protection rules by effectively leaking netizens' web browsing activities to advertisers.
In an essay published on Wednesday, Brave's chief policy officer Johnny Ryan said Google’s Authorized Buyers real-time bidding (RTB) system – which is used by millions of websites to serve ads to visitors – "broadcasts personal data" about those visitors to thousands of ad-industry companies all day, every day.
Said data can be used to track netizens as they surf across the web, from site to site, in violation of the EU General Data Protection Regulation (GDPR), Ryan claimed.
Google states that when it shares marketing data it does so "without identifying you personally to advertisers or other third parties." Non-personal data shared in an RTB broadcast may include data about income, age and gender, habits, social media influence, ethnicity, sexual orientation, religion or political affiliation. That's how interest-based adverts are targeted at folks: when you land on a webpage that uses Google's RTB, a package vaguely describing you is emitted to advertisers, whose automated systems bid slivers of money in real time to show you an ad that is, hopefully, relevant to your life.
Google insists that partners abide by its policies, which ban the identification and profiling of internet users using this shared information.
But Ryan suggests self-regulation is insufficient. He notes Google's Authorized Buyers system, active over some 8.4m websites, appends a string of characters to Push Page URLs that third parties can use as an identifier. The string does not provide actual personal information like a name or address; rather it's a unique pseudonymous marker that, when combined with other Google cookies, can be used for tracking user activities across websites.
In the US, this isn't illegal, but it's an alleged violation of Europe's rules. Ryan provided this latest finding to supplement evidence submitted in a September 2018 complaint to the Irish Data Protection Commission (DPC). In May this year, the DPC opened an investigation into Google's GDPR compliance.
The mechanism by which Google is said to pass identifiers to partners, Ryan claims, is known as a hidden Push Page, which loads without being seen by the website visitors and initiates network requests to various programmatic ad services. Push Pages get served from a Google domain as HTML files named "cookie_push.html."
"Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about," Ryan explained in his post. "This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible."
Companies invited to access a Push Page, Ryan says, all receive the same identifier for the person profiled, allowing them to cross-reference their internal profiles and trade them for a broad view of a user's online activity.
Asked to comment, a Google spokesperson disputed Ryan's characterization of Push Pages. "A cookie_push is not an ID and not an identifier," a spokesperson said in an email to The Register. "It is a parameter for measuring end-to-end latency."
"We do not serve personalized ads or send bid requests to bidders without user consent," Google's spokesperson continued. "The Irish DPC – as Google's lead DPA – and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full."
The DPC did not immediately respond to a request for comment.
According to The Washington Post, more than half the State Attorneys General in the US are expected to announce an antitrust investigation into Google's business practices next week. ®