Just recently, Google has been accused of leaking the private information of its users to advertisers across the globe. This is a direct violation of Europe’s privacy laws regarding data control and transparency. The privacy laws strictly forbid search engines and websites from using the personal information of the users without their prior knowledge and consent.
This news was broke was by Brave, which is a Chromium-based browser. Brave is an open-source web browser that blocks any type of website trackers and advertisements. Brave is a rival of Google Chrome and has mentioned that they have proof of Google leaking the personal information of users to advertisers and being in direct conflict with the EU’s privacy laws.
Chief policy and industry relations officers of Brave, Johnny Ryan has also submitted his findings regarding Google’s breach of data to the Irish Data Protection Commission (DPC). Irish DPC is the lead regulator of Google in Europe.
Ryan first filed a complaint in 2018 against the RTB system of Google. He argued that both the ad companies and Google leak the personal information of users while making the RTB bid requests on websites, which use behavioral advertising of Google. Behavioral advertising in its essence is all about targeting customers on the basis of their past behavior, which means users’ activities are monitored.
In contrast to contextual advertising, this form of advertising uses cookies and similar ways to track the behavior of users across different websites. As the ad system of Google is being used on 8.4 million websites worldwide, it would not be an exaggeration to say that private data of users is actually being broadcasted by Google to its ad tech partners (which number in hundreds at the least), according to the estimations of Ryan.
Back in May, the investigation was opened by DPC into Google’s Authorized Buyers real-time bidding (RTB) ad exchange. RTB is responsible for connecting ad buyers with websites spanned over millions in numbers to sell their products. Ryan said,
“One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”
These concerns were raised by Ryan because of the Google’s ‘Push Page’ or ‘google_push’ that identifies/characterizes the user. This is Google’s way of breaking the GDPR limitations without being too obvious. RTB bidders are exposed to the user identifier as well as the ‘google_gid’, which is another identifier.
Ryan explained ‘google_push’ further by starting that this identifier enables advertisers to cross-reference the profiles of users amongst themselves. The advertisers are even free to share data and trade within themselves.
Ryan did not make these claims on a hunch, rather he also did a little experiment of his own to see how Google shares data. He installed Google Chrome, did not log into any account and had no browsing history. After that, he started analyzing the logs of network traffic on his PC.
In merely an hour, Ryan witnessed that the ‘google_gid’ of his browser was had already been used 318 times. It was used by 10 companies, which had won the RTB auction. Once these companies get ‘google_gid’, they can easily check if the user has already been profiled or not.
The key information to take from here is that once the information is shared by Google with its ad bidders, there are no laws or policies that refrain the advertising companies from using the data. A single RTB request results in private information of users being shared by hundreds of ad companies. Google’s own privacy policies work only until the data is with them, once it is broadcasted – every company can use it according to their policies.
The Information Commissioners office of the UK released a report about their findings about the RTB system of Google in June this year. The report echoed with the findings of Ryan as the ICO said, “adtech industry appears immature in its understanding of data-protection requirements”.