Google accused of leaking personal data to thousands of advertisers

Browser maker Brave says Google is using a secret workaround to bypass EU data-protection laws and serve targeted ads.
Written by Liam Tung, Contributing Writer

Brave, the maker of a Chromium-based browser rival to Google Chrome, says it has new proof that Google is leaking personal information to advertisers and violating Europe's privacy laws around data control and transparency. 

Johnny Ryan, Brave's chief policy and industry relations officer, has submitted his findings to the Irish Data Protection Commission, Google's lead regulator in Europe. 

SEE: IT pro's guide to GDPR compliance (free PDF)

In May the DPC opened an investigation into Google's Authorized Buyers real-time bidding (RTB) ad exchange that connects ad buyers with millions of websites selling their inventory.  

Ryan filed a GDPR complaint in Ireland over Google's RTB system in 2018, arguing that Google and ad companies expose personal data during RTB bid requests on sites that use Google's behavioral advertising. 

As opposed to contextual advertising, higher-value behavioral advertising relies on tracking the behavior of a device across websites using cookies and other means. 

Google's Authorized Buyers ad system is used on 8.4 million websites, and Ryan estimates that Google is "broadcasting" personal data to hundreds of Google's ad tech partners that bid for users in Google's RTB system. 

"One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection," said Ryan. 

Ryan's latest claim centers on Google's so-called 'Push Page' or 'google_push', which he characterizes as a user identifier and a workaround to GDPR restrictions. It was made available to RTB bidders in addition to an existing identifier called 'google_gid'. 

He contends the Push Page allows multiple advertisers to share user profile identities when a person loads a web page. 

Each Push Page is made unique by adding an identifier to the end of a common URL and combined with Google cookies 'to allow companies to pseudonymously identify the person, according to Ryan. 

"All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This 'google_push' identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other," writes Ryan. 

To test what data Google is sharing with advertisers, Ryan used a clean install of Chrome, which had no logins, cookies or browsing history, and then analyzed network traffic logs on his computer. 

Within one hour of surfing the web, the 'google_gid' of Ryan's browser was used 318 times in network traffic from 10 companies that won an RTB auction. The companies can then use a cooking-matching process to check if the user is someone they've previously profiled and then update the user's profile. 

However, Ryan notes it's likely Google also shared the identifier with hundreds of companies it lists as EU ad tech partners.

"Like the 'google_gid' identifier, the 'google_push' identifier was previously given to these companies by Google to identify the Data Subject," writes Ryan. 

"However, there is an important difference between the two identifiers. The 'google_gid' identifier is specific to each company that receives it. This means that these companies are less likely to be able to cross-reference what they learn about the Data Subject from Google with each other. The 'google_push' identifier, however, is common to multiple companies who receive it."

In a statement to ZDNet a Google spokesperson said the company does not serve targeted ads without user consent. 

"We do not serve personalized ads or send bid requests to bidders without user consent. The Irish DPC – as Google's lead DPA – and the UK ICO are already looking into real-time bidding to assess its compliance with GDPR. We welcome that work and are co-operating in full," the spokesperson said. 

SEE MORE: You can't ignore GDPR in customer service

Nonetheless, UK's Information Commissioners Office, in a June report on its review of the RTB ecosystem, which also looked at Google's Authorized Buyers, shared some of Ryan's concerns about the RTB data supply chain. 

Overall, the ICO found that the "adtech industry appears immature in its understanding of data-protection requirements". 

It also noted a single RTB request can result in personal data being processed by hundreds of organizations, each with their own privacy policies.  

"Multiple parties receive information about a user, but only one will 'win' the auction to serve that user an advert. There are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc," the ICO wrote. 

"In essence, once data is out of the hands of one party, essentially that party has no way to guarantee that the data will remain subject to appropriate protection and controls." 

More on Google and privacy issues

  • Google antitrust: Are over 30 states about to join big probe into how Google behaves?
  • Google and YouTube part with $170 million to settle alleged violations of kids' privacy
  • Are Amazon, Google about to feel full force of US antitrust scrutiny?
  • Google hit with €1.49 billion antitrust fine by Europe over online advertising  
  • Android antitrust: Google hit with giant €4.34 billion fine by Europe
  • Google intends to appeal €50 million European GDPR fine
  • GDPR: Google hit with €50 million fine by French data protection watchdog
  • Android shake-up: Google agrees to promote rivals to its Chrome and search
  • Google files appeal of $5 billion EU fine
  • GDPR fines levied so far: The lessons businesses can learn TechRepublic
  • Editorial standards