Irish Internet browser Brave has claimed that they have offered new information to the Data Protection Commission (DPC) in Ireland which proves that Google has been trying to bypass General Data Protection Regulation (GDPR) legislation.
Brave claims that Google has implemented this workaround to share the data of Google users with a network of advertising and marketing companies.
Johnny Ryan, chief policy and industry relations officer at anti-ad-tracking browser Brave, says that he has identified a tactic called ‘Push Pages’ being used by Google. Ryan published a blog post on the Brave blog which states: “each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”
Using this tactic, advertisers can uniquely identify individuals instead of targeting grouped audiences of hundreds or thousands of people. The amount of information obtained by the advertisers is so precise that, Brave argues, advertisers could eventually have the power to identify an individual offline.
Brave filed a complaint in Ireland and the UK earlier in 2019 concerning privacy breaches by Google and other Internet advertising agencies. The first complaint, which is still under review, claimed advertising bid requests included access to user viewing history, location information, IP address, device details, and many other types of tracking IDs.
Brave alleges that Google have not prevented real-time bidding ad (RTB) system users from linking up with the profiles of the sensitive data of website visitors, despite Google claiming this does not take place.
Furthermore, Brave claims that Google has not brought an end to the practice of sharing pseudonymous identifiers. Instead, they claim Google has allowed may other parties to match with Google identifiers. It stated: “The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other”.
Zach Edwards, a technology expert, assisted Brave’s investigation into Google’s activities. Using Ryan’s web-browsing log, Edwards confirmed that Ryan’s personal data was shared via ‘Push Pages’, through which Google allows multiple companies to share profile identifiers about a person when they access a web page.
Ryan’s blog post said: “Google’s ‘DoubleClick/Authorized Buyers’ ad system is active on 8.4-plus million websites. It broadcasts personal data about visitors to these sites to 2,000-plus companies, hundreds of billions of times a day. The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection. All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This ‘google_push’ identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.”
In response to Brave’s reporting, a Google representative stated: “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC, Google’s lead DPA and the UK ICO are already looking into real-time bidding to assess its compliance with GDPR. We welcome that work and are co-operating in full.”
Violations of GDPR carry the risk of hefty fines, either 4% of annual turnover or €20m (whichever is higher). Google’s annual revenue last year was $136.22bn (£111.09bn), with 4% equating to $5.45bn.
