Brave accuses Google of sidestepping GDPR

A senior executive at private browser company Brave has accused Google of using a workaround that lets it identify users to ad networks. The system violates GDPR – the EU’s data protection regulation – he said.

Brave’s chief policy and industry relations officer Dr Johnny Ryan made the accusation against Google’s Authorized Buyers (formerly DoubleClick, the advertising network which incorporates 8.4 million websites) in a blog post last week.

Whenever you visit a member site, Authorized Buyers logs the visit and what page you were looking at. This information, aggregated from the sites that you visit, forms a detailed profile about you. Authorized Buyers also does something else whenever you hit one of its member sites: it puts you up for auction. It takes bids from advertisers interested in showing you ads based on your profile. It happens in microseconds, in a process called real-time bidding (RTB).

Ryan submitted a complaint about Authorized Buyers to the Irish DPA in September 2018, which prompted a formal investigation. He had three main concerns.

First, he said that what had started as a simple personalised advertising mechanism had morphed into a mass data collection system that collected more data than necessary and sent it on to numerous third parties.

Second, once that information was sent on, it was no longer secure or controllable.

Third, he worried that this data might include what GDPR calls ‘special category’ information. That’s data on sensitive subjects like sexual orientation, ethnicity, or political leanings.

A clever workaround?

GDPR calls for strict controls over the use and dissemination of personal data – especially special category data – and Google must comply with it because it deals with European residents, so how could it be doing this? In his blog post, Ryan accuses the search giant of using a clever workaround:

Analysis of the network log shows that the Data Subject’s personal data has been processed in Google’s Authorized Buyers RTB system. It further shows that Google has also facilitated the sharing of personal data about the Data Subject between other companies.

Push Pages therefore appear to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.

Ryan worked with third-party researcher Zach Edwards at web analytics company Victory Medium to analyse browsing sessions on a new machine that he hadn’t used before.

In an email interview, Edwards told Naked Security that Google has historically tracked its users with an identifier called google_user_id. Demand-side platforms (DSPs) – companies that manage multiple advertising purchases on behalf of advertisers – could use these identifiers to understand who users were and what they were doing.

The identifiers were what Edwards calls shared strings, and because they lacked consent, they didn’t comply with GDPR, he warned. Google announced a year ago that it was phasing these out for European users by the end of this year.

Edwards said:

I’m certain Google wanted to keep the google_user_id field, but it’s not GDPR compliant – they had to trash it. It’s a unique user identifier shared across multiple companies.

Edwards and Ryan discovered a new mechanism that they call push pages. These all come from the same Google web address, but they each append a pseudo-anonymous unique identifier to the address. These identifiers rotate every 14 days. Advertisers can still use them to identify users, according to Edwards, but Google only gives them to the auction winner and any DSPs that it synchronizes with to optimize future auctions. He explained that “slight limiting of the shared strings” and “putting it behind the scenes” is what makes this a GDPR workaround.

However, he argued that push pages still fall foul of GDPR:

Multiple DSPs are given that same string, which is what puts the entire cookie_push.html structure out of GDPR compliance.

DSPs match unique identifiers (cookies) with the information that they have about a website visitor using a mechanism called match tables. The idea is that a DSP should only be able to collaborate with Google on a match table so that only it and Google have data about a user. Google forbids DSPs from collaborating together on their match tables to find out more about website visitors.

However, Edwards said that the unique identifiers found in push pages break that rule:

Basically, Google has TOS that prevent companies from collaborating on match tables, but then Google turns around and gives them a shared string.

He accused Google of not auditing or controlling what happens to these push page identifiers after DSPs receive them. In at least one case, he claimed, a DSP was sharing the identifier with other companies.
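To make concrete why a single string handed to several DSPs defeats the match-table isolation described above, here is an added Python model (not code from Google, Brave or Victory Medium): each DSP keeps its own match table, and the model compares identifiers unique to one Google-DSP pair with one string shared across DSPs that rotates every 14 days. The visitor id, secret and site labels are constructed for the demonstration.

```python
import hashlib
from datetime import date

# Constructed sample: what each DSP observed about the same visitor in two separate
# auctions. The site labels stand in for the sensitive contexts the article mentions.
VISITOR = "visitor-123"                 # Google-side identity, never itself sent to a DSP
SECRET = b"constructed-demo-secret"     # constructed; stands in for the platform's own keying
OBSERVED = {"dsp_a": "health-forum", "dsp_b": "political-news"}


def pairwise_id(visitor: str, dsp: str) -> str:
    """Identifier unique to one (visitor, DSP) pair: only Google and that DSP can match on it."""
    return hashlib.sha256(SECRET + dsp.encode() + visitor.encode()).hexdigest()[:16]


def shared_id(visitor: str, day: date, rotation_days: int = 14) -> str:
    """One string given to every DSP in the auction; it changes only when the epoch rolls over."""
    epoch = day.toordinal() // rotation_days
    return hashlib.sha256(SECRET + str(epoch).encode() + visitor.encode()).hexdigest()[:16]


def build_match_tables(identify):
    """Each DSP's match table: identifier it was given -> what it learned about the visitor."""
    return {dsp: {identify(dsp): context} for dsp, context in OBSERVED.items()}


def collude(tables, dsp_a: str, dsp_b: str):
    """Records two DSPs can link if they join their match tables on equal identifiers."""
    common = tables[dsp_a].keys() & tables[dsp_b].keys()
    return {k: (tables[dsp_a][k], tables[dsp_b][k]) for k in common}


def linkage(day: date):
    """Cross-DSP linkable profiles under each identifier scheme on a given day."""
    pairwise = build_match_tables(lambda dsp: pairwise_id(VISITOR, dsp))
    shared = build_match_tables(lambda dsp: shared_id(VISITOR, day))
    return {
        "pairwise": collude(pairwise, "dsp_a", "dsp_b"),   # nothing joins: keys differ per DSP
        "shared": collude(shared, "dsp_a", "dsp_b"),       # both contexts join on the shared key
    }


if __name__ == "__main__":
    result = linkage(date(2019, 9, 9))
    print("pairwise ids, cross-DSP linkable profiles:", result["pairwise"])
    print("shared id,    cross-DSP linkable profiles:", result["shared"])
```

Rotation only bounds how long one key stays valid; within a window every DSP holding the string can still join on it.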

Ryan’s isn’t an isolated complaint. Jim Killock, executive director of the Open Rights Group, and Michael Veale, a professor at University College London, submitted duplicate complaints to the UK Information Commissioner’s Office (ICO) in September 2019. That resulted in a report from the ICO, published in June 2019, which it passed to the adtech industry for comment. It said:

Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.

It added that adtech companies are processing data for these auctions unlawfully, and that they aren’t being clear enough with people about the privacy implications. It said that it wants changes, and will review things at the end of the year.

Concern over Authorized Buyers’ practices is mounting. Activists have also filed duplicate or similar complaints in Belgium, Luxembourg, the Netherlands, Poland, and Spain.

A Google spokesperson told us:

We have strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories such as race, sexual orientation, health conditions, pregnancy status, etc. If we found ads on any of our platforms that were violating our policies and attempting to use sensitive interest categories to target ads to users, we would take immediate action.