Brave browser accuses Google of using hidden web pages to track users
Google stands accused of using hidden web pages to circumvent EU privacy regulations, secretly sending users' personal data to advertisers.
The accusation comes from the privacy-focused Brave web browser which says it has, "uncovered what appears to be a GDPR workaround that circumvents Google's own publicly stated GDPR data safeguards". Evidence has been handed to the Irish Data Protection Commission that allegedly shows Google using hidden web pages to share data on its Authorized Buyers exhange, formally known as DoubleClick.
- Google's bug bounty program now covers any big Android app
- Google security researcher warns that hackers are using malicious websites to exploit iOS flaws and monitor iPhone users
- Google Calendar spam is a thing; here's how to protect yourself
Chief policy and industry relations officer at Brave, Dr Johnny Ryan, says that concrete evidence off underhand activity by Google has been unearthed. Dr Ryan has been able to track the flow of his own personal data, but there is concern about the number of people that could be affected because of the prevalence of Google's advertising system.
Google's "DoubleClick/Authorized Buyers" ad system is active on 8.4+ million websites. It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day.
The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.
Dr Ryan found that Google attached an identifying tracker to his data. This was "fed to third-party companies that logged on to a hidden web page". The tracker was linked to his browsing activity, and would enable users of the Authorized Buyers ad exchange to deliver targeted ads. Over the course of just an hour, Dr Ryan was able to find six pages sending his identifier to at least eight advertising companies.
Reporting on the findings, the Financial Times explains:
Mr Ryan's experiment was reproduced by adtech analyst Zach Edwards, who runs technical consulting firm Victory Medium, after being commissioned by Brave. He recruited hundreds of people to test Google's behaviours over a month. They found that the identifier was indeed unique and was shared between multiple advertising companies to enhance their targeting abilities.
Currently, Google's own rules prohibit ad buyers from matching disparate profiles on the same user. On September 5, 2018, Google announced that it would no longer share encrypted cookie IDs in bid requests with buyers in its Authorized Buyers marketplace, "as part of our ongoing commitment to user privacy". Mr Ryan's analysis also found that Google continued to share these with ad firms.
Google has denied any wrong-doing, saying: "We do not serve personalised ads or send bid requests to bidders without user consent". The company also says that it is cooperating with the Irish Data Protection Commission's investigation.