BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Alleged Global Google Privacy Leak: ‘GDPR Workaround’ Could Incur $5.4B Fine

Following
This article is more than 4 years old.

Startup browser maker Brave has filed new evidence with the Irish Data Protection Commission stating that Google has created a GDPR workaround that is sharing the personal data of billions of people to thousands of companies globally.

If upheld, this could cost Google $5.4 billion.

Under Europe’s GDPR privacy law, violations can result in fines of “up to €20 million, or 4% of the firm’s worldwide annual revenue.” Google had global revenue of $136 billion in 2018.

The alleged breach does not involve any hacking or vulnerability in Google’s systems, but rather is core to Google’s function as an ad network. Google denies any wrongdoing (see statement below). The issue in question involves data transferred to advertisers in high-speed real-time bidding for digital ads (RTB auctions).

And it is very widespread.

“Google’s ‘DoubleClick/Authorized Buyers’ ad system is active on 8.4+ million websites,” says Brave Chief Policy & Industry Relations Officer Johnny Ryan. “It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day.”

Zack Edwards, founder of digital analytics startup Victory Medium, who Brave hired to do much of the investigation and analysis that resulted in this evidence, had a very simple answer when I asked him how big the scope of this alleged breach is:

“It’s global.”

The mechanism in question is something called “Push Pages.”

When a person visits a website that has Google ads embedded on its pages, a milliseconds-long auction kicks off to determine which advertiser will get to display its ads. Knowing who is visiting the page is clearly important to advertisers, who will bid more for people are more likely to be interested in their products.

That means that advertisers participating in RTB auctions could get sexual, religious, political, and health data about audiences they are bidding on, plus information on location and activity on the web and other media.

In the past Google offered user IDs which helped advertisers to connect with audiences they wanted to reach. When GDPR took effect, Google banned exporting user IDs in an attempt to comply with GDPR regulations around privacy.

Brave’s allegation, however, is that Google introduced a new technology, “Push Pages,” that can essentially be used as a work-around for user IDs.

“Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about,” Ryan posted to the Brave blog. “This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.”

But the identifier for each site visitor is unique and persistent, Brave says.

That introduces the possibility that advertisers can go beyond grouped audiences of hundreds or thousands of people, and uniquely identify individuals. With enough data over time, advertisers could acquire enough insight about who they are and where they are to perhaps even resolve a real-world identity.

I asked Edwards if that was possible.

“Oh yes, most definitely,” he answered. “Some could do that.”

Potentially far worse, individual companies could pool their data, enabling quicker and more accurate identification of individuals.

“All companies that Google invites to access a Push Page receive the same identifier for the person being profiled,” Ryan write. “This ‘google_push’ identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.”

Edwards added that this is new technology that Google tested before GDPR but only unveiled after GDPR took effect.

Google denies any wrongdoing.

“We do not serve personalised ads or send bid requests to bidders without user consent,” a Google spokesperson told me via email. “The Irish DPC — as Google's lead DPA — and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full."

(Translation guide: Irish DPC refers to Irish Data Protection Commission; DPA refers to the Data Protection Authority which governs Google’s behavior in the EU since its European headquarters is in Dublin; UK ICO is the United Kingdom’s Information Commissioner’s Office.)

It’s also important to note that Brave is a competitor of Google in the browser as well as the ad space. Brave has recently launched privacy-safe ads for desktop as well as mobile which pay people for viewing ads.

Follow me on Twitter or LinkedInCheck out my website or some of my other work here