Google is covertly using unseen web pages that feed the personal data of its users to advertisers, sabotaging its own policies and by-passing EU privacy regulations that require approval and transparency, according to one of its smaller competitors. The Irish data regulator, which supervises Google’s European business, has submitted new evidence to an investigation, blamed the US tech company of misusing personal data without adequate control or concern over data protection. The regulator is examining whether Google uses sensitive data, such as the health, race and political leanings of its users, to aim ads.
In his confirmation, Johnny Ryan, chief policy officer of the niche web browser Brave, told that he had found the secret web pages as he tried to observe how his data were being exchanged on Google’s advertising exchange, the business previously recognized as DoubleClick. The exchange, now called Authorized Buyers, is the world’s largest real-time advertising sale house, selling display area at websites across the internet. Mr Ryan found that Google had categorized him with an identifying tracker that it fed to third-party companies that logged on to a concealed web page. The page displayed no content but had an exclusive address that connected it to Mr Ryan’s surfing activity. Incorporating the tracker from Google, which is based on the user’s time of browsing and location, companies could match up their profiles of Mr Ryan and his web-browsing activity with profiles from other companies, to target him with advertisements.
After a single hour of watching websites on Google’s Chrome browser, Mr Ryan found six separate pages pushing out his identifier. The identifier had the phrase “google_push” and was directed to minimum eight ad-tech companies. “This practice is concealed in dual ways: the most straightforward way is that Google makes a page that the user never sees, it is blank with no content, but permits . . . third parties to spy on the user and the user is none the wiser. According to Ryan, he had no idea this was happening even if he consulted his browser log.
A spokesman for Google said the company had not seen the specifics of the information submitted by Mr Ryan to the supervisory body and that it was collaborating with investigations in Ireland and the UK into its advertising business. The representative added that the company does not give personalized ads or send bid requests to buyers without user approval. According to marketing executives, Google could achieve a noteworthy competitive benefit over other companies that run advertising auctions by providing likely buyers with such a granular level of targeting. Mr Ryan’s experiment was replicated by ad-tech analyst Zach Edwards, who operates technical consulting firm Victory Medium, after being hired by Brave. He employed hundreds of people to test Google’s patterns over a month. They found that the identifier was undoubtedly exceptional and was shared between multiple advertising companies to improve their targeting abilities.
Currently, Google’s own rules forbid ad buyers from matching different profiles on the same user. On September 5 2018, Google announced that it would no longer share encrypted cookie IDs in bid requests with purchasers in its Authorized Buyers marketplace, as a part of their continuing pledge to user privacy. [Ed note: lols]
Mr Ryan’s analysis also discovered that Google continued to share these with ad firms. Ioannis Kouvakis, a legal officer at Privacy International, said Google had a leading position in online advertising and that it should let users know what information the tracking identifier is gathering. He added that Google needs to lead by example.