Brave uncovers Google’s GDPR workaround
Brave presents new RTB evidence, and has uncovered a mechanism by which Google appears to be circumventing its purported GDPR privacy protections.
Google’s DoubleClick/Authorized Buyers ad business is already under investigation by the Irish Data Protection Commission (DPC) for suspected infringement of the GDPR, as a result of a formal complaint by Brave’s Chief Policy & Industry Relations Officer, Dr Johnny Ryan.
The Irish DPC is Google’s primary GDPR regulator. New evidence gathered by Brave gives the Irish DPC concrete proof that Google’s ad system did broadcast personal data about Dr Ryan, which infringed the GDPR. In addition, Brave has uncovered what appears to be a GDPR workaround that circumvents Google’s own publicly stated GDPR data safeguards.
“Google’s “DoubleClick/Authorized Buyers” ad system is active on 8.4+ million websites. It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day”, said Dr Johnny Ryan of Brave.
“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”
Google’s GDPR workaround
The new evidence reveals a surreptitious mechanism that raises additional data protection concerns about Google’s “DoubleClick/Authorized Buyers” advertising system. This system is active on 8.4 million websites.
Google claims to prevent the many companies that use its real-time bidding (RTB) ad system, and that receive sensitive data about website visitors, from combining their profiles about those visitors. It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.
But in fact, Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.
Brave commissioned Zach Edwards to analyze a log of Dr Ryan’s web browsing. The analysis confirmed that Dr Ryan’s personal data was broadcast, confirming the fears laid out in his complaint to the DPC in September 2018. The analysis also revealed a mechanism, “Push Pages”, through which Google invites multiple companies to share profile identifiers about a person when they load a web page.
Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.
All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.
The Push Pages are not shown to the person visiting a web page, and will display no content if accessed directly. You can download a sample Push Page here.
The evidence includes a network log of all items (including web pages and their component parts, files, etc.) that Dr Ryan’s device was instructed to load by the web sites that he visited. Analysis of the network log shows that the Data Subject’s personal data has been processed in Google’s Authorized Buyers RTB system. It further shows that Google has also facilitated the sharing of personal data about the Data Subject between other companies.
Push Pages therefore appear to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.
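The kind of network-log check described above can be sketched as follows. This is an added example, not Brave's or Zach Edwards' analysis code: it assumes the log is in HAR format and that recipients see the identifier as a `google_push` query parameter, and the sample entries and `.example` hosts are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PUSH_HOST = "pagead2.googlesyndication.com"  # domain named in the article
PUSH_FILE = "cookie_push.html"               # file name named in the article

def audit_push_pages(har):
    """Return (push_page_loads, shared_ids) for a HAR-format network log."""
    push_loads = []               # (page that triggered the load, length of trailing code)
    receivers = defaultdict(set)  # google_push value -> hosts that received it
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        host = url.hostname or ""
        if host == PUSH_HOST and url.path.endswith("/" + PUSH_FILE):
            # The article says a long code is appended at the end of the URL;
            # accept it as either a query string or a fragment.
            code = url.query or url.fragment
            push_loads.append((entry.get("pageref", "?"), len(code)))
            continue
        # Assumption: the identifier travels as a google_push query parameter.
        for value in parse_qs(url.query).get("google_push", []):
            receivers[value].add(host)
    # An identifier seen by two or more hosts lets those hosts cross-reference profiles.
    shared = {v: sorted(h) for v, h in receivers.items() if len(h) > 1}
    return push_loads, shared

# Constructed sample log: one Push Page load, three hosts handed the same
# identifier, one host handed a different one, and one unrelated request.
SAMPLE_HAR = {"log": {"entries": [
    {"pageref": "news.example",
     "request": {"url": f"https://{PUSH_HOST}/{PUSH_FILE}?" + "A" * 1900}},
    {"pageref": "news.example",
     "request": {"url": "https://sync.vendor-a.example/m?google_push=ID_CONSTRUCTED_1"}},
    {"pageref": "news.example",
     "request": {"url": "https://sync.vendor-b.example/m?google_push=ID_CONSTRUCTED_1&x=1"}},
    {"pageref": "news.example",
     "request": {"url": "https://px.vendor-c.example/p?google_push=ID_CONSTRUCTED_1"}},
    {"pageref": "blog.example",
     "request": {"url": "https://sync.vendor-a.example/m?google_push=ID_CONSTRUCTED_2"}},
    {"pageref": "blog.example",
     "request": {"url": "https://static.blog.example/style.css"}},
]}}

if __name__ == "__main__":
    loads, shared = audit_push_pages(SAMPLE_HAR)
    print("Push Page loads:", loads)
    for ident, hosts in shared.items():
        print(f"{ident} received by {len(hosts)} hosts: {', '.join(hosts)}")
```

To run it against a real capture, export a HAR file from the browser's developer tools and pass the parsed JSON to `audit_push_pages`.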
“Real-time bidding in its current form is toxic. The speed and scale of the broadcast is incapable of complying with the GDPR’s security principle”, said Ravi Naik, a data rights solicitor who is acting for Dr Ryan and Brave.
“Now our client finds seemingly clandestine profile matching by Google. Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection. Unfortunately, the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices.”
Brave’s evidence shows that Google’s Push Page mechanism undermines Google’s purported data protection measures. Push Pages are also vulnerable to abuse by other parties. We are aware that companies other than Google have used the Push Page mechanism to establish their own Push Pages to share data with their own business partners. This appears to happen without Google’s knowledge. The loss of control over personal data in Google’s RTB system is again evident, and it is clear that Google’s policies have provided no protection.
Brave’s 12-month campaign to put the RTB data breach on the agenda
12 months ago, in September 2018, Brave revealed a massive and ongoing data breach in which Google’s and others’ RTB ad systems leak the online habits of billions of Internet users. Now, Brave’s work to reform the multi-billion-dollar RTB industry spans sixteen EU countries, in collaboration with privacy NGOs, academics and others. The primary targets of this campaign are Google and the IAB, which control the RTB system.
Brave’s submissions and expert evidence to regulators have triggered a statutory investigation into suspected infringement of the GDPR by Google’s RTB ad system by the Irish Data Protection Commission, and a report and warning from the UK Information Commissioner.
“Twelve months ago, I first complained to the Irish Data Protection Commission about this”, said Dr Ryan of Brave. “I hope that the DPC will accelerate its work to stop this enormous and ongoing data breach”.
Every time a person visits a website that uses RTB, data about them is broadcast to tens or hundreds of tracking companies, who let advertisers compete for the opportunity to show them an ad. The data can include the category of what they are reading – which can reveal their sexual orientation, political views, their religion, and health conditions including AIDS, STDs, and depression. It includes what the person is reading, watching, and listening to. It includes their location. And it includes unique, pseudonymous ID codes that are specific to that person, so that all of this data can be tied to them, continually, over time.
This allows companies that the average Internet user has never heard of to build and trade intimate profiles about them and what makes them tick. This happens hundreds of billions of times a day.
Google has no control over what happens to these data once broadcast. Its policy requires only that the thousands of companies that Google shares people’s sensitive data with monitor their own compliance, and judge for themselves what they should do.
- Google DoubleClick/Authorized Buyers is installed on 8.4+ million websites.
- It broadcasts personal data about visitors to these sites to 2,000+ companies, hundreds of billions of times a day.
- The data can include people’s locations, inferred religious, sexual, political characteristics, and what they are reading, watching, and listening to online.
- There is no control over what happens to the data once broadcast.
- This appears to be by far the largest leakage of personal data ever recorded.
- Google’s sole means of protecting RTB data once broadcast is a weak policy that asks the thousands of companies it shares data with to self-regulate.
- The campaign for GDPR action to fix the Google and IAB real-time bidding system now includes Brave, the Open Rights Group, Dr Michael Veale of the Turing Institute, the Panoptykon Foundation, Bits of Freedom, Eticas Foundation, Exigo, Dr Jef Ausloos of the University of Amsterdam, Pierre Dewitte of the University of Leuven, Liberties.eu, the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Estonian Human Rights Centre, and the Peace Institute.
What the GDPR says
- Article 5, paragraph 1, point f, of the GDPR requires that personal data be tightly controlled:
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
- Article 5, paragraph 1, point a and point b of the GDPR require that individuals be adequately informed about what will happen to their data:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);”
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
- The Irish Data Protection Commission is now investigating Google’s “suspected infringement” of the GDPR under Section 110 of the Irish Data Protection Act.
- Google may be forced to stop processing all personal data for its DoubleClick/Authorized Buyers ad business, and may be fined up to 4% of global turnover.
Thanks to Zach Edwards of MetaX, and to Luke Mulks and Jimmy Secretan at Brave. Special thanks to our colleagues in the campaign to reform RTB: the Open Rights Group, Dr Michael Veale of the Turing Institute, the Panoptykon Foundation, Bits of Freedom, Eticas Foundation, Exigo, Dr Jef Ausloos of the University of Amsterdam, Pierre Dewitte of the University of Leuven, Liberties.eu, the Society for Civil Rights, Digitale courage, Digitale Gesellschaft, Netzwerk Datenschutzexpertise, Deutsche Vereinigung für Datenschutz, the Italian Coalition for Civil Rights and Freedoms, the Bulgarian Helsinki Committee, the Association for the Defense of Human Rights in Romania, the Estonian Human Rights Centre, and the Peace Institute.
 Google claims to prohibit companies from “joining their match tables” in “Cookie matching”, Authorized Buyers, 25 June 2019 (URL: https://developers.google.com/authorized-buyers/rtb/cookie-guide).
 Google announced that it had “removed encrypted cookie IDs” from RTB bid requests, in “Important changes to data transfer”, Google, last updated 5 September 2018 (URL: https://support.google.com/dcm/answer/9006418?hl=en).
 See for example Google codes 113 “Lesbian, Gay, Bisexual & Transgender”, 1301 “Same-Sex Marriage” in https://developers.google.com/authorized-buyers/rtb/downloads/publisher-verticals. As referred to in Google’s Authorized Buyers RTB protocol https://developers.google.com/authorized-buyers/rtb/realtime-bidding-guide.
 See for example Google codes 409 Right-Wing Politics, 410 Left-Wing Politics, in ibid.
 See for example Google codes 550 “Jewish Culture”, 1124 “Jewish Holidays”, 864 “Christianity”, 1275 “Islamic Holidays” and 868 “Islam”, in ibid.
 Google code 625 “AIDS & HIV”, in ibid.
 Google code 421 “Sexually Transmitted Diseases”, in ibid.
 Google code 640 “Depression”, in ibid.
 Recital 30 of the GDPR makes clear that “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
 Google asks that companies it sends data to “will regularly monitor your compliance with this obligation and immediately notify Google in writing if Buyer can no longer meet (or if there is a significant risk that Buyer can no longer meet) this obligation, and in such cases Buyer [data recipient] will either cease processing Personal Information or immediately take other reasonable and appropriate steps to remedy the failure to provide an adequate level of protection.” Authorized Buyers Program Guidelines, Google, last updated on 22 August 2018. (https://www.google.com/doubleclick/adxbuyer/guidelines.html).
 “Ad Exchange Certified External Vendors”, Google Authorized Buyers (URL: https://developers.google.com/third-party-ads/adx-vendors), last updated 18 April 2019, and “Number of bid requests per day”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://brave.com/wp-content/uploads/2019/07/Scale-billions-of-bid-requests-per-day-RAN2019061811075588.pdf).
 See “Ryan report on behavioral advertising and personal data” (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf) and “Examples of data in a bid request from IAB OpenRTB and Google Authorized Buyers’ specification documents” (URL: http://fixad.tech/wp-content/uploads/2019/02/3-bid-request-examples.pdf); and “Google’s publisher verticals list” (URL: https://brave.com/wp-content/uploads/update-rtb-ad-auction-gdpr/Google-publisher-verticals-marked-up.pdf), evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 and 20 February 2019.
 “Ryan report on behavioral advertising and personal data”, evidence submitted to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 12 September 2018 (URL: https://brave.com/wp-content/uploads/Behavioural-advertising-and-personal-data.pdf); see also “pubvendors.json v1.0”, an IAB document presented in evidence to the Irish Data Protection Commission, and UK Information Commissioner’s Office, 20 February 2019 (URL: https://brave.com/wp-content/uploads/2019/02/2-pubvendors.json-v1.0.pdf).
 Authorized Buyers Program Guidelines, Google, last updated on 22 August 2018.