Hidden web pages, a possible violation of several EU privacy regulations, a sneaky GDPR bypass.
Google, one of the world’s biggest tech giants, is in serious trouble right now. Or, should we say – once again.
In January of this year, the company was fined $57 million by France’s data regulator for breaching the European Union’s online privacy rules. The French regulator stated that the world’s biggest search engine lacked transparency and clarity when it came to informing users about the handling of their personal data, and that it failed to properly obtain their consent for personalised ads.
Then, just a few days ago, YouTube – which is owned by Google – also got in trouble, as the Federal Trade Commission (FTC) discovered that it had violated the Children’s Online Privacy Protection Act (COPPA).
It turns out that Google’s video service had collected personal data on children without their parents’ consent. The FTC reported that Google used ad tracking data on videos, collected from children under the age of 13 without parental consent, and used them to push more targeted ads to those age groups.
Due to this latest violation, Google has to pay $170 million. And now the US tech giant is all over the headlines once more: this time for secretly using hidden web pages to track and feed its users’ personal data to advertisers.
The issue started to come to light a few months ago when Ireland’s Data Protection Commission, one of the lead authorities over Google in the European Union, launched an investigation into Google’s collection of personal data for online advertising.
Ryan, chief policy and industry relations officer at Brave, a privacy-focused browser maker, initially filed a complaint saying that Google violated GDPR by broadcasting personal information to companies bidding to show targeted ads.
The investigation had to determine two main things: whether the search giant’s ad practices comply with the EU’s new GDPR Regulations, and if Google really used specific information such as the race, health and even political leanings of its users, to target its ads.
Now new evidence has been submitted in the case and Google is being accused of sending its users’ personal data to advertisers without permission and “exploiting it without sufficient control or concern over data protection”.
To put it in numbers, new evidence revealed that Google is allowing ad-tech companies to compile and share personal information from users on over 8.4 million websites. According to the Financial Times, Ryan tracked his personal data and found it was being traded on Google’s advertising exchange platform called Authorized Buyers, previously known as DoubleClick.
Ryan discovered that Google used an identifying tracker containing web browsing information, location and other data, which was sent to ad companies via webpages that “showed no content”.
He also explained, “the evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”
In response, Google claims that it doesn’t “serve personalised ads or send bid requests to bidders without user consent. The Irish DPC – as Google’s lead DPA – and the UK ICO are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”
However, Ryan says that Google allowed advertisers to combine information about him through hidden “push” pages, which are not visible to web users and could make it easier for advertisers to identify people online.
He further explained that “This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it’s blank, has no content, but allows third parties to snoop on the user and the user is none the wiser. I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”
To be more specific, Google’s push pages are served from a company’s domain and all have the same name: “cookie_push.html”. Each page has a unique code of almost 2,000 characters, which Google adds at the end, making it possible to uniquely identify the person that Google is sharing information about. Combined with other cookies supplied by Google, this allows companies to pseudonymously identify the person, which otherwise would not be possible at all.
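A way to check a browser network capture for the pattern described above, as an added example that is not from the article or from Brave's complaint: it scans a HAR export for requests whose final path segment is cookie_push.html and measures the code appended to each. The host names, the 1,000-character threshold and the assumption that the code travels in the query string are illustrative, and the sample capture is constructed.

```python
from urllib.parse import urlsplit

PUSH_PAGE_NAME = "cookie_push.html"  # page name reported in the article
MIN_CODE_LENGTH = 1000  # assumed threshold, well under "almost 2,000 characters"


def find_push_pages(har):
    """Return one finding per request whose final path segment is the push page."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        parts = urlsplit(url)
        if parts.path.rsplit("/", 1)[-1].lower() != PUSH_PAGE_NAME:
            continue  # also skips URLs that only mention the name in a parameter
        code = parts.query  # assumption: the appended code is the query string
        findings.append({
            "host": parts.hostname,
            "code_length": len(code),
            "long_code": len(code) >= MIN_CODE_LENGTH,
        })
    return findings


def hosts_receiving_long_codes(findings):
    """Distinct hosts that were sent a code long enough to act as an identifier."""
    return sorted({f["host"] for f in findings if f["long_code"]})


# Constructed sample (not real traffic): a minimal HAR-shaped document.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://news.example/index.html"}},
    {"request": {"url": "https://adtech-a.example/cookie_push.html?" + "A" * 1900}},
    {"request": {"url": "https://adtech-b.example/sync/cookie_push.html?v=1"}},
    {"request": {"url": "https://site.example/page?ref=cookie_push.html"}},
]}}

if __name__ == "__main__":
    results = find_push_pages(SAMPLE_HAR)
    for finding in results:
        print(finding)
    print("hosts sent long codes:", hosts_receiving_long_codes(results))
```

To run it on a real capture, load the HAR file with `json.load` and pass the resulting dictionary to `find_push_pages`.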
Basically, it all comes down to the fact that by providing potential buyers with such detailed targeting, Google could gain a very significant competitive advantage over other companies that run advertising auctions.
Ryan succinctly concluded that, “This constant leaking of personal data, that seems to be happening constantly, needs to be urgently addressed by regulators.”