Google is heavily reliant on its ad business. And for that business model to thrive, it needs to profile users, and share the data to advertisers.
Among the many ways Google can track and profile users, Brave, the privacy-focused and Chromium-based browser with its own native cryptocurrency, has alleged that Google is using hidden web pages to feed personal data of its users to advertisers, reports Financial Times.
These pages are known as 'Push Pages', which load without being seen by the website visitors and initiates network requests to various programmatic ad services.
In this case, Google's hidden Push Pages get served from a Google domain as HTML files named cookie_push.html.
According to Brave's Chief Policy Officer Johnny Ryan, he discovered Google‘s alleged secret web pages after tracking his data as it was traded on Google‘s advertising exchange Authorized Buyers, formally known as DoubleClick.
This is clearly a violation to the European Union's General Data Protection Regulation (GDPR), Ryan claimed, saying that the move circumvents EU's privacy regulations that demand user consent, as well as transparency from tech giants like Google.
.
According to Ryan on his post:
Google’s Authorized Buyers real-time bidding (RTB) system is already being used by millions of websites to serve ads to visitors. With the alleged hidden pages, Google "broadcasts personal data" about those visitors to thousands of ad-industry companies at any given moment.
Ryan notes Google's Authorized Buyers system appends a string of characters to the Push Page URLs.
The information within those hidden pages, contain users' activities as they browse from one website to another.
Visiting that web page showed no content, besides a “unique address” that linked directly to Ryan’s browsing activity. After one hour of browsing the web using Google Chrome web browser, Ryan said that he found six separate pages that sent his identifier to at least eight adtech companies.
The string itself doesn't provide any actual information, like name or address. But since the string is more or less an identifier, third parties can use it as a unique pseudonymous marker that, when combined with other Google data, can reveal users' activities across websites.
In the evidence, it was pointed out that Google had labelled Ryan "with an identifying tracker that it fed to third-party companies that logged on to a hidden web page.”
Brave then hired an advertising technology analyst to reproduce Ryan’s findings.
Financial Times states that investigation confirmed Google‘s alleged hidden web page identifiers were indeed unique to each user. The advertising technology analysts hired by Brave, also found instances where user data had been shared with multiple advertising companies to boost the effectiveness of Google's targeted advertising.
The evidence from Brave is in the hands of the Irish data regulator.
Google that is reportedly co-operating with Ireland’s data regulator in its investigation, said that “We do not serve personalized ads or send bid requests to bidders without user consent,” according to the company's spokeperson.
The spokesperson also disputed Ryan's characterization of Push Pages, by saying that "A cookie_push is not an ID and not an identifier," in an email to The Register. "It is a parameter for measuring end-to-end latency."
Google said that when it shares marketing data, is does it "without identifying you personally to advertisers or other third parties."
While Google insists that partners abide by its policies, which ban the identification and profiling of internet users using this shared information, Ryan suggests that self-regulation alone is insufficient.
Ryan's finding and the supplement evidence are submitted in a September 2018 complaint to the Irish Data Protection Commission (DPC).