Brave browser team says Google is using hidden pages to circumvent GDPR
In brief: Google is under investigation by the Irish data regulator, which is overseeing its European business, for possible violations of GDPR. The search giant is being accused of exercising poor control or concern over protecting user data and evidence brought forward by Brave seems to confirm those allegations.
Brave is known for its privacy-focused web browser that supports native cryptocurrency wallets. Last year, it filed a GDPR complaint against Google in the UK and Ireland and decried the way the company processes user data to power its advertising business. However, Google strongly denied the accusations and the whole thing looked like it subsided after a few weeks.
This year, Brave is presenting new evidence that Google may be knowingly defying GDPR. The search giant allegedly uses a clever way to track its users while keeping the appearance that everything is in compliance with the European privacy laws. It turns out that Google is now under investigation by the Irish Data Protection Commission for possible GDPR violations as a result of Brave’s complaint last year.
Brave’s Chief Policy & Industry Relations Officer, Johnny Ryan gathered the evidence by using Google’s real-time bidding ad system, Authorized Buyers — also known as DoubleClick. Google says it prevents many companies from using it to combine the profiles they receive about their visitors and that it no longer shares “pseudonymous identifiers that could help these companies more easily identify an individual.”
However, Ryan discovered that Google labeled him with an identifying tracker that was then provided to many companies that logged on to a hidden web page that had no content. Instead, the page had a unique address that linked it to Ryan’s browsing activity and thus allowed bidders to match their profiles of him and eventually get access to all his web browsing habits. In just one hour, the identifier was sent to at least eight ad companies.
Ryan didn’t stop there and commissioned ad tech analyst Zach Edwards to try and reproduce the results. The analysis confirmed his findings and further revealed that Google may be using so-called “Push Pages” as a GDPR workaround. It turns out the search giant’s secret identifiers are unique to every user and may have been shared with advertising companies to improve ad targeting.
Google is said to be cooperating with the Irish Data Protection Commission, but if it turns out the company has knowingly circumvented GDPR, it could face yet another hefty fine for its practices. The company told the Financial Times that it doesn’t “serve personalized ads or send bid requests to bidders without user consent.”