
Google’s GDPR Workaround - donohoe
https://brave.com/google-gdpr-workaround/
======
bluesign
I checked the sample log provided.

Below is the google_gid for different publishers, there is no proof of
overlap, they have different google_gid for same person. Which is exactly what
google describes. [1]

I don't understand what Brave claims.

    
    
      d.agkn.com                CAESEP-S3Zs5f0_kq11XTCZP_mE
      id.rlcdn.com              CAESEPpf2T4-2AsAR_4rer3RfNs
      image6.pubmatic.com       CAESEB9H3qdV26kxEiz-BJ_TY-M
      pippio.com                CAESEJyqG1Pg1j-_scqW8kDzTkg
      token.rubiconproject.com  CAESEE1DyZ245WggYaQZEWpQWI8
      us-u.openx.net            CAESEPIJ9jHcY2j4jK3-DPmfar4
    

[1] [https://developers.google.com/authorized-buyers/rtb/cookie-guide](https://developers.google.com/authorized-buyers/rtb/cookie-guide)

~~~
mintplant
This log [0], right? Did you miss in the article that it's the `google_push`
identifier that's being used for syncing between adtech companies? If you
search for it (AHNF13KKSmBxGD6oDK9GEw5O0kvgmFa3qM30zpNaKl72Og), you can see it
being included in requests to lots of different adtech firms' domains.

[0] [https://brave.com/wp-content/uploads/files_2019-9-2/sample_push_page_from_session.txt](https://brave.com/wp-content/uploads/files_2019-9-2/sample_push_page_from_session.txt)

~~~
bluesign
There is unfortunately no way to prevent that part.

BidRequest Data [0] and Request Time is already enough to fingerprint the
user.

"Google prohibits multiple buyers from joining their match tables." part is
not technical, it is contract based.

[0] Sample Data from Bid Request

    
    
      ip: "F\303\006"
      user_agent: "Mozilla/5.0 (Linux; Android 7.1.1; Pixel XL Build/NOF26V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"
      url: "http://www.myfitnesspal.com/food/calories/popeyes-buttermilk-biscuit-29980768"
      cookie_version: 1
      google_user_id: "CAESEIMlaNwMN-rtiDFzjwNIX6Y"
      timezone_offset: -360
      detected_content_label: 39
      mobile { is_app: false 3: "android" 8: 1 12: "google" 13: "pixel xl" 14 { 1: 7 2: 1 3: 1 } 15: 412 16: 732 18: 70092 19: 3500 }
      cookie_age_seconds: 12960000
      geo_criteria_id: 9023221
      device { device_type: HIGHEND_PHONE platform: "android" brand: "google" model: "pixel xl" os_version { major: 7 minor: 1 micro: 1 } carrier_id: 70092 screen_width: 412 screen_height: 732 screen_pixel_ratio_millis: 3500 }

~~~
rhizome
_There is unfortunately no way to prevent that part._

Well there's absolutely _a_ way: single-source JS and no CORS.

~~~
_eht
Lol.

:/

------
joefkelley
I'm an engineer who has worked on ad systems like this and I'm really
struggling to make sense of this article - what hope does a layman have?

Here's my understanding: Google runs real-time bidding ad auctions by sending
anonymized profiles to marketers, who bid on those impressions. The anonymous
id used in each auction was the same for each bidder, which is in violation of
GDPR. If Google were to send different ids for each bidder, it would be ok? Is
this correct?

Why would it matter that the bidders are able to match up the IDs with each
other, aren't they all receiving the same profile anyway? Wouldn't privacy
advocates consider the sending of the profiles at all an issue?

~~~
avanderveen
This is a problem because companies can use this ID to correlate private user
data, without _anyone's_ knowledge or consent.

There are companies that specialise in sharing user information. Some of them
work by only sharing data with companies that first share data with them (an
exchange).

If you got this Google ID, and you had a few other pieces of information about
the user, you could share that data with an exchange, indicating that the
Google ID is a unique identifier. Then, the exchange would check if it has a
matching profile, add the information you provided to that profile, and then
return all of the information they have for that profile to you.

So, let's say you're an online retailer, and you have Google IDs for your
customers. You probably have some useful and sensitive customer information,
like names, emails, addresses, and purchase histories. In order to better
target your ads, you could participate in one of these exchanges, so that you
can use the information you receive to suggest products that are as relevant
as possible to each customer.

To participate, you send all this sensitive information, along with a Google
ID, and receive similar information from other retailers, online services,
video games, banks, credit card providers, insurers, mortgage brokers, service
providers, and more! And now you know what sort of vehicles your customers
drive, how much they make, whether they're married, how many kids they have,
which websites they browse, etc. So useful! And not only do you get all these
juicy private details, but you've also shared your customers' sensitive
purchase history with anyone else who is connected to the exchange.

~~~
bluesign
Considering google_gid is valid for you for 14 days only. It is very unlikely
to build a profile around it.

~~~
cthalupa
I have no doubt that if you had a record of my browsing habits for 2-3 days
you could readily identify who I am the next time you have my browsing habits
for that period of time.

I wouldn't be surprised at all if 2-3 hours of active browsing was enough for
this.

~~~
msbarnett
Your device fingerprint alone is generally enough to tie your new google id to
any previous ones.

~~~
raxxorrax
Which is also a typical example of privacy violations in the name of alleged
security.

Some newer linux kernels (>2016) use random tcp timestamps offsets to prevent
clock skew profiling.

That is a security feature, not the shit big tech is offering here.

But of course the mechanisms in question are suddenly implemented for fraud
protection instead of user security. Yeah, bullshit.

------
gtallen1187
I'm glad this story was reported, and I'm thankful to the author for putting
in the work required to report this story. But after the first five
paragraphs, the author's shameless, repetitive self-promotion and insistence
on referring to himself in the third person almost made this unreadable.

The headline was enough to pique my curiosity to explore Brave's product
offering. Unfortunately, actually reading the article had the exact opposite
effect.

~~~
dvcrn
I thought the exact same thing after reading the first few paragraphs but
didn't even notice that the author IS Johnny Ryan, the person mentioned in the
story, until you pointed it out.

I didn't make it to the end, closed the tab and went over to HN comments for a
summary.

------
rtbthrowaway
I've worked in the sector for years and honestly thought this was well
documented, common knowledge:
[https://developers.google.com/authorized-buyers/rtb/cookie-guide](https://developers.google.com/authorized-buyers/rtb/cookie-guide)

The only thing Google did in regards to GDPR was limit the number of parties
in RTB they're including by default for syncing to a "trusted set" of parties.

~~~
annoyingnoob
I think the silent/invisible nature of cookie sync'ing is what upsets people
when they discover it.

The diagrams in your link show a single hop for the 302, in my experience that
can be many hops going between different advertisers. The same thing happens
on non-google platforms, like TradeDesk and others.

The sync scenario can make it next to impossible to delete cookies when those
cookies can be rebuilt using data from others.

------
teamspirit
I think the HN community, and most consumers, tend to look at things from only
one angle. Imagine you start work at some small shop that manufactures
widgets for consumers. What would you do when you have to advertise your
product? You'd have to turn to Google or a similar company. Are there any real
alternatives? (I am asking because I really want to know)

I say this because I am in this position now. I have to figure out how to
advertise my company's products and am torn on how to go about it.

~~~
drusepth
The alternative is to spend hundreds of hours finding widget-related websites,
trying to contact the owner(s), negotiating what ad spots are available, what
ads are acceptable to run, and what pricing/terms will work for both parties,
then managing that relationship over time to ensure ads are actually being
displayed, being paid on time, contracts renewed, etc.

It's definitely possible, but you're just doing everything manually that ad
networks do for you. Whether that is worth your time (or worth it to hire
someone to do this kind of thing for you...) is up to you.

~~~
soraminazuki
> It's definitely possible, but you're just doing everything manually that ad
> networks do for you.

You've just explained how contextual ads used to work, which doesn't need all
the invasive surveillance modern internet users have to put up with.

~~~
rtkwe
Yeah and there's a reason the tech moved on from that. It was a LOT of work on
both ends to negotiate and monitor the relationship. Instead now we have a
central broker who both parties work with that has set up a computerized way
to manage these relationships.

Personally I think the solution that lets us keep ad supported content and
easy ad placement would be for Google to force companies to provide bots they
could run internally so the profiles never leave Google's datacenters and
strictly monitor the output so the buyer bots don't leak information back to
the companies. I think that would do a lot to alleviate the privacy concerns
and breaches and is honestly how I thought ads were being sold for the longest
time instead of profiles being sent to companies buying placement.

~~~
soraminazuki
> Yeah and there's a reason the tech moved on from that. It was a LOT of work
> on both ends to negotiate and monitor the relationship. Instead now we have
> a central broker who both parties work with that has set up a computerized
> way to manage these relationships.

I'm not disputing the necessity of a central broker. Contextual ads based on
search keywords or website content used to work fine without surveillance, and
can perfectly be automated by a central broker.

Years ago, I didn't have much issue with online ads (with the exception of
popups and spam emails). Nowadays, I'm forced to block them altogether to
avoid the extensive surveillance by adtech. It doesn't have to be this way if
adtech respected user privacy.

------
cj
Snippets from the article:

> The evidence further reveals that Google allowed [...]

> Google has no control over what happens to these data once broadcast [...]

Is it possible that Google _does_ have "control" over the data after
broadcast, albeit legal control via contracts with advertisers (as opposed to
technical control)?

Perhaps Google's GDPR compliance strategy relies on the participating
advertisers to comply with their contract with Google. If that assumption is
accurate, perhaps Google's advertisers are in breach of their contract with
Google which makes it appear as though Google itself is in breach?

I could be off-base, the details in the article aren't incredibly clear to me.

(For the record, I don't like Google's business model and I don't like
Google's pervasive tracking -- I'm playing devil's advocate to better
understand the issue)

~~~
michaelbuckbee
The real time bidding on ad placements seems like a thing that a user could
never give consent to as it's literally feeding your info to a massive ever
churning list of companies that get to bid on it.

Aka - you land on a site, it sends your IP and whatever identifiers it has to
10,000+ companies who all then figure out if they want to bid on showing you
an ad.

~~~
SpicyLemonZest
Do you have to give consent for each individual third party your data gets
shared with? I’d thought that if you give consent for some purpose, the
company can use whatever processors it wants as long as it ensures they
protect your privacy.

~~~
eitland
Yep, that's what those ridiculous pop up boxes with 400 (I counted one)
"carefully select partners" of the website you visit are supposed to be.

It is IMO just a mockery of the intent of the law and I wonder when this will
be punished.

I personally think GDPR might be a bit strict, but adtech have practically
been begging for this for years so acting surprised now doesn't cut it.

~~~
gregknicholson
I seem to recall (correct me if I'm wrong) that European courts ruled that
“agreeing” to a very-long EULA for desktop software didn't constitute
_informed_ consent, because it's trivial to demonstrate that the users didn't
actually read the entire agreement — even if they scrolled to the end, it's
unreasonable to believe that most people read 10,000 words in 15 seconds.

So I assume that eventually these performances of consent-gathering will be
legally judged meaningless.

------
csours
Do they have to prove that the RTB ID can be used to retrieve PII? Or only
that the RTB ID is correlated with personally protected information?

Is it enough that a RTB ID is pseudo-anonymous? (it always identifies the same
person, but cannot be used to find that person's real information) - OR - is a
RTB ID not even pseudo-anonymous?

~~~
simpss
GDPR definitions are slightly different.

A person is identified, if the ID references only one user in the whole
dataset[1]. This also makes any information linked to the ID PII.

The ID would be pseudo-anonymous if one would need some extra data, to which
they don't have access to, for linking the ID to one specific user in the
whole dataset[2].

So to answer your question, RTB ID is not pseudo-anonymous as it only
references a single user out of all of them.

[1] It's also important to understand the definition of PII in GDPR context.
Which is any data that relates to an identified or identifiable person.
Identifiable is the same as distinguishable. Knowing this helps to understand
where the line is.
[https://www.lexico.com/en/definition/identifiable](https://www.lexico.com/en/definition/identifiable)

[2] Definition of pseudonymisation, 5th bullet-point:
[https://gdpr-info.eu/art-4-gdpr/](https://gdpr-info.eu/art-4-gdpr/) sheds
some light on this.

~~~
csours
Awesome, thanks.

(5) ‘pseudonymisation’ means the processing of personal data in such a manner
that the personal data can no longer be attributed to a specific data subject
without the use of additional information, provided that such additional
information is kept separately and is subject to technical and organisational
measures to ensure that the personal data are not attributed to an identified
or identifiable natural person;

------
tbodt
There's some documentation for this mechanism:
[https://developers.google.com/authorized-buyers/rtb/cookie-guide](https://developers.google.com/authorized-buyers/rtb/cookie-guide)

------
hexadec
This is some great work on tracking down all of these measures to track users. I
really hope we get to the point where dumb ads rule the web once more.
Hopefully this results in more than a slap on the wrist, but I doubt it.

~~~
intopieces
Why should ads rule the web at all? Surely the cleverest engineers to walk the
planet can come up with a new way of making money that doesn’t involve
psychological manipulation.

~~~
hobofan
> Surely the cleverest engineers to walk the planet can come up with a new way
> of making money that doesn’t involve psychological manipulation.

If they could, they would've already done so.

One of the things "the cleverest engineers to walk the planet" would probably
need to do is to increase consumers' willingness to pay for good content by a
factor of ~10 for e.g. online newspapers with quality journalism to be
profitable, which frankly sounds near-impossible.

~~~
phreack
Not that I think their proposition is better but the Brave people particularly
are trying to push a different model with their attention token scheme, so
it's not that no one can think of something different, just that it's
enormously hard to get people on board when the old advertisers are holding on
to everyone using every single way at their disposal, legal or not.

~~~
brettz
Brave is trying to be the middleman and launching their own ad network. I
think browsers forcing a business model onto publishers still isn't the right
answer.

------
matempo33
Sad that Brave did not do their work correctly, the google_push parameter they
are talking about is not an identifier. Otherwise it’s true that RTB should
not exist and violate GDPR, but it’s so complex that even Brave was not able
to correctly state the workflow.

See their release note (15 April 2013);
[https://developers.google.com/authorized-buyers/rtb/relnotes](https://developers.google.com/authorized-buyers/rtb/relnotes)

“Starting in mid-April, we will begin assigning a URL-safe string value to the
google_push parameter in our pixel match requests and we will expect that same
URL-safe string to be returned in the google_push parameter you set. This
change will help us with our latency troubleshooting efforts and improve our
pixel match efficiency.”

~~~
mintplant
Okay, but the `google_push` parameter seems to be the same for all adtech
providers swarming on the same user in the same RTB session. Nothing in your
comment contradicts the claim that this allows them to sync up profiles for
that user across providers, in the way that the switch to per-provider
`google_gid` values supposedly blocks.

~~~
matempo33
Well, for 2 page views (same session), I have 2 different ‘google_push’
(Chrome with default parameters, no extensions).

~~~
mintplant
Sure, but as long as the adtech providers each have their own stable IDs for
you, they can still use `google_push` to link their corresponding stable IDs
together, uniquely identify you, and merge their respective profiles.

====

Page View #1:

- Acorp: google_gid=qwerty, google_push=foo
- Bcorp: google_gid=asdfgh, google_push=foo
- Ccorp: google_gid=zxcvbn, google_push=foo

By exchanging their `google_gid` values corresponding to the page load with
shared `google_push` value foo, Acorp, Bcorp, and Ccorp can identify you as
user qwerty-asdfgh-zxcvbn.

====

Page View #2:

- Acorp: google_gid=qwerty, google_push=bar
- Bcorp: google_gid=asdfgh, google_push=bar
- Ccorp: google_gid=zxcvbn, google_push=bar

By exchanging their `google_gid` values corresponding to the page load with
shared `google_push` value bar, Acorp, Bcorp, and Ccorp can _still_ identify
you as user qwerty-asdfgh-zxcvbn, even though the `google_push` value has
changed.
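
The linkage described above can be checked for in a browser request capture. The following is an added example, not part of the thread or of Brave's report: it groups outgoing sync requests by `google_push` and reports which per-vendor `google_gid` values end up joinable. The `*.example` hosts and the log are constructed from the Acorp/Bcorp/Ccorp walk-through; the one-URL-per-line log format is an assumption.

```python
"""Audit a request capture for cookie-sync join keys (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample capture mirroring the Acorp/Bcorp/Ccorp walk-through.
# Hosts and identifier values are made up; dcorp is a vendor synced alone.
SAMPLE_LOG = """\
https://sync.acorp.example/match?google_gid=qwerty&google_push=foo
https://px.bcorp.example/cm?google_gid=asdfgh&google_push=foo
https://id.ccorp.example/s?google_gid=zxcvbn&google_push=foo
https://sync.acorp.example/match?google_gid=qwerty&google_push=bar
https://px.bcorp.example/cm?google_gid=asdfgh&google_push=bar
https://id.ccorp.example/s?google_gid=zxcvbn&google_push=bar
https://cdn.dcorp.example/pixel?google_gid=lmnopq&google_push=baz
"""


def parse_sync_requests(log_text):
    """Return (host, google_gid, google_push) for each usable URL line."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            parts = urlsplit(line)
        except ValueError:
            continue  # malformed URL, e.g. a broken IPv6 literal
        query = parse_qs(parts.query)
        gid = query.get("google_gid", [None])[0]
        push = query.get("google_push", [None])[0]
        # Only requests carrying both parameters can act as a join row.
        if parts.hostname and gid and push:
            records.append((parts.hostname, gid, push))
    return records


def shared_push_tokens(records):
    """Map each google_push value seen on 2+ hosts to those hosts."""
    hosts_by_push = defaultdict(set)
    for host, _gid, push in records:
        hosts_by_push[push].add(host)
    return {p: sorted(h) for p, h in hosts_by_push.items() if len(h) > 1}


def linkable_identities(records):
    """Cluster (host, google_gid) pairs connected by any shared google_push.

    Union-find keeps one cluster per person even when the google_push
    value changes between page views, as long as the gids stay stable.
    """
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    first_seen = {}  # google_push -> first (host, gid) that carried it
    for host, gid, push in records:
        node = (host, gid)
        find(node)
        if push in first_seen:
            root_a, root_b = find(first_seen[push]), find(node)
            if root_a != root_b:
                parent[root_b] = root_a
        else:
            first_seen[push] = node

    clusters = defaultdict(set)
    for node in parent:
        clusters[find(node)].add(node)
    # Report only clusters that span more than one host.
    return sorted(
        sorted(c) for c in clusters.values() if len({h for h, _ in c}) > 1
    )


if __name__ == "__main__":
    recs = parse_sync_requests(SAMPLE_LOG)
    for push, hosts in shared_push_tokens(recs).items():
        print(f"google_push={push} sent to {len(hosts)} hosts: {hosts}")
    for cluster in linkable_identities(recs):
        print("joinable identifiers:", cluster)
```

Distinct `google_gid` values per host, as in the listing at the top of the thread, do not by themselves rule this out; the audit has to look at the parameters that travel alongside them.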

~~~
matempo33
I now see your point, thanks. I was thinking this “google_push” is probably
not unique (a.k.a many users could have the same) but the adtech providers
could check the ids + timestamps to help with the match. NB: Google is not
syncing with everyone on the same page view so the adtech providers have to be
lucky enough to be synced on the same page view. Another question is: what is
the “google_push” entropy?

Having worked in adtech, I can tell you the adtech providers probably don’t do
that, for those reasons: 1) those adtech providers are usually competitors 2)
if they work together, they can already sync their user ids directly together
(so using google id is not necessary).

So I don’t think Google intentions were malign here on this particular point
(contrary to Brave communication and all the press coverage). But yes, Google
shouldn’t add entropy by sending the same “page view id” to different adtech
providers. Note that Google is “better” than the others here: every other
adtech providers send the same user id to each partner (persistent identifier,
not session or page view like google). And those providers are sometimes quite
big: for example, AppNexus or Criteo trackers are also everywhere on the web.
Overall, it’s the RTB system with all those cookie syncs that shouldn’t exist,
and except for the “google_push” argument, Brave study is quite good (they are
just explaining how the adtech world works).

------
notatoad
can somebody explain in simple terms what Brave is actually accusing Google of
doing? The article seems to be written in a way that matches the language of
the GDPR legislation, instead of language actually meant to be read by
people, and i can't figure out what the "workaround" actually is.

~~~
unityByFreedom
Agreed, this is so wordy, this is what I got,

> Google claims to prevent the many companies ... from combining their
> profiles about those visitors

> Brave’s new evidence reveals that Google allowed not only one additional
> party, but many, to match with Google identifiers. The evidence further
> reveals that Google allowed multiple parties to match their identifiers for
> the data subject with each other.

BTW, many comments in here seem quick to agree w/this headline given how
buried the details are. If someone has better detail, please share it.

~~~
gundmc
I take exception with Brave's phrasing here.

Essentially, Google assigns an anonymized identifier to a user and sends that
to prospective ad buyers. The idea is that the ad buyer can use this to target
ads to people who have visited their site as they browse other areas of the
internet participating in Google's auction. This is called remarketing.

An example. You go to footlocker.com and put a pair of sneakers in your
shopping cart but decide not to buy. When you go read an article on the New
York Times site, a potential advertiser recognizes your anonymized id and bids
to serve you an ad for the sneakers.

The issue Brave is raising is that the same anonymized id is served to each
potential ad buyer. This isn't an issue with data Google collects or exposes,
but Brave states that buyers could theoretically collude to build profiles by
sharing the data collected on their own sites with each other joining by
Google's identifier. There is no evidence of this actually happening and
Google's contract with ad buyers specifically prohibits this activity.

~~~
nocturnial
> essentially, Google assigns an anonymized identifier to a user and sends
> that to prospective ad buyers.

If it's anonymized then how could they send targeted ads to you? I think
you're using a slightly different version of the word anonymous.

How I use the word anonymous it means, roughly speaking, that it can't be
traced back to you. Or in this context, google wouldn't be selling anonymized
data to third parties who in turn could contact you.

If they were selling data like X persons like product Y more than Z, there
would be less of an uproar about this.

------
DrScientist
Are Google engineers quietly working on alternatives? What is this repo?
[https://github.com/PolymerLabs/arcs](https://github.com/PolymerLabs/arcs)

Also there was an interesting story a while back about a clash between
advertising and the Fuchsia engineering team
[https://9to5google.com/2018/07/20/fuchsia-friday-respecting-user-privacy/](https://9to5google.com/2018/07/20/fuchsia-friday-respecting-user-privacy/)

~~~
colordrops
What is Arcs

~~~
ChoGGi
It seems to be 'an open ecosystem for privacy-preserving, AI-first computing'?

~~~
lol768
Legitimately a meaningless description. I find it very odd the README and
repository description are completely devoid of any meaningful information.

~~~
DrScientist
Maybe they value their privacy :-) More seriously this article might shed some
light:
[https://internetfreedomhack.org/re-decentralise-the-commercial-web](https://internetfreedomhack.org/re-decentralise-the-commercial-web)

------
crtlaltdel
brave is incentivized to push this narrative, accurate or inaccurate as it may
be. i am not ad-tech guru, nor digital marketer. i do know that brave's entire
premise hangs on traditional ad-tech strategy remaining static, consumer
sentiment around "big tech" to sour and a groundswell of "privacy focused
consumers" to materialize. that groundswell is their identified target market
for their product.

~~~
trpc
What's funnier is that Brave """product""" is nothing more but a theme over
Chrome that any 12 yo kid can do in 2 hours, an adblocker based on FOSS
blacklists and some compilation flags that prevent Google from enabling its
own server features and tracking system and redirecting the tracking system to
their own servers. Yet their entire PR and marketing is based on "Google is
evil!". In any other industry this scam would have been shut down and the
management would have been sued to probably jail time. But in tech, many
things are blurry.

~~~
Ayesh
I also see how Brave likes to thrive on anti-Google pro-privacy camp and I
personally pick Firefox over Brave any day of the week.

There is de-Googled Chromium OS project, but Brave takes a few steps sideways
by making further changes such as proxying location services, safe browsing
API, etc. I doubt a 12 y/o could compile it though, let alone in 2 hours.

------
priansh
EDIT: since everyone seems to be mentioning the 4% rule, I'd just like to
point out that I'm not denying the existence of this, just denying that it is
actually effective. Google has violated antitrust before, and walked away with
a "big" fine that's a slap on the wrist. They've violated GDPR before as well
once or twice, and got a "record breaking" 57MM$ fine. The 4% rule exists and
clearly isn't enforced well. I know a lot of people love GDPR but I would be
beyond shocked if the EU actually managed to hit Google with something that
sticks. I very much hope I'm proved wrong!

This sort of resolution was inevitable.

I said it before and I'll say it again: GDPR is an annoying measure for
developers, small businesses and startups. It doesn't do much other than put
in place so many steps that growth tools for startups become risky to use. For
big businesses that (ab)use big data, it's not much of a hassle because they
can afford the legal steps as well as the change in infrastructure. They can
even work around it and keep abusing data without consequences.

If they're able to beat Google's lawyer army and actually prosecute them, then
Google will take a whopping fine in the millions of dollars that'll be more
than covered by their daily revs.

~~~
mola
The European Union has decided that growth based on clandestine tracking of
users, selling their PII without consent is not a legitimate growth tool. You
know, like the way we outlawed violence as a "growth tool"

Your other claims are more reasonable. But they would lead me to the
conclusion we need bigger fines on bigger businesses. Not absolutely bigger,
as the law already does, but relatively bigger. The more power you have to
break the law, the bigger the stakes should be.

~~~
owenmarshall
> Your other claims are more reasonable. But they would lead me to the
> conclusion we need bigger fines on bigger businesses. Not absolutely bigger,
> as the law already does, but relatively bigger. The more power you have to
> break the law, the bigger the stakes should be.

GDPR penalties are a flat fee or a percentage of revenue, whichever is
_higher_.

If Google is truly willfully violating the GDPR, the maximum penalty by law
could be up to 4% of their global turnover. I would not call that pocket
change. But more importantly, it is a relative increase in fine based on the
law breaking company.

(Will the EU actually fine Google ~6 billion dollars? Perhaps we will find
out!)

~~~
Polyisoprene
If their whole business model is selling personal data, then 4% is clearly
just a cost of running their business.

~~~
hobofan
Given that "European Commission fines" is its own bullet point under "Costs and
Expenses" in Alphabet's latest quarterly report, that view sounds about right.

------
lpgauth
I really doubt Google Adx would pass buyer_uid to buyers in EU28 countries.
They were the first ones to truncate IPs in EU for privacy reasons.

We've stopped cookie matching in EU28 countries so I can't verify if they do
pass the buyer_uid.

------
amelius
Targeted ads are already a serious leak of information.

If somebody looks over my shoulder and sees the ads presented to me, they can
infer things about me.

Also, if a malicious actor targets an ad to a group of people, and some of
these people buy the advertised items, then the actor can infer things about
those people not necessarily related to the items sold.

~~~
billyc74
if someone looked over your shoulder and saw you browsing HN they could infer
things too

~~~
thebouv
Yet, they choose to surf to HN.

They're not choosing to have targeted ads that share their info around the web
and cause someone over their shoulder to infer things about them.

That's the point -- we should have that choice. And the default should be
"no".

~~~
kupiakos
I understand the opt-in rather than opt-out, but does disabling Ads
Personalization [1] not do what you're asking?

[1]:
[https://adssettings.google.com/authenticated?hl=en](https://adssettings.google.com/authenticated?hl=en)

~~~
tgragnato
No, a Google account shouldn’t be required.

~~~
drusepth
Why not? How else would Google know who not to track? It's not like they can
identify you and remember that preference without a Google account...

~~~
superturkey650
Yes, that's why targeted ads shouldn't be a thing unless it's opt-in (not
necessarily my opinion but it seems to be the point the parent was making). At
that point, to opt-in you can create a google account. Currently though,
Google will attempt targeted ads on people without a Google account by trying
to identify and track them through other means.

Ideally you would have site-specific or content-specific ads normally and
personalized ads if you created an account and chose to opt-in.

------
senegoid
The sharing of data is what makes RTB valuable and most likely viable.

Because what Google are doing is not dissimilar to how any other RTB
participant is acting, saying this is a Google workaround seems disingenuous.

Unfortunately I fear this will only embolden Google to further monopolize
digital advertising.

------
gnud
Is it really a "workaround" if they're just breaking the law?

I mean, if the allegations are correct, Google didn't find any loophole,
they're just hiding the fact that they're selling person identifiers.

~~~
TheArcane
EU should raise the 4% annual turnover rule to 10%. Google doesn't seem to be
deterred

~~~
rat9988
There is a reason they didn't. They fear the US government's reaction.

Edit: Why downvote? Do you really think that the US government will stay
silent if the European Union threatens with such fines? Political tensions are
something you take heavily into account.

~~~
panpanna
EU should ignore the fines this time and start an "information campaign"
regarding behavior of Google and others.

I bet that hurts Google 10 times more.

~~~
nocturnial
They could also do both.

I'm _really_ tempted to write that they could use the fine to finance the
information campaign, but I know that government finances don't work that
way.

~~~
gowld
Gov finances do work that way. That's how the anti-tobacco campaigns are
funded in USA.

------
la_barba
Is there any way to improve the matching of ads to the viewer without
violating their privacy?

~~~
fmajid
The matching is in itself a violation of privacy, at least if you interpret
the right of privacy as "The right to be left alone", as former Supreme Court
Justice Louis Brandeis put it.

~~~
rpastuszak
I think that’s incorrect, relevant ads could be displayed based purely on the
site content, without user info attached to ad calls. We’ve been there.

~~~
0xffff2
True and irrelevant. If you're displaying ads based on site content, you are
matching ads to the site content, not to the viewer.

~~~
eitland
It is actually relevant because they _are_ matching the ads to the user, only
it happens by a proxy variable which is the site you are visiting.

~~~
0xffff2
The original question was "Is there any way to improve the matching of ads to
the viewer without violating their privacy?"

Your answer is that we should match something other than the user, that
happens to correlate with user interests. That is, by definition, not matching
ads to viewers.

~~~
eitland
I think either our idea of "by definition" or something else differs.

Viewers get ads matching their interests, as proven by the fact that they are
on a related website. I don't see how that isn't "matching ads to viewers"?

------
falsedan
I think a large cause of impedance for engineers to understand the issue is:
randomly-assigned ids don’t anonymise users, because you can still attribute
an action uniquely to one user (even if you don’t know their name/personal
details).

I think of it like the UID I get on a UNIX machine: it identifies me, and
anyone with /etc/passwd can get my name, and things that don’t have access to
it can still see “oh uid 1099 is logging in again to play nethack”.
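
An added illustration of the point above (not part of the original comment): a small audit over constructed request URLs that reports which identifier values reach more than one receiving party, which is what turns a random ID into a join key. The parameter names `google_gid` and `google_push` come from the log discussed earlier in the thread; the domains, values and helper names are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not taken from the Brave log). Each party gets
# its own google_gid, but the same google_push value is sent to all of them.
SAMPLE_REQUESTS = [
    "https://sync.adtech-a.example/match?google_gid=GID-AAAA1111&google_push=PUSH-7f3c9e",
    "https://pixel.adtech-b.example/cm?google_gid=GID-BBBB2222&google_push=PUSH-7f3c9e",
    "https://id.adtech-c.example/s?google_gid=GID-CCCC3333&google_push=PUSH-7f3c9e&cb=1",
    "https://cdn.adtech-c.example/img?size=300x250&cb=1",
]

# Ignore short values such as cache-busters or creative sizes.
MIN_ID_LENGTH = 8


def registrable_host(url):
    """Group hosts by their last two labels.

    Assumption for this example only: a real audit would use the Public
    Suffix List to find the registrable domain.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def shared_identifiers(urls, min_parties=2):
    """Return {(param, value): [parties]} for values seen by >= min_parties.

    A value that only one party ever receives is a per-party pseudonym.
    A value that several parties receive lets them line up their records
    for the same browser without knowing a name.
    """
    seen = defaultdict(set)  # (param, value) -> set of receiving parties
    for url in urls:
        party = registrable_host(url)
        for name, value in parse_qsl(urlsplit(url).query):
            if len(value) >= MIN_ID_LENGTH:
                seen[(name, value)].add(party)
    return {
        key: sorted(parties)
        for key, parties in seen.items()
        if len(parties) >= min_parties
    }


if __name__ == "__main__":
    for (name, value), parties in shared_identifiers(SAMPLE_REQUESTS).items():
        print(f"{name}={value} is visible to: {', '.join(parties)}")
```

The per-party `google_gid` values are not reported because each is seen by one party only; the shared value is reported because it is the same string everywhere it appears.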

------
laythea
Presumably ads are so valuable because people click through them and go on to
purchase.

I realise I am in a minority, but I have never clicked on a digital ad and
gone through to buy something, and I never will.

The minute I see ads on a webpage, I automatically associate that site with
trash. (Please take note HN :))

It is as if humanity cannot be trusted with technology. This creates a certain
"ceiling" for us in terms of development as a species. Such a shame.

~~~
bduerst
The ads you're referring to here are called _display ads_. Most of these ads
are not about getting you to click, but about awareness.

It's the same thing as a full-page advert in a magazine that you flip through.
For some readers, they will stop and read it, raising awareness to that
brand/product/company etc.

~~~
laythea
I take your point about being "exposed" to the product, however it must be the
case that ads want you to click them, otherwise clicking them would not do
anything. Which is not the case.

A company spamming my eyeballs with visual ads to "raise awareness" does not
get my money. I take particular offence to that, as it is _my_ screen. Not a
Billboard for example.

My point is proven in the HN website, where it enjoys a large readership,
largely influenced by the site's clean, ad-free design.

Slashdot used to be like that until they started displaying ads, and that is
what brought me to HN. Thank you HN for not doing this.

------
afarviral
At this point I'm just waiting for some of these tech companies to drop their
analytics and drop targeted advertising, and just ask users for their
advertising preferences or do advertising the traditional way... why do we
HAVE to have targeted advertising? It's either hit or miss, or too creepy
anyway...

------
jiveturkey
> This, combined with other cookies supplied by Google, allows companies to
> _pseudonymously_ identify the person in circumstances where this would not
> otherwise be possible.

At first glance, I would have thought this isn't a workaround at all. GDPR
allows for pseudonymisation as a method of data protection. But, Recital 26 of
the GDPR disallows this:

> The principles of data protection should apply to any information concerning
> an identified or identifiable natural person. Personal data which have
> undergone pseudonymisation, which could be attributed to a natural person by
> the use of additional information should be considered to be information on
> an identifiable natural person. [...]

That said, I don't think this is cut and dried, because Google themselves
isn't providing the linkage to an identifiable natural person. The person that
can make that linkage necessarily already has the identifying information. Get
ready for a major legal battle.

------
bogomipz
The article states:

> "The primary targets of this campaign are Google and the IAB, which control
> the RTB system."

Can someone say who makes up the IAB exactly? Is this just an industry trade
group?

~~~
singron
Yes. Take a look at their board of directors:
[https://www.iab.com/our-story/#board-of-directors](https://www.iab.com/our-story/#board-of-directors)

It's a mix of the major players in the digital advertising industry.
Historically the IAB has taken actions that are good for the industry overall.
It focuses on standardization/interoperability in the ad-tech space. It
generally isn't a watchdog and doesn't regulate the industry except when the
industry as a whole would benefit (e.g. self-regulatory programs that have no
real effect but stave off state regulation).

------
panpanna
Friendly reminder that this is all to show you "targeted ads".

You can fight back by providing fake and bogus data. For example, there are
browser extensions that do this for you.

------
decide1000
The article claims that personal data is shared among 2000 companies. As far as I
understand those companies do not receive personal information. I do not see
real proof.

------
juanbyrge
Kind of a ratty move by Brave to leverage all of Google's tech in their
browser (blink, v8, etc..) while simultaneously suing them as a PR tactic.

~~~
ummonk
Google didn't have to open source it. They open sourced it knowing it would
encourage adoption.

~~~
juanbyrge
Regardless this is a very calculated PR move by Brave. And the privacy zealots
and anti-google cadre on HN and elsewhere are eating this up. They are
effectively giving Brave free advertising and playing right into their hands.

------
therealmarv
Surprise... I'm thinking every state outside of EU does not even need that
sophisticated workarounds... just go directly to the target (you).

------
jwildeboer
Hundreds of deflecting comments about coffee at McDonalds and astroturfing.
Well done! Can we now talk about how Google uses creepy tactics to undermine
privacy and the GDPR?

------
stunt
I remember they dropped "Don't be evil" from their code of conduct a couple of
years ago.

------
erichocean
Does GDPR only apply to individuals, or can I find out all of the information
that is being held by Google (or anyone else) on my EU-based business?

------
banku_brougham
People are missing the point. Google is trying to manage GDPR and their
previous business model which is selling all that user data. They are not
going to succeed and GDPR is going to prevail.

------
leegr
Cringe

------
rvz
It's really funny to see that yesterday, I was branded as a 'privacy nut'
after the release of Android 10 as I was concerned about the privacy issues
that are in Android. Then the Go modules proxy issue around the Go Programming
language that raised suspicions about tracking usage statistics around
downloading modules turned on by default without any consent and now this.

I think there are some folks at Google who have just read too deep into both
1984 and The Google Book to go on to think that privacy violations like this
are a normal thing. But what do I know? I'm just another 'privacy lunatic' on
the net that wears a metal helmet (tinfoil hats are just not good enough)
trying to protect my privacy.

~~~
zdw
The Go module hash checking seems to be more about avoiding the problems
encountered by other language repos integrity and versioning issues ( _cough_
NPM), and in terms of tracking it seems about as invasive as Debian's popcon.

Enabled by default can and should be the default for security-related
features.

I tend to agree about the rest of the creepiness, especially anything
personally behavioral.

~~~
nindalf
On HN it is taken as gospel that any information sent to a server will
absolutely compromise your privacy. If anyone points out that the information
is trivial or useless the rebuttal is instant - it can be cross referenced
with other sources to build a complete profile of you.

If you want to know which Go modules I use, go check out my github. They're
listed right there in import statements. If I'm hacking on a project that I
want to keep private, I'll disable this feature with a command line flag -
easy.

My issue with the paranoid folks in that thread is not that they made no sense
(they can't help that), it was they were attacking the person who implemented
the feature viciously. He had implemented a feature that a majority of Go
developers had been requesting for 5+ years, had done it in a way that
improved clean build time, improved security and could easily be disabled or
replaced with a private DB. Literally what else could that man have done?

Even though all his work could be verified trivially (Go is open source!),
they still chose to attack him.

~~~
stonogo
> Literally what else could that man have done?

He could have _not_ sent all build-time network accesses to Google by default.
It's that simple.

~~~
nindalf
No it isn't. Please tell me how you achieve security without storing hashes in
a DB? The default is only for those who'd prefer not to run their own DB. You
are welcome to run your own DB if you want.

Why are you so upset that other people will be using a feature you obviously
won't? Why are you upset when this leaks literally no info that your github
repo doesn't already?

~~~
ori_b
> No it isn't. Please tell me how you achieve security without storing hashes
> in a DB?

I bet the DB is small enough that you could default to just downloading it and
syncing on your machine.

~~~
irq-1
256 byte hash x 10000 packages x 10 package versions = 25mb

That's a conservative estimate, and if you try to sync only what's needed
you're no better off than not-syncing.

~~~
ori_b
Yeah, I've got 25 megs of disk space.

If you try syncing the whole thing incrementally (rsync style) all you leak is
the frequency of your updates

------
idlerig
This is exactly what happened in the McDonald's "hot coffee" lawsuit. It
wasn't some "Karen" who hit a bump while driving. It was an elderly woman (in
her 70s, IIRC), sitting in the passenger seat.

McDonalds already had complaints (and some lawsuits) over the (significantly
higher than industry standard) temperature of their coffee, so this wasn't
exactly out of the blue.

She ended up with 3rd degree burns on her legs and crotch. She asked only for
her medical bills to be paid. McDonald's refused, so she eventually took them
to court. Even then, she only asked for medical bills (and now legal
expenses).

The jury decided that McDonalds was not only liable for those costs, but had
treated the woman so poorly that they should pay punitive damages. The massive
amount you heard about in the news was based on the amount of money McDonalds
makes selling coffee in one day.

But that's not the story that was spread by the shills...

~~~
mumblemumble
The most interesting thing to me about that McDonald's "hot coffee" lawsuit is
how different the narrative is in popular circles vs. in legal circles. It's a
little bit like in _Rashomon_.

In popular circles, the story is framed in a way that does make the lawsuit
look frivolous. But this is also a case that has made it into the legal
textbooks as an example of corporate negligence that's clear-cut enough to use
for demonstrating the concept in introductory textbooks.

Of course, in the legal textbooks, the version of the story that's told
includes a lot of details that, as you point out, get excluded from the
popular version.

~~~
endorphone
Are you a lawyer? Because this take is quite remarkable, especially given that
the _overwhelming_ public sentiment is that McDonalds was heinously negligent,
coupled with a lot of supporting but not entirely factual claims to justify
that position. I feel like the same people who were jeering at the victim just
marched over to sainting her and demonizing McDonalds.

The Internet extreme position machine. Everything has to be clear cut.

How McDonalds no longer engages in "corporate negligence": they put pronounced
warnings on the cup that it's a dangerously hot substance. That's it. They did
not lower the temperature (as is frequently claimed, nor is the temperature at
all outside of normal industry standards, yet this is being repeatedly stated
throughout this thread -- coffee, brewing with boiling water, is hot). You can
get a searingly hot cup of coffee from most quick-serve restaurants today
depending upon how freshly it was brewed. This is a case where the solution is
more warnings on things.

This case was, however, an example of bad brand management, and perhaps
throwing good money after bad for something they could have privately settled
early on.

This is certainly not a hill I want to die on, and generally arguing against
the prevalent opinion (which is overwhelmingly the one that you and the GP have
expressed, albeit almost always positioning it like it's contrarian) is self-
defeating, however this whole case is fascinating in how public perception
shifts.

~~~
ChainOfFools
> The Internet extreme position machine. Everything has to be clear cut

aka compression machine. optimized to trigger brains' reward circuitry for
accomplishment by 'tidying up' unmanageable landscapes of disjointed data into
easily stored and recalled bimodal silhouettes of same.

~~~
205guy
This is actually a very interesting and seemingly accurate description of what
powers so much of the internet.

------
NullPrefix
>I was branded as a 'privacy nut'

Companies do actually employ shills to go on forums and try to sway public
opinion. They call them something like public advocates, doesn't change the
idea though.

~~~
kspacewalk2
Should their point of view just not be heard then, in such discussions?

~~~
kaibee
Hi kspacewalk2,

I'm John and I have views on privacy that are completely genuine and happen to
align with what benefits the corporation(s) that my company,
TotallyLegitimateComments LLC, contracts for. I believe advertisement is a
force for good in the world and can bring together people and products that
enrich their lives while creating value for shareholders! While I'd love to
share what wonderful businesses my company works with, various privacy
agreements prevent us from doing so. However, I can tell you that they all
appreciate the fact that you find their views important! We will continue to
lobby your congressmen on your behalf to ensure that these views are reflected
in the nation's laws! Thanks and remember, corporations are people like you and
me!

Sincerely, John

~~~
thekyle
This is a total straw man.

~~~
stonogo
I'm not sure it is.

[https://twitter.com/AmazonFCHannah/status/116191039733676851...](https://twitter.com/AmazonFCHannah/status/1161910397336768512)

~~~
maest
Is that satire? I'm genuinely unsure if that's a real account, a shill,
innocent satire or malicious satire.

I wonder what that says about the state of "truth" on the Internet.

------
sam1r
Just learned about Brave for the first time. Pretty neat stuff.

~~~
Kiro
Only if you're into cryptocurrencies. I wish there was an alternative without
the BAT stuff.

~~~
colordrops
That makes no sense. BAT is opt-in and isn't even mentioned when you install
the browser.

~~~
Kiro
I would argue that the whole reason for Brave's existence is BAT. It's their
business model and I'm surprised that HN normally hates cryptocurrencies with
a passion but gives Brave a pass.

~~~
colordrops
First, HN isn't some hive mind that takes stances as a collective. Second,
cryptocurrencies are a technology and can be used for good or bad. To hate
them is like hating linked lists. Third, there _is_ plenty of (undeserved)
hate for Brave here on HN. Lastly, "the whole reason for their existence" is a
subjective judgement. As long as they remain open source and don't force me to
use their cryptocurrency, I am completely fine with it.

------
wtdata
What is sad is that the EU commission doesn't take real action against Google.
At best we are to expect a slap in the hand, at worst, the investigations will
drag on and nothing will happen.

~~~
Barrin92
Google has been fined a _5 billion dollar fine_ already last year, that claim
simply isn't true. But I agree with the implicit demand, they clearly haven't
gotten the message. The EU should slap them with billion dollar fines again
until they learn their lesson.

~~~
docker_up
The executives should face jail time. That would certainly light a fire under
Google's ass to finally "do no evil".

~~~
peterwwillis
Jail time? For telling companies what kinds of shoes you shop for on Amazon?

~~~
docker_up
Yep. Privacy violations and leaks should be punished with fines and jail time.
Period. End of sentence.

Just like execs have to personally sign for and are accountable for their
financial statements, they should do the same thing with privacy. GDPR sets a
very common leveling of the field so it's completely fair now.

~~~
peterwwillis
"Privacy violation" is a huge, gigantic category of all kinds of things. One
kind of privacy violation is completely different from another; some privacy
violations are completely harmless, and some are actually directly harmful,
and some in between.

Giving jail time for any of these is like giving jail time for any kind of
"offensive behavior". Maybe someone just didn't like what someone said and
called it offensive, or maybe someone physically attacked someone else. You
don't get jail time just because someone claimed offense, you have to prove
harm, and fit the punishment to the crime.

This is why I can't take privacy advocates seriously. Their effort to fight
for _all_ privacy undermines the attempt to prevent _real harm_ from specific
kinds of information being exposed.

~~~
feanaro
How about systematic, deliberate, deceptive privacy violations in order to
increase profits? That seems like a pretty distinct category from the cases
you are concerned with.

~~~
peterwwillis
> systematic, deliberate, deceptive

I'll take your word for it, the evidence doesn't look clear cut to me,

> privacy violations

Again, _who cares_ if it was just your shoe size? We should not send someone
to jail for leaking who your favorite pop star is. Did it, or could it, _do
harm_? This is a nearly universal standard used to assess how someone is
punished according to the law.

> in order to increase profits

Of course it's to increase profits, you think they're doing it for fun? Did we
stop living in a capitalist economy and nobody told me?

~~~
feanaro
The point is simple, though: they cannot do it to increase profits. Doing it
for profit makes it more jarring than, say, collecting extraneous personal
information through an error.

Your shoe size point is simply a strawman. You've chosen one arbitrary data
point in order to make the argument look less important. In any case, I'm of
the opinion that _neither_ Google nor the governments of the world should be
allowed to do this kind of large scale surveillance and profiling.

And finally,

> We should not send someone to jail for leaking who your favorite pop star
> is.

I agree with this completely. However if it's not just my favourite pop star,
but it also contains all the articles I've read in the last two weeks, and my
age, and what I've recently bought... All of these neat little data points
about me, neatly filed in a profile made just for me, then the natural
question that arises is: Why do you even have this? Who allowed you to start
building this profile on me and on thousands of others? The systematicity and
scale of it is hard to argue against.

------
nautilus12
"Don't worry about being evil"

------
a_imho
Google has been violating GDPR from day one.

~~~
drusepth
That's not surprising seeing as how GDPR was pretty much drafted explicitly
against Google.

~~~
a_imho
That's just your bias and no grounds for violating it. In fact, if it was true
the more reason to comply. But it is obviously false, seeing Google can still
do whatever they wish without serious repercussions.

------
metalliqaz
Just 17 days ago I was downvoted into the abyss for suggesting that Google's
GDPR "compliance" doesn't protect my privacy. And now this.

------
mfer
Free startup idea: An ad service that did things simply without any targeted
stalking involved.

~~~
alkonaut
These exist. But so long as advertisers _can_ buy ads with tracking, fraud
detection etc, they will.

The key to getting reasonable ads back is making the bad ads impossible for
advertisers to buy.

~~~
mfer
Do you have a reference? Looking around I didn't see anything. I might have
missed it though.

~~~
edoceo
Maybe Carbon ads?

~~~
carstenhag
Yeah, carbon seems to be pretty good. I used to see it on codepen and some
other design website. Always relevant, but carbon seems limited to developers
and designers.

Some other ad thing which doesn't need tracking: Sponsored posts or targeting
people who follow someone on Instagram.

------
whenchamenia
Maybe someone will finally take Google's abusive practices to task.

------
aledalgrande
After this, do you still want to use Chrome? Who knows what data they are
sending when they control your desktop experience.

------
_pmf_
Slap on the wrist incoming. But looks like a solid case with an EU national (?)
as plaintiff.

------
cavneb
I am so glad that this violation is being exposed. Well done Brave!

I invite any developer / blogger to check out
[https://CodeFund.io](https://CodeFund.io). We are a non-tracking 100% open
source ethical ad platform that focuses on funding open source.

~~~
dang
It's ok to occasionally link to one's own site in relevant contexts, but only
as a small part of using HN as intended—i.e. for gratifying intellectual
curiosity:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

But it looks like you've been using HN primarily to do this. That crosses into
spamming, so please don't.

------
downandout
Yeah. Brave is desperately trying to compete with Chrome and can’t figure out
why they aren’t making much headway, despite having better privacy (hint:
users just don’t care about privacy, except for the HN crowd).

These complaints filed by Brave, with their own employees posing as
professional “victims” intentionally grasping at straws for evidence of
privacy violations, smack of desperation. This is not the first claim they
have filed, and sadly, it won’t be the last. Their claims thus far have been
disingenuous at best, downright dishonest at worst.

GDPR was not meant as a weapon with which one could hobble their far more
successful competitors. It’s sad to see that a company that claims to care so
much about privacy is undermining GDPR by bringing the worst fears of those
that opposed it to life.

~~~
rhizome
_(hint: users just don’t care about privacy, except for the HN crowd)._

I'm not sure that's true: uBlock Origin has twice as many installations as
Brave does. You might say "oh, but that's just blocking ads!" But if you don't
block ads, privacy problems are going to spring out of the woodwork like
nobody's business. That is, they might not care about privacy by name, but
they certainly care about it in effect.

~~~
downandout
I’d say the vast majority of uBlock users care about user experience. The
current ad experience sucks. Most local newspaper sites, for example, are
unusable because of ads. But if it still preserved their privacy behind the
scenes and didn’t significantly improve their experience, the install base on
uBlock and other ad blockers would be near 0.

~~~
girvo
And I'd say the opposite. My grandfather just wanted ads gone; user experience
isn't even on his radar. I've seen the thesis you've presented here before,
and while it sounds plausible, I don't think it's as cut and dried as it
seems.

People really do hate ads. We're inundated with them, constantly. Low grade
psychological assault, at all times. I don't blame people for wanting a
respite.

~~~
downandout
Actually, you’re saying precisely the same thing I was. When I say “user
experience,” I am talking about the ads being gone. No ads = better user
experience.

------
lanevorockz
Google has been very naughty in the past few years. It does look like they
removed the “don’t” be evil motto for a clear reason. And people thought that
Investment Banks were bad.

