
Google accused of secretly feeding personal data to advertisers - drocer88
https://www.irishtimes.com/business/technology/google-accused-of-secretly-feeding-personal-data-to-advertisers-1.4007629
======
paganel
More details on the Google GDPR workaround are included on this page [1]

[1] [https://brave.com/google-gdpr-workaround/](https://brave.com/google-gdpr-workaround/)

~~~
JorgeGT
HN discussion:
[https://news.ycombinator.com/item?id=20876248](https://news.ycombinator.com/item?id=20876248)

------
codedokode
> On September 5th 2018, Google announced that it would no longer share
> encrypted cookie IDs in bid requests with buyers in its Authorized Buyers
> marketplace, “as part of our ongoing commitment to user privacy”. Mr Ryan’s
> analysis also found that Google continued to share these with ad firms.

But now Google shares not cookies, but unique URLs. Look, they kept their
promise.

~~~
ModsCtrlideas
I too have learned not to believe in government solutions to problems.

As a result I stopped searching for... Well unfortunately I'm one of those,
"nothing to hide" people.

Life as usual.

If I needed to use google without anyone knowing, either use a public
computer, or a stack of layers to remove IP, browser id, cookies, etc...
Unique URLs would not trace far.

~~~
zwkrt
Just for the record, google is not in compliance. The law is not a switch
statement where you just need to find that magic missing “break” and then the
system is pwned. Justice is not a mathematical equation.

~~~
ModsCtrlideas
Sure and as a result, I cannot trust them to do their job.

Historically they suck.

------
khawkins
I don't understand why there is so much push back against the nebulous threats
like targeted advertising. Advertising is unquestionably here to stay and it's
hard to believe that people would rather have irrelevant ads to relevant ads.
I'd rather Google figure out what type of TV shows/movies I might care about
and only advertise those to me.

And if they want to aggregate large amounts of data about internet browsing
habits to get a better idea of the types of customers which want certain
things, I see that as only a positive since it helps steer businesses in the
service of their customers. Data mining large sets of browsing history does
this in an incredibly non-intrusive way.

I'm all behind auditing the data being used and sold for identifying features,
but the cases where this has been a real and serious problem are sparse at
best. The most serious threats have been successful hacking attempts releasing
data which isn't controversial for them to collect.

That is, people are worried about Google telling Capital One your IP address
is in the market for a credit card while hackers are walking out the back door
with hundreds of thousands of social security numbers, names, addresses, and
credit scores.

~~~
ne9xt
Google owns hoards of personal data, including yours and mine. It’s nearly
impossible to avoid, sans living life offline. Now that google has shown they
are willing to share your personal information with advertisers without your
permission, what do you think will happen when google becomes the arbiter of
medical (and personal) information to health insurance companies? google will
win. health insurance companies will win. individuals and families will
suffer.

~~~
khawkins
I think it's important to be aware of conflicts of interest like this, but
that's not what's being discussed, and the solutions offered aren't attacking
this type of problem.

------
gagan2020
I worked on Ad systems for 2-3 years.

It is the fault of the advertisement industry and RTB. RTB relies on personal
data with some fields missing (name, phone, email, etc.) to be sent for real
time bidding for ads by many players. The remaining data is mapped by these
players to infer these missing fields and guess the purchase habits of the
person browsing the site and bid on ad space.

Data sent to these RTBs does have unique fields like Android Ad ID that can
easily identify a person.

The ad industry relies on obfuscations like Android Ad ID to track us
individually while giving the idea that personal data is not sent.

------
donw
... secretly?

------
michaelbuckbee
Two levels of things here: Google/Doubleclick and the GDPR and then this
particular "push page" issue.

- GDPR instructs that an organization maintain control of people's data.
"Control" in the legal sense of it where you know who is getting the data,
what their data handling practices are, how it's going to be used, etc.

- Real Time Ad bidding is the process where you land on a site and then that
site has a JS snippet which passes your information (it can be more than this,
but let's just say your IP address) to an Ad Auction where advertisers bid on
showing you an ad. They do geolocation, company lookups, check retargeting
cookies, etc. and then whoever offers the most money to show you an ad gets
their banner on the page you are looking at.

- Google's Doubleclick is one of the largest Real Time Bidding setups.

Side Note: a frequent comment I see on HN is that "IPs are not personally
identifiable" which is true in the abstract, but they are identifiable enough
that advertisers are willing to spend significant amounts of money on ad bids.

You may immediately see the problem here: it's impossible for you (the person
browsing) to give meaningful consent to share your information with all these
companies participating in the ad auction because the site you just browsed to
has zero flipping idea who they are and in any case there is a constantly
churning audience of literally tens of thousands of companies participating in
these auctions.

All of that is the context then for this newest development: push pages.

Google/Doubleclick is attempting a bunch of different approaches to deal with
the fact that the GDPR shatters the current privacy destroying setup of
anytime you land on a site with their JS include that your information is sent
to several thousand companies unknown to you.

They're trying to implement pseudo anonymous identifiers [1], they're trying
to pull back on cross site matching, etc. all of which hurts their bottom line.
So what this "push pages" looks like is an attempt at a technical workaround
to some of the legislative hurdles raised by the GDPR. By moving the JS+Cookie
setting to the Google domain they're able to say (in some context) that it's a
1st party cookie and not a tracker and able to do more sophisticated matching.

Side Note: another frequent comment I see on HN about the GDPR is that "It's
too vague, why doesn't it just say what I can and can't technically implement"
and this is exactly why: if the law is laid out in technical terms instead of
intentions and actions it's easy to find loopholes (aka moving some aspect of
tracking from a site to Google's page).

[1] [https://support.google.com/analytics/answer/2763052?hl=en](https://support.google.com/analytics/answer/2763052?hl=en)

~~~
jbverschoor
T-Mobile uses your IP to identify you. You don't have to log in to access your
account and make changes to your subscription.

~~~
hobofan
Your ISP is the only one able to reliably identify you by your IP. And even
then they would not be allowed to use that info in other contexts (e.g.
advertising) according to GDPR IIRC.

