The new evidence reveals a surreptitious mechanism that raises additional data protection concerns about Google’s “DoubleClick/Authorized Buyers” advertising system. This system is active on 8.4 million websites.
Google claims to prevent the many companies that use its real-time bidding (RTB) ad system, and that receive sensitive data about website visitors, from combining their profiles about those visitors. It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.
But in fact, Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.
Brave commissioned Zach Edwards to analyze a log of Dr Ryan’s web browsing. The analysis confirmed that Dr Ryan’s personal data was broadcast, bearing out the fears laid out in his complaint to the DPC in September 2018. The analysis also revealed a mechanism, “Push Pages”, through which Google invites multiple companies to share profile identifiers about a person when they load a web page.
Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.
All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.
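The check described above can be run over a browsing log. The following is an added example, not code from Brave's or Zach Edwards' analysis: it counts Push Page loads and reports every google_push value that reached more than one company's host. It assumes the identifier travels as a `google_push` query parameter; the log entries, URL paths and `.example` hosts are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PUSH_HOST = "pagead2.googlesyndication.com"  # domain named in the article
PUSH_PAGE = "cookie_push.html"               # page name given in the article
ID_PARAM = "google_push"                     # assumption: sent as a query parameter

# Constructed sample of requested URLs from one page load (not real traffic).
SAMPLE_LOG = [
    "https://pagead2.googlesyndication.com/constructed/cookie_push.html?x=CONSTRUCTED",
    "https://sync.adtech-a.example/match?google_push=AAAA-constructed-1&uid=a91",
    "https://pixel.adtech-b.example/cm?google_push=AAAA-constructed-1",
    "https://cdn.example/app.js",
    "https://match.adtech-c.example/sync?google_push=BBBB-constructed-2",
    "https://sync.adtech-a.example/match?google_push=AAAA-constructed-1&uid=a91",
]


def find_shared_identifiers(log):
    """Return (push_page_loads, {identifier: hosts}) for identifiers seen by 2+ hosts."""
    push_page_loads = 0
    recipients = defaultdict(set)
    for url in log:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # A Push Page load is recognised by its host and file name.
        if host == PUSH_HOST and parts.path.endswith("/" + PUSH_PAGE):
            push_page_loads += 1
            continue
        # Any other host receiving the identifier is a recipient company.
        for value in parse_qs(parts.query).get(ID_PARAM, []):
            recipients[value].add(host)
    # An identifier held by several hosts is a common key for joining profiles.
    shared = {v: sorted(h) for v, h in recipients.items() if len(h) > 1}
    return push_page_loads, shared


if __name__ == "__main__":
    loads, shared = find_shared_identifiers(SAMPLE_LOG)
    print(f"Push Page loads: {loads}")
    for identifier, hosts in shared.items():
        print(f"{identifier} received by: {', '.join(hosts)}")
```

An identifier reported here is one that several recipients hold in common, which is what lets them cross-reference their profiles of the same person.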