Review of Brave's charge against Google Authorized Buyers

An important accusation, but unfortunately riddled with errors

Published by Pixel de Tracking on December 22, 2019

Google accused of circumventing the GDPR in the context of RTB

On September 4, 2019, Brave, the company behind the eponymous browser, accused Google of a gigantic leak of personal data via its Ad Exchange, Authorized Buyers (formerly Google AdX). Brave succeeded in getting media attention, notably with significant coverage of the accusations by the Financial Times (cf. "Google accused of secretly feeding personal data to advertisers" and "How Google feeds your data to advertisers"). The details of these accusations are part of a complaint investigated by the Irish data protection authority (Ireland's counterpart to the CNIL), accusing Google of circumventing the GDPR.

It is good to see the problems caused by RTB denounced in mainstream media, because adtech is an extremely complex field, well understood by only a few insiders. Unfortunately, the accusation contains many errors, which makes it easy for Google to dismiss.

Brave errors linked to misunderstanding RTB

Let's analyze the press release in detail. It begins with a fanciful figure put forward by Johnny Ryan (Brave’s Chief Policy & Industry Relations Officer):

Google’s “DoubleClick/Authorized Buyers” ad system is active on 8.4+ million websites.

This figure is based on a third-party site's analysis, which counts the number of websites calling a DoubleClick tracker (DoubleClick is an advertising company owned by Google). However, these trackers are used not only for Google Authorized Buyers, Google's Ad Exchange (which is aimed at large professional sites), but also for other tools such as Google's RTB purchasing platform (DSP), called DV360, Google Analytics or Google AdSense. The number of Authorized Buyers customers is not publicly known but is considerably lower.

The press release continues with an inaccuracy:

Google claims to prevent the many companies that use its real-time bidding ad (RTB) system, who receive sensitive data about website visitors, from combining their profiles about those visitors.

Google's documentation says something significantly different:

Google prohibits multiple buyers from joining data they receive from the Cookie Matching Service.

Google therefore prohibits its partners from combining their data, but does not claim to technically prevent them from doing so. Here we touch on a problem intrinsic to RTB: an Ad Exchange cannot control how the personal data it transmits to partner purchasing platforms will be managed by them.

The press release then purports to reveal that Google betrayed a previous promise, having announced in October 2019 that it had stopped sharing pseudonymous identifiers in RTB:

It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.

However, Google's announcement did not say it would stop sending pseudonymous identifiers in RTB requests (the requests Google sends in real time to purchasing platforms when you surf the web). It said these pseudonymous identifiers would be removed from the consolidated files sent afterwards to the purchasing platforms (“Data Transfer files”):

We removed encrypted cookie IDs and list names (if used) from the Data Transfer file for all global bid requests to Authorized buyers.

These files, usually exchanged daily, contain additional information such as the winner of the auction, the effective selling price of the advertising opportunity, etc.

The accusation

Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers.

Brave seems to be discovering here how RTB works, even though it has been well documented for many years by Google and by the many players in the field.

The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

Here we come to the novelty revealed by Brave. What is it about?

All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

According to Brave, Google therefore sends the same personal identifier (google_push) to all purchasing platforms, which would then allow these platforms to exchange with each other the information they each hold on users.

Sharing of personal identifiers inherent to RTB

It is worth pausing here. For RTB to work, the Ad Exchange (the sales platform, also called SSP) synchronizes its user identifiers with its partner purchasing platforms. The problem noted by Brave is general and inherent to RTB. To mitigate it, Google sends a different user identifier to each purchasing platform (to my knowledge other SSPs do not take these precautions):

For buyers, Google identifies users using a buyer-specific Google User ID consisting of an encrypted version of the doubleclick.net cookie, derived from but not equal to that cookie.

So ever since RTB has existed, purchasing platforms have been able to collude and exchange their own personal data to enrich their databases. This requires entering into agreements with competitors and taking a huge legal risk, but it is indeed theoretically possible.

A circumvention of the GDPR by Google?

So what is this personal “google_push” identifier sent by Google to its partner purchasing platforms? Brave indicates that this is a circumvention introduced by Google, in reaction to the GDPR.

Push Pages therefore appear to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.

This is also the argument taken up by Zach Edwards, the researcher commissioned by Brave for the investigation.

[Image: tweet by Zach Edwards]

A simple search of the Google Authorized Buyers online help shows that the google_push parameter already existed in April 2013, which ruins the circumvention argument (the GDPR came into force on May 25, 2018):

Starting in mid-April, we will begin assigning a URL-safe string value to the google_push parameter in our pixel match requests and we will expect that same URL-safe string to be returned in the google_push parameter you set. This change will help us with our latency troubleshooting efforts and improve our pixel match efficiency.

The google_push parameter is therefore used by Google to diagnose latency problems and not to track users.

Does this “personal identifier” allow buyers to share user information?

Here too we can look at Zach Edwards' communication:

[Image: second tweet by Zach Edwards]

It therefore turns out that this "personal identifier" is not personal (that would be useless, since Google's goal is to measure latency; it is an identifier that changes with each page load). But theoretically, Google's partner DSPs that competed for the same advertising opportunity can in fact share their logs in order to enrich the information they hold on users.
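The distinction drawn above can be checked on captured traffic. The following is an added example, not code from the original article or from Google: a small privacy-audit script that classifies each parameter of the match requests by how widely its values are shared. The capture, the host names and the values are constructed, and the parameter name google_gid for the buyer-specific Google User ID is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed capture: (page_load, match-request URL). Hosts and values are made up;
# "google_gid" as the name of the buyer-specific ID is an assumption.
CAPTURE = [
    (1, "https://dsp-a.example/match?google_gid=A-111&google_push=p-7f3a"),
    (1, "https://dsp-b.example/match?google_gid=B-942&google_push=p-7f3a"),
    (1, "https://dsp-c.example/match?google_gid=C-305&google_push=p-7f3a"),
    (2, "https://dsp-a.example/match?google_gid=A-111&google_push=p-c09e"),
    (2, "https://dsp-b.example/match?google_gid=B-942&google_push=p-c09e"),
]

def classify_params(capture):
    """Classify each query parameter by how far its values are shared.

    buyer-specific    : no value is seen by more than one buyer host
    per-load shared   : buyers see a common value, but only within one page load
    persistent shared : a common value follows the user across page loads
    """
    hosts = defaultdict(lambda: defaultdict(set))  # param -> value -> buyer hosts
    loads = defaultdict(lambda: defaultdict(set))  # param -> value -> page loads
    for load, url in capture:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hosts[name][value].add(parts.hostname)
            loads[name][value].add(load)
    result = {}
    for name, by_value in hosts.items():
        shared = [v for v, h in by_value.items() if len(h) > 1]
        if not shared:
            result[name] = "buyer-specific"
        elif any(len(loads[name][v]) > 1 for v in shared):
            result[name] = "persistent shared"
        else:
            result[name] = "per-load shared"
    return result

def buyers_sharing_value(capture, param):
    """Map each value of `param` to the buyer hosts that all received it."""
    groups = defaultdict(set)
    for _load, url in capture:
        parts = urlsplit(url)
        value = dict(parse_qsl(parts.query)).get(param)
        if value is not None:
            groups[value].add(parts.hostname)
    return {v: sorted(h) for v, h in groups.items() if len(h) > 1}

if __name__ == "__main__":
    print(classify_params(CAPTURE))
    print(buyers_sharing_value(CAPTURE, "google_push"))
```

On this capture, google_gid comes out as buyer-specific and google_push as per-load shared: it links the buyers' log lines for one auction, but does not follow the user from page to page.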

Conclusions

If the problem identified by Zach Edwards is real, it is nonetheless a shame that Brave piled up errors and attributed dishonest intent to Google over this google_push parameter. It would be more relevant to extend the criticism to the RTB mechanism itself, which is probably incompatible with the GDPR (see on this subject the ongoing investigation by the UK ICO).