As mentioned in my article on Google services that collect your personal data, Google offers multiple services capturing personal data. The general public is aware of B2C services, but is often unaware that they are also tracked by Google's advertising and analytics services on third-party sites.
Originally, the acquisition of the Doubleclick advertising tool
This generalized policing on the web and on applications started with the takeover of Doubleclick in 2008, but until 2016, Google was prohibited from associating your Doubleclick surfing data with your personal data without your positive consent.
- Here is what Google proclaimed until October 2016: “we will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent”
- Here is the new Google policy after October 2016 : "Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google."
Thanks to the Framasoft team, the remarkable study "Google data collection" was translated into French. This study indicates how Google associates your Doubleclick data with your Google personal data: if you already have a doubleclick cookie, when you log in to your Google account, you send your Google authentication token as well as your cookie to Doubleclick in the same request, which allows your data to be cross-referenced.
Can we deactivate this association?
Now let's see if you can deactivate this association via your Google account settings. Apparently yes, in Google Account > Data and personalization > Activity commands, you must uncheck “Include Chrome history and activity related to sites, applications and devices that use Google services”.
Then follow the following steps:
- Disable your adblocker
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data)
- Then surf on lemonde.fr, site using Doubleclick services (Google Ad Manager, the publisher ad server and the SSP offered by Google)
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), "Network" tab and filter on doubleclick
- Scroll on the page (lemonde.fr considers that scrolling constitutes acceptance of cookies, and then triggers advertising tracking)
- In the "Network" tab of the console, check your doubleclick cookie
Via lemonde.fr, doubleclick now follows you on the web with the “IDE” cookie:
You will now log in to your Google account:
- Go to google.com and open the Chrome console
- Log in and filter the Chrome console on doubleclick
Google sends doubleclick your authentication token as well as your doubleclick "IDE" cookie, allowing your pseudonymized Doubleclick data to be associated with your Google personal data. But unlike the "Google Data Collection" report, you have unchecked the inclusion of activity related to sites that use Google services. Why does Google still make this association?!
Doubleclick saves this association in a new cookie, “DSID”:
Let's see what Google says about this cookie in its privacy policy : "We also use cookies called “AID”, “DSID” and “TAID” to track your cross-device activity when you are already signed into your Google account from another device. We do this to coordinate the ads you see across devices and measure conversion events.".
In fact, Google is more vocal about online help for its B2B tools:
- Google Analytics : "When users enable ad personalization, Google can get an overview of their interaction with an online property across different browsers and devices. For example, this allows you to analyze how users browse products on your site on their phone, then return later to make a purchase via their tablet or laptop. With the large volume of data generated by users who have enabled ad personalization, Google can produce estimates about the cross-device behavior of your entire user base."
- Doubleclick Campaign Manager (its advertising server) : "Cross-environment conversion reporting combines cookies (for web), resettable device IDs (for mobile apps), and anonymous Google logins to identify a user across environments."
If you want to object to this “multi-device” tracking, it’s complicated. You can therefore disable ad personalization : "These cookies may come from the websites google.com/ads, google.com/ads/measurement, or googleadservices.com. If you do not want the ads you see to be coordinated between your devices, you can opt out of Ad Personalization in Ads Settings".
This will allow you to disappear from Google Analytics reports but apparently not from Doubleclick Campaign Manager reports.
Conclusions
This test makes us doubt the respect given by Google to your choices regarding your personal data:
- You can uncheck "Include Chrome history and activity from sites, apps, and devices that use Google services", but Google will still send your authentication token to Doubleclick, allowing your pseudonymized data to be associated with your personal data. How can you control that Google does not actually associate your data? Except through an internal audit, this is currently impossible.
- Doubleclick tracks you on all your devices when you are connected to your Google account using the "DSID" cookie; your Google account settings can't do anything about it.
- If you want to stay logged into your Google account, the most direct option to stop this cheating is to install an adblocker.