Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.

New evidence submitted to an investigation by the Data Protection Commissioner, which oversees Google’s European business, accused the US tech company of “exploiting personal data without sufficient control or concern over data protection”.

The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.

The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.

Identifying tracker

Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.

Using the tracker from Google, which is based on the user’s location and time of browsing, companies could match their profiles of Mr Ryan and his web-browsing behaviour with profiles from other companies, to target him with ads.

Mr Ryan found six separate pages pushing out his identifier after a single hour of looking at websites on Google’s Chrome browser. The identifier contained the phrase “google_push” and was sent to at least eight adtech companies.

“This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it’s blank, has no content, but allows ... third parties to snoop on the user and the user is none the wiser,” said Mr Ryan. “I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”

Co-operating

A spokesperson for Google said the company had not seen the details of the information sent by Mr Ryan to the regulator and that it was co-operating with investigations in Ireland and the UK into its advertising business. The spokesperson added: “We do not serve personalised ads or send bid requests to bidders without user consent.”

By providing potential buyers with such a granular level of targeting, Google could gain a significant competitive advantage over other companies that run advertising auctions, according to marketing executives.

Mr Ryan’s experiment was reproduced by adtech analyst Zach Edwards, who runs technical consulting firm Victory Medium, after being commissioned by Brave. He recruited hundreds of people to test Google’s behaviours over a month. They found that the identifier was indeed unique and was shared between multiple advertising companies to enhance their targeting abilities.

Google’s own rules prohibit ad buyers from matching disparate profiles on the same user. On September 5th, 2018, Google announced it would no longer share encrypted cookie IDs in bid requests with buyers in its Authorized Buyers marketplace, “as part of our ongoing commitment to user privacy”. Mr Ryan’s analysis also found that Google continued to share these with ad firms.

Ioannis Kouvakis, legal officer at Privacy International, said Google had a dominant position in online advertising and that it should let users know what data the tracking identifier is collecting. “Google needs to lead by example,” he added.

– Copyright The Financial Times Limited 2019