How Google uses secret websites to track you online

A smartphone lying on a table in the dark, displaying the logo of the Google

Brave is one of the many privacy-focused web browsers which is taking on Google’s internet monopoly. It, therefore, goes without saying that it is in their interests to reveal the true extent that Google hoovers up user data to sell to advertisers.

This is exactly what they have been doing and their bombshell findings, which have been revealed in a complaint lodged with the Irish Data Protection Commission make for deeply concerning reading.

How Google is dodging GDPR rules

Essentially, Brave has discovered how Google is getting around the EU’s new General Data Protection Regulations (GDPR).

They have examined how Google’s advertising system known as Authorised Buyers (and formerly called DoubleClick) worked.

Brave’s Chief Policy Officer, Johnny Ryan, conducted the research. He used Google’s Chrome browser on a clean device with no logins, cookies, or browser history.

What he found was the Google was generating hidden webpages with a unique address. These webpages acted as an identifier and Google used them, along with cookies, to track his activity on the web.

According to Ryan, after browsing the internet for an hour, he discovered that Google had created 9 such pages about him, with 11 more duplicate pages being set up to transfer data about him.

Google’s new way of tracking you

While he couldn’t see precisely what data these pages contained, he speculated that they could have contained such details as age, gender, interests, social media usage, ethnicity, or political affiliation.

Ryan found evidence that the identifiers were used a total of 278 times. Eight other companies were also active on at least one of these pages which suggests that advertisers were getting real-time access to the information they contained.

Why would Google be using this method? According to Brave, it is likely to be a way for Google to get around GDPR requirements. Under those regulations cookies (which are the most common way of tracking users internet habits) require permission from users before they can be used. These pages do not.

This is a technical issue which it would be easy for some people to dismiss, so it is important to put it into some kind of context.

As Brave have noted in their complaint, Google’s Authorised Buyers system is used on more than 8.4 million websites. It shares information about visitors to these sites to more than 2,000 different companies and data is being transmitted hundreds of billions of times every day. It is also responsible for a significant chunk of Google’s substantial profits.

If Google is breaking EU law and in doing so infringing user privacy, it is likely that every single person reading this article is affected.

Google’s flat denial

Google, inevitably, has strongly denied the claims. They have claimed in the past that they no longer share data with advertisers that could help them identify individual users.

Speaking to the Register, Google argued that these pages were used to measure website latency and not as an identifier.

It has issued a dismissively short statement in response to the allegations. In it, Google claims, “We do not serve personalised ads or send bid requests to bidders without user consent.”

“The Irish Data Protection Commission – as Google’s lead data-protection authority – and the UK Information Commissioner’s Office are already looking into real-time bidding in order to assess its compliance with GDPR,” it added. “We welcome that work and are co-operating in full.”

This is all well and good, but it hardly sits comfortably alongside Google’s recent attempts to rebrand themselves as a privacy-friendly business.

Meanwhile, Brave stood by its findings.

Ryan said in a statement, “the evidence we have submitted… proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent.”

What now?

The complaint which Brave has submitted to the Irish Data Protection Commission will now be considered.

If Google is found to be in breach of GDPR. It is likely to face a hefty fine. Given that Google’s profits are in the billions of dollars, this is unlikely to ruffle their feathers too much.

As we reported earlier this week, they have just been fined a whopping $200 million in the USA for YouTube’s violations of that country’s children’s privacy laws. But campaigners argue that huge fine is not nearly enough to deter Google from offending again.

If they are ordered to stop using the practice, which is possible, this could have severe implications for their profit margins.

But, as cybersecurity expert Dr. Alan Woodward told the BBC, “If that method is taken away, they will work out new ways.”

Data capitalism is still alive and well and Google remain its chief proponents.

David Spencer

Author: David Spencer

David is VPNCompare's News Editor. Anything going on in the privacy world and he's got his eye on it. He's also interested in unblocking sports allowing him to watch his favourite football team wherever he is in the world.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter

Get the latest privacy news, expert VPN guides & TV unblocking how-to’s sent straight to your inbox.