Google has been accused of using hidden webpages that are assigned to users to provide more information to advertisers about their every move online.
The allegation has been added to a complaint lodged with the Irish Data Protection Commission.
The tech firm insists it acts in accordance with EU privacy laws.
It comes a day after Google was fined $170m (£138m) by a US watchdog for illegally capturing data from children and targeting them with adverts.
What is Google being accused of?
Privacy-focused web browser Brave has published details of an investigation it conducted into a Google ad system known as Authorised Buyers, which was previously known as DoubleClick.
It sent the findings to the Irish data commissioner as a supplementary part of a complaint filed last year.
Chief policy officer Johnny Ryan used Google’s Chrome browser to conduct his research. He had no logins, cookies or browsing history on the device so was, in effect, a new user.
He said he discovered hidden webpages that had a unique address. It acted as an identifier, which was unique to him. This so-called pseudonymous marker, when combined with cookies, can help track user activity across the web, he claims.
Cookies – small pieces of code that are embedded in websites and downloaded to devices to track how users browse the net – require permissions from the user to be used, which the hidden webpage does not.
Over the course of just one hour of web browsing, he said, Google created at least nine of these pages and 11 duplicate pages that transferred data about him.
That data was not seen by him but could have included information about income, age and gender, habits, social media usage, ethnicity or political affiliation, he said.
Eight companies other than Google were active on one or more of these pages and the identifiers for him were used 278 times, he found.
Brave claims that Google is using these push pages as a workaround to GDPR – the General Data Protection Regulation privacy law, which aims to give users far greater control of their data.
Google has previously said that it no longer shares unique identifiers that could help companies link an individual to their own internal profiles.
The question for the commissioner will be whether these webpages help advertisers build detailed profiles of web users and whether that is against the principles of GDPR.
Google told The Register news site that the pages were used to measure website latency and not as an identifier.
This sounds complicated. Why should I care?
There is an old adage that online “if you aren’t the paying customer, you are the product”.
The trade-off for free information and communication is paid for with our data. But are the methods by which the advertising industry accumulate this data becoming more sophisticated, more opaque and more invasive?
Frederike Kaltheuner, from Privacy International, thinks so.
“On the surface, online advertising sounds like a great deal for everyone; people can use websites and services for free, publishers, website and app developers can monetise their products and advertisers can reach their audiences,” she says.
“But here is the catch: over the past decade targeted advertising has become exponentially more invasive.”
Now thousands of companies know your identity, not by your name, photo or address but by what you do online. And, say some, these online profiles often reveal extremely private information about you.
“If you’re reading an article about erectile dysfunction, depression or self-harm, chances are high that this will be broadcast to thousands of companies,” Ms Kaltheuner says.
How does this happen?
Google’s advertising system is present on 8.4 million websites and increasingly it relies on a system known as real-time bidding (RTB), a type of online advertising that allows all the details of what people are doing online to be auctioned in real time in order to serve them targeted adverts.
Through RTB, large amounts of personal data exchanges hands between a large number of players a billion times a day, in transactions that take milliseconds, a bit like algorithmic trading in the financial markets but with data as the prize.
When a person visits a website which displays advertisements via RTB, a request to serve them an ad is sent to an ad exchange which broadcasts what they are doing to hundreds of ad buyers. They then hold an auction and bid to serve them ads.
The industry is worth billions of pounds.
How has Google responded?
Its statement is short.
“We do not serve personalised ads or send bid requests to bidders without user consent,” it says.
“The Irish Data Protection Commission – as Google’s lead data-protection authority – and the UK Information Commissioner’s Office are already looking into real-time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”
Is this new?
How RTB worked and the method of matching cookies to profiles was first explained by researcher Lukasz Olejnik in his paper How much are we worth?, written five years ago.
“Each time we browse the web, we are being evaluated in real-time by complex systems that allow advertisers to decide your value to them and bid for your private data in order to display advertisements on the sites you visit,” he wrote.
Mr Olejnik also linked to Google’s own developer website, where it details the practice.
And Google itself is perfectly open about cookie matching, which it describes as an industry-wide practice.
The big question is whether how it is facilitating RTB and cookie matching is in line with GDPR and the protection of user’s data.
What happens next?
If the Irish data commissioner finds Google in breach of GDPR, it will face another hefty fine. And if it is ordered to change its practices, it could be damaging for its ad business.
Computer security expert Prof Alan Woodward said, however: “If that method is taken away, they will work out new ways such as fingerprinting, where browsers sends lots of information about the devices we are on and that can be put together to create a unique profile of us.”
“Marketers know far more about you than the security services.”
What can I do?
For those worried about exactly how much information they are giving away, the website Panopticklick, an Electronic Frontier Foundation research project, can reveal the extent to which your browsing is being tracked.