Google accused of circumventing the GDPR in the context of RTB
On September 4, 2019, Brave, the company behind the browser of the same name, accused Google of causing a massive leak of personal data through its Ad Exchange, Authorized Buyers (formerly Google AdX). Brave managed to get strong media coverage, in particular from the Financial Times (see Google accused of secretly feeding personal data to advertisers and How Google feeds your data to advertisers). The details of these accusations form part of a complaint being investigated by the Irish data protection authority, accusing Google of circumventing the GDPR.
It is good to see the problems caused by RTB denounced by mainstream media, because adtech is an extremely complex field, well understood by only a few insiders. Unfortunately, Brave's accusation contains many errors, making it easy for Google to dismiss.
Brave's errors stem from a misunderstanding of RTB
Let's analyze the press release in detail: it begins with a fanciful figure put forward by Johnny Ryan (Brave's Chief Policy & Industry Relations Officer):
Google’s “DoubleClick/Authorized Buyers” ad system is active on 8.4+ million websites.
This figure is based on an analysis by a third-party site that counts the number of websites calling a DoubleClick tracker (DoubleClick is the advertising company owned by Google). However, these trackers are not used only for Google Authorized Buyers, Google's Ad Exchange aimed at large professional sites. They are also used for other tools, such as Google's RTB buying platform (DSP), called DV360, as well as Google Analytics or Google AdSense. The number of Authorized Buyers customers is not publicly known, but it is considerably lower.
The press release continues with an inaccuracy:
Google claims to prevent the many companies that use its real-time bidding ad (RTB) system, who receive sensitive data about website visitors, from combining their profiles about those visitors.
Google's documentation says something significantly different:
Google prohibits multiple buyers from joining data they receive from the Cookie Matching Service.
Google therefore prohibits its partners from combining their data, but does not claim to technically prevent them from doing so (this touches on a problem intrinsic to RTB: an Ad Exchange cannot control how personal data transmitted to partner buying platforms will then be handled by those platforms).
The press release then claims to reveal that Google betrayed a previous promise, after saying in October 2019 that it would stop sharing pseudonymous identifiers in RTB:
It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.
However, Google's announcement did not say it would stop sending pseudonymous identifiers in RTB requests (requests sent by Google in real time to buying platforms when you browse the web). It referred instead to removing these pseudonymous identifiers from consolidated files sent afterwards to buying platforms (“Data Transfer files”):
We removed encrypted cookie IDs and list names (if used) from the Data Transfer file for all global bid requests to Authorized buyers.
These files, usually exchanged daily, contain additional information such as the winner of the auction, the effective selling price of the advertising opportunity, etc.
The accusation
Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers.
Here, Brave seems to discover how RTB works, even though it has been well documented for many years by Google and by many players in the field.
The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.
Here we come to the new element revealed by Brave. What exactly is it?
All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.
Google would therefore send the same personal identifier (google_push) to all buying platforms, which would then allow those platforms to exchange the information they respectively hold on users.
Sharing personal identifiers is inherent to RTB
Here it is important to pause: for RTB to work, the Ad Exchange (the selling platform, also called an SSP) synchronizes its user identifiers with its partner buying platforms. The problem noted by Brave is widespread and inherent to RTB. To limit this problem, Google sends different user identifiers to each buying platform (to my knowledge, other SSPs do not take these precautions):
For buyers, Google identifies users using a buyer-specific Google User ID consisting of an encrypted version of the doubleclick.net cookie, derived from but not equal to that cookie.
So since RTB has existed, buying platforms have been able to collude and exchange their own personal data to enrich their databases. This requires entering into agreements with competitors, and taking a huge legal risk, but it is indeed theoretically possible.
A circumvention of the GDPR by Google?
So what is this personal “google_push” identifier sent by Google to its partner purchasing platforms? Brave indicates that this is a circumvention introduced by Google, in reaction to the GDPR.
Push Pages therefore appear to be a workaround of Google’s own stated policies for how RTB should operate under the GDPR.
This is also the argument made by Zach Edwards, the researcher commissioned by Brave for the investigation.
A simple search in the Google Authorized Buyers online help shows that the google_push parameter already existed in April 2013, which undermines the circumvention argument (the GDPR came into force on May 25, 2018):
Starting in mid-April, we will begin assigning a URL-safe string value to the google_push parameter in our pixel match requests and we will expect that same URL-safe string to be returned in the google_push parameter you set. This change will help us with our latency troubleshooting efforts and improve our pixel match efficiency.
The google_push parameter is therefore used by Google to diagnose latency problems, not to track users.
Does this “personal identifier” allow buyers to share user information?
Here too, we can look at Zach Edwards' communication:
It therefore turns out that this "personal identifier" is not personal (it would be useless for that purpose because Google's goal is to measure latency; it is an identifier that changes with each page load). But theoretically, Google's partner DSPs that have competed for the same advertising opportunity can indeed share their logs in order to enrich the information they hold on users.
Conclusions
If the problem identified by Zach Edwards is real, it is a shame that Brave multiplied the errors and attributed dishonest intent to Google over this google_push parameter. It would be more relevant to broaden the criticism to the RTB mechanism itself, which is probably incompatible with the GDPR (see, on this subject, the ongoing investigation by the UK ICO).