
Google’s GDPR Workaround

1868 points | donohoe | 6 years ago | brave.com

588 comments

[+] bluesign|6 years ago|reply
I checked the sample log provided.

Below is the google_gid for different publishers; there is no proof of overlap, they have a different google_gid for the same person. Which is exactly what Google describes. [1]

I don't understand what Brave claims.

  d.agkn.com                CAESEP-S3Zs5f0_kq11XTCZP_mE
  id.rlcdn.com              CAESEPpf2T4-2AsAR_4rer3RfNs
  image6.pubmatic.com       CAESEB9H3qdV26kxEiz-BJ_TY-M
  pippio.com                CAESEJyqG1Pg1j-_scqW8kDzTkg
  token.rubiconproject.com  CAESEE1DyZ245WggYaQZEWpQWI8
  us-u.openx.net            CAESEPIJ9jHcY2j4jK3-DPmfar4
[1] https://developers.google.com/authorized-buyers/rtb/cookie-g...
[+] mintplant|6 years ago|reply
This log [0], right? Did you miss in the article that it's the `google_push` identifier that's being used for syncing between adtech companies? If you search for it (AHNF13KKSmBxGD6oDK9GEw5O0kvgmFa3qM30zpNaKl72Og), you can see it being included in requests to lots of different adtech firms' domains.

[0] https://brave.com/wp-content/uploads/files_2019-9-2/sample_p...
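The check the two comments above are arguing over can be automated. The script below is an added example, not code from Brave's report or from Google's documentation: it reads a request log in a constructed "host path?query" format (the paths and the `google_cver` parameter are assumptions; the `google_gid` values are the six quoted above and the `google_push` value is the one mintplant searched for), then reports which parameter values were sent verbatim to two or more distinct adtech hosts, since any such value is a key those hosts can use to match profiles, and which parameters stay unique per host, the per-bidder pattern the cookie-matching docs describe.

```python
"""Find identifiers broadcast to many adtech hosts in a cookie-sync request log.

Added example for this thread; the SAMPLE_LOG lines are constructed, one request
per line as "<host> <path-and-query>", to mirror the sample log under discussion.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

GOOGLE_PUSH = "AHNF13KKSmBxGD6oDK9GEw5O0kvgmFa3qM30zpNaKl72Og"

# Constructed: paths and google_cver are assumed, the id values come from the thread.
SAMPLE_LOG = f"""\
d.agkn.com /sync?google_gid=CAESEP-S3Zs5f0_kq11XTCZP_mE&google_push={GOOGLE_PUSH}&google_cver=1
id.rlcdn.com /sync?google_gid=CAESEPpf2T4-2AsAR_4rer3RfNs&google_push={GOOGLE_PUSH}&google_cver=1
image6.pubmatic.com /sync?google_gid=CAESEB9H3qdV26kxEiz-BJ_TY-M&google_push={GOOGLE_PUSH}&google_cver=1
pippio.com /sync?google_gid=CAESEJyqG1Pg1j-_scqW8kDzTkg&google_push={GOOGLE_PUSH}&google_cver=1
token.rubiconproject.com /sync?google_gid=CAESEE1DyZ245WggYaQZEWpQWI8&google_push={GOOGLE_PUSH}&google_cver=1
us-u.openx.net /sync?google_gid=CAESEPIJ9jHcY2j4jK3-DPmfar4&google_push={GOOGLE_PUSH}&google_cver=1
"""


def parse_log(text):
    """Return [(host, [(param, value), ...]), ...], one entry per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, path = line.partition(" ")
        query = urlsplit(path).query
        records.append((host, parse_qsl(query, keep_blank_values=True)))
    return records


def value_fanout(records, min_len=16):
    """Map param -> value -> set of hosts that received exactly that value.

    Short values (flags and versions such as google_cver=1) are skipped: they are
    identical everywhere but carry no entropy, so they cannot join two profiles.
    """
    fanout = defaultdict(lambda: defaultdict(set))
    for host, params in records:
        for param, value in params:
            if len(value) >= min_len:
                fanout[param][value].add(host)
    return fanout


def shared_identifiers(records, min_hosts=2, min_len=16):
    """Identifier values sent verbatim to min_hosts or more distinct hosts.

    Every value reported here is a join key those hosts share for one user.
    Returns {param: {value: sorted list of hosts}}.
    """
    out = {}
    for param, values in value_fanout(records, min_len).items():
        hits = {v: sorted(h) for v, h in values.items() if len(h) >= min_hosts}
        if hits:
            out[param] = hits
    return out


def per_host_identifiers(records, min_len=16):
    """Params whose every value reaches exactly one host (per-bidder ids).

    Returns {param: {value: host}}; a param with even one cross-host value is left out.
    """
    out = {}
    for param, values in value_fanout(records, min_len).items():
        if all(len(hosts) == 1 for hosts in values.values()):
            out[param] = {v: next(iter(h)) for v, h in values.items()}
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for param, hits in shared_identifiers(recs).items():
        for value, hosts in hits.items():
            print(f"{param}={value} reached {len(hosts)} hosts: {', '.join(hosts)}")
    for param, values in per_host_identifiers(recs).items():
        print(f"{param}: {len(values)} distinct values, each sent to a single host")
```

On the constructed input `google_gid` lands in the per-host set (six values, one per host) while `google_push` is flagged as reaching all six hosts, which is the distinction the thread is drawing. Run it against a real HAR export by emitting one "host path?query" line per request; the length threshold is the one knob worth tuning, since a short but high-entropy token would be missed.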

[+] ggg3|6 years ago|reply
Which is the "workaround" to the GDPR the article badly describes (probably because Brave's upcoming ad network will do the same, but more workaroundily).

Now those are used to match a 3rd-party id. You just need a gdpr_workaround schema in your database with two columns, user-id and google-random-id, with N-1 records indexed both ways.

GDPR has restrictions on pinpointing a single person. This is effectively doing that, but claims it is not, because random ids. Apple is just a little better with how device-advertiser-id works.

[+] joefkelley|6 years ago|reply
I'm an engineer who has worked on ad systems like this and I'm really struggling to make sense of this article - what hope does a layman have?

Here's my understanding: Google runs real-time bidding ad auctions by sending anonymized profiles to marketers, who bid on those impressions. The anonymous id used in each auction was the same for each bidder, which is in violation of GDPR. If Google were to send different ids for each bidder, it would be ok? Is this correct?

Why would it matter that the bidders are able to match up the IDs with each other, aren't they all receiving the same profile anyway? Wouldn't privacy advocates consider the sending of the profiles at all an issue?

[+] avanderveen|6 years ago|reply
This is a problem because companies can use this ID to correlate private user data, without anyone's knowledge or consent.

There are companies that specialise in sharing user information. Some of them work by only sharing data with companies that first share data with them (an exchange).

If you got this Google ID, and you had a few other pieces of information about the user, you could share that data with an exchange, indicating that the Google ID is a unique identifier. Then, the exchange would check if it has a matching profile, add the information you provided to that profile, and then return all of the information they have for that profile to you.

So, let's say you're an online retailer, and you have Google IDs for your customers. You probably have some useful and sensitive customer information, like names, emails, addresses, and purchase histories. In order to better target your ads, you could participate in one of these exchanges, so that you can use the information you receive to suggest products that are as relevant as possible to each customer.

To participate, you send all this sensitive information, along with a Google ID, and receive similar information from other retailers, online services, video games, banks, credit card providers, insurers, mortgage brokers, service providers, and more! And now you know what sort of vehicles your customers drive, how much they make, whether they're married, how many kids they have, which websites they browse, etc. So useful! And not only do you get all these juicy private details, but you've also shared your customers sensitive purchase history with anyone else who is connected to the exchange.
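The two-column mapping table ggg3 describes and the profile exchange described above are the same mechanism, and a short database demo makes the point concretely. This is an added example, not code or data from the thread or from any exchange: two parties (a retailer and an insurer, both constructed) each keep their own customer table plus an id-mapping table indexed both ways. When both parties hold the same value for a user (here the `google_push` string from the sample log), a join lines their records up; when each party holds only its own per-bidder value (two of the `google_gid` strings above), the same join returns nothing. All customer rows and the second pair of ids are constructed.

```python
"""Profile matching through a shared id versus per-bidder ids (added example).

Two constructed parties each keep their own customers plus an id-mapping table
with one row per customer, indexed both ways as ggg3's comment describes.
"""
import sqlite3

# The value both parties received in the sample log, and the per-bidder values.
SHARED_ID = "AHNF13KKSmBxGD6oDK9GEw5O0kvgmFa3qM30zpNaKl72Og"
RETAILER_GID = "CAESEP-S3Zs5f0_kq11XTCZP_mE"
INSURER_GID = "CAESEPpf2T4-2AsAR_4rer3RfNs"
# Constructed ids for a second user who only one party has seen.
OTHER_SHARED_ID = "QkXm2Lw7PzVt8Rh3YnFc5JdA1Se6Go4Uv0Ib9Xq2Wa"
OTHER_RETAILER_GID = "CAESEQx7Kp2Vn9Rt4Ws6Yz1Ba3Cd"
OTHER_INSURER_GID = "CAESEMh5Jr8Tq1Ux3Vy6Wz2Nb4Ef"


def build_exchange():
    """Create both parties' tables in memory and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE retailer_customers(cust_id INTEGER PRIMARY KEY,
                                        email TEXT, last_purchase TEXT);
        CREATE TABLE retailer_map(cust_id INTEGER, shared_id TEXT, bidder_gid TEXT);
        CREATE INDEX retailer_by_cust   ON retailer_map(cust_id);
        CREATE INDEX retailer_by_shared ON retailer_map(shared_id);
        CREATE TABLE insurer_customers(policy_id INTEGER PRIMARY KEY,
                                       vehicle TEXT, income_band TEXT);
        CREATE TABLE insurer_map(policy_id INTEGER, shared_id TEXT, bidder_gid TEXT);
        CREATE INDEX insurer_by_policy ON insurer_map(policy_id);
        CREATE INDEX insurer_by_shared ON insurer_map(shared_id);
    """)
    db.executemany("INSERT INTO retailer_customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "car seat"),
        (2, "bob@example.com", "running shoes"),
    ])
    db.executemany("INSERT INTO retailer_map VALUES (?, ?, ?)", [
        (1, SHARED_ID, RETAILER_GID),
        (2, OTHER_SHARED_ID, OTHER_RETAILER_GID),
    ])
    db.executemany("INSERT INTO insurer_customers VALUES (?, ?, ?)", [
        (7, "minivan", "60-80k"),
        (8, "motorcycle", "20-40k"),
    ])
    db.executemany("INSERT INTO insurer_map VALUES (?, ?, ?)", [
        (7, SHARED_ID, INSURER_GID),
        (8, "Zp4Lm9Qw2Rt7Yv1Xn6Kc3Jd8Hb5Ga0Fe2Se4Ui", OTHER_INSURER_GID),
    ])
    db.commit()
    return db


def merge_profiles(db, key):
    """Join the two parties' customer data through the id column `key`.

    `key` is whitelisted (it names a column, so it cannot be bound as a
    parameter).  Returns [(email, last_purchase, vehicle, income_band), ...].
    """
    if key not in ("shared_id", "bidder_gid"):
        raise ValueError("key must be shared_id or bidder_gid")
    return db.execute(f"""
        SELECT r.email, r.last_purchase, i.vehicle, i.income_band
        FROM retailer_customers r
        JOIN retailer_map rm ON rm.cust_id = r.cust_id
        JOIN insurer_map im ON im.{key} = rm.{key}
        JOIN insurer_customers i ON i.policy_id = im.policy_id
        ORDER BY r.cust_id
    """).fetchall()


if __name__ == "__main__":
    db = build_exchange()
    print("joined on the shared id:", merge_profiles(db, "shared_id"))
    print("joined on per-bidder ids:", merge_profiles(db, "bidder_gid"))
```

The shared-id join returns Alice's email and purchase next to her vehicle and income band; the per-bidder join returns no rows, because neither party ever saw the other's `google_gid`. Note that the blocking works only as long as no other common value (the `google_push` string, an IP, a hashed email) is present for the parties to fall back on.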

[+] aeorgnoieang|6 years ago|reply
> Why would it matter that the bidders are able to match up the IDs with each other, aren't they all receiving the same profile anyway?

I would guess that yes, they're all receiving – _from Google_ – the "same profile" but they also are collecting additional info that they can then share with each other and, because they can match profiles exactly, they can access each other's info about specific people.

> Wouldn't privacy advocates consider the sending of the profiles at all an issue?

I'd imagine that the profile Google has and shares is by itself fairly anodyne, but I could be (very) wrong about that. The problem seems to be more (if not entirely) that different advertisers can share info using a common profile ID.

I'd imagine that even a single advertiser would be able to perform a similar 'attack' by, e.g. running multiple different campaigns, but I may be misunderstanding exactly what info is being shared. It's possible advertisers are able to match the Google profiles to specific unique identities and thus are sharing much more than just the info they're collecting directly from their ads.

[+] Despegar|6 years ago|reply
The answer is: RTB is illegal and we're just waiting for the courts to decide on it.
[+] whamlastxmas|6 years ago|reply
Are they maybe only receiving a partial profile, with info relevant to that ad buy? And by compiling that data with the unique identifier, they can match it with other partial data from other ad buys?
[+] gtallen1187|6 years ago|reply
I'm glad this story was reported, and I'm thankful to the author for putting in the work required to report this story. But after the first five paragraphs, the author's shameless, repetitive self-promotion and insistence on referring to himself in the third person almost made this unreadable.

The headline was enough to pique my curiosity to explore Brave's product offering. Unfortunately, actually reading the article had the exact opposite effect.

[+] dvcrn|6 years ago|reply
I thought the exact same thing after reading the first few paragraphs but didn't even notice that the author IS Johnny Ryan, the person mentioned in the story, until you pointed it out.

I didn't make it to the end, closed the tab and went over to HN comments for a summary.

[+] rtbthrowaway|6 years ago|reply
I've worked in the sector for years and honestly thought this was well documented, common knowledge: https://developers.google.com/authorized-buyers/rtb/cookie-g...

The only thing Google did in regards to GDPR was limit the number of parties in RTB they're including by default for syncing to a "trusted set" of parties.

[+] annoyingnoob|6 years ago|reply
I think the silent/invisible nature of cookie sync'ing is what upsets people when they discover it.

The diagrams in your link show a single hop for the 302; in my experience that can be many hops going between different advertisers. The same thing happens on non-Google platforms, like TradeDesk and others.

The sync scenario can make it next to impossible to delete cookies when those cookies can be rebuilt using data from others.

[+] teamspirit|6 years ago|reply
I think the HN community, and most consumers, tend to look at things from only one angle. Imagine you start work at some small shop that manufactures widgets for consumers. What would you do when you have to advertise your product? You'd have to turn to Google or a similar company. Are there any real alternatives? (I am asking because I really want to know)

I say this because I am in this position now. I have to figure out how to advertise my company's products and am torn on how to go about it.

[+] drusepth|6 years ago|reply
The alternative is to spend hundreds of hours finding widget-related websites, trying to contact the owner(s), negotiating what ad spots are available, what ads are acceptable to run, and what pricing/terms will work for both parties, then managing that relationship over time to ensure ads are actually being displayed, being paid on time, contracts renewed, etc.

It's definitely possible, but you're just doing everything manually that ad networks do for you. Whether that is worth your time (or worth it to hire someone to do this kind of thing for you...) is up to you.

[+] pornel|6 years ago|reply
You advertise on a website for widget fans. That's how it successfully worked for a long time.

The whole targeted advertising is to allow adtech companies to identify users of the "widget fans" site, and then advertise to the same people, but on another, cheaper site.

[+] dleslie|6 years ago|reply
For actual, physical widgets the traditional advertising markets still work: trade magazines and trade shows. Contacting vendors who specialize in your market of interest and running promotions with them also works.

However, it's all a whole lot more expensive and effortful than running some Google ads.

[+] aledalgrande|6 years ago|reply
You find your audience and you target them directly.
[+] JohnFen|6 years ago|reply
I've started a few successful businesses, and all I can say is what's worked for me.

I've never needed to turn to Google or other ad-slingers. Instead, I've done things the old-fashioned way, by going to where my potential customers tend to congregate and engaging with them (this kickstarts word-of-mouth, which is still the best advertising you can get), hosting my own online forums for customers, going to trade shows as appropriate, and supplementing everything with a few direct-placement ads in carefully selected media.

Yes, it's more work -- what Google et al. are actually selling you is convenience, after all. But the rewards in terms of ROI as well as fostering a real community, complete with evangelists, are more than worth it to me.

Of course, ymmv.

[+] sailfast|6 years ago|reply
Online shop only, or brick and mortar?

Trade "print" media with an online presence. Online media that doesn't sell all their pixels to Google? Radio, depending on your audience and required reach? Forums specific to your audience that don't sell all their pixels to Google. Podcasts. Submarine articles in the trades? Open source ad networks that don't embed insanity or real-time bidding?

Mostly, I would try to target your initial audience as precisely as possible where they live, rather than with a wide net. Perhaps a Google search returns results for top websites dealing with your product - if they are not vendors, then perhaps you advertise on that site?

Disclaimer: I'm not a growth hacker, but I've thought about these things and run a couple of poor Facebook campaigns for a brick and mortar business.

[+] harry8|6 years ago|reply
Look for genuine, verified success marketing stories for people in similar positions and follow similar strategies.

I've personally never heard of a success story for what you describe that involves paying google. But maybe they exist and they're just keeping it quiet?

[+] gregknicholson|6 years ago|reply
Surely Google has an obvious competitor, right? Because otherwise it would clearly be a monopoly.
[+] cj|6 years ago|reply
Snippets from the article:

> The evidence further reveals that Google allowed [...]

> Google has no control over what happens to these data once broadcast [...]

Is it possible that Google does have "control" over the data after broadcast, albeit legal control via contracts with advertisers (as opposed to technical control)?

Perhaps Google's GDPR compliance strategy relies on the participating advertisers to comply with their contract with Google. If that assumption is accurate, perhaps Google's advertisers are in breach of their contract with Google which makes it appear as though Google itself is in breach?

I could be off-base, the details in the article aren't incredibly clear to me.

(For the record, I don't like Google's business model and I don't like Google's pervasive tracking -- I'm playing devil's advocate to better understand the issue)

[+] csours|6 years ago|reply
Do they have to prove that the RTB ID can be used to retrieve PII? Or only that the RTB ID is correlated with personally protected information?

Is it enough that a RTB ID is pseudo-anonymous? (it always identifies the same person, but cannot be used to find that person's real information) - OR - is a RTB ID not even pseudo-anonymous?

[+] hexadec|6 years ago|reply
This is some great work on tracking down all of these measures to track users. I really hope we get to the point where dumb ads rule the web once more. Hopefully this results in more than a slap on the wrist, but I doubt it.
[+] intopieces|6 years ago|reply
Why should ads rule the web at all? Surely the cleverest engineers to walk the planet can come up with a new way of making money that doesn’t involve psychological manipulation.
[+] matempo33|6 years ago|reply
Sad that Brave did not do their work correctly: the google_push parameter they are talking about is not an identifier. Otherwise it's true that RTB should not exist and violates GDPR, but it's so complex that even Brave was not able to correctly state the workflow.

See their release note (15 April 2013); https://developers.google.com/authorized-buyers/rtb/relnotes

“Starting in mid-April, we will begin assigning a URL-safe string value to the google_push parameter in our pixel match requests and we will expect that same URL-safe string to be returned in the google_push parameter you set. This change will help us with our latency troubleshooting efforts and improve our pixel match efficiency.”

[+] mintplant|6 years ago|reply
Okay, but the `google_push` parameter seems to be the same for all adtech providers swarming on the same user in the same RTB session. Nothing in your comment contradicts the claim that this allows them to sync up profiles for that user across providers, in the way that the switch to per-provider `google_gid` values supposedly blocks.
[+] notatoad|6 years ago|reply
Can somebody explain in simple terms what Brave is actually accusing Google of doing? The article seems to be written in a way that matches the language of the GDPR legislation, instead of language actually meant to be read by people, and I can't figure out what the "workaround" actually is.
[+] unityByFreedom|6 years ago|reply
Agreed, this is so wordy, this is what I got,

> Google claims to prevent the many companies ... from combining their profiles about those visitors

> Brave’s new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

BTW, many comments in here seem quick to agree w/this headline given how buried the details are. If someone has better detail, please share it.

[+] Ayesh|6 years ago|reply
It's also written in third-party speech, with emphasis on spooky details rather than technical details.
[+] DrScientist|6 years ago|reply
Are Google engineers quietly working on alternatives? What is this repo? https://github.com/PolymerLabs/arcs

Also there was an interesting story a while back about a clash between advertising and the Fuchsia engineering team https://9to5google.com/2018/07/20/fuchsia-friday-respecting-...

[+] carapace|6 years ago|reply
> Fuchsia’s engineers wanted to create a secure platform, but the advertising team, at the time, believed that privacy “goes against everything [they] stood for.”
[+] crtlaltdel|6 years ago|reply
brave is incentivized to push this narrative, accurate or inaccurate as it may be. i am not ad-tech guru, nor digital marketer. i do know that brave's entire premise hangs on traditional ad-tech strategy remaining static, consumer sentiment around "big tech" to sour and a groundswell of "privacy focused consumers" to materialize. that groundswell is their identified target market for their product.
[+] priansh|6 years ago|reply
EDIT: since everyone seems to be mentioning the 4% rule, I'd just like to point out that I'm not denying the existence of this, just denying that it is actually effective. Google has violated antitrust before, and walked away with a "big" fine that's a slap on the wrist. They've violated GDPR before as well once or twice, and got a "record breaking" 57MM$ fine. The 4% rule exists and clearly isn't enforced well. I know a lot of people love GDPR but I would be beyond shocked if the EU actually managed to hit Google with something that sticks. I very much hope I'm proved wrong!

This sort of resolution was inevitable.

I said it before and I'll say it again: GDPR is an annoying measure for developers, small businesses and startups. It doesn't do much other than put in place so many steps that growth tools for startups become risky to use. For big businesses that (ab)use big data, it's not much of a hassle because they can afford the legal steps as well as the change in infrastructure. They can even work around it and keep abusing data without consequences.

If they're able to beat Google's lawyer army and actually prosecute them, then Google will take a whopping fine in the millions of dollars that'll be more than covered by their daily revs.

[+] mola|6 years ago|reply
The European Union has decided that growth based on clandestine tracking of users, selling their PII without consent is not a legitimate growth tool. You know, like the way we outlawed violence as a "growth tool"

Your other claims are more reasonable. But they would lead me to the conclusion we need bigger fines on bigger businesses. Not absolutely bigger, as the law already does, but relatively bigger. The more power you have to break the law, the bigger the stakes should be.

[+] ceejayoz|6 years ago|reply
> If they're able to beat Google's lawyer army and actually prosecute them, then Google will take a whopping fine in the millions of dollars that'll be more than covered by their daily revs.

This is why the 4% of global annual revenue fine option exists. A few of those add up quick.

[+] simias|6 years ago|reply
And I'm very annoyed that your initial reaction to reading this article is to blame the GDPR instead of blaming Google for these shady practices. Boycott that crap, move to other services. This shouldn't be acceptable.

I'm very happy that the GDPR exists, if only because it forced all these websites into explicitly giving me a list of the literally hundreds of partners they want to share my data with, along with a way to say "hell no". Of course Google and friends will try to work around it, but hopefully that won't come to pass and they'll have to actually bother changing their crappy business model. I think the spirit of the law is fairly clear; I wonder why Google thinks this scheme can work. Maybe they're just trying to buy some time.

As for startups that sink because they can't be bothered to sanely handle my personal data: good riddance.

[+] kd5bjo|6 years ago|reply
From my (admittedly limited) understanding, this is not actually legal under the GDPR. Certainly the alleged (but not demonstrated) behind-the-scenes trading of personal info isn’t, but the shared id is also personally-identifying information, and directly regulated.
[+] lpgauth|6 years ago|reply
I really doubt Google Adx would pass buyer_uid to buyers in EU28 countries. They were the first ones to truncate IPs in EU for privacy reasons.

We've stopped cookie matching in EU28 countries so I can't verify if they do pass the buyer_uid.

[+] amelius|6 years ago|reply
Targeted ads are already a serious leak of information.

If somebody looks over my shoulder and sees the ads presented to me, they can infer things about me.

Also, if a malicious actor targets an ad to a group of people, and some of these people buy the advertised items, then the actor can infer things about those people not necessarily related to the items sold.

[+] senegoid|6 years ago|reply
The sharing of data is what makes RTB valuable and most likely viable.

Because what Google are doing is not dissimilar to how any other RTB participant is acting, saying this is a Google workaround seems disingenuous.

Unfortunately I fear this will only embolden Google to further monopolize digital advertising.

[+] gnud|6 years ago|reply
Is it really a "workaround" if they're just breaking the law?

I mean, if the allegations are correct, Google didn't find any loophole, they're just hiding the fact that they're selling person identifiers.

[+] la_barba|6 years ago|reply
Is there any way to improve the matching of ads to the viewer without violating their privacy?
[+] fmajid|6 years ago|reply
The matching is in itself a violation of privacy, at least if you interpret the right of privacy as "The right to be left alone", as former Supreme Court Justice Louis Brandeis put it.
[+] rpastuszak|6 years ago|reply
Yes! Contextual Targeting (target based on what I am reading) could work, although the industry seems to be clinging to Behavioural Targeting (target based on who I am). This will become more important for Open Web due to the 3p cookie constraints, regulatory changes etc..., but Google/Amazon/FB are less likely to be impacted.

In fact Contextual Targeting predates the current approaches, but it became less important once advertisers/adtech companies started preaching the thinly veiled idea of using behaviourism to trigger conversions/less products.

Changes like this are slow to introduce due to technical and (mainly) structural/cultural issues in the Advertising Industry, but that’s a topic for an entire essay/series of blog posts.

Source: I work in AdTech and deal with privacy/the ethical impact of programmatic, content monetisation models. Opinions obv. mine.