In a statement via their website, Brave Chief Policy & Industry Relations Officer Dr. Johnny Ryan claims to have uncovered a way in which Google secretly feeds data to its advertisers through hidden pages.
Brave CEO Brendan Eich, who would undoubtedly love to see his established competitor tumble quickly, took to twitter:
“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control… once it was sent.” https://t.co/tAfdwni29t
— BrendanEich (@BrendanEich) September 4, 2019
Google is already facing antitrust allegations in the U.S. but will have to divide its attention with the EU after Dr. Ryan submitted the evidence to the Irish Data Protection Commission.
This isn’t the first time Brave has filed a complaint, either. Earlier this year, the fledgling browser launched a similar inquest into the practices of Google’s ad system known as the RTB (real-time bidding).
The Personal Data Exploit
The exploit was discovered after Brave commissioned a private contractor, Zach Edwards at MetaX, to analyze the browsing history of Dr. Ryan.
MetaX confirmed that Google did indeed broadcast his personal data, which allowed third-party advertisers to match their profiles and target him with ads.
Edwards and his team reverse-engineered the exploit known as cookie_push, the technicalities of which are outlined over here.
Just out from me & the team at @metaxchain – during our research for @Brave into Google’s cookie_push GDPR workaround, we found OpenX created their own workaround within Google’s cookie_push. The research is @ https://t.co/CSuMZmnjMB / We’ll have more later today🤖 pic.twitter.com/0TJQyFipxc
— ℨ𝔞𝔠𝔥 𝔈𝔡𝔴𝔞𝔯𝔡𝔰 (@thezedwards) September 4, 2019
According to the report, a Google tracker creates hidden pages that allow advertisers to eavesdrop on a user’s activity. It furthermore noted that while these third-parties had access, users were not able to view their own data.
The exploit is, according to Dr. Ryan, a clear violation of the EU’s GDPR mandate. Data rights solicitor Ravi Naik, who is acting on behalf of Dr. Ryan and Brave, was quoted as saying:
“Now our client finds seemingly clandestine profile matching by Google. Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection. Unfortunately, the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices.”
Google Looking to Diversify Away From Its Controversial Core Business
Despite the ongoing controversies, Google’s core ad business couldn’t be healthier. The company generated $32.6 billion in ad revenue in Q2 2019. That’s a mouthwatering increase of 22% from last year.
Google is clearly aware of the regulatory threat that stares down its bottom line, however. While advertising remains the largest chunk of its revenue, the company continues to diversify away from its core business:
Google collects more than 15% of its income from other sources. The company’s non-advertising revenue now exceeds $20.5 billion, giving it a hefty war chest in the battle against the authorities.