How Google uses secret 'push pages' to share personal details with advertisers

Combined with tracking cookies supplied by Google, push pages enable organisations to identify individual web browsers, claims Brave's Johnny Ryan

Johnny Ryan, the chief policy officer of browsing company Brave, this week accused Google of using secret web pages to feed users' personal data to advertisers. But how does it supposedly work?

According to Ryan, Google has been using this technique as a "workaround" of the EU's General Data Protection Regulation (GDPR). This (among other things) requires companies to show transparency in their practices, and to get the consent of users before collecting and sharing their data with third-party firms.

Real-time bidding in its current form is toxic

Ryan said that he recently conducted a test to monitor how Google traded his data on its advertising exchange, called Authorised Buyers - formerly known as DoubleClick. This ad system is currently active on more than 8.4 million websites and is used to broadcast data about visitors to more than 2,000 companies "hundreds of billions of times" a day, according to Ryan.

Google's advertising system is increasingly reliant on a real-time bidding (RTB) system - a type of online advertising that enables all the details of people's anonymised online activities to be auctioned in real time to allow advertising firms to serve targeted ads to people surfing the web.

With RTB, thousands of advertising firms receive large amounts of users' personal data billion of times in a day, in transactions that take just milliseconds to complete.

Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection

To analyse how Google shard his data with other firms, Ryan used Google's Chrome browser, with no cookies, logins, or past browsing history. After a few hours of web browsing, he discovered that Google had assigned him an identifying tracker, which was unique to him and contained information about his web browsing, location, and other data.

This pseudonymous marker, when used in combination with cookies, can help advertising firms track user activity across the web, Ryan claims.

He said he also observed that the identifying tracker assigned to him was being sent to ad firms via secret "Push Pages" showing no content.

"Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, "cookie_push.html"," Ryan wrote in an online post.

All companies that Google invites to access a Push Page receive the same identifier for the person being profiled

"Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible."

"All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This "google_push" identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other."

According to Ryan, the Push Pages, when directly accessed by a person, won't display any content. But, the information contained on those pages can be viewed by third-party companies, enabling them to match their own user profiles with those created by Google.

Ryan noticed that eight third-party firms were active on one or more of the "push pages" created by Google for him.

the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection

"Real-time bidding in its current form is toxic," said Ravi Naik, a data rights solicitor who is acting for Ryan and Brave.

"The speed and scale of the broadcast is incapable of complying with the GDPR ' s security principle. Now our client finds seemingly clandestine profile matching by Google.

"Deceptive and uncontrolled profile matching is the antithesis of the fairness and transparency principles of data protection.

"Unfortunately, the lawlessness at the heart of AdTech has begat a culture of data exploitation above data protection. The DPC must act fast to put an end to such practices," he added.

Ryan submitted its findings to Ireland's Data Protection Commission on Wednesday, as a supplementary part of a complaint filed last year. The watchdog is currently investigating whether Google uses sensitive users' data to target advertising.

Google has denied all the claims made by Ryan. The company said that it doesn't serve "personalised ads or send bid requests to bidders without user consent".