Brave Is Brave: Google Allegations

September 5, 2019

I read “Brave Uncovers Google’s GDPR Workaround.” The main point of the write up seems to be that Googlers have allegedly engineered a way to work around the GDPR privacy protections. The write up asserts:

New evidence gathered by Brave gives the Irish DPC concrete proof that Google’s ad system did broadcast personal data about Dr Ryan, which infringed the GDPR. In addition, Brave has uncovered what appears to be a GDPR workaround that circumvents Google’s own publicly stated GDPR data safeguards.

“Dr. Ryan”  is Brave’s chief policy and industry relations officer. This individual allegedly stated:

“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”

What did Google allegedly do?

First, Google allegedly used DoubleClick components. (Note: DoubleClick patents are quite interesting. You can get started on the path to grasping the nature of the systems and methods Google acquired in 2007 for about $3 billion at this link.)

We learned:

Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

We noted:

Google Push Pages are served from a Google domain ( and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible. All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The write up argues:

Brave’s evidence shows that Google’s Push Page mechanism undermines Google’s purported data protection measures. They are also vulnerable to abuse by other parties. We are aware that companies other than Google have used the Push Page mechanism to establish their own Push Pages to share data with their own business partners. This appears to happen without Google’s knowledge. The loss of control over personal data in Google’s RTB system is again evident, and it is clear that Google’s policies have provided no protection.

Let’s assume Brave’s data are accurate. Furthermore, let’s assume that the Irish Data Protection Commission integrates these data into its deliberations. What’s the outcome?

DarkCyber believes that Google’s credibility would take another hit. Fines are unlikely to apply friction to the alleged behavior. Understanding the nuances of what it means when Google operates in a way that is not easily understood by anyone other than specialists is a type of digital circumvallation. It worked for Caesar, and it seems to be working for Google. Of course, if Brave’s data are inaccurate, then Google is just another simple online outfit selling ads. Simple. Efficient. Business as usual.

Stephen E Arnold, September 5, 2019


Comments are closed.

  • Archives

  • Recent Posts

  • Meta