Google Is Accused Of Leaking Data Through A GDPR Workaround – But What’s Really Going On Here?

By Allison Schiff and James Hercher

Are Google’s cookie syncing capabilities a violation of consumer privacy or are they common industry practice? The answer to both could be “yes.”

This new data debate, which fired up the ad tech industry, was sparked Wednesday when ad browser Brave’s chief policy officer, Johnny Ryan, asserted that Google’s consent data architecture could allow partners to sync cookies with unauthorized third-party companies.

The question is whether these claims are a big deal or a big nothing burger.

For one, OpenX was the only company that’s been documented actually using Cookie Match Assist – the Google Open Bidding feature that allows partners to match their cookies with Google’s advertising ID – to sync with other vendors, said MetaX Chief Data Officer Zach Edwards, who conducted the research on behalf of Brave.

Edwards claims that OpenX’s behavior is not standard operating procedure and is enabled by a loophole in Google’s Cookie Match Assist program: specifically, that Google doesn’t audit how its partners build redirect URLs.

But, according to some industry pundits, the process being described is nothing more than run-of-the-mill cookie matching.

So, what’s going on? 

Brave describes how Google is creating iframe pages – what it calls “Push Pages” – that fire within a web browser without being visible to the user, so that partners can sync cookies with consent data.

After analyzing Chrome browsing data from more than 100 volunteers over a number of hours, Edwards identified 199 Google partners able to fire on the hidden iframe pages. These partners could then use data for advertising in Google’s GDPR compliance program.

But using iframes for cookie matching isn’t new. Google doesn’t hide the fact that its partners can cookie match or sync across sites based on a user’s browsing, and Google prohibits activities like data harvesting.

Ryan, however, argues that just because something is considered to be a standard practice, and just because Google has documented restrictions around it, “doesn’t mean it’s legitimate.”

So though the report, commissioned by Brave, doesn’t necessarily point to newly discovered malfeasance, it does surface a pertinent question that hasn’t been answered yet, which is whether cookie matching, and real-time bidding for that matter, is compatible with GDPR or not.

But there’s one other important distinction. According to Google, cookie matching is a process that only happens between itself and one additional party. The accusation is that cookie matches are actually facilitated between multiple companies, which are then able to cross-match among themselves.

What’s the actual problem?

In this way, Edwards’ research appears to show that Google’s system is vulnerable to abuse, because it allows partners to create their own URL redirects within the iframe – a box-within-a-box scenario worthy of an “Inception” sequel.

The iframe pages don’t pass a cookie, but rather the time and location of the page load. Since it fires at the same time as the normal site page, it can cross-reference consent collected by a publisher with an ad partner’s data.

Although the URLs all start with the same parameter (cookie_push.html), they’re each appended with a string of around 2,000 additional characters which transforms them, in essence, into unique identifiers.

OpenX has been creating URL redirects within the iframe to call on its own data partners after it matched with Google, thus connecting the identity match with partners that otherwise wouldn’t sync with Google’s consent data, Edwards said. The impact is hard to quantify, but it would likely help OpenX win a higher percentage of bids on Google inventory.

Edwards published a series of videos on Wednesday that claim to demonstrate this leakage in action, using OpenX as the example.

Possible fallout

Under GDPR, companies are required to safeguard personal data, conduct audits of their data flow and ensure that their partners are also treating data in the proper way.

“But Google loses control over its pages when other parties like OpenX can create their own,” Ryan said. “These pages in themselves are vulnerable.”

And then there’s also the question of pseudonymous data, which is data that’s been hashed, encrypted or anonymized. Pseudonymous data is considered personal and therefore protected under GDPR if it can be re-identified with a reasonable amount of effort.

As part of the matching process, the cookie_push.html URLs associated with Google’s iframe syncing are distinguished by several thousand characters added to the end. The combination of cookies supplied by Google could allow companies to create pseudonymous identifiers that wouldn’t have existed otherwise, which would be a GDPR infraction.

Regardless, push pages aren’t the main attraction, Ryan said. In his view, they’re just one example of “a loss of control over personal data that happens in the RTB system in general.”

“There is a collective delusion among ad tech companies that the law can be read in other ways,” Ryan said. “That delusion is being gradually dispelled.”

Helping to clear the air is the ongoing statutory investigation being conducted by the Irish Data Protection Commission, Google’s lead regulatory authority in Europe, digging into Google’s ad exchange and data-processing practices. Google, a company spokesperson told AdExchanger, welcomes the scrutiny and is cooperating with it “in full.”

“We do not serve personalized ads or send bid requests to bidders without user consent,” the spokesperson said.
