Brave says Google is (still) secretly sharing your personal data with advertisers

Brave Software, the company behind the privacy-focused, open-source Brave browser, has accused Google of secretly using a “workaround” to avoid adhering to strict European Union privacy regulations.

Google is allegedly using hidden web pages—a mechanism called “Push Pages”—that scoop up and deliver personally identifiable data to advertisers, violating the tech giant’s own publicly stated privacy policies, according to findings published by Brave on Wednesday.

In an emailed response to Decrypt, Google spokesperson Caroline Klapper-Matos flatly denied the allegation: “We do not serve personalised ads or send bid requests to bidders without user consent. The Irish DPC—as Google's lead DPA—and the UK ICO are already looking into real time bidding in order to assess its compliance with GDPR. We welcome that work and are co-operating in full.”

Brave, itself a fork of Google’s Chrome browser, has nevertheless provided real-time bidding (RTB) evidence that indicates Google is using a General Data Protection Regulation (GDPR) workaround that circumvents consumer safeguards. Brave performed an analysis of the web browsing log of their chief policy and industry relations officer, Dr. Johnny Ryan, and determined that his personal data had been exposed. 

Ryan told Decrypt that, following an analysis of his own web log, Brave commissioned Enterprise analytics auditor Zach Edwards to follow up with a “much broader piece of research.”

Google already faces an investigation by its lead European regulator, the Ireland Data Protection Commission (DPC), due to a previous formal complaint from Brave's Ryan.

This possible leakage of personal data affects Google's DoubleClick/Authorized Buyers advertising system that is said to be active on 8.4 million websites. Visitors to these sites have their data shared with over 2,000 companies. This information includes user geographic location, online usage trends and even inferred religious, sexual and political characteristics.

The Brave browser in many ways positions itself as the “anti-Google.” It aims to provide increased privacy by using technology that disables advertising and data tracking while browsing the Internet. It also allows users and content publishers to earn Ethereum-based BAT tokens by way of configurable opt-in advertising. Brave Software recently announced plans to build their own cryptocurrency wallet.

GDPR is a regulation in European Union law on data privacy. This important change in data privacy regulations was implemented in May 2018. In January of this year, Google was hit with a €50 million GDPR violation fine for poor transparency in failing to disclose to users how data is collected to present personalized ads.

While Google claims to avoid letting companies that use their RTB ad system from sharing user profiles, Brave's findings point to Google allowing the matching and sharing of data using identifiers.