Google is using secret web pages that feed personal user data to advertisers in breach of GDPR, new evidence presented to the Irish data regulator suggests.

The discovery was made by the chief policy officer of Brave, a small but influential rival to the internet giant. The Financial Times reports that the new evidence accuses Google of “exploiting personal data without sufficient control or concern over data protection”.

The evidence was submitted to the Irish Data Protection Commissioner, which oversees Google in Europe, as part of an investigation into the company’s potential use of users’ sensitive data – race, politics, health – for ad targeting, and therefore infringement of the General Data Protection Regulation (GDPR).

The findings come from Johnny Ryan of the privacy-focused web browser company Brave, who said he found secret web pages when he attempted to monitor how personal information was traded through Google’s Real-Time-Bidding system, Authorized Buyers (previously DoubleClick).

Brave commissioned analysis from the analyst and digital strategist Zach Edwards, who runs the consultancy Victory Medium. It revealed the “Push Pages” mechanism, through which Google “invites companies to share profile identifiers about a person when they load a website”.

According to Ryan, he found that Google had assigned him an identifying tracker leading to a hidden web page. On this unique page, third-party companies could find a link to the user’s browsing activity, allowing them to match their profiles with Google’s for targeting purposes. On six different pages during an hour’s browsing, an identifier containing “google_push” was being pushed out to a minimum of eight adtechs, Ryan claims.

“All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This google_push identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.”

Edwards replicated the experiment with the browsing of hundreds of volunteers recruited to test whether the identifier was indeed unique and being shared.

“Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other,” he explained in a statement on Brave’s website.
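The check described above, whether one identifier stays tied to one person while reaching several companies, can be run over a recorded request log. The Python below is an added illustration, not code from Brave, Edwards or the reports cited here; it assumes the identifier travels as a query parameter named google_push, and every log entry, host and value in it is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed browsing log: (volunteer, page visited, third-party request URL).
# Hosts, paths and identifier values are invented; the parameter name
# "google_push" is an assumption based on the identifier string quoted above.
SAMPLE_LOG = [
    ("alice", "https://news.example/a", "https://sync.adtech-one.example/m?google_push=AAA111"),
    ("alice", "https://news.example/a", "https://px.adtech-two.example/s?google_push=AAA111&r=1"),
    ("alice", "https://shop.example/b", "https://id.adtech-three.example/c?google_push=AAA111"),
    ("alice", "https://shop.example/b", "https://cdn.example/lib.js?v=3"),
    ("bob", "https://news.example/a", "https://sync.adtech-one.example/m?google_push=BBB222"),
    ("bob", "https://blog.example/c", "https://px.adtech-two.example/s?google_push=BBB222"),
]


def collect(log, param="google_push"):
    """Map each identifier value to the volunteers, pages and hosts it appeared with."""
    seen = defaultdict(lambda: {"users": set(), "pages": set(), "hosts": set()})
    for user, page, url in log:
        parts = urlsplit(url)
        for value in parse_qs(parts.query).get(param, []):
            entry = seen[value]
            entry["users"].add(user)
            entry["pages"].add(page)
            entry["hosts"].add(parts.hostname)
    return seen


def report(log, min_hosts=2):
    """Summarise identifiers that reached at least min_hosts distinct hosts."""
    rows = []
    for value, entry in sorted(collect(log).items()):
        if len(entry["hosts"]) >= min_hosts:
            rows.append({
                "id": value,
                # True when the value was only ever seen for one volunteer
                "unique_to_one_user": len(entry["users"]) == 1,
                "pages": len(entry["pages"]),
                "hosts": sorted(entry["hosts"]),
            })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

An identifier that is unique to one volunteer, recurs across pages and appears in requests to several hosts is the pattern the submission describes.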

“This practice is hidden in two ways,” Ryan told the FT. “The most basic way is that Google creates a page that the user never sees, it’s blank, has no content but allows … third parties to snoop on the user and the user is none the wiser.

“I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”

Google, through a spokesperson, said the company had not seen the evidence submitted but that it was co-operating with the investigation. “We do not serve personalised ads or send bid requests to bidders without user consent,” the spokesperson said.

Sourced from the Financial Times, Brave