Investigation by Brave Finds Google Is Circumventing Privacy Controls by Providing Unique User Identifiers to Third Parties ft.com

Madhumita Murgia, Financial Times:

The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.

The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.

Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.

Johnny Ryan of Brave explained the “hidden web pages” in more detail:

Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.

All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The Push Pages are not shown to the person visiting a web page, and will display no content if accessed directly.

A cursory web search turns up an article by Nic Jansma about ResourceTiming that references cookie_push.html in the context of cross-frame communication. It also references a Facebook script, another Google page, and similar blank-appearing pages from Twitter and Criteo — all of which appear to be for frame-bypassing tracking purposes. I’d love to know if any of these other companies are also passing uniquely-identifying characteristics to third parties through similar means.
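The cross-referencing described in the Brave excerpt above can be checked for in a captured list of request URLs, such as a browser network log export. The following is an added example, not code from this post, Brave or Google; it assumes the “google_push” identifier travels as a URL query parameter of that name, and every URL, host and identifier in the sample is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PUSH_HOST = "pagead2.googlesyndication.com"  # domain named in the Brave excerpt
PUSH_PAGE = "cookie_push.html"               # page name given in the Brave excerpt
PUSH_PARAM = "google_push"                   # assumption: sent as a query parameter

# Constructed sample of request URLs; paths, hosts and values are placeholders.
SAMPLE_REQUESTS = [
    "https://pagead2.googlesyndication.com/constructed/path/cookie_push.html#CONSTRUCTED-CODE",
    "https://sync.adtech-a.example/match?google_push=AAAA1111",
    "https://pixel.adtech-b.example/cm?google_push=AAAA1111",
    "https://pixel.adtech-b.example/cm?google_push=AAAA1111&retry=1",
    "https://cdn.news.example/app.js",
    "https://t.adtech-c.example/s?google_push=BBBB2222",
]


def analyse(urls):
    """Return (push_page_loads, shared).

    shared maps each identifier to the sorted list of hosts that received it,
    keeping only identifiers seen by two or more distinct hosts, since that is
    the condition that lets separate companies join their profiles.
    """
    push_loads = 0
    recipients = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Count loads of the Push Page itself; it carries no query identifier here.
        if host == PUSH_HOST and parts.path.rsplit("/", 1)[-1] == PUSH_PAGE:
            push_loads += 1
            continue
        # Record which host received which identifier value.
        for value in parse_qs(parts.query).get(PUSH_PARAM, []):
            recipients[value].add(host)
    shared = {pid: sorted(hosts) for pid, hosts in recipients.items() if len(hosts) > 1}
    return push_loads, shared


if __name__ == "__main__":
    loads, shared = analyse(SAMPLE_REQUESTS)
    print(f"Push Page loads: {loads}")
    for pid, hosts in shared.items():
        print(f"{pid} received by {len(hosts)} hosts: {', '.join(hosts)}")
```

Repeated requests from one host are collapsed, so an identifier is reported only when distinct hosts hold the same value.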