Google’s Surveillance Advertising Model under Attack on Both Sides of the Atlantic for Its Deep Privacy Problems

Posted on Feb 4, 2022 by Glyn Moody

PIA blog has just written about a major problem for Google: a decision by the Austrian Data Protection Authority that the continuing use of Google Analytics violates the EU’s GDPR legislation. The post noted that the Dutch Data Protection Authority is also investigating the use of Google Analytics; now it seems that France may follow suit. Meanwhile, there’s been more bad news from Europe, with the European Parliament agreeing its text for the proposed Digital Services Act (DSA) that has a number of problems for Google (among others). This is not the final version of the DSA, which must be jointly agreed with the other key players in the EU legislative process, the European Commission and the European Council, but it defines the elements that the European Parliament will be pushing for in the so-called “trilogues” where a common legal text will be drawn up.

Previous posts on PIA blog have mentioned that there were attempts to bring in a DSA ban for all micro-targeted advertising based on surveillance. That has failed, but the European Parliament does want some limitations on the kind of data that can be used for ad targeting. Sensitive information relating to a person’s political and religious beliefs, as well as their sexual orientation, would be excluded. In addition, the MEPs voted to impose a complete ban on using surveillance advertising to target young people online. There are other important requirements in this area:

the text provides for more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. Refusing consent shall be no more difficult or time-consuming to the recipient than giving consent. If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”

In addition, online platforms will be prohibited from using “dark patterns” — tricks to nudge people into accepting tracking.

It’s not just the EU that is looking to bring in restrictions on micro-targeted advertising: in the US, the Democrats have unveiled a bill to ban online surveillance advertising completely. As The Verge reports, as well as empowering the FTC and state attorneys to enforce the new rules, it “allows individual users to sue platforms like Facebook and Google if they break the law, granting up to $5,000 in relief per violation.”

Google is also under attack for alleged privacy failings involving tracking the location information of its users. The lawsuits, brought by the attorneys general of the District of Columbia, Texas, Washington and Indiana, were initiated following a report by The Associated Press in 2018, which found:

Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.

Google is well aware that the writing is on the wall for many of its privacy practices. In an attempt to head off some of that criticism, it introduced its Federated Learning of Cohorts (FLoC) approach. This received a less-than-warm reception, so Google has come up with a new system called Topics:

With Topics, your browser determines a handful of topics, like “Fitness” or “Travel & Transportation,” that represent your top interests for that week based on your browsing history. Topics are kept for only three weeks and old topics are deleted. Topics are selected entirely on your device without involving any external servers, including Google servers. When you visit a participating site, Topics picks just three topics, one topic from each of the past three weeks, to share with the site and its advertising partners. Topics enables browsers to give you meaningful transparency and control over this data, and in Chrome, we’re building user controls that let you see the topics, remove any you don’t like or disable the feature completely.

The fact that the processing only takes place on the user’s device is good, but Topics is still based on sending personal information to sites that display online ads. They may be gathering information from other sources — or simply buying it from vendors of such personal data — to combine with Topics.

Privacy advocates are not the only ones with concerns about Google’s attempts to move away from its current methods. According to the Financial Times, a group of German businesses, led by the publishing giant Axel Springer, have sent a 108-page complaint demanding that the EU should intervene over Google’s plans to drop third-party cookies — the ones that publishers typically deploy to track visitors to sites. The publishers say that they must “remain in a position where they are allowed to ask their users for consent to process data, without Google capturing this decision.” But once more, this approach is about carrying out surveillance on users, albeit with the personal information ending up in a different database from the one run by Google.

The only solution that preserves privacy is to move towards contextual ads, as many people — including this blog — have proposed. This is not an attack on targeted advertising, as some have suggested the DSA would become if micro-targeting were banned. There is a world of difference between ads placed according to context, and those that employ intrusive and pervasive online surveillance to build up detailed profiles of their users. The sooner companies — and politicians — learn to distinguish them, the better it will be for people’s privacy.

Feature image by Gregory Varnum.