Google tracks what you spend offline to prove its online ads work. And privacy folks are furious
Watchdog goes to court to open up black box system
Google's advertising systems that connect people's in-store purchases to their online browsing may face regulatory review – because the Chocolate Factory won't disclose details about how it slices and dices its data.
On Monday, privacy warriors at EPIC announced they have filed a complaint with America's Federal Trade Commission asking the agency to halt Google's Store Sales Measurement service.
The ad program was introduced in May at the company's 2017 Google Marketing Next event. It allows marketers "to measure in-store revenue in addition to the store visits delivered by your Search and Shopping ads."
It does so by attempting to associate the approximately 70 per cent of credit and debit card transactions in the US with online ads and actions, in order to link online ad spending to offline sales. In other words, it allows Google to tell advertisers that folks bought stuff in shops after seeing Google-served adverts on the web. That correlation makes online advertising more valuable to ad buyers and increases revenue potential for Google.
But EPIC contends that the data Google has gathered reveals sensitive information about consumers' purchases, health, and private lives. Google's assurance that it can protect privacy while linking offline purchases with online behavior, the privacy watchdog argues, cannot be verified because Google has not disclosed details about its technology or its third-party partners and does not allow independent auditing.
"The privacy of millions of consumers thus depends on a secret, proprietary algorithm," the complaint states. "And although Google claims that consumers can opt out of being tracked, the process is burdensome, opaque, and misleading."
The complaint points out that the FTC has reached settlements involving proprietary algorithms that fell short of privacy claims and cites academic research showing that anonymized data can be de-anonymized.
According to the complaint, Google's system for aggregating and anonymizing transaction data is based on CryptDB, software described in a 2011 research paper and subsequently found to be insecure.
"In 2015, researchers were able to hack into a CryptDB protected database of healthcare records and access over 50% (sometimes 100%) of sensitive patient data at an individual level," the complaint says.
What's more, EPIC contends that Google's refusal to disclose its partnerships with data brokers endangers consumer privacy, because data brokers operate with little scrutiny and rarely give consumers control over how their data gets used.
In a statement, a Google spokeswoman told us:
We take privacy very seriously so it’s disappointing to see a number of inaccuracies in this complaint. We invested in building industry-leading privacy protections before launching this solution.
All data is encrypted and aggregated – we don’t share or receive any identifiable credit card data whatsoever. Users have robust controls – we only use data that they’ve consented to have associated with their Web and App activity in their Google account, which users can opt-out of at any time.
We are committed to constantly innovating and continuing to provide transparency to users on what data we collect and how we use it.
We also understand that Google does not use CryptDB internally, and that it doesn't store individuals' credit card records: that information stays with its partners, but is shared with the ads giant in some way.
Reached by phone on Monday afternoon, an FTC spokesperson said the agency had yet to receive the complaint. Assuming the complaint arrives, there's no guarantee EPIC's indignation will result in FTC action. As a matter of policy, the agency does not comment on active investigations or whether it will initiate such action.
Google has emerged more or less unscathed from FTC encounters during the Obama administration. It agreed to pay $22.5 million in 2012 to settle FTC charges that it bypassed Apple Safari privacy protections, which followed a previous settlement that it violated privacy promises related to its now defunct Google Buzz service.
But the Chocolate Factory is facing tougher scrutiny in Europe, thanks to ongoing efforts by foes like Oracle to humble the Google.
The Trump administration looks less inclined to mete out wrist-slaps than last year's leadership. Chief policy strategist Steve Bannon recently said he'd like to see Google, along with Amazon and Facebook, regulated like utilities. However, there remains a gap between what the current administration says it wants and what it has actually been able to achieve. ®
Sponsored: Becoming a Pragmatic Security Leader