There absolutely are moderators who do a good and thoughtful job. This post has been up for 23 minutes at this time. Chill for a second and they'll get to it. Jesus.
"It's ok to post stories from sites with paywalls that have workarounds.
In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic."
Reading articles online in social media has evolved into social and collaborative effort where most people don't have to read the article itself.
HOWTO for (de facto) collaborative and delegated reading in the social media:
1/ You can upvote and comment articles based on the title without reading the article itself. If the subject is interesting, you agree with the title or you want to know more, upvote. When the article gains enough popularity and attention, the collaborative reading happens in three batches of comments.
2/ First batch of comments is from people who didn't read the article but want to say something or steer the discussion. They either use the title as writing cue to write what they think, or try to guess the article content and comment on it.
3/ Second batch is comments to the first batch from those who skimmed the article and correct the misconceptions the first batch of commenters had and provide information from the article.
4/ Third batch of comments comes from those who read the article or are subject experts or both. They correct the first and second batch comments and even correct errors in the original article. Sometimes the third batch never happens and the quality of the community reading suffers.
When I used a completely blank browser session, the google referrer allowed access to the site. This may have been inconsistent across more users or triggered an anti-abuse mechanism by the FT restricting access.
This article is centered around evidence submitted by Brave CPO Johnny Ryan. If you're not an FT subscriber, they have a blog post about it here: https://brave.com/google-gdpr-workaround/
So there's a "realtime bidding system" where when the user access a page, google goes out to bidders in realtime to figure out which ad to show. I haven't quite figured out the rest but in the process somehow, those networks are able subsequently match up details about the user.
EDIT from the Brave article:
>>> Every time a person visits a website that uses RTB, data about them is broadcast to tens or hundreds of tracking companies, who let advertisers compete for the opportunity to show them an ad. The data can include the category of what they are reading – which can reveal their sexual orientation,[4] political views,[5] their religion,[6] and health conditions including AIDS,[7] STDs,[8] and depression.[9] It includes what the person is reading, watching, and listening to. It includes their location. And it includes unique, pseudonymous ID codes that are specific to that person,[10] so that all of this data can be tied to you, continually, over time.
EDIT why does this article keep getting flagged? Can it just be redirected to the Brave post instead?
Ignoring the paywall, if the allegations are true, this is extremely sketchy behavior from Google. Is there something weasel-worded into the privacy policy that lets them do this after they’ve promised not to?
If the claims are true, man, Google has descended very far from their high “don’t be evil” perch. If true they are hardly better than content farms and herbal medicine sites. What a disaster.
I guess all the steady hands have cached out and retired leaving the new people to their own devices without the benefit of company history to guide them.
Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.
New evidence submitted to an investigation by the Irish data regulator, which oversees Google’s European business, accused the US tech company of “exploiting personal data without sufficient control or concern over data protection”.
The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.
The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.
Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.
Using the tracker from Google, which is based on the user’s location and time of browsing, companies could match their profiles of Mr Ryan and his web-browsing behaviour with profiles from other companies, to target him with ads.
Mr Ryan found six separate pages pushing out his identifier after a single hour of looking at websites on Google’s Chrome browser. The identifier contained the phrase “google_push” and was sent to at least eight adtech companies.
“This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it’s blank, has no content, but allows . . . third parties to snoop on the user and the user is none the wiser,” said Mr Ryan. “I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”
Recommended
Google/GDPR: not as advertised
A spokesperson for Google said the company had not seen the details of the information sent by Mr Ryan to the regulator and that it was co-operating with investigations in Ireland and the UK into its advertising business. The spokesperson added: “We do not serve personalised ads or send bid requests to bidders without user consent.”
By providing potential buyers with such a granular level of targeting, Google could gain a significant competitive advantage over other companies that run advertising auctions, according to marketing executives.
Mr Ryan’s experiment was reproduced by adtech analyst Zach Edwards, who runs technical consulting firm Victory Medium, after being commissioned by Brave. He recruited hundreds of people to test Google’s behaviours over a month. They found that the identifier was indeed unique and was shared between multiple advertising companies to enhance their targeting abilities.
Currently, Google’s own rules prohibit ad buyers from matching disparate profiles on the same user. On September 5 2018, Google announced that it would no longer shareencrypted cookie IDs in bid requests with buyers in its Authorized Buyers marketplace, “as part of our ongoing commitment to user privacy”. Mr Ryan’s analysis also found that Google continued to share these with ad firms.
Ioannis Kouvakis, legal officer at Privacy International, said Google had a dominant position in online advertising and that it should let users know what data the tracking identifier is collecting. “Google needs to lead by example,” he added.
Does nobody click the "your ad choices" button on each ad? I assumed a good amount of participating companies[0] build ad profiles at the same pace Google does.
Two levels of things here: Google/Doubleclick and the GDPR and then this particular "push page" issue.
- GDPR instructs that an organization maintain control of people's data. "Control" in the legal sense of it where you know who is getting the data, what their data handling practices are, how it's going to be used, etc.
- Real Time Ad bidding is the process where you land on a site and then that site has a JS snippet which passes your information (it can be more than this, but lets just say your IP address) to an Ad Auction where advertisers bid on showing you an ad. They do geolocation, company lookups, check retargeting cookies, etc. and then whoever offers the most money to show you an ad gets their banner on the page you are looking at.
- Google's Doubleclick is one of the largest Real Time Bidding setups.
Side Note: a frequent comment I see on HN is that "IPs are not personally identifiable" which is true in the abstract, but they are identifiable enough that advertisers are willing to spend significant amounts of money on ad bids.
You may immediately see the problem here: it's impossible for you (the person browsing) to give meaningful consent to share your information with all these companies participating in the ad auction because the site you just browsed to has zero flipping idea who they are and in any case there is a constantly churning audience of literally tens of thousands of companies participating in these auctions.
All of that is the context then for this newest development: push pages.
Google/Doubleclick is attempting a bunch of different approaches to deal with the fact that the GDPR shatters the current privacy destroying setup of anytime you land on a site with their JS include that your information is sent to several thousand companies unknown to you.
They're trying to implement psuedo anonymous identifiers [1] they're trying pull back on cross site matching, etc. all of which hurts their bottom line. So what this "push pages" looks like is an attempt at a technical workaround to some of the legislative hurdles raised by the GDPR. By moving the JS+Cookie setting to the Google domain they're able to say (in some context) that it's a 1st party cookie and not a tracker and able to do more sophisticated matching.
Side Note: another frequent comment I see on HN about the GDPR is that "It's too vague, why doesn't it just say what I can and can't technically implement" and this is exactly why: if the law is laid out in technical terms instead of intentions and actions it's easy to find loopholes (aka moving some aspect of tracking from a site to Google's page).
32 comments
[ 2.5 ms ] story [ 82.8 ms ] threadI feel lost in an endless maze
Relevant Pinochio scene: https://youtu.be/EFFGR72tA4g?t=64
http://archive.is/L2m5K
"It's ok to post stories from sites with paywalls that have workarounds.
In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic."
[0] https://news.ycombinator.com/newsfaq.html
HOWTO for (de facto) collaborative and delegated reading in the social media:
1/ You can upvote and comment articles based on the title without reading the article itself. If the subject is interesting, you agree with the title or you want to know more, upvote. When the article gains enough popularity and attention, the collaborative reading happens in three batches of comments.
2/ First batch of comments is from people who didn't read the article but want to say something or steer the discussion. They either use the title as writing cue to write what they think, or try to guess the article content and comment on it.
3/ Second batch is comments to the first batch from those who skimmed the article and correct the misconceptions the first batch of commenters had and provide information from the article.
4/ Third batch of comments comes from those who read the article or are subject experts or both. They correct the first and second batch comments and even correct errors in the original article. Sometimes the third batch never happens and the quality of the community reading suffers.
https://brave.com/wp-content/uploads/files_2019-9-2/sample_p...
Ah, actually, this explains things a bit better:
https://brave.com/wp-content/uploads/sequence.pdf
So there's a "realtime bidding system" where when the user access a page, google goes out to bidders in realtime to figure out which ad to show. I haven't quite figured out the rest but in the process somehow, those networks are able subsequently match up details about the user.
EDIT from the Brave article:
>>> Every time a person visits a website that uses RTB, data about them is broadcast to tens or hundreds of tracking companies, who let advertisers compete for the opportunity to show them an ad. The data can include the category of what they are reading – which can reveal their sexual orientation,[4] political views,[5] their religion,[6] and health conditions including AIDS,[7] STDs,[8] and depression.[9] It includes what the person is reading, watching, and listening to. It includes their location. And it includes unique, pseudonymous ID codes that are specific to that person,[10] so that all of this data can be tied to you, continually, over time.
EDIT why does this article keep getting flagged? Can it just be redirected to the Brave post instead?
I guess all the steady hands have cached out and retired leaving the new people to their own devices without the benefit of company history to guide them.
Bite the hand that feeds you much, FT?
Google is secretly using hidden web pages that feed the personal data of its users to advertisers, undermining its own policies and circumventing EU privacy regulations that require consent and transparency, according to one of its smaller rivals.
New evidence submitted to an investigation by the Irish data regulator, which oversees Google’s European business, accused the US tech company of “exploiting personal data without sufficient control or concern over data protection”.
The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.
The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.
Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.
Using the tracker from Google, which is based on the user’s location and time of browsing, companies could match their profiles of Mr Ryan and his web-browsing behaviour with profiles from other companies, to target him with ads.
Mr Ryan found six separate pages pushing out his identifier after a single hour of looking at websites on Google’s Chrome browser. The identifier contained the phrase “google_push” and was sent to at least eight adtech companies.
“This practice is hidden in two ways: the most basic way is that Google creates a page that the user never sees, it’s blank, has no content, but allows . . . third parties to snoop on the user and the user is none the wiser,” said Mr Ryan. “I had no idea this was happening. If I consulted my browser log, I wouldn’t have had an idea either.”
Recommended
Google/GDPR: not as advertised
A spokesperson for Google said the company had not seen the details of the information sent by Mr Ryan to the regulator and that it was co-operating with investigations in Ireland and the UK into its advertising business. The spokesperson added: “We do not serve personalised ads or send bid requests to bidders without user consent.”
By providing potential buyers with such a granular level of targeting, Google could gain a significant competitive advantage over other companies that run advertising auctions, according to marketing executives.
Mr Ryan’s experiment was reproduced by adtech analyst Zach Edwards, who runs technical consulting firm Victory Medium, after being commissioned by Brave. He recruited hundreds of people to test Google’s behaviours over a month. They found that the identifier was indeed unique and was shared between multiple advertising companies to enhance their targeting abilities.
Currently, Google’s own rules prohibit ad buyers from matching disparate profiles on the same user. On September 5 2018, Google announced that it would no longer shareencrypted cookie IDs in bid requests with buyers in its Authorized Buyers marketplace, “as part of our ongoing commitment to user privacy”. Mr Ryan’s analysis also found that Google continued to share these with ad firms.
Ioannis Kouvakis, legal officer at Privacy International, said Google had a dominant position in online advertising and that it should let users know what data the tracking identifier is collecting. “Google needs to lead by example,” he added.
0: https://youradchoices.com/participating
- GDPR instructs that an organization maintain control of people's data. "Control" in the legal sense of it where you know who is getting the data, what their data handling practices are, how it's going to be used, etc.
- Real Time Ad bidding is the process where you land on a site and then that site has a JS snippet which passes your information (it can be more than this, but lets just say your IP address) to an Ad Auction where advertisers bid on showing you an ad. They do geolocation, company lookups, check retargeting cookies, etc. and then whoever offers the most money to show you an ad gets their banner on the page you are looking at.
- Google's Doubleclick is one of the largest Real Time Bidding setups.
Side Note: a frequent comment I see on HN is that "IPs are not personally identifiable" which is true in the abstract, but they are identifiable enough that advertisers are willing to spend significant amounts of money on ad bids.
You may immediately see the problem here: it's impossible for you (the person browsing) to give meaningful consent to share your information with all these companies participating in the ad auction because the site you just browsed to has zero flipping idea who they are and in any case there is a constantly churning audience of literally tens of thousands of companies participating in these auctions.
All of that is the context then for this newest development: push pages.
Google/Doubleclick is attempting a bunch of different approaches to deal with the fact that the GDPR shatters the current privacy destroying setup of anytime you land on a site with their JS include that your information is sent to several thousand companies unknown to you.
They're trying to implement psuedo anonymous identifiers [1] they're trying pull back on cross site matching, etc. all of which hurts their bottom line. So what this "push pages" looks like is an attempt at a technical workaround to some of the legislative hurdles raised by the GDPR. By moving the JS+Cookie setting to the Google domain they're able to say (in some context) that it's a 1st party cookie and not a tracker and able to do more sophisticated matching.
Side Note: another frequent comment I see on HN about the GDPR is that "It's too vague, why doesn't it just say what I can and can't technically implement" and this is exactly why: if the law is laid out in technical terms instead of intentions and actions it's easy to find loopholes (aka moving some aspect of tracking from a site to Google's page).
1 - https://support.google.com/analytics/answer/2763052?hl=en
So maybe the original Brave post would survive unflagged? https://news.ycombinator.com/item?id=20876248
I'm just not buying the 'it isn't Google employees doing it' thesis.
https://news.ycombinator.com/item?id=20876248