Audit Finds Google, Microsoft, and Meta Still Tracking Users After Opt-Out (404media.co)
alternative_right shares a report from 404 Media: An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine webXray, 55 percent of the sites it checked set ad cookies in a user's browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and found that most tech companies ignore when a user asks to opt out of cookie tracking. California has stringent and well-defined privacy legislation thanks to its California Consumer Privacy Act (CCPA), which allows users to, among other things, opt out of the sale of their personal information. There's a system called Global Privacy Control (GPC), which includes a browser extension that indicates to a website when a user wants to opt out of tracking.
According to the webXray audit, Google failed to let users opt out 87 percent of the time. "Google's failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1.' This means Google should not return cookies," the audit said. "However, when Google's server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command. This non-compliance is easy to spot, hiding in plain sight."
The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta's failure rate was 69 percent and a bit more comprehensive. "Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals -- it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer's privacy preferences," the audit said. It showed a copy of Meta's tracking data which contains no GPC check at all.
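The check the audit describes (browser sends `Sec-GPC: 1`, server must not answer with an advertising `Set-Cookie`) can be reproduced over recorded request/response pairs. The following is an added example, not webXray's tooling or code from the audit; the exchange records and the `ad_cookie_names` set are assumptions, and the sample traffic is constructed rather than captured.

```python
from http.cookies import SimpleCookie


def gpc_opt_out(request_headers):
    """True when the browser sent the Global Privacy Control signal.

    The GPC header is 'Sec-GPC' and its only defined value is '1';
    header names are matched case-insensitively as HTTP requires.
    """
    for name, value in request_headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def cookies_set(response_headers):
    """Names of every cookie a response tries to set.

    response_headers is a list of (name, value) pairs because a single
    response may carry several Set-Cookie lines.
    """
    names = []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            names.extend(jar.keys())
    return names


def gpc_violations(exchanges, ad_cookie_names):
    """Return (host, cookie) pairs where an ad cookie was set despite GPC.

    Only cookies in ad_cookie_names are flagged, so operational cookies
    (sessions, CSRF tokens) are not counted as violations.
    """
    findings = []
    for ex in exchanges:
        if not gpc_opt_out(ex["request"]):
            continue  # no opt-out signal, nothing to honour
        for cookie in cookies_set(ex["response"]):
            if cookie in ad_cookie_names:
                findings.append((ex["host"], cookie))
    return findings


# Constructed sample exchanges (not real traffic). "IDE" is the advertising
# cookie name the audit cites; "sid" stands in for an operational session cookie.
SAMPLE_EXCHANGES = [
    {"host": "ads.example", "request": {"Sec-GPC": "1"},
     "response": [("Set-Cookie", "IDE=abc123; Domain=.ads.example; Path=/; Secure; HttpOnly; SameSite=None")]},
    {"host": "shop.example", "request": {"Sec-GPC": "1"},
     "response": [("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly")]},
    {"host": "ads.example", "request": {},
     "response": [("Set-Cookie", "IDE=def456; Path=/")]},
]
```

Running `gpc_violations(SAMPLE_EXCHANGES, {"IDE"})` flags only the first exchange: the session cookie on the second is outside the ad-cookie set, and the third carried no GPC signal.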
New Samsung cell phones have Google connections. (Score:5, Insightful)
There need to be laws limiting Google's invasions to user devices.
Fewer than 1 of a hundred ads are interesting to me. Maybe 1 in a thousand.
Re: (Score:2)
There are zero ads that I will buy from. I will NEVER buy from geckos or llamas, for example.
Re: (Score:2)
The issue is you need to add a cookie stating you opted out, otherwise it has no idea if you actually did. Now if there was a blanket browser option like robots.txt to state you opt out of x,y,z or all cookies that would be smarter but less money for them.
Well Duh! (Score:5, Insightful)
Re:Well Duh! (Score:5, Informative)
I have verified this a few times when doing IT security audits. Turns out when Google detects Chrome being used, they do all kinds of illegal (in the EU) stuff. Not so much with other browsers, not even chromium ones.
Re: (Score:2)
Have you documented it? I'd like to submit a legal complaint.
Re: (Score:2)
Sorry, the reports are all confidential. But try, for example, playing an embedded YouTube video without being logged in on Chrome, on a Chromium browser and on Firefox and then check what persistent cookies were set. (Permitted under the GDPR: Only ones that do not allow tracking.) This was a few years back though. Since I do not use Chrome, I have not re-tested it.
Re: (Score:2)
I will do some tests. Thanks for the pointer.
Re: (Score:2)
You are welcome. I found the problems to be pretty obvious when I last tried.
Re: (Score:2)
What about the Evil Bit? How do they handle that? (nowadays usage of a Google domain should act as a substitute).
Re: (Score:3)
Guessing the explanation (Score:5, Funny)
Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
There are a few, simple reasons for this. We have to track you (a) so we know if we're not supposed to track you, (b) so we know if our not tracking is working and track how well it's working and (c) in case you change your mind we want all your data retroactively. All the tracking data from when we're not tracking you is stored in a separate database that no one has access to, except when we track statistics on how well the non-tracking is working -- pinky swear.
Re: (Score:2)
Don't even have to go very far. The company responses say exactly what's going on. (d) the law doesn't say we can't create cookies unrelated to ad tracking.
"Global Privacy Controls only restricts certain uses of third-party data and allows website operators to override GPC signals, and we offer the Limited Data Use feature to help websites indicate what permissions they have. When data is transmitted to us with the LDU flag, we restrict the use of that data"
we opt the user out of sharing personal data with third parties for personalized advertising," a Microsoft spokesperson said. "Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected."
This could go either way... (Score:4, Interesting)
It's possible the companies are flagrantly ignoring the opt out indication.
It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation, viewing any set-cookie command as a violation.
Based on my experience working at Google, I'm betting on the second possibility. But, we'll see. Either we'll hear some stories about the companies being fined, or sued, or prosecuted (depending how the law works), or this will just quietly disappear when someone educates webXray.
Re: (Score:1)
Re: (Score:3, Informative)
It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
Re: (Score:3)
It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
It can be, sure, but it's less reliable and more painful to work with.
Re: This could go either way... (Score:1)
That's ok. I'm sure Google has some competent programmers who could do it.
aww (Score:2)
did I hurt someone's feefees? someone with sockpuppets?
Re: (Score:2)
That's ok. I'm sure Google has some competent programmers who could do it.
No one can make session tracking with form variables or URL arguments as reliable as it is with cookies.
Re: (Score:2)
No one can make session tracking with form variables or URL arguments as reliable as it is with cookies.
That's OK, a user might have to occasionally log in a little more. It's a small price to pay to prevent ubiquitous tracking.
Re: (Score:2)
And no, "replace every single link with a POST form request" is not reasonable, starting with
Re: (Score:1)
And no, "replace every single link with a POST form request" is not reasonable, starting with the issue that now you can't hit back.
Yes, you can. I regularly use a webapp where most links are driven with javascript, and the back button works fine both on links where they are and those where they aren't. This is kind of amazing given the general incompetence of the web app in question, like how actually doing that will at times lead to the creation of duplicate data because they apparently don't track whether forms have been used already. But that's not because they don't use cookies, because they do. It's just made by Accenture and they
Re: (Score:2)
Presumably they silo all the data from "sec-gpc: 1" responses for internal use, because the lawyers said that was okay and the mere presence of the tracker on the third party site did not constitute share or sale of their personal information by that third party (with contributory infringement on their part).
As the law says, "cookies concern the collection of personal information and not the sale or sharing of personal information".
Re: (Score:3)
If the law is about sale or sharing, not collection, then Google doesn't have to change anything, because Google doesn't sell or share data. That would be wasteful; Google's ad business is all about monetizing the data at Google, not giving someone else a chance to monetize it.
How to check your browser's GPC (Score:1)
You can check if your browser is sending GPC in the top banner here [globalprivacycontrol.org] or seeing GPC header and JavaScript settings here [vercel.app].
The Privacy Badger extension by the EFF [privacybadger.org] adds GPC to your browser if it's missing native support [globalprivacycontrol.org], like Chrome or Edge.
Re: (Score:2)
> this will just quietly disappear when someone educates webXray
"Nice business you have here. It would be a shame if something happened to it."
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
> this will just quietly disappear when someone educates webXray
"Nice business you have here. It would be a shame if something happened to it."
https://www.youtube.com/watch?... [youtube.com]
Incredibly unlikely. If the claimed violations are legitimate, and webXray reported them to the state plus the attempt to lean on them, Google would get slammed, hard, both legally and in the press. No way in hell Google would risk that.
Re: (Score:2)
"spectre of ... non-compliance" (Score:2)
Before you get outraged, do take care about what you rage.
The moment you read something like "spectre of ... non-compliance", you have to know you're reading rage bait trying to be careful not to get into libel territory.
Re:"spectre of ... non-compliance" (Score:5, Funny)
The moment you read something like "spectre of ... non-compliance", ...
Really hoping that's not the screenplay for next James Bond film.
How about a fine per cookie? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
About 40% of voters are currently super super concerned about trans girls in sports having suddenly become big fans of women's sports in the last couple of years after spending their whole lives ignoring them.
Eventually they'll forget about that and move on to some other pointless moral panic and continue to ignore their ever-worsening econ
Obligatory.. (Score:5, Funny)
Re: Obligatory.. (Score:2)
Thinly Veiled Advertisement (Score:1)
Hi,
This research ties back to a product page, which provides no information aside from an option to talk to someone about a demo.
If they give me a free eval copy, I'll take this comment down.
Auto opt out? (Score:2)
Self-regulation must be binding (Score:2)
Second, "too big to care" corporations failed to regulate their "do not track" self-regulation. It's why promises like this need to be legally binding, not something corporations secretly cancel their compliance with, then shrug off when caught.
EFF Privacy Badger adds GPC to your browser (Score:3, Informative)
The Privacy Badger extension by the EFF [privacybadger.org] adds GPC to your browser if you're not using one that supports it natively [globalprivacycontrol.org]. Chrome and Edge need the extension.
You can see whether the signal is disabled by checking the banner here [globalprivacycontrol.org] or, for more details, here [vercel.app].
Caught red-handed (Score:2)
Now skewer them. They really deserve it.
google should have never bought doubleclick (Score:3)