MetaX is proud to provide additional important context to the research released today from Brave and featured in the Financial Times, focusing on a GDPR workaround built by Google known as “cookie_push” (aka “Push Pages”). Our intention is not to single any one company out, but rather to inform the community about these ongoing data issues.
The data released by Brave and reported in the Financial Times article showed that Google deployed a new data syncing architecture prior to GDPR – the details released by Brave include numerous written explanations of the process, and also a chart showing the cookie data flow that our team helped with.
Chart: How Google’s RTB and Push Pages allow hundreds of DSPs to tie their tracking profiles about people together
One of the most important aspects of this research, which was alluded to in the original FT piece and included in data released by Brave, is the fact that Google’s data flow architecture made it possible for Google partners to create their own URL redirects within Google’s Push Pages. This minor technical “allowance” opened up the doors to what our team at MetaX is referring to as “The OpenX workaround of Google’s GDPR workaround.” In short, we found that OpenX, a Google partner, was taking advantage of the unique data architecture of Push Pages and inviting their own partners to sync data, seemingly without approval to do so.
For the last two years, MetaX has been building tools to help clean up the ad tech industry and working with a wide variety of publishers, advertising networks, and marketing firms. Over the last 6 months, MetaX has been working with our new Chief Data Architect, Zach Edwards, who was commissioned to do the initial research for Brave and found the Google cookie_push workaround as well as the OpenX workaround. We devised a collection plan to learn the anatomy of the Google cookie_push workaround (and other advertising systems in the process). In this joint effort, we have developed a compliant data collection engine, with hundreds of people across the world, that is capable of accessing the different layers of adtech and exposing the 4th, 5th, and Nth party data links.
Essentially, we’ve spent a few months reverse engineering adtech in order to graph the relationship of meaningful identifiers/parameters/partners.
We also executed on a plan to collect as much data as possible about Google’s cookie_push and to document the OpenX workaround “in the wild” in order to identify which companies were receiving data from Google’s “Cookieless user sync” via cookie_push, but without apparent permission or authorization from Google to collect that user data since it was through a workaround within the Google Push Pages.
Before we share the information below, we’d like to note that this is just a sampling of the data — just prior to publication we shared this research privately with Google to try and help them fix these problems.
During our testing period, the MetaX team was able to identify dozens of unique companies firing pixels into the OpenX cookie_push workaround, which fired into Google’s own cookie_push GDPR workaround.
In total, MetaX hired people in 28 countries and in 40 U.S. states to help us audit their data flow.
We hired people in 7 EU countries to audit the data flow on some of the largest publishers.
We hired people in 8 Asian countries to help us map some very unique regional ad networks.
Our teams sent us thousands of network request files from browsing publishers and cookie syncing pages, and created over 2,000 videos documenting their processes.
We visited over 500 publisher websites, tested the Google Push Page workaround over 1,000 times, and the OpenX workaround nearly 5,000 times.
We also recorded several video walkthroughs, showing some of the data flow experiences that we captured.
This first video shows how to find a Google cookie_push URL from a publisher website – the first example being on espn.com:
This second video shows how to find the OpenX workaround URL sent within the Google cookie_push workaround. An important point to look for in the video is that when you see a pixel piggybacked into the Google workaround by OpenX, you’ll see a clash between 3 domains (the Request URL, Location URL and Referral URL). In the video they are all unique domains, clearly showing the additional data partners being added into Google’s push page.
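The three-domain check described for the second video, as an added example (not MetaX's or Brave's tooling): it scans a HAR capture for redirects whose request URL, `Location` target and `Referer` fall on three different sites. All hosts are constructed placeholders, and reading "Referral URL" as the `Referer` request header and "Location URL" as the `Location` response header is an assumption.

```python
from urllib.parse import urljoin, urlsplit

# Constructed HAR 1.2-style capture; every host is a placeholder, not real traffic.
def _entry(url, referer, status, location=None):
    resp_headers = [{"name": "Location", "value": location}] if location else []
    return {"request": {"url": url, "headers": [{"name": "Referer", "value": referer}]},
            "response": {"status": status, "headers": resp_headers}}

FRAME = "https://pages.pushhost.example/frame"
SAMPLE_HAR = {"log": {"entries": [
    # Request, Location and Referer on three distinct sites: should be flagged.
    _entry("https://sync.exchange.example/px?id=1", FRAME, 302,
           "https://match.partner.example/sync?id=1"),
    # Redirect stays on the request's own site: only two sites involved.
    _entry("https://sync.exchange.example/px?id=2", FRAME, 302,
           "https://cdn.exchange.example/done"),
    # Relative Location resolves against the request URL: same site.
    _entry("https://sync.exchange.example/px?id=3", FRAME, 302, "/px/next"),
    # Not a redirect at all.
    _entry("https://sync.exchange.example/px?id=4", FRAME, 200),
]}}

def site(url):
    """Naive site key: last two host labels (assumption; a real audit
    should use the Public Suffix List to get the registrable domain)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def header(headers, name):
    """Case-insensitive lookup in a HAR header list; None when absent."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def three_domain_clashes(har):
    """Return redirects whose request, Location and Referer sites all differ."""
    hits = []
    for e in har["log"]["entries"]:
        req, resp = e["request"], e["response"]
        location = header(resp["headers"], "Location")
        referer = header(req["headers"], "Referer")
        if not (300 <= resp["status"] < 400) or not location or not referer:
            continue
        target = urljoin(req["url"], location)  # resolve relative redirects
        sites = {"request": site(req["url"]), "location": site(target),
                 "referer": site(referer)}
        if len(set(sites.values())) == 3:
            hits.append({"url": req["url"], **sites})
    return hits
```
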
This third video is of users loading the OpenX page in different countries — we had numerous unique processes to reverse this data flow and tracked dozens of unique (and some regional) ad network partners being added by OpenX into Google’s Push Page workaround:
We anticipate releasing more research as we ramp up client collection work and our ongoing monitoring of real user data transfer from the largest publisher websites in the world and from some of the smallest, spammiest websites in the world. We also have started to audit mobile app data transfer and have additional plans for auditing all sources of local data that can be manipulated to duplicate/share network headers, cookies and other URL parameters that can be used to track and target users across their desktop computers, mobile phones, TVs, video game systems, cars, and almost all connected devices.
Moving forward, MetaX will be working with a select group of initial clients — anyone who is willing to admit they could have a data problem and wants to fix it.
We also intend to dramatically limit our initial clients on these efforts in 2019 and into 2020, but are looking for the right corporate partners, advertising networks, publisher networks, and in-house buying teams that could be the right fit for our significant network string audits, publisher network red team assessments, legal refund architecture, and our most important deliverable: sending refund requests to anyone who has removed or reduced your value by means that were not allowed in the network terms or not allowed due to local regulations or other means.
We intend to take back the advertising tax that has been levied upon small businesses, large corporations, media firms, ad technology providers, and individuals. We plan to call companies and organizations to task when they are not compliant with data privacy standards, and when those standards fall into a quality control concern. We plan to work with our clients to get the problems fixed, and get refunds for money wasted or taken.
We look forward to working with the community at large. For the time being, we won’t be providing any additional information on the data flow in Google’s Push Pages or the OpenX Push Page workaround. We believe it’s important to work with partners on problems we’ve identified, but we will also be providing public insights as often as possible.