So your hypothesis is that Google took the knowledge of the search query and attached some sort of indicator that the user was interested in AA onto the user's personal data (in violation of its own policies for interest-based advertising on sensitive topics). Then, it mapped that user to a cookie (in violation of its own policy towards cookie-user matching). Then it gave a list of cookies associated with alcohol rehab to a 3rd party (also not how any Google systems work, this would be in violation of many internal policies). Then, someone was able to match cookies to email addresses (available, unfortunately, in the shadier black markets of the marketing world, but totally in violation of Google remarketing standards such that the 3rd party would be likely barred, if caught, from all Google systems). Then, the spammer bought the email addresses and sent the emails.
Alternate theory: someone at AA sold an email list to a shady marketer.
You're misremembering the article. The spam emails were claimed to be because of a Google Maps search. The AA link was because an app on the phone (probably Facebook) was mining the address book.
You'll have to explain how that's supposed to work. Are you saying that google is selling email addresses, that they are allowing people to supply content that they then send, or that the people running the ads are selling the email addresses? The first two I find extremely unlikely, and the third should not be possible, since running an ad does not give you info on who it was delivered to.
It gets elaborate but you can essentially buy email address -> cookie mappings or make your own. You then sync those cookies with the ad exchange and then they're returned to you with every ad auction for that user.
I used to work for an ad retargeting company. Our advertisers gave us a ton of data that we didn't necessarily want along with pixel data that we did, including email addresses. So if you're logged in to some retailers website and they were retargeting with us, they might either accidentally or deliberately passing us your email address, which would allow us (if we wanted to) to map your email address to your cookie. We see your cookie look at galleries, bam.
Or, more legally, the advertisers could be part of a specific email retargeting campaign where they give us your email addresses, and then we can establish the mapping in a more direct way.
Obviously there must have been more shading goings on in this case, but the principle is the same.
Right, but how did the cookie get associated with a Google search query and then get to the 3rd party who did the shady mapping? That's what wouldn't have happened.
If they clicked through to the art gallery website (from maps/search) and the art gallery was running an ad/tracker network that already knew the user's email from elsewhere, they could put two and two together.
Cookie onboarding services are nothing new. To start, look at a company like LiveRamp. They ask sites that get users to authenticate to login, then you provide them with an anonymous hashed email address of the user which they match with they then use to match against a larger cookie pool. If there's a match, they set another cookie.
This helps solve the issue for advertisers using retargeting where cookies don't have a long shelf life. So they leverage 2nd party data sources to basically set those cookies again for them so they can continue retargeting.
They can also work with vendors to upload their hashed email lists from their CRMs and gain access to the relevant cookies in the pool to market to them.
Onboarding vendors like this tend to pay a CPM rate based on the number of matches they can make with their cookie pool, so really all that matters is that you have a massive number of people authenticating with email addresses.
While unsettling, that still doesn't explain the data flow out of Google. Google wants your customized list of email targeting, sure. But they don't want to leak anything proprietary to others to use, such as search history.
Alternate theory: someone at AA sold an email list to a shady marketer.