[avanderveen]

This is a problem because companies can use this ID to correlate private user data, without anyone's knowledge or consent.

There are companies that specialise in sharing user information. Some of them work by only sharing data with companies that first share data with them (an exchange).

If you got this Google ID, and you had a few other pieces of information about the user, you could share that data with an exchange, indicating that the Google ID is a unique identifier. Then, the exchange would check if it has a matching profile, add the information you provided to that profile, and then return all of the information they have for that profile to you.

So, let's say you're an online retailer, and you have Google IDs for your customers. You probably have some useful and sensitive customer information, like names, emails, addresses, and purchase histories. In order to better target your ads, you could participate in one of these exchanges, so that you can use the information you receive to suggest products that are as relevant as possible to each customer.

To participate, you send all this sensitive information, along with a Google ID, and receive similar information from other retailers, online services, video games, banks, credit card providers, insurers, mortgage brokers, service providers, and more! And now you know what sort of vehicles your customers drive, how much they make, whether they're married, how many kids they have, which websites they browse, etc. So useful! And not only do you get all these juicy private details, but you've also shared your customers sensitive purchase history with anyone else who is connected to the exchange.

[bluesign]

Considering google_gid is valid for you for 14 days only. It is very unlikely to build a profile around it.

[cthalupa]

I have no doubt that if you had a record of my browsing habits for 2-3 days you could readily identify who I am the next time you have my browsing habits for that period of time.

I wouldn't be surprised at all if 2-3 hours of active browsing was enough for this.

[msbarnett]

Your device fingerprint alone is generally enough to tie your new google id to any previous ones.

[raxxorrax]

Which is also a typical example of privacy violations in the name of alleged security.

Some newer linux kernels (>2016) use random tcp timestamps offsets to prevent clock skew profiling.

That is a security feature, not the shit big tech is offering here.

But of course the mechanisms in question are suddenly implemented for fraud protection instead of user security. Yeah, bullshit.

[moron4hire]

It seems likely that the ad network could detect the change in ID if the expiration happens in the middle of a browsing session. Which, considering user habits, they are probably online at the same time every day, or have habits that cycle weekly.

Also, considering we largely do the same things every week and every day, I suspect a single day to give you at least 50% of a user's identifying data, and a week to give you at least 80%. That leaves a whole week of pretty accurate tracking.

I think you've made a pretty wild claim that 14 days isn't enough time to build a useful profile. Regardless, even if the usefulness of the data over two weeks is questionable, it's still illegal to share the data in this way. You wouldn't be too happy if someone broke into your house and "only" stole a single fork.

[WD-42]

Considering how much time many people spend online, and how efficient these profiling systems have become, I wouldn't be surprised if 14 days was plenty of time.

[seanhunter]

The time of validity and how hard it might be to build a profile are not factors in whether or not this is legal under GDPR. Here's the actual text from GDPR on pseudonyms and synthetic keys of this type[1]

> The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person

So PII that has been pseudonymized (mapped to a gid in this case) is protected in exactly the same way as if it had not been if the pseudonymized data could be mapped to a natural person by the use of additional data. The pseudonym (gid) is itself also considered PII under gdpr. [1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[inlined]

> The pseudonym (gid) is itself considered PII under GDPR.

I know of multiple systems that use a UID but throw away a user’s information, including the UID mapping, when the user leaves. This allows historic metrics to be retained without ever identifying a user who isn’t still using the system.

AFAICT, guids are a grey area.

[JohnFen]

I don't mind that at all, so long as that replacement is never shared with other entities.

[bertil]

Thank you: that explanation is the first that makes sense to me.

I get the impression that this structure would require an exchange: retailers would not trust each other otherwise.

Wouldn’t commercial pamphlets, interviews with salespeople, etc., from the exchange be obvious proof of illegal behaviour there? Google’s implementation is imperfect but, for the loophole to work, it would need coordination between several competitors and third party with a business model explicitly and almost exclusively about going around against GDPR.

If I can risk a comparison, that would be Google is like a chemical company selling fertilizer, and the exchange is selling bombs made from raw material bought by other people.

Am I missing the point? Shouldn’t this article be about those exchange and their clients, not Google?

[koffiezet]

> To participate, you send all this sensitive information, along with a Google ID

Isn't that also a GDPR violation?