[bluesign]

Considering google_gid is valid for you for 14 days only. It is very unlikely to build a profile around it.

[cthalupa]

I have no doubt that if you had a record of my browsing habits for 2-3 days you could readily identify who I am the next time you have my browsing habits for that period of time.

I wouldn't be surprised at all if 2-3 hours of active browsing was enough for this.

[msbarnett]

Your device fingerprint alone is generally enough to tie your new google id to any previous ones.

[raxxorrax]

Which is also a typical example of privacy violations in the name of alleged security.

Some newer linux kernels (>2016) use random tcp timestamps offsets to prevent clock skew profiling.

That is a security feature, not the shit big tech is offering here.

But of course the mechanisms in question are suddenly implemented for fraud protection instead of user security. Yeah, bullshit.

[moron4hire]

It seems likely that the ad network could detect the change in ID if the expiration happens in the middle of a browsing session. Which, considering user habits, they are probably online at the same time every day, or have habits that cycle weekly.

Also, considering we largely do the same things every week and every day, I suspect a single day to give you at least 50% of a user's identifying data, and a week to give you at least 80%. That leaves a whole week of pretty accurate tracking.

I think you've made a pretty wild claim that 14 days isn't enough time to build a useful profile. Regardless, even if the usefulness of the data over two weeks is questionable, it's still illegal to share the data in this way. You wouldn't be too happy if someone broke into your house and "only" stole a single fork.

[WD-42]

Considering how much time many people spend online, and how efficient these profiling systems have become, I wouldn't be surprised if 14 days was plenty of time.

[seanhunter]

The time of validity and how hard it might be to build a profile are not factors in whether or not this is legal under GDPR. Here's the actual text from GDPR on pseudonyms and synthetic keys of this type[1]

> The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person

So PII that has been pseudonymized (mapped to a gid in this case) is protected in exactly the same way as if it had not been if the pseudonymized data could be mapped to a natural person by the use of additional data. The pseudonym (gid) is itself also considered PII under gdpr. [1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[inlined]

> The pseudonym (gid) is itself considered PII under GDPR.

I know of multiple systems that use a UID but throw away a user’s information, including the UID mapping, when the user leaves. This allows historic metrics to be retained without ever identifying a user who isn’t still using the system.

AFAICT, guids are a grey area.

[JohnFen]

I don't mind that at all, so long as that replacement is never shared with other entities.