Audit Finds Google, Microsoft, and Meta Still Tracking Users After Opt-Out (404media.co)
- Reference: 0181711388
- News link: https://tech.slashdot.org/story/26/04/14/1955224/audit-finds-google-microsoft-and-meta-still-tracking-users-after-opt-out
- Source link: https://www.404media.co/google-microsoft-meta-all-tracking-you-even-when-you-opt-out-according-to-an-independent-audit/
> An [2]independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine [3]webXray, 55 percent of the sites it checked set ad cookies in a user's browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
>
> The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and [4]found that most tech companies ignore when a user asks to opt out of cookie tracking. California has stringent and well-defined privacy legislation thanks to its California Consumer Privacy Act (CCPA), which allows users to, among other things, opt out of the sale of their personal information. There's a system called Global Privacy Control (GPC), which includes a browser extension that indicates to a website when a user wants to opt out of tracking.
>
> According to the webXray audit, Google failed to let users opt out 87 percent of the time. "Google's failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Google's servers it encodes the opt-out signal by sending the code 'sec-gpc: 1.' This means Google should not return cookies," the audit said. "However, when Google's server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the 'set-cookie' command. This non-compliance is easy to spot, hiding in plain sight."
>
> The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta's failure rate was 69 percent and a bit more comprehensive. "Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals -- it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumer's privacy preferences," the audit said. It showed a copy of Meta's tracking data which contains no GPC check at all.
[1] https://slashdot.org/~alternative_right
[2] https://globalprivacyaudit.org/2026/california?ref=404media.co
[3] https://webxray.ai/?ref=404media.co
[4] https://www.404media.co/google-microsoft-meta-all-tracking-you-even-when-you-opt-out-according-to-an-independent-audit/
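The check the quoted audit text describes (a request carrying `sec-gpc: 1` answered with a `set-cookie` for an ad cookie), as an added example that is not code from webXray, the article, or anyone in this thread. The hostnames, the sample exchanges and the `AD_COOKIE_NAMES` list are constructed assumptions; only the header name and the `IDE` cookie name come from the quoted text, and cookies outside the list are sent to manual review rather than counted as failures.

```python
# Added example: replay captured header pairs and flag ad cookies set after a
# GPC opt-out. Hosts, exchanges and the cookie list below are constructed.

# Assumption: reviewer-maintained set of advertising cookie names. Only "IDE"
# is named in the quoted audit text; a real review needs a vetted list.
AD_COOKIE_NAMES = {"IDE"}

def gpc_opted_out(request_headers):
    """True if the request carried Sec-GPC: 1 (header names are case-insensitive)."""
    return any(n.lower() == "sec-gpc" and v.strip() == "1" for n, v in request_headers)

def cookies_set(response_headers):
    """Names of cookies created by the response, one Set-Cookie header per cookie."""
    return [v.split(";", 1)[0].split("=", 1)[0].strip()
            for n, v in response_headers if n.lower() == "set-cookie"]

def classify(request_headers, response_headers):
    """Verdict for one request/response exchange."""
    if not gpc_opted_out(request_headers):
        return "no-signal"
    names = cookies_set(response_headers)
    if any(name in AD_COOKIE_NAMES for name in names):
        return "ad-cookie-after-opt-out"
    # A cookie outside the ad list may be functional: send to manual review.
    return "review-other-cookie" if names else "honored"

def failure_rate(exchanges):
    """Share of opted-out exchanges that still received a listed ad cookie."""
    verdicts = [classify(req, resp) for _, req, resp in exchanges]
    opted_out = [v for v in verdicts if v != "no-signal"]
    failed = opted_out.count("ad-cookie-after-opt-out")
    return failed / len(opted_out) if opted_out else 0.0

# Constructed sample traffic: (url, request headers, response headers).
SAMPLE = [
    ("https://ads.example.test/pixel", [("Sec-GPC", "1")],
     [("Set-Cookie", "IDE=constructed-value; Domain=.example.test; Secure; SameSite=None")]),
    ("https://shop.example.test/cart", [("sec-gpc", "1")],
     [("set-cookie", "session=constructed-value; Path=/; HttpOnly")]),
    ("https://cdn.example.test/lib.js", [("Sec-GPC", "1")],
     [("Content-Type", "text/javascript")]),
    ("https://ads.example.test/pixel", [("User-Agent", "constructed")],
     [("Set-Cookie", "IDE=constructed-value; Secure")]),
]

if __name__ == "__main__":
    for url, req, resp in SAMPLE:
        print(f"{classify(req, resp):24} {url}")
    print(f"failure rate among opted-out requests: {failure_rate(SAMPLE):.0%}")
```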
Well Duh! (Score:2)
"Still Tracking Users After Opt-Out" The only deluded individuals here are the ones thinking they were not ignoring this? But never mind, it is just monopolies being monopolies!
Guessing the explanation (Score:3)
> ... 55 percent of the sites it checked set ad cookies in a user's browser even if they opted out of tracking.
> Each company disputed or took issue with the research, with Google saying it was based on a "fundamental misunderstanding" of how its product works.
There are a few, simple reasons for this. We have to track you (a) so we know if we're not supposed to track you, (b) so we know if our not tracking is working and track how well it's working and (c) in case you change your mind we want all your data retroactively. All the tracking data from when we're not tracking you is stored in a separate database that no one has access to, except when we track statistics on how well the non-tracking is working -- pinky swear.
This could go either way... (Score:4, Interesting)
It's possible the companies are flagrantly ignoring the opt out indication.
It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation, viewing any set-cookie command as a violation.
Based on my experience working at Google, I'm betting on the second possibility. But, we'll see. Either we'll hear some stories about the companies being fined, or sued, or prosecuted (depending how the law works), or this will just quietly disappear when someone educates webXray.
Re: (Score:1)
If only we had some sort of legal penalty for this.
Re: (Score:3)
> It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
Re: (Score:2)
>> It's also possible that webXray is confusing ad/tracking cookies with cookies required for normal site operation
> There is no such thing. Everything done with cookies can be done some other way EXCEPT for tracking, e.g. with hidden form variables or additional arguments in a request.
It can be, sure, but it's less reliable and more painful to work with.
Re: (Score:2)
Presumably they silo all the data from "sec-gpc: 1" responses for internal use, because the lawyers said that was okay and the mere presence of the tracker on the third party site did not constitute share or sale of their personal information by that third party (with contributory infringement on their part).
As the law says, "cookies concern the collection of personal information and not the sale or sharing of personal information".
Re: (Score:2)
If the law is about sale or sharing, not collection, then Google doesn't have to change anything, because Google doesn't sell or share data. That would be wasteful; Google's ad business is all about monetizing the data at Google, not giving someone else a chance to monetize it.
"spectre of ... non-compliance" (Score:2)
Before you get outraged, do take care about what you rage.
The moment you read something like "spectre of ... non-compliance", you have to know you're reading rage bait trying to be careful not to get into libel territory.
Re: (Score:2)
> The moment you read something like "spectre of ... non-compliance", ...
Really hoping that's not the screenplay for the next James Bond film.
How about a fine per cookie? (Score:3)
It only has to be one cent. They would notice real quickly.
Re: (Score:2)
Or maybe the 250 grand (per infringement) that the MPAA wants to fine you for violating copyright, splashed right up with an FBI warning on every video disc I've ever watched.
Obligatory.. (Score:2)
I am shocked...shocked I tell you.
Thinly Veiled Advertisement (Score:1)
Hi,
This research ties back to a product page, which provides no information aside from an option to talk to someone about a demo.
If they give me a free eval copy, I'll take this comment down.
New Samsung cell phones have Google connections. (Score:2)
New Samsung cell phones have many connections to Google.
There need to be laws limiting Google's invasions to user devices.
Fewer than 1 of a hundred ads are interesting to me. Maybe 1 in a thousand.