Google Doesn’t Believe in Privacy, episode 4772

Last night, I did a Google search in an incognito window. Twelve hours later, Groupon sent me an email with my search term in the subject line.

This was the first email I’d received from them in years. How did this happen? Nevermind the terrible life choices that led me to have a Groupon account in the first place.

For those who are curious, I searched for “Rosetta Stone v. Google”, a case where Rosetta Stone sued Google for displaying counterfeit-“Rosetta Stone” software ads.
For those who are curious, I searched for “Rosetta Stone v. Google”, a case where Rosetta Stone sued Google for displaying counterfeit-“Rosetta Stone” software ads. This is the email I got shortly thereafter.

Hints:

  • The Groupon email went to an address that isn’t hosted by Gmail.
  • Ads are blocked.
  • Cookies are blocked.
  • A Groupon employee was not standing behind my shoulder.

Ready for the answer? It’s in this sequence of events.

  • I log into my Groupon account. Could have been years ago, doesn’t matter.
    The Groupon website runs Google Analytics (GA). GA is a tracking script that creates a fingerprint for my browser and sends it to Google (more on browser fingerprinting).

    Groupon sets a UserId in the tracking script. Maybe UserId is my email, maybe it’s my name. It serves as a shared key between Groupon and GA, so Groupon can always identify me in GA’s data collection.

  • I log into Twitter. And Bank of America, Zenefits, HealthCare.gov. Each one runs a GA script, each one uploads their local UserId for my fingerprint. GA adds all these UserIds to my profile, along with a record of my interactions on each site.
    I traipse the internet with reckless abandon, leaving dirty fingerprints everywhere. 75% of the 100k most highly-trafficked sites run a GA tracking script.
  • My laptop is destroyed. Oops!

    I buy a new computer, install a fresh browser. I have a completely different fingerprint. Am I safe?

    Nope. I log into Twitter, which uploads my old UserId along with a new fingerprint. Google learns about the new device and associates it with the old one. There is no discontinuity in data collection.

  • Time passes. Last week, my mother forwards a Groupon to me because she doesn’t know how Groupon works. I click the link.

    Groupon doesn’t know I’m on their site, but Google does.

  • I do my search for Rosetta Stone v Google.
  • Groupon queues up their daily spam list.
    “Hey Google, we need a list of UserIds for recent web visitors who are in the market for some shitty items we’re shilling.”

    “Here they are, sorted by keyword!”

    “Thanks Google! Your valuable service more than justifies your $500 billion market cap.”

This last step could use some clarification.

Anyone who runs Google Analytics has access to a handy privacy-invasion dashboard. Here, we can filter users by demographics, interests, and other creepy criteria.

Screen Shot 2016-07-06 at 2.41.40 PM

A filter of my recent visitors shows that 12% of you are in the market for dating services. Don’t worry, I’m not judging anyone here; just abusing your privacy.

Google determines whether someone is In-Market based on their recent search queries and site interactions. In Google’s words, “they are researching products and are actively considering buying a service or product.” Maybe the users identified as “In the Market for Dating Services” have recently stopped by Match.com or Pornhub. Both run Google trackers.

Let’s look at these visitors.

Screen Shot 2016-07-06 at 4.29.02 PM

My users are shown as anonymous numbers because I don’t have any identifying info about them.

An employee at Twitter or Groupon, on the other hand, would see a list of personalized UserIds. The identifiers are linked to customer contact information in their own databases. When Groupon sees my UserId on the list, they send a targeted ad directly to my email.

Screen Shot 2016-07-07 at 12.03.36 AM

Most people generate so much noise with their internet activity that it’s hard to draw a clear connection between an action and an ad. I’ve been blocking all Google trackers for the last two years, but recently disabled the blocker to test some code. Google interpreted my sudden tracker activity as INTENTION TO SPEND MONEY. When Google discovers a user with commercial intent, it does whatever it can to make that user look at high-priced ads.

And that is how Google drives customer value, increases business performance, and ensures peace and prosperity for all.

Are you blocking trackers yet?

See Also:
1. Don’t Hate the Ad, Hate the Ad-Tracker
2. Facebook is just as shameless about abusing personal data. Richard Stallman has a good overview. (h/t Warren)
3. See everything that Google knows about you at My Activity.

Leave a Reply