New Google ad tracking policy a ‘Pandora’s box’ for privacy, experts warn

Google's new ad tracking policy is drawing scrutiny from regulators and privacy watchdogs who say it makes it harder for users to be anonymous online.

On Sunday, the search giant switched from enabling cookies to so-called digital fingerprinting. 

Digital fingerprints allow advertisers and data brokers to collect consumer data based on internet users’ activities across web browsers, online sessions and often multiple devices. Google’s new policy enabling them will make it difficult for people online, including those using VPNs, Tor and privacy browsers, to stay anonymous, experts say.

Google had previously allowed advertisers to shadow users with cookies, which only track people across websites and sometimes across sessions.

To block cookies, individuals can use ad blockers, cookie blockers and incognito mode or clear their cookie cache, but with digital fingerprinting those protections aren't available.

Because of how digital fingerprinting strips users of agency over their privacy, Google’s move is catching the attention of data protection authorities overseas, where information collection by tech companies is tightly regulated.

In a recent blog post, the executive director of regulatory risk at the United Kingdom’s Information Commissioner’s Office called digital fingerprinting “irresponsible” and said advertisers will have a “high bar” to meet to prove they are complying with the law. 

Even Google itself previously criticized the technology, calling digital fingerprinting an unfair constraint on user choice and “wrong” in 2019. 

The technology can gather fingerprint data across devices sharing an IP address, as well as across different web sessions, which can be used to build highly personal identity profiles for advertisers, data brokers and potentially governments targeting journalists and activists, experts said.

Digital fingerprinting creates what data broker expert Jeff Jockisch calls a “persistent identity” and allows machine information to be combined with other data, like location, demographics and which apps a user downloads. 

Even the pixel dimensions on a user’s screen and the font settings on devices, combined with IP addresses, help create the digital fingerprint. Connecting these details with other online attributes to determine a user’s identity means advertisers can piece together what someone does online, often regardless of device, and can combine a larger array of data to profile them, experts said.

It is very difficult, if not impossible, for even the most privacy conscious consumers to stay anonymous online when digital fingerprinting is enabled, said Jockisch, who co-founded the digital privacy consulting firm ObscureIQ.

Having a tech behemoth like Google begin using fingerprinting also will change the ad ecosystem and lead more companies to jump into the game, Jockisch said.

“People were doing fingerprinting before, but now Pandora's box has been opened and everybody's going to put more and more energy into fingerprinting,” Jockisch said. “It's going to be worse.”

The information gathering that digital fingerprinting allows is uniquely vast, experts say.

“When it's all coming together in this massive data pool, it can be extremely revealing, and they can draw some really, really sensitive inferences from that information,” said Calli Schroeder, senior policy counsel at the Electronic Privacy Information Center. “So it's like cookies, but on steroids, across multiple devices.”

A company blog post about the shift said “advances in privacy-enhancing technologies (PETs)  such as on-device processing, trusted execution environments, and secure multi-party computation” contributed to the shift.

The rise of new ad-supported platforms like connected TV (CTV) also factored into Google’s decision, the blog post said. 

A company spokesperson shared a statement saying that “data signals like IP addresses are already commonly used by others in the industry today, and Google has been using IP responsibly to fight fraud for years.”

“Privacy enhancing technologies offer new ways for our partners to succeed on emerging platforms like CTV without compromising on user privacy,” the statement said. 

Jockisch, though, thinks the tech giant’s change of heart comes down to profits.

Fingerprinting is going to “make a lot more money,” he said.