Data watchdog slammed for lack of action against Google on UK’s ‘largest ever data breach’
Written by News on 17/01/2020
Britain’s data watchdog has been criticised for failing to punish companies involved in what has been described as the UK’s largest recorded data breach.
The breach itself was industrial in scale and conducted through an online advertising process designed by Google and the Interactive Bureau of Advertising (IAB), known as real-time bidding.
After launching its investigation last year, the Information Commissioner’s Office (ICO) has now said it would only be seeking “real improvements” from the pair rather than bringing any enforcement actions, which could stretch to fining them up to 4% of their global turnover.
Real-time bidding (RTB) is the market which underpins online advertising and has been described as “the largest data breach ever recorded in the UK” by those who initially complained about it to the regulator.
RTB effectively sells impressions – how the industry refers to the number of times an advertisement is loaded into a web browser – through a practically instantaneous auction which automatically takes place when a browser begins to load up a web page.
When this happens, behind the scenes using tracking cookies and other forms of data which our browsers drag with us around the web, companies bid to be able to show us advertisements based on the enormous and detailed profiles which publishers build up on our lives.
RTB is an industry which monetises a digital surveillance system that records what every person on the web watches, reads and listens to.
This system builds a profile on every individual who uses the web, and the details the system collects includes users’ age, gender, location, and even a historic record of browsing.
This record is crucial because it allows one of the most significant forms of tracking, when publishers connect you with what they call “content taxonomies”. These are lists of categories which are used to classify online content. They range from the general (sport, movies, jazz) to the creepily specific.
Google’s list, for instance, one of two used as standard across the industry, includes the categories Reproductive Health, Substance Abuse, Health Conditions, Politics and Ethnic & Identity Groups.
Both Google and the IAB insist their categories are only ever applied to content. But there is substantial evidence to suggest that they do get connected to individual people.
The ICO said that Google will now “remove content categories, and improve its process for auditing” and said it was encouraged by the company’s plans to phase out support for third party cookies in the Chrome browser.
It added that the IAB has “agreed a range of principles that align with our concerns, and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused guidance on the content taxonomy”.
However it has taken no enforcement action against either organisation, prompting outrage from many of those involved in bringing the initial complaint against the RTB system.
“The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as ‘improvements’ are gradually made, with no actual date for compliance,” said Jim Killock, the executive director of digital rights advocacy organisation Open Rights Group.
“Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.
“The ICO must take enforcement action against IAB members,” Mr Killock continued. “We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law.”
Dr Johnny Ryan, chief policy officer at ethical web browsing company Brave, criticised the ICO for taking “no substantive action to fix ‘RTB’, the largest data breach ever recorded in the UK”.
“Google and the IAB have taken no steps to stop the vast, systematic data breach that broadcasts what billions of people read, watch, and listen to online, every day,” Dr Ryan added.
He said that Brave was considering all options, including a judicial challenge of the ICO’s decision.
Sky News has contacted Google for comment.
(c) Sky News 2020: Data watchdog slammed for lack of action against Google on UK’s ‘largest ever data breach’
