Meet Johnny Ryan, the thorn in Google’s side

The chief policy officer for Brave came for ad markets first. Now, he wants regulators to crack down on tech giants' "internal data free-for-alls."

Johnny Ryan

Brave CPO Johnny Ryan believes people should be able to give up their location data to access a map without having that data used in another context later on.

Photo: Rune Hellestad/Getty images for ANFO

Johnny Ryan has spent the last year and a half trying to convince European regulators that the business model that props up the biggest tech companies in the world — behavioral advertising — is illegal. Now, he is gearing up for a new fight. This time, he wants regulators to crack down on how tech giants use data inside their own virtual walls.

The charismatic Irishman is the chief policy officer for the web browser company Brave. Back in 2018, he filed a complaint with Ireland's Data Protection Commissioner accusing Google and the Interactive Advertising Bureau in Europe of violating European data protection laws through the wanton broadcasting of sensitive personal information in online ad exchanges. Flexing his media savvy, Ryan drummed up tons of press about it, and strategically coordinated with other data rights groups throughout Europe to file similar complaints. It caused a stir.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

His complaint ricocheted around Europe and has since been replicated in more than a dozen countries across the European Union, sparking investigations and reviews by data regulators in Ireland, the United Kingdom and Belgium.

But those complaints only address what happens when companies share data externally, Ryan says. The flip side of that problem is what tech giants are doing with customer data internally.

"Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business," Ryan says. Ryan argues that's illegal under GDPR, which says that data must be processed in a "transparent manner" for "specified, explicit and legitimate purposes."

He wants regulators to step in. And so, Ryan is in the process of preparing another legal complaint against one of the Silicon Valley giants. He's not saying who just yet, but earlier this month, Ryan laid out a withering case against Google's internal uses of data in a letter to the U.K.'s antitrust regulator.

"Preliminary analysis conducted by Brave indicates that Google has several hundred processing purposes that are conflated in a vast, internal data free-for-all," Ryan wrote in the letter. "Google's internal data free-for-all should therefore be remedied by data protection enforcement."

If European regulators were to enforce these so-called "purpose limitation" requirements against even one company, Ryan and his attorney Ravi Naik of the London-based law firm AWO say it could have a domino effect across the continent. "If it applies to one company, it applies to all companies," Naik says. "If anyone has a policy that's not transparent, they should be paying attention."

If it applies to one company, it applies to all companies. — Ravi Naik, Ryan's attorney

Ryan wasn't always such a skeptic about technology. Quite the opposite. In his 2011 book, "A History of the Internet and the Digital Future," Ryan, then a doctoral candidate at the University of Cambridge, marveled at the "newly enfranchised internet activists" reinventing democracy.

Almost a decade later, Ryan confesses, "I was far too utopian." He went on to become chief innovation officer of The Irish Times, where, he says, he had little idea how much personal data might have been driving the ads that landed on the page.

All that changed when Ryan began working for PageFair, an ad tech company that helped publishers measure and counter the impact of ad-blocking technology. That gave him his first look under the hood of real-time bidding markets. He came to understand that billions of times every day, companies like Google are broadcasting granular data about what people are looking at when they're browsing the web, in order to find them just the right ad at just the right time. This information is packaged up into bid requests and disseminated instantaneously to so-called "demand side platforms," which take bids from advertisers. In some cases, Ryan found, those bid requests include sensitive data, like precise GPS coordinates and URLs that might hint at a person's sexual orientation or ethnicity.

In January 2018, Ryan wrote an email to the United Kingdom's Information Commissioner's Office, which oversees violations of data privacy law, saying he wanted to report a data leak.

"I want to very privately whistle blow, and I am unsure of how to do so," Ryan wrote in an email reviewed by Protocol. He says at first they were interested. He spoke on the phone a few times with ICO officials. But after a while, he says he heard nothing back. GDPR went into effect four months later, and the behavioral advertising industry went on largely uninterrupted. That is, except for the widespread proliferation of pop-up notices asking people for consent to do who knows what with their data. That, to Ryan, didn't constitute consent at all.

Under the law, he says, "You cannot even ask for my consent unless you know what's going to happen to the data so you can tell me. If you have no idea and no control, you're not in a position to ask."

Ryan decided the only way to get regulators' attention was through a formal complaint. This wasn't an exclusively altruistic endeavor. By then, Ryan was working for Brave, a company whose main product is a browser that tries to distinguish itself from, say, Google Chrome, by blocking behavioral ads and trackers. Its co-founder and CEO, Brendan Eich, co-founded Mozilla.

"I think it's fair to say it's no different than when Apple or Tim Cook speaks out on privacy," says Jason Kint, CEO of Digital Content Next, a trade association representing digital companies. "The common refrain is, 'That will help Apple's business because they don't have ads.' Yeah, sure, but the fact that Apple is making that human right a priority that aligns with their business interest is great."

Ryan says Eich was immediately on board with the idea. "With the privacy wave rising in Europe and the U.S., it is crucial that regulators are aware of what's happening behind the scenes in tech so that they can best protect users," Eich told Protocol in a statement.

Ryan got to work on what would become known as the Ryan Report, a 32-page document that summarized his concerns about Google's Authorized Buyers and the IAB Europe's OpenRTB framework, the two programs that write the rules around what goes into just about every bid request in the world. His main argument: These organizations have no control over what happens to the data they broadcast through real-time bidding, and thus, are violating a core principle of GDPR that requires that data be "processed in a manner that ensures appropriate security of the personal data."

Ryan's findings soon became the basis of identical complaints across Europe. Regulators took notice. In May 2019, Ireland's Data Protection Commissioner said it would investigate Google's compliance with GDPR based, in part, on Ryan's complaint. The British ICO similarly cited Ryan's work in its own report last June, which gave adtech players six months to change their ways. In a statement to Protocol, Ireland's DPC said only that its Google investigation is "ongoing."

These investigations made Google blink. Last year, the tech giant announced it would expand audits of its Authorized Buyers program and strip out the content categories that describe the type of web page a user is browsing from bid requests. Those categories had included things like "male impotence" and "substance abuse," according to Ryan's research.

This appeared to be enough to satisfy the British Information Commissioner, at least for now. The regulator issued a blog post in January saying it was "encouraged" by Google's actions and would "continue to look at the changes Google has proposed."

In a statement to Protocol, a Google spokesperson said the company doesn't serve personalized ads or send bid requests out without user consent. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated," the spokesperson said.

IAB Europe, meanwhile, directed Protocol to its past statements on Ryan's complaints. One such statement argues that GDPR doesn't require "the absolute technical impossibility for data to be processed unlawfully."

"Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit," one February 2019 blog post read. "Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits."

Ryan believes real-time bidding has created the "biggest data breach of all time."

Naik, however, says the IAB is using the wrong analogy. "This isn't equivalent to broad rules of the road," he says. "This is like building a car with no windshield wipers or seatbelts."

Still, in the nearly two years since GDPR went into effect, no regulator has taken action on Ryan's claims. That explains his plan B.

Ryan believes real-time bidding has created the "biggest data breach of all time." But he says the way companies like Google and Facebook mine data internally across a range of products is just as troubling. Not only does it keep users in the dark about how their data is processed, he argues, but it also entrenches incumbents, who have built a data moat around themselves.

He's not alone in making this case. Last year, France's data protection regulator fined Google $57 million for failing to give users enough information about how their data is being processed before giving their consent. A month later, Germany's antitrust authority ruled that Facebook would have to get consent from users before combining their data with third party sources or using that data across its family of apps. A court later reversed that ruling.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

Google does seek people's consent to personalize their services across products, but Naik says this kind of broad disclosure is exactly what the European Commission hoped to avoid under GDPR. Indeed, in guidelines released in 2017, the EU's Data Protection Working Party specifically listed the phrase "we may use your personal data to offer personalized services" as a "poor practice example."

Ryan views all of this as a clear violation of GDPR's purpose limitation requirements. He believes people should be able to give up their location data to access a map without having that data used in another context later on. If people could pick and choose the data they share, Ryan says, "The next time there's a delete Facebook moment, people won't have to delete Facebook. They'll lobotomize it."

For Ryan — and for Brave — that would be just fine.


You need a healthy ‘debate culture’

From their first day, employees at Appian are encouraged to disagree with anyone at the company — including the CEO. Here’s how it works.

Appian co-founder and CEO Matt Calkins wants his employees to disagree with him.

Photo: Appian

Matt Calkins often hears that he’s polite, even deferential. But as CEO of Appian, he tells employees to challenge each other — especially their bosses — early and often.

“I love arguments. I love ideas clashing,” Calkins said. “I regard it as a personal compliment when someone respectfully dissents.”

Keep Reading Show less
Allison Levitsky
Allison Levitsky is a reporter at Protocol covering workplace issues in tech. She previously covered big tech companies and the tech workforce for the Silicon Valley Business Journal. Allison grew up in the Bay Area and graduated from UC Berkeley.

Some of the most astounding tech-enabled advances of the next decade, from cutting-edge medical research to urban traffic control and factory floor optimization, will be enabled by a device often smaller than a thumbnail: the memory chip.

While vast amounts of data are created, stored and processed every moment — by some estimates, 2.5 quintillion bytes daily — the insights in that code are unlocked by the memory chips that hold it and transfer it. “Memory will propel the next 10 years into the most transformative years in human history,” said Sanjay Mehrotra, president and CEO of Micron Technology.

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Gopuff says it will make it through the fast-delivery slump

Maria Renz on her new role, the state of fast delivery and Gopuff’s goals for the coming year.

Gopuff has raised $4 billion at a $15 billion valuation.

Photo: Gopuff

The fast-delivery boom sent startups soaring during the pandemic, only for them to come crashing down in recent months. But Maria Renz said Gopuff is prepared to get through the slump.

“Gopuff is really well-positioned to weather through those challenges that we expect in the next year or so,” Renz told Protocol. “We're first party, we control elements of our mix, like price, very directly. And again, we have nine years of experience.”

Keep Reading Show less
Sarah Roach

Sarah (Sarahroach_) writes for Source Code at Protocol. She's a recent graduate of The George Washington University, where she studied journalism and criminal justice. She served for two years as editor-in-chief of GW's independent newspaper, The GW Hatchet. Sarah is based in New York, and can be reached at


AT&T CTO: Challenges of the cloud transition are interpersonal

Jeremy Legg sat down with Protocol to discuss the race to 5G, the challenges of the cloud transition and nabbing tech talent.

AT&T CTO Jeremy Legg spoke with Protocol about the company's cloud transition and more.

Photo: AT&T

Jeremy Legg is two months into his role as CTO of AT&T, and he has been tasked with a big mandate: transforming the company into a software-driven business, with 5G and fiber as core growth areas.

This isn’t Legg’s first CTO gig, just his biggest one. He’s an entertainment biz guy who’s now at the center of the much bigger, albeit less glamorous, telecom business. Prior to joining AT&T in 2020, Legg was the CTO of WarnerMedia, where he was the technical architect behind HBO Max.

Keep Reading Show less
Michelle Ma

Michelle Ma (@himichellema) is a reporter at Protocol, where she writes about management, leadership and workplace issues in tech. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at


How Canva uses Canva

Design tips and tricks from the ultimate Canva pros: Canva employees themselves.

Employees use Canva to build the internal weekly “Canvazine,” product vision decks, team swag and more.

Illustration: Christopher T. Fong/Protocol

Ever wondered how the companies behind your favorite tech use their own products? We’ve told you how Spotify uses Spotify, How Slack uses Slack and how Meta uses its workplace tools. We talked to Canva employees about the creative ways they use the design tool.

The thing about Canva is that it's ridiculously easy to use. Anyone, regardless of skill level, can open up the app and produce a visually appealing presentation, infographic or video. The 10-year-old company has become synonymous with DIY design, serving as the preferred Instagram infographic app for the social justice “girlies.” Still, the app has plenty of overlooked features that Canvanauts (Canva’s word for its employees) use every day.

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at

Latest Stories