yesIssie LapowskyNone
×

Get access to Protocol

I’ve already subscribed

Will be used in accordance with our Privacy Policy

People

Meet Johnny Ryan, the thorn in Google’s side

The chief policy officer for Brave came for ad markets first. Now, he wants regulators to crack down on tech giants' "internal data free-for-alls."

Johnny Ryan

Brave CPO Johnny Ryan believes people should be able to give up their location data to access a map without having that data used in another context later on.

Photo: Rune Hellestad/Getty images for ANFO

Johnny Ryan has spent the last year and a half trying to convince European regulators that the business model that props up the biggest tech companies in the world — behavioral advertising — is illegal. Now, he is gearing up for a new fight. This time, he wants regulators to crack down on how tech giants use data inside their own virtual walls.

The charismatic Irishman is the chief policy officer for the web browser company Brave. Back in 2018, he filed a complaint with Ireland's Data Protection Commissioner accusing Google and the Interactive Advertising Bureau in Europe of violating European data protection laws through the wanton broadcasting of sensitive personal information in online ad exchanges. Flexing his media savvy, Ryan drummed up tons of press about it, and strategically coordinated with other data rights groups throughout Europe to file similar complaints. It caused a stir.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

His complaint ricocheted around Europe and has since been replicated in more than a dozen countries across the European Union, sparking investigations and reviews by data regulators in Ireland, the United Kingdom and Belgium.

But those complaints only address what happens when companies share data externally, Ryan says. The flip side of that problem is what tech giants are doing with customer data internally.

"Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business," Ryan says. Ryan argues that's illegal under GDPR, which says that data must be processed in a "transparent manner" for "specified, explicit and legitimate purposes."

He wants regulators to step in. And so, Ryan is in the process of preparing another legal complaint against one of the Silicon Valley giants. He's not saying who just yet, but earlier this month, Ryan laid out a withering case against Google's internal uses of data in a letter to the U.K.'s antitrust regulator.

"Preliminary analysis conducted by Brave indicates that Google has several hundred processing purposes that are conflated in a vast, internal data free-for-all," Ryan wrote in the letter. "Google's internal data free-for-all should therefore be remedied by data protection enforcement."

If European regulators were to enforce these so-called "purpose limitation" requirements against even one company, Ryan and his attorney Ravi Naik of the London-based law firm AWO say it could have a domino effect across the continent. "If it applies to one company, it applies to all companies," Naik says. "If anyone has a policy that's not transparent, they should be paying attention."

If it applies to one company, it applies to all companies. — Ravi Naik, Ryan's attorney

Ryan wasn't always such a skeptic about technology. Quite the opposite. In his 2011 book, "A History of the Internet and the Digital Future," Ryan, then a doctoral candidate at the University of Cambridge, marveled at the "newly enfranchised internet activists" reinventing democracy.

Almost a decade later, Ryan confesses, "I was far too utopian." He went on to become chief innovation officer of The Irish Times, where, he says, he had little idea how much personal data might have been driving the ads that landed on the page.

All that changed when Ryan began working for PageFair, an ad tech company that helped publishers measure and counter the impact of ad-blocking technology. That gave him his first look under the hood of real-time bidding markets. He came to understand that billions of times every day, companies like Google are broadcasting granular data about what people are looking at when they're browsing the web, in order to find them just the right ad at just the right time. This information is packaged up into bid requests and disseminated instantaneously to so-called "demand side platforms," which take bids from advertisers. In some cases, Ryan found, those bid requests include sensitive data, like precise GPS coordinates and URLs that might hint at a person's sexual orientation or ethnicity.

In January 2018, Ryan wrote an email to the United Kingdom's Information Commissioner's Office, which oversees violations of data privacy law, saying he wanted to report a data leak.

"I want to very privately whistle blow, and I am unsure of how to do so," Ryan wrote in an email reviewed by Protocol. He says at first they were interested. He spoke on the phone a few times with ICO officials. But after a while, he says he heard nothing back. GDPR went into effect four months later, and the behavioral advertising industry went on largely uninterrupted. That is, except for the widespread proliferation of pop-up notices asking people for consent to do who knows what with their data. That, to Ryan, didn't constitute consent at all.

Under the law, he says, "You cannot even ask for my consent unless you know what's going to happen to the data so you can tell me. If you have no idea and no control, you're not in a position to ask."

Ryan decided the only way to get regulators' attention was through a formal complaint. This wasn't an exclusively altruistic endeavor. By then, Ryan was working for Brave, a company whose main product is a browser that tries to distinguish itself from, say, Google Chrome, by blocking behavioral ads and trackers. Its co-founder and CEO, Brendan Eich, co-founded Mozilla.

"I think it's fair to say it's no different than when Apple or Tim Cook speaks out on privacy," says Jason Kint, CEO of Digital Content Next, a trade association representing digital companies. "The common refrain is, 'That will help Apple's business because they don't have ads.' Yeah, sure, but the fact that Apple is making that human right a priority that aligns with their business interest is great."

Ryan says Eich was immediately on board with the idea. "With the privacy wave rising in Europe and the U.S., it is crucial that regulators are aware of what's happening behind the scenes in tech so that they can best protect users," Eich told Protocol in a statement.

Ryan got to work on what would become known as the Ryan Report, a 32-page document that summarized his concerns about Google's Authorized Buyers and the IAB Europe's OpenRTB framework, the two programs that write the rules around what goes into just about every bid request in the world. His main argument: These organizations have no control over what happens to the data they broadcast through real-time bidding, and thus, are violating a core principle of GDPR that requires that data be "processed in a manner that ensures appropriate security of the personal data."

Ryan's findings soon became the basis of identical complaints across Europe. Regulators took notice. In May 2019, Ireland's Data Protection Commissioner said it would investigate Google's compliance with GDPR based, in part, on Ryan's complaint. The British ICO similarly cited Ryan's work in its own report last June, which gave adtech players six months to change their ways. In a statement to Protocol, Ireland's DPC said only that its Google investigation is "ongoing."

These investigations made Google blink. Last year, the tech giant announced it would expand audits of its Authorized Buyers program and strip out the content categories that describe the type of web page a user is browsing from bid requests. Those categories had included things like "male impotence" and "substance abuse," according to Ryan's research.

This appeared to be enough to satisfy the British Information Commissioner, at least for now. The regulator issued a blog post in January saying it was "encouraged" by Google's actions and would "continue to look at the changes Google has proposed."

In a statement to Protocol, a Google spokesperson said the company doesn't serve personalized ads or send bid requests out without user consent. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated," the spokesperson said.

IAB Europe, meanwhile, directed Protocol to its past statements on Ryan's complaints. One such statement argues that GDPR doesn't require "the absolute technical impossibility for data to be processed unlawfully."

"Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit," one February 2019 blog post read. "Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits."

Ryan believes real-time bidding has created the "biggest data breach of all time."

Naik, however, says the IAB is using the wrong analogy. "This isn't equivalent to broad rules of the road," he says. "This is like building a car with no windshield wipers or seatbelts."

Still, in the nearly two years since GDPR went into effect, no regulator has taken action on Ryan's claims. That explains his plan B.

Ryan believes real-time bidding has created the "biggest data breach of all time." But he says the way companies like Google and Facebook mine data internally across a range of products is just as troubling. Not only does it keep users in the dark about how their data is processed, he argues, but it also entrenches incumbents, who have built a data moat around themselves.

He's not alone in making this case. Last year, France's data protection regulator fined Google $57 million for failing to give users enough information about how their data is being processed before giving their consent. A month later, Germany's antitrust authority ruled that Facebook would have to get consent from users before combining their data with third party sources or using that data across its family of apps. A court later reversed that ruling.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

Google does seek people's consent to personalize their services across products, but Naik says this kind of broad disclosure is exactly what the European Commission hoped to avoid under GDPR. Indeed, in guidelines released in 2017, the EU's Data Protection Working Party specifically listed the phrase "we may use your personal data to offer personalized services" as a "poor practice example."

Ryan views all of this as a clear violation of GDPR's purpose limitation requirements. He believes people should be able to give up their location data to access a map without having that data used in another context later on. If people could pick and choose the data they share, Ryan says, "The next time there's a delete Facebook moment, people won't have to delete Facebook. They'll lobotomize it."

For Ryan — and for Brave — that would be just fine.

Politics

'Woke tech' and 'the new slave power': Conservatives gather for Vegas summit

An agenda for the event, hosted by the Claremont Institute, listed speakers including U.S. CTO Michael Kratsios and Texas Attorney General Ken Paxton.

The so-called "Digital Statecraft Summit" was organized by the Claremont Institute. The speakers include U.S. CTO Michael Kratsios and Texas Attorney General Ken Paxton, as well as a who's-who of far-right provocateurs.

Photo: David Vives/Unsplash

Conservative investors, political operatives, right-wing writers and Trump administration officials are quietly meeting in Las Vegas this weekend to discuss topics including China, "woke tech" and "the new slave power," according to four people who were invited to attend or speak at the event as well as a copy of the agenda obtained by Protocol.

The so-called "Digital Statecraft Summit" was organized by the Claremont Institute, a conservative think tank that says its mission is to "restore the principles of the American Founding to their rightful, preeminent authority in our national life." A list of speakers for the event includes a combination of past and current government officials as well as a who's who of far-right provocateurs. One speaker, conservative legal scholar John Eastman, rallied the president's supporters at a White House event before the Capitol Hill riot earlier this month. Some others have been associated with racist ideologies.

Keep Reading Show less
Emily Birnbaum

Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.

The current state-of-the-art quantum computers are a tangle of wires. And that can't be the case in the future.

Photo: IBM Research

The iconic image of quantum computing is the "Google chandelier," with its hundreds of intricately arranged copper wires descending like the tendrils of a metallic jellyfish. It's a grand and impressive device, but in that tangle of wires lurks a big problem.

"If you're thinking about the long-term prospects of quantum computing, that image should be just terrifying," Jim Clarke, the director of quantum hardware at Intel, told Protocol.

Keep Reading Show less
Dan Garisto
Dan Garisto is a freelance science journalist who specializes in the physical sciences, with an emphasis on particle physics. He has an undergraduate degree in physics and is based in New York.
Election 2020

Google says it’s fighting election lies, but its ads fund them

A new report finds that more than 1,600 brands, from Disney to Procter & Gamble, have advertisements running on sites that push pro-Trump conspiracy theories. The majority of those ads are served by Google.

Google is the most dominant player in programmatic advertising, but it has a spotty record enforcing rules for publishers.

Photo: Alex Tai/Getty Images

Shortly after November's presidential election, a story appeared on the website of far-right personality Charlie Kirk, claiming that 10,000 dead people had returned mail-in ballots in Michigan. But after publishing, a correction appeared at the top of the story, completely debunking the misleading headline, which remains, months later, unchanged.

"We are not aware of a single confirmed case showing that a ballot was actually cast on behalf of a deceased individual," the correction, which quoted Michigan election officials, read.

Keep Reading Show less
Issie Lapowsky
Issie Lapowsky (@issielapowsky) is a senior reporter at Protocol, covering the intersection of technology, politics, and national affairs. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University’s Center for Publishing on how tech giants have affected publishing. Email Issie.
Politics

Silicon Valley is cracking down on Congress

Big Tech's pause on PAC contributions highlights how powerful it's become.

Democrats are particularly frustrated by Facebook, Google and Microsoft's decision to halt PAC contributions altogether, rather than targeting particular Republican lawmakers.

Photo: Tobias Hase/Getty Images

Congress has failed to act on every opportunity it had to seriously rein in the power of Big Tech over the last several years. Negotiations over a federal privacy bill fell apart last year, antitrust reform hit partisan headwinds and every debate over content moderation since 2016 has devolved into a theatrical yelling match that left the parties more divided over solutions than ever.

And now, the bigger-than-ever Silicon Valley is flexing its muscles with impunity as companies cut off violent extremists and wield the power of their political donations, acting more like a government than the U.S. government itself. They're leaving Republicans and Democrats more frustrated and powerless than ever in their wake.

Keep Reading Show less
Emily Birnbaum

Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.

Trump wants to spend his final week as president getting back at Twitter and Facebook for suspending him.

Photo: Oliver Contreras/Getty Images

President Trump has been telling anyone who will listen that he wants to do something to strike back at Big Tech in the final days of his presidency, promising a "big announcement" soon after Twitter permanently banned him last week.

In a statement that Twitter has taken down multiple times, Trump hammered usual targets — Section 230, the "Radical Left" controlling the world's largest tech platforms — and pledged he would not be "SILENCED." But at this point, as he faces a second impeachment and a Republican establishment revolting against him in the waning days of his presidency, there's likely very little that Trump can actually do that would inflict long-lasting damage on tech companies.

Keep Reading Show less
Emily Birnbaum

Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.

Latest Stories