Meet Johnny Ryan, the thorn in Google’s side

The chief policy officer for Brave came for ad markets first. Now, he wants regulators to crack down on tech giants' "internal data free-for-alls."

Johnny Ryan

Brave CPO Johnny Ryan believes people should be able to give up their location data to access a map without having that data used in another context later on.

Photo: Rune Hellestad/Getty images for ANFO

Johnny Ryan has spent the last year and a half trying to convince European regulators that the business model that props up the biggest tech companies in the world — behavioral advertising — is illegal. Now, he is gearing up for a new fight. This time, he wants regulators to crack down on how tech giants use data inside their own virtual walls.

The charismatic Irishman is the chief policy officer for the web browser company Brave. Back in 2018, he filed a complaint with Ireland's Data Protection Commissioner accusing Google and the Interactive Advertising Bureau in Europe of violating European data protection laws through the wanton broadcasting of sensitive personal information in online ad exchanges. Flexing his media savvy, Ryan drummed up tons of press about it, and strategically coordinated with other data rights groups throughout Europe to file similar complaints. It caused a stir.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

His complaint ricocheted around Europe and has since been replicated in more than a dozen countries across the European Union, sparking investigations and reviews by data regulators in Ireland, the United Kingdom and Belgium.

But those complaints only address what happens when companies share data externally, Ryan says. The flip side of that problem is what tech giants are doing with customer data internally.

"Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business," Ryan says. Ryan argues that's illegal under GDPR, which says that data must be processed in a "transparent manner" for "specified, explicit and legitimate purposes."

He wants regulators to step in. And so, Ryan is in the process of preparing another legal complaint against one of the Silicon Valley giants. He's not saying who just yet, but earlier this month, Ryan laid out a withering case against Google's internal uses of data in a letter to the U.K.'s antitrust regulator.

"Preliminary analysis conducted by Brave indicates that Google has several hundred processing purposes that are conflated in a vast, internal data free-for-all," Ryan wrote in the letter. "Google's internal data free-for-all should therefore be remedied by data protection enforcement."

If European regulators were to enforce these so-called "purpose limitation" requirements against even one company, Ryan and his attorney Ravi Naik of the London-based law firm AWO say it could have a domino effect across the continent. "If it applies to one company, it applies to all companies," Naik says. "If anyone has a policy that's not transparent, they should be paying attention."

If it applies to one company, it applies to all companies. — Ravi Naik, Ryan's attorney

Ryan wasn't always such a skeptic about technology. Quite the opposite. In his 2011 book, "A History of the Internet and the Digital Future," Ryan, then a doctoral candidate at the University of Cambridge, marveled at the "newly enfranchised internet activists" reinventing democracy.

Almost a decade later, Ryan confesses, "I was far too utopian." He went on to become chief innovation officer of The Irish Times, where, he says, he had little idea how much personal data might have been driving the ads that landed on the page.

All that changed when Ryan began working for PageFair, an ad tech company that helped publishers measure and counter the impact of ad-blocking technology. That gave him his first look under the hood of real-time bidding markets. He came to understand that billions of times every day, companies like Google are broadcasting granular data about what people are looking at when they're browsing the web, in order to find them just the right ad at just the right time. This information is packaged up into bid requests and disseminated instantaneously to so-called "demand side platforms," which take bids from advertisers. In some cases, Ryan found, those bid requests include sensitive data, like precise GPS coordinates and URLs that might hint at a person's sexual orientation or ethnicity.

In January 2018, Ryan wrote an email to the United Kingdom's Information Commissioner's Office, which oversees violations of data privacy law, saying he wanted to report a data leak.

"I want to very privately whistle blow, and I am unsure of how to do so," Ryan wrote in an email reviewed by Protocol. He says at first they were interested. He spoke on the phone a few times with ICO officials. But after a while, he says he heard nothing back. GDPR went into effect four months later, and the behavioral advertising industry went on largely uninterrupted. That is, except for the widespread proliferation of pop-up notices asking people for consent to do who knows what with their data. That, to Ryan, didn't constitute consent at all.

Under the law, he says, "You cannot even ask for my consent unless you know what's going to happen to the data so you can tell me. If you have no idea and no control, you're not in a position to ask."

Ryan decided the only way to get regulators' attention was through a formal complaint. This wasn't an exclusively altruistic endeavor. By then, Ryan was working for Brave, a company whose main product is a browser that tries to distinguish itself from, say, Google Chrome, by blocking behavioral ads and trackers. Its co-founder and CEO, Brendan Eich, co-founded Mozilla.

"I think it's fair to say it's no different than when Apple or Tim Cook speaks out on privacy," says Jason Kint, CEO of Digital Content Next, a trade association representing digital companies. "The common refrain is, 'That will help Apple's business because they don't have ads.' Yeah, sure, but the fact that Apple is making that human right a priority that aligns with their business interest is great."

Ryan says Eich was immediately on board with the idea. "With the privacy wave rising in Europe and the U.S., it is crucial that regulators are aware of what's happening behind the scenes in tech so that they can best protect users," Eich told Protocol in a statement.

Ryan got to work on what would become known as the Ryan Report, a 32-page document that summarized his concerns about Google's Authorized Buyers and the IAB Europe's OpenRTB framework, the two programs that write the rules around what goes into just about every bid request in the world. His main argument: These organizations have no control over what happens to the data they broadcast through real-time bidding, and thus, are violating a core principle of GDPR that requires that data be "processed in a manner that ensures appropriate security of the personal data."

Ryan's findings soon became the basis of identical complaints across Europe. Regulators took notice. In May 2019, Ireland's Data Protection Commissioner said it would investigate Google's compliance with GDPR based, in part, on Ryan's complaint. The British ICO similarly cited Ryan's work in its own report last June, which gave adtech players six months to change their ways. In a statement to Protocol, Ireland's DPC said only that its Google investigation is "ongoing."

These investigations made Google blink. Last year, the tech giant announced it would expand audits of its Authorized Buyers program and strip out the content categories that describe the type of web page a user is browsing from bid requests. Those categories had included things like "male impotence" and "substance abuse," according to Ryan's research.

This appeared to be enough to satisfy the British Information Commissioner, at least for now. The regulator issued a blog post in January saying it was "encouraged" by Google's actions and would "continue to look at the changes Google has proposed."

In a statement to Protocol, a Google spokesperson said the company doesn't serve personalized ads or send bid requests out without user consent. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated," the spokesperson said.

IAB Europe, meanwhile, directed Protocol to its past statements on Ryan's complaints. One such statement argues that GDPR doesn't require "the absolute technical impossibility for data to be processed unlawfully."

"Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit," one February 2019 blog post read. "Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits."

Ryan believes real-time bidding has created the "biggest data breach of all time."

Naik, however, says the IAB is using the wrong analogy. "This isn't equivalent to broad rules of the road," he says. "This is like building a car with no windshield wipers or seatbelts."

Still, in the nearly two years since GDPR went into effect, no regulator has taken action on Ryan's claims. That explains his plan B.

Ryan believes real-time bidding has created the "biggest data breach of all time." But he says the way companies like Google and Facebook mine data internally across a range of products is just as troubling. Not only does it keep users in the dark about how their data is processed, he argues, but it also entrenches incumbents, who have built a data moat around themselves.

He's not alone in making this case. Last year, France's data protection regulator fined Google $57 million for failing to give users enough information about how their data is being processed before giving their consent. A month later, Germany's antitrust authority ruled that Facebook would have to get consent from users before combining their data with third party sources or using that data across its family of apps. A court later reversed that ruling.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

Google does seek people's consent to personalize their services across products, but Naik says this kind of broad disclosure is exactly what the European Commission hoped to avoid under GDPR. Indeed, in guidelines released in 2017, the EU's Data Protection Working Party specifically listed the phrase "we may use your personal data to offer personalized services" as a "poor practice example."

Ryan views all of this as a clear violation of GDPR's purpose limitation requirements. He believes people should be able to give up their location data to access a map without having that data used in another context later on. If people could pick and choose the data they share, Ryan says, "The next time there's a delete Facebook moment, people won't have to delete Facebook. They'll lobotomize it."

For Ryan — and for Brave — that would be just fine.


How the creators of Spligate built gaming’s newest unicorn

1047 Games is now valued at $1.5 billion after three rounds of funding since May.

1047 Games' Splitgate amassed 13 million downloads when its beta launched in July.

Image: 1047 Games

The creators of Splitgate had a problem. Their new free-to-play video game, a take on the legendary arena shooter Halo with a teleportation twist borrowed from Valve's Portal, was gaining steam during its open beta period in July. But it was happening too quickly.

Splitgate was growing so fast and unexpectedly that the entire game was starting to break, as the servers supporting the game began to, figuratively speaking, melt down. The game went from fewer than 1,000 people playing it at any given moment in time to suddenly having tens of thousands of concurrent players. Then it grew to hundreds of thousands of players, all trying to log in and play at once across PlayStation, Xbox and PC.

Keep Reading Show less
Nick Statt
Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at

While it's easy to get lost in the operational and technical side of a transaction, it's important to remember the third component of a payment. That is, the human behind the screen.

Over the last two years, many retailers have seen the benefit of investing in new, flexible payments. Ones that reflect the changing lifestyles of younger spenders, who are increasingly holding onto their cash — despite reports to the contrary. This means it's more important than ever for merchants to take note of the latest payment innovations so they can tap into the savings of the COVID-19 generation.

Keep Reading Show less
Antoine Nougue,

Antoine Nougue is Head of Europe at He works with ambitious enterprise businesses to help them scale and grow their operations through payment processing services. He is responsible for leading the European sales, customer success, engineering & implementation teams and is based out of London, U.K.

Protocol | Policy

Why Twitch’s 'hate raid' lawsuit isn’t just about Twitch

When is it OK for tech companies to unmask their anonymous users? And when should a violation of terms of service get someone sued?

The case Twitch is bringing against two hate raiders is hardly black and white.

Photo: Caspar Camille Rubin/Unsplash

It isn't hard to figure out who the bad guys are in Twitch's latest lawsuit against two of its users. On one side are two anonymous "hate raiders" who have been allegedly bombarding the gaming platform with abhorrent attacks on Black and LGBTQ+ users, using armies of bots to do it. On the other side is Twitch, a company that, for all the lumps it's taken for ignoring harassment on its platform, is finally standing up to protect its users against persistent violators whom it's been unable to stop any other way.

But the case Twitch is bringing against these hate raiders is hardly black and white. For starters, the plaintiff here isn't an aggrieved user suing another user for defamation on the platform. The plaintiff is the platform itself. Complicating matters more is the fact that, according to a spokesperson, at least part of Twitch's goal in the case is to "shed light on the identity of the individuals behind these attacks," raising complicated questions about when tech companies should be able to use the courts to unmask their own anonymous users and, just as critically, when they should be able to actually sue them for violating their speech policies.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Protocol | Workplace

Remote work is here to stay. Here are the cybersecurity risks.

Phishing and ransomware are on the rise. Is your remote workforce prepared?

Before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.

Photo: Stefan Wermuth/Bloomberg via Getty Images

The delta variant continues to dash or delay return-to-work plans, but before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.

So far in 2021, CrowdStrike has already observed over 1,400 "big game hunting" ransomware incidents and $180 million in ransom demands averaging over $5 million each. That's due in part to the "expanded attack surface that work-from-home creates," according to CTO Michael Sentonas.

Keep Reading Show less
Michelle Ma
Michelle Ma (@himichellema) is a reporter at Protocol, where she writes about management, leadership and workplace issues in tech. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at
Protocol | Fintech

When COVID rocked the insurance market, this startup saw opportunity

Ethos has outraised and outmarketed the competition in selling life insurance directly online — but there's still an $887 billion industry to transform.

Life insurance has been slow to change.

Image: courtneyk/Getty Images

Peter Colis cited a striking statistic that he said led him to launch a life insurance startup: One in twenty children will lose a parent before they turn 15.

"No one ever thinks that will happen to them, but that's the statistics," the co-CEO and co-founder of Ethos told Protocol. "If it's a breadwinning parent, the majority of those families will go bankrupt immediately, within three months. Life insurance elegantly solves this problem."

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at or via Signal at (510)731-8429.

Latest Stories