Meet Johnny Ryan, the thorn in Google’s side

The chief policy officer for Brave came for ad markets first. Now, he wants regulators to crack down on tech giants' "internal data free-for-alls."

Johnny Ryan

Brave CPO Johnny Ryan believes people should be able to give up their location data to access a map without having that data used in another context later on.

Photo: Rune Hellestad/Getty images for ANFO

Johnny Ryan has spent the last year and a half trying to convince European regulators that the business model that props up the biggest tech companies in the world — behavioral advertising — is illegal. Now, he is gearing up for a new fight. This time, he wants regulators to crack down on how tech giants use data inside their own virtual walls.

The charismatic Irishman is the chief policy officer for the web browser company Brave. Back in 2018, he filed a complaint with Ireland's Data Protection Commissioner accusing Google and the Interactive Advertising Bureau in Europe of violating European data protection laws through the wanton broadcasting of sensitive personal information in online ad exchanges. Flexing his media savvy, Ryan drummed up tons of press about it, and strategically coordinated with other data rights groups throughout Europe to file similar complaints. It caused a stir.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

His complaint ricocheted around Europe and has since been replicated in more than a dozen countries across the European Union, sparking investigations and reviews by data regulators in Ireland, the United Kingdom and Belgium.

But those complaints only address what happens when companies share data externally, Ryan says. The flip side of that problem is what tech giants are doing with customer data internally.

"Right now, big tech companies are taking data from one bit of their business, and they have an internal free-for-all that allows them to use that data to prop up another bit of their business," Ryan says. Ryan argues that's illegal under GDPR, which says that data must be processed in a "transparent manner" for "specified, explicit and legitimate purposes."

He wants regulators to step in. And so, Ryan is in the process of preparing another legal complaint against one of the Silicon Valley giants. He's not saying who just yet, but earlier this month, Ryan laid out a withering case against Google's internal uses of data in a letter to the U.K.'s antitrust regulator.

"Preliminary analysis conducted by Brave indicates that Google has several hundred processing purposes that are conflated in a vast, internal data free-for-all," Ryan wrote in the letter. "Google's internal data free-for-all should therefore be remedied by data protection enforcement."

If European regulators were to enforce these so-called "purpose limitation" requirements against even one company, Ryan and his attorney Ravi Naik of the London-based law firm AWO say it could have a domino effect across the continent. "If it applies to one company, it applies to all companies," Naik says. "If anyone has a policy that's not transparent, they should be paying attention."

If it applies to one company, it applies to all companies. — Ravi Naik, Ryan's attorney

Ryan wasn't always such a skeptic about technology. Quite the opposite. In his 2011 book, "A History of the Internet and the Digital Future," Ryan, then a doctoral candidate at the University of Cambridge, marveled at the "newly enfranchised internet activists" reinventing democracy.

Almost a decade later, Ryan confesses, "I was far too utopian." He went on to become chief innovation officer of The Irish Times, where, he says, he had little idea how much personal data might have been driving the ads that landed on the page.

All that changed when Ryan began working for PageFair, an ad tech company that helped publishers measure and counter the impact of ad-blocking technology. That gave him his first look under the hood of real-time bidding markets. He came to understand that billions of times every day, companies like Google are broadcasting granular data about what people are looking at when they're browsing the web, in order to find them just the right ad at just the right time. This information is packaged up into bid requests and disseminated instantaneously to so-called "demand side platforms," which take bids from advertisers. In some cases, Ryan found, those bid requests include sensitive data, like precise GPS coordinates and URLs that might hint at a person's sexual orientation or ethnicity.

In January 2018, Ryan wrote an email to the United Kingdom's Information Commissioner's Office, which oversees violations of data privacy law, saying he wanted to report a data leak.

"I want to very privately whistle blow, and I am unsure of how to do so," Ryan wrote in an email reviewed by Protocol. He says at first they were interested. He spoke on the phone a few times with ICO officials. But after a while, he says he heard nothing back. GDPR went into effect four months later, and the behavioral advertising industry went on largely uninterrupted. That is, except for the widespread proliferation of pop-up notices asking people for consent to do who knows what with their data. That, to Ryan, didn't constitute consent at all.

Under the law, he says, "You cannot even ask for my consent unless you know what's going to happen to the data so you can tell me. If you have no idea and no control, you're not in a position to ask."

Ryan decided the only way to get regulators' attention was through a formal complaint. This wasn't an exclusively altruistic endeavor. By then, Ryan was working for Brave, a company whose main product is a browser that tries to distinguish itself from, say, Google Chrome, by blocking behavioral ads and trackers. Its co-founder and CEO, Brendan Eich, co-founded Mozilla.

"I think it's fair to say it's no different than when Apple or Tim Cook speaks out on privacy," says Jason Kint, CEO of Digital Content Next, a trade association representing digital companies. "The common refrain is, 'That will help Apple's business because they don't have ads.' Yeah, sure, but the fact that Apple is making that human right a priority that aligns with their business interest is great."

Ryan says Eich was immediately on board with the idea. "With the privacy wave rising in Europe and the U.S., it is crucial that regulators are aware of what's happening behind the scenes in tech so that they can best protect users," Eich told Protocol in a statement.

Ryan got to work on what would become known as the Ryan Report, a 32-page document that summarized his concerns about Google's Authorized Buyers and the IAB Europe's OpenRTB framework, the two programs that write the rules around what goes into just about every bid request in the world. His main argument: These organizations have no control over what happens to the data they broadcast through real-time bidding, and thus, are violating a core principle of GDPR that requires that data be "processed in a manner that ensures appropriate security of the personal data."

Ryan's findings soon became the basis of identical complaints across Europe. Regulators took notice. In May 2019, Ireland's Data Protection Commissioner said it would investigate Google's compliance with GDPR based, in part, on Ryan's complaint. The British ICO similarly cited Ryan's work in its own report last June, which gave adtech players six months to change their ways. In a statement to Protocol, Ireland's DPC said only that its Google investigation is "ongoing."

These investigations made Google blink. Last year, the tech giant announced it would expand audits of its Authorized Buyers program and strip out the content categories that describe the type of web page a user is browsing from bid requests. Those categories had included things like "male impotence" and "substance abuse," according to Ryan's research.

This appeared to be enough to satisfy the British Information Commissioner, at least for now. The regulator issued a blog post in January saying it was "encouraged" by Google's actions and would "continue to look at the changes Google has proposed."

In a statement to Protocol, a Google spokesperson said the company doesn't serve personalized ads or send bid requests out without user consent. "We have strict policies in place to protect user privacy, and we take action if we find that our policies have been violated," the spokesperson said.

IAB Europe, meanwhile, directed Protocol to its past statements on Ryan's complaints. One such statement argues that GDPR doesn't require "the absolute technical impossibility for data to be processed unlawfully."

"Automobiles are not required to integrate functionality that absolutely prevents them from exceeding the speed limit," one February 2019 blog post read. "Instead, drivers are educated and trained in traffic rules, and drivers who violate speed limits are sanctioned with fines and/or deprived of their permits."

Ryan believes real-time bidding has created the "biggest data breach of all time."

Naik, however, says the IAB is using the wrong analogy. "This isn't equivalent to broad rules of the road," he says. "This is like building a car with no windshield wipers or seatbelts."

Still, in the nearly two years since GDPR went into effect, no regulator has taken action on Ryan's claims. That explains his plan B.

Ryan believes real-time bidding has created the "biggest data breach of all time." But he says the way companies like Google and Facebook mine data internally across a range of products is just as troubling. Not only does it keep users in the dark about how their data is processed, he argues, but it also entrenches incumbents, who have built a data moat around themselves.

He's not alone in making this case. Last year, France's data protection regulator fined Google $57 million for failing to give users enough information about how their data is being processed before giving their consent. A month later, Germany's antitrust authority ruled that Facebook would have to get consent from users before combining their data with third party sources or using that data across its family of apps. A court later reversed that ruling.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

Google does seek people's consent to personalize their services across products, but Naik says this kind of broad disclosure is exactly what the European Commission hoped to avoid under GDPR. Indeed, in guidelines released in 2017, the EU's Data Protection Working Party specifically listed the phrase "we may use your personal data to offer personalized services" as a "poor practice example."

Ryan views all of this as a clear violation of GDPR's purpose limitation requirements. He believes people should be able to give up their location data to access a map without having that data used in another context later on. If people could pick and choose the data they share, Ryan says, "The next time there's a delete Facebook moment, people won't have to delete Facebook. They'll lobotomize it."

For Ryan — and for Brave — that would be just fine.


Apple's new payments tech won't kill Square

It could be used in place of the Square dongle, but it's far short of a full-fledged payments service.

The Apple system would reportedly only handle contactless payments.

Photo: Nathan Dumlao/Unsplash

Apple is preparing a product to enable merchants to accept contactless payments via iPhones without additional hardware, according to Bloomberg.

While this may seem like a move to compete with Block and its Square merchant unit in point-of-sale payments, that’s unlikely. The Apple service is using technology from its acquisition of Mobeewave in 2020 that enables contactless payments using NFC technology.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at or

Sponsored Content

A CCO’s viewpoint on top enterprise priorities in 2022

The 2022 non-predictions guide to what your enterprise is working on starting this week

As Honeywell’s global chief commercial officer, I am privileged to have the vantage point of seeing the demands, challenges and dynamics that customers across the many sectors we cater to are experiencing and sharing.

This past year has brought upon all businesses and enterprises an unparalleled change and challenge. This was the case at Honeywell, for example, a company with a legacy in innovation and technology for over a century. When I joined the company just months before the pandemic hit we were already in the midst of an intense transformation under the leadership of CEO Darius Adamczyk. This transformation spanned our portfolio and business units. We were already actively working on products and solutions in advanced phases of rollouts that the world has shown a need and demand for pre-pandemic. Those included solutions in edge intelligence, remote operations, quantum computing, warehouse automation, building technologies, safety and health monitoring and of course ESG and climate tech which was based on our exceptional success over the previous decade.

Keep Reading Show less
Jeff Kimbell
Jeff Kimbell is Senior Vice President and Chief Commercial Officer at Honeywell. In this role, he has broad responsibilities to drive organic growth by enhancing global sales and marketing capabilities. Jeff has nearly three decades of leadership experience. Prior to joining Honeywell in 2019, Jeff served as a Partner in the Transformation Practice at McKinsey & Company, where he worked with companies facing operational and financial challenges and undergoing “good to great” transformations. Before that, he was an Operating Partner at Silver Lake Partners, a global leader in technology and held a similar position at Cerberus Capital LP. Jeff started his career as a Manufacturing Team Manager and Engineering Project Manager at Procter & Gamble before becoming a strategy consultant at Bain & Company and holding executive roles at Dell EMC and Transamerica Corporation. Jeff earned a B.S. in electrical engineering at Kansas State University and an M.B.A. at Dartmouth College.

Why does China's '996' overtime culture persist?

A Tencent worker’s open criticism shows why this work schedule is hard to change in Chinese tech.

Excessive overtime is one of the plights Chinese workers are grappling with across sectors.

Photo: VCG/VCG via Getty Images

Workers were skeptical when Chinese Big Tech called off its notorious and prevalent overtime policy: “996,” a 12-hour, six-day work schedule. They were right to be: A recent incident at gaming and social media giant Tencent proves that a deep-rooted overtime culture is hard to change, new policy or not.

Defiant Tencent worker Zhang Yifei, who openly challenged the company’s overtime culture, reignited wide discussion of the touchy topic this week. What triggered Zhang's criticism, according to his own account, was his team’s positive attitude toward overtime. His team, which falls under WeCom — a business communication and office collaboration tool similar to Slack — announced its in-house Breakthrough Awards. The judges’ comments to one winner highly praised them for logging “over 20 hours of intense work nonstop,” to help meet the deadline for launching a marketing page.

Keep Reading Show less
Shen Lu

Shen Lu covers China's tech industry.

Boost 2

Can Matt Mullenweg save the internet?

He's turning Automattic into a different kind of tech giant. But can he take on the trillion-dollar walled gardens and give the internet back to the people?

Matt Mullenweg, CEO of Automattic and founder of WordPress, poses for Protocol at his home in Houston, Texas.
Photo: Arturo Olmos for Protocol

In the early days of the pandemic, Matt Mullenweg didn't move to a compound in Hawaii, bug out to a bunker in New Zealand or head to Miami and start shilling for crypto. No, in the early days of the pandemic, Mullenweg bought an RV. He drove it all over the country, bouncing between Houston and San Francisco and Jackson Hole with plenty of stops in national parks. In between, he started doing some tinkering.

The tinkering is a part-time gig: Most of Mullenweg’s time is spent as CEO of Automattic, one of the web’s largest platforms. It’s best known as the company that runs, the hosted version of the blogging platform that powers about 43% of the websites on the internet. Since WordPress is open-source software, no company technically owns it, but Automattic provides tools and services and oversees most of the WordPress-powered internet. It’s also the owner of the booming ecommerce platform WooCommerce, Day One, the analytics tool and the podcast app Pocket Casts. Oh, and Tumblr. And Simplenote. And many others. That makes Mullenweg one of the most powerful CEOs in tech, and one of the most important voices in the debate over the future of the internet.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editorial director. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.


Spoiler alert: We’re already in the beta-metaverse

300 million people use metaverse-like platforms — Fortnite, Roblox and Minecraft — every month. That equals the total user base of the internet in 1999.

A lot of us are using platforms that can be considered metaverse prototypes.

Illustration: Christopher T. Fong/Protocol

What does it take to build the metaverse? What building blocks do we need, how can companies ensure that the metaverse is going to be inclusive, and how do we know that we have arrived in the 'verse?

This week, we convened a panel of experts for Protocol Entertainment’s first virtual live event, including Epic Games Unreal Engine VP and GM Marc Petit, Oasis Consortium co-founder and President Tiffany Xingyu Wang and Emerge co-founder and CEO Sly Lee.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.


Lyin’ AI: OpenAI launches new language model despite toxic tendencies

Research company OpenAI says this year’s language model is less toxic than GPT-3. But the new default, InstructGPT, still has tendencies to make discriminatory comments and generate false information.

The new default, called InstructGPT, still has tendencies to make discriminatory comments and generate false information.

Illustration: Pixabay; Protocol

OpenAI knows its text generators have had their fair share of problems. Now the research company has shifted to a new deep-learning model it says works better to produce “fewer toxic outputs” than GPT-3, its flawed but widely-used system.

Starting Thursday, a new model called InstructGPT will be the default technology served up through OpenAI’s API, which delivers foundational AI into all sorts of chatbots, automatic writing tools and other text-based applications. Consider the new system, which has been in beta testing for the past year, to be a work in progress toward an automatic text generator that OpenAI hopes is closer to what humans actually want.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories