Seeing an ad for something you just searched online isn't the Orwellian experience it may have once been; it's now normal to be tracked. But when the ad in question is targeted based on highly sensitive medical or financial information—say, if you were searching for guidance on how to file for bankruptcy—things can get dicey pretty quick.
According to a new report by the Office of the Privacy Commissioner of Canada (OPC), Google is taking peoples' sensitive searches and using that data to serve ads, a practice referred to as Online Behavioural Advertising (OBA), despite being warned by the commissioner's office in the past. Using sensitive information to target ads is also against Google's own policies.
Google was taken to task by the OPC last year for using the browsing history of a man suffering from sleep apnea to target ads for medical devices to him. In response, Google changed its procedures around OBA to make sure that user data was not used to target ads related to these specific medical devices.
"Our policies prohibit advertising to people on the basis of sensitive personal information"
According to the OPC report, these changes appear to have worked, but after analyzing 9,000 ads on 46 popular Canadian sites, Google was found to still serve ads relating to embarrassing topics like bankruptcy based on recent browsing history. Moreover, the ads were not always accompanied by a blue AdChoices logo, an industry standard that lets users opt out of being tracked.
"Most of the ads on sensitive topics did appear with the AdChoices icon," the report states, "but it is interesting to note that one organization (Google) placed the same ads for bankruptcy services with the icon on some sites and without it on others."
Watch more from Motherboard: All the Ways to Hack Your Phone
According to Leslie Church, a Google spokesperson, the company isn't exactly bristling at the report, but it is taking it seriously.
"We welcome this report and note that our policies prohibit advertising to people on the basis of sensitive personal information," Church wrote me in an email. "We will continue to work within the industry to ensure that people have simple, useful tools to control their online advertising experience."
Google recently added a feature called My Account that lets users opt out of interest-based ad tracking, although the OPC report notes that most of the targeted ads they came across appeared to be based on recent searches, not interest categories. According to the report, "we never observed an interest category being created when conducting any of the tests on sensitive topics."
The use of sensitive personal information to target ads is concerning
While the use of sensitive personal information to target ads is concerning, it's worth noting that the sample size in the OPC report is very small. Just 46 Canadian websites governed by the country's PIPEDA privacy legislation were tested. And, encouragingly, of the 9,000 ads that were analyzed, 96.3 percent were served with an AdChoices logo when tracking techniques were used. There were just 11 cases where an ad that appeared to use sensitive data didn't have the logo.
Also, causation between recent searches and ads served may be difficult to establish because of the black box that envelopes the process of how user data gets from point A, as a keyword, to point B, as an ad.
Because of these limitations, Google may have some difficult work ahead of it to figure out how its targeted ads managed to slip through the cracks. But, since using sensitive information to advertise products is against the company's own policies and the guidelines set out by Canada's privacy watchdog, it might want to at least try.