Jedi Blue: How Google and Facebook circumvent data privacy

27 December 2021

Google’s unofficial motto has long been the simple phrase ‘don’t be evil’. But that’s over, according to the code of conduct that Google distributes to its employees. The phrase was removed sometime in spring 2018 – see in the Wayback Machine.

A lawsuit was filed at the end of 2020, and the proceedings are ongoing. On 22 October, a New York judge unsealed previously redacted documents in the lawsuit against Google led by several US states. One of the main allegations of the antitrust lawsuit is that Google and Facebook colluded to rig ad prices and ‘kill header bidding’. It might take months before the case is fought out in court, but the “Jedi” affair has already damaged Google’s reputation.

Hindrance to competition

In order to understand the meaning of the lawsuit, one must consider how the market for online advertising works: Whenever users call up a website, advertising banners are auctioned automatically within milliseconds to the party who offers the most for the respective advertising space. The auction takes place on a kind of exchange for online advertisements, Ad Exchange.

There are a handful of such exchanges around the world, but Google’s platform is the undisputed market leader with a share of around 70%.

To counter the dominance of Google, smaller companies developed the concept of header bidding in the 2010s. Website operators can offer their advertising space on several exchanges at the same time instead of being tied to a specific ad exchange. Header bidding compiles the offers from individual providers in a comparison portal.

In header bidding, the advertiser that bids the most across all exchanges wins the auction for the individual advertising banner. Website operators, such as media companies, may be able to earn more with this model because they are guaranteed to find the highest-bidding advertising customer.

Header bidding endangers Google’s market position. After all, advertisers in this model do not care whether they book ads via the Google platform or any other ad exchange. According to the complaint, which quotes from internal company documents, Google anticipated a drop in sales of around 20% because of header bidding, which the company internally assessed as an “existential threat”. Google makes over 80% of its sales with advertising; if the company loses market share, this quickly has a negative impact on its balance sheet.

However, Google downplayed the model in public. ‘We do not see header bidding as a threat to our business at all,’ the complaint quotes a statement from the company. Google nevertheless created incentives behind the scenes to keep its advertisers away from independent header bidding projects, the plaintiffs write.

Google employees had spoken of a “jedi mind trick” that was intended to dissuade advertisers from collaborating with others. To this end, the company opened its own header bidding platform and manipulated auctions on it, so that the Google ad exchange in some cases won the bid for advertising banners although other advertising exchanges had made a better offer. Google also charged website operators higher fees if they had cooperated with other, independent ad exchanges.

In the 2010s it was only small providers who wanted to make header bidding big, but in March 2017 the number two in the advertising market, Facebook, began building such a platform. Google feared that Facebook’s support of header bidding would crack its publisher ad server monopoly. The wider industry thought Facebook was prepared to challenge Google’s primacy.

Google started monitoring Facebook’s initiative in header bidding. According to metrics posted in Facebook’s public blog, Facebook was helping publishers and advertisers match two to three times more users in auctions and increase third-party publishers’ revenue by 10-30%. That was not good news to Google.

Conversely, internal Facebook communications indicate that Facebook’s March 2017 announcement was mainly intended to signal Facebook’s willingness to compete with Google. Facebook knew that Google would see its participation in header bidding as a major threat. Evidently, Facebook was merely executing a planned long-term strategy – ‘18-month header bidding strategy to minimize tax’ – by threatening to expose the hidden costs Google charges publishers. In other words, Facebook wanted to draw Google in.

Within months, Google and Facebook began formal negotiations. Facebook was highly interested in a successful outcome. As internal Facebook documents reveal, Facebook ‘believed strongly’ that partnering with Google was ‘relatively cheap compared to build/buy and compete in a zero-sum ad tech game.’ A team outlined that Facebook had three options: to ‘invest hundreds more engineers’ and spend billions of dollars to lock up inventory to compete, exit the business, or do the deal with Google. Facebook chose to cut a deal with Google. ‘Jedi Blue’ was used internally in Google to refer to the Google-Facebook agreement.

Only a year after the announcement, Facebook stopped the project abruptly.

With the Jedi Blue agreement, Google granted Facebook a large-scale concession and let the Facebook Audience Network (FAN) circumvent exchanges and bid directly into Google’s ad server. Instead of the normal exchange fees, Google charged Facebook a lower fee of 5 to 10%. Furthermore, Google allowed Facebook almost twice as much time to place the ads: 300 milliseconds instead of the usual 160. On top of that, Google informs Facebook which impressions are likely to be spam. Facebook does not have to pay for those impressions. Google did not offer any other advertising customer such conditions.

Google and Facebook did not publicly communicate their collaboration in any way. In the agreement, the companies promise each other to coordinate inquiries from regulators and public statements.

Google and Facebook reject the allegations and point out that the court case has not yet been decided. Google told the Financial Times that prices for digital advertisements have fallen in the past ten years, which shows that the online advertising market is a highly competitive industry. Facebook told the Wall Street Journal that such “partnerships” as they exist between Google and Facebook are not unusual in the advertising market and that Facebook has similar agreements with other companies. ‘Any suggestions that these types of agreements harm competition are baseless’, Facebook said in a statement.

Circumvention of data protection

Google states that data privacy is important, but – it seems – only as long as it does not contradict its own business model. Two examples: Google knowingly failed to disclose the lack of privacy of its Google Drive service, and it has met secretly with competitors to ‘slow down’ efforts to enhance user privacy.

#1 Product promotion: Google Drive

Around July of 2015, Google, through its cloud backup service Google Drive, entered into an exclusive agreement with Facebook’s private messaging service WhatsApp. As provided in that agreement, starting around October 2015, WhatsApp users on Google-Android devices were presented with the option to back up their WhatsApp messaging history, photos, video, and audio files to Google Drive.

A 2016 report from Lifehacker stated: ‘WhatsApp can also backup your messages to Google Drive, though they’re encrypted so that shouldn’t be that big of a deal. Even if law enforcement requested it from Google, they wouldn’t be able to read it.’ However, this was not true. Conceding the fact in a June 2016 memo, Google wrote that ‘when WhatsApp media files are shared with 3rd parties such as Drive, the files are no longer encrypted by WhatsApp’. What this meant was that Google, as a third party, could in fact access the content that users thought they had shared privately on WhatsApp.

Google did nothing to correct this misunderstanding. Rather, it failed to disclose the relevant information to its customers, with the intent to sign up more users of Google Drive. The terms of service at the time even permitted Google to use its access to users’ private WhatsApp communications in Google Drive to sell advertising.

This service resulted in increased demand for Google’s backup service. Users rapidly signed up for Google Drive backup of WhatsApp communications. By June of 2016, about 434 million WhatsApp users had backed up approximately 345 billion WhatsApp files to Google Drive, resulting in about a quarter of a billion new Google Drive customers. By May of 2017, Google Drive had gained approximately 750 million new WhatsApp backup accounts. In short, Google had no problem violating the privacy of almost a billion users if it helped the company grow its business.

#2 Promote secret agreements

The way in which Google has actively worked with Big Tech competitors to undermine users’ privacy further illustrates Google’s pretextual privacy concerns. For example, in a closed-door meeting on August 6, 2019, between the five Big Tech companies – including Facebook, Apple, and Microsoft – Google discussed forestalling consumer privacy efforts. In a July 31, 2019 document prepared in advance of the meeting, Google memorialized: ‘we have been successful in slowing down and delaying the [ePrivacy Regulation] process and have been working behind the scenes hand in hand with the other companies.’

Behind the scenes Google coordinates closely with the Big Tech companies to lobby the government to delay or destroy measures that would in fact protect users’ privacy. Of course, effective competition is concerned with both price and quality and the fact that Google coordinates with its competitors on the quality metric of privacy underscores Google’s selective promotion of privacy concerns only when doing so facilitates its efforts to exclude competition.

#3 Closing off competition

Google’s publicly stated reason for its publisher ad server cutting off publishers’ ability to share their ad server user IDs with non-Google exchanges is the purported protection of users’ privacy.

However, Google prevented consumers from having similar privacy benefits when a publisher or advertiser used Google’s network, or Google’s exchange, or when an advertiser used Google’s ad buying tools.

It seems that Google is more interested in preventing other companies from creating deeper and more comprehensive user profiles by combining different sets of user data. This way, only Google can combine the data sets to create wide user profiles and deliver more targeted advertising.

#4 Circumvention of data privacy

In spring 2021, Apple introduced App Tracking Transparency (ATT). This means that iOS users must actively consent to tracking by third parties – which had previously led to a lot of annoyance among advertisers and companies. Above all, Facebook had criticized that this data protection approach would damage the (advertising) business of many companies. The social network even issued warnings to advertisers in its own advertising network.

In fact, current figures and surveys show that ATT has inhibited the business of Facebook and mobile marketing in general. Apple itself, on the other hand, has recently been able to significantly increase its advertising revenue in the mobile sector and is essentially making money from its own data protection policy.

However, Facebook and Google are said to have acted unfairly against these measures. The companies have been working together to improve Facebook’s ability to recognize users using browsers with blocked cookies on Apple devices and on Apple’s Safari browser. For instance, according to an April 2, 2019 discussion between Facebook employees, Facebook was having trouble matching users on Apple’s Safari browser. They noted, however, that Google was ready to ‘initiate a detailed discussion with Product and Legal to allow FB to collect signals on the client (using a javascript) and G passing it to the bid request.’ Google offered to help Facebook to better identify users using JavaScript on publisher properties.

Jedi Blue: Why should we care?

There is high potential that publishers have been earning less for their placements, while advertisers have been paying more due to Google’s alleged collusion with Facebook to essentially rig the ad market. According to the claim in Google’s own words, the Jedi program ‘generates suboptimal yields for publishers and serious risks of negative media coverage if exposed externally’.

Despite Google’s advertising of FLoC, FLEDGE, and other projects for privacy protection on the open web, that commitment can be called into question after the exposure of the business practices in this claim, especially if the company is sharing sensitive data with other companies only if they agree to the terms.

Many advertisers complain about the quality and reach of competitive ad exchanges. These documents show that Google wanted to ‘kill’ the competition.

Sequel follows…

Meanwhile, further investigations into competition issues against Google are ongoing in both the US and Europe. Because of its dominance in the advertising market, the company has already paid billions in fines.

However, the group is no longer just threatened with fines, but also with extensive regulation. In the EU, the Digital Markets Act is intended to create a law that could, under certain circumstances, even split tech companies, throw them out of the EU market or force them to share data with the competition. In the US, the parliament has been discussing options for tech regulation since 2019 as well. Six proposals for a new antitrust law are currently under discussion in Congress.

FLoC: The abbreviation stands for “Federated Learning of Cohorts” and describes a new technology from Google that combines a large number of Internet users in a cohort or group and tries to work out commonalities from the characteristics of the group and from their surfing behavior.

FLEDGE: Understanding user interests can enable more relevant ads than simply choosing ads based on site content (contextual targeting) or by using information that the user provided to the site on which the ad appears (first-party-data targeting).
