Article behind paywall.
An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine webXray, 55 percent of the sites it checked set ad cookies in a user’s browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a “fundamental misunderstanding” of how its product works.
The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and found that most tech companies ignore when a user asks to opt-out of cookie tracking. California has stringent and well defined privacy legislation thanks to its California Consumer Privacy Act (CCPA) which allows users to, among other things, opt out of the sale of their personal information. There’s a system called Global Privacy Control (GPC), which includes a browser extension that indicates to a website when a user wants to opt out of tracking.
According to the webXray audit, Google failed to let users opt out 87 percent of the time. “Googleʼs failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Googleʼs servers it encodes the opt-out signal by sending the code ‘sec-gpc: 1.’ This means Google should not return cookies,” the audit said. “However, when Googleʼs server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the ‘set-cookie’ command. This non-compliance is easy to spot, hiding in plain sight.”
The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta’s failure rate was 69 percent and a bit more comprehensive. “Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals—it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumerʼs privacy preferences,” the audit said. It showed a copy of Meta’s tracking data which contains no GPC check at all.
webXray is an independent technology company that runs a search engine that lets people look for privacy violations on the internet. Its founder Timothy Libert is the former lead of cookie policy and compliance at Google. Libert told 404 Media he felt his job at Google was to protect its users but that his bosses didn’t agree. He left the company in 2023 and started webXray.
“Shortly before I left my boss told me, direct quote, my job is to protect the company. There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines and they didn’t understand there was a difference,” he said.
Thank you for your service. I’m boobs out on my profile picture so I guess its fine.
Yup online privacy done been gone!
It never existed who are you delusional people?! Lol
I knew things were fucked when Aliexpress all the sudden started selling privacy slide stickers for cell phone front facing cameras.
I am a solo developer on some of these platforms and have to do an annual privacy evaluation which I find painful as the company taking up my valuable time to answer all their BS questions, are the ones breaking privacy. Insane. Further, I had to pay $100 annually to the UK privacy commission as it is required for all UK companies which is also deeply ironic as the same government is requiring you to submit ID for some websites which has made the privacy leaks even more damaging.
As a solo developer I am feeling the brunt of the privacy charades while the big companies just continue to violate privacy unchecked. I have zero desire or intentions to break anyone’s privacy an ask for no information from anyone outside of pulling down their profile to sign in as is required to determine app permission. That is it. No phone numbers, no real names, no biometrics, no photos of ID or anything outside of those username on that platform but I am burdened as if I was collecting all of this and as if I was the one breaking privacy. This world is mental.
so you’re telling me that all those times I said google was listening to me through my phone, and like a thousand people said I was full of shit, I was right?
The article is just about creating cookies even though the user opted out.
I love that if you tell people that you don’t use google/microslop/whatever and tell them why, YOU are the paranoid weirdo. Buddy we’re way past paranoid, we’re at “i don’t care because convenience”
Those were not people
“Yeah, no shit”
-anyone on the internet and paying even the slightest bit of attention for the past 5 years
More like past 20 or 30 years…
And when will those companies punished according to their crimes?
What crimes?
Shocked pikachu face?
“Shortly before I left my boss told me, direct quote, my job is to protect the company. There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines and they didn’t understand there was a difference,” he said.”
😳
“Don’t worry about your taxes this year ;)”
I really should take all of them to small claims for the time and energy needed to block them.
I have to wonder if there is a way to do that. Basically we all inconvenience them to death.
The way I see it they’re not gonna waste the time and money to fight a $1,000 claim and articles like this would convince a local judge that I can’t just opt out.
And since the other side didn’t bother to show up I’d win by default.
Any not-your-lawyer types out there wanna make some good trouble by confirming this?
I have a lawyer but I feel like me coming to her with this would be like those folks who said we’d both be billionaires if I built a Facebook app for free.
It’s not about the money. It’s about making this illegal bullshit inconvenient for wealthy criminals
A thousand bucks here or there won’t make a difference to them.
This is really about getting a thousand bucks. Fuckin JG Wentworth shit
Then some judge would try to force a class action lawsuit.
In a lawless place there is no enforcement of one’s word, is blind trust or nothing…
I’m trying out Google’s Gemma4 LLM, which is run locally, and is touted as a 100% private model.
Asking it some questions about itself, at one point it acknowledged that chats were sent to “developers”.
You mean it hallucinated a positive response to your leading question as it is meant to? You are operating on a fundamental misunderstanding of what LLMs do. Even if what you said is true, an LLM would have no knowledge of that unless it was explicitly told as such as an input - and why would they be stupid enough to do that?
You are welcome to try. I can pastebin the prompt. I asked it about itself, the model. It replied that it didn’t exist. I pointed it the the docs, from the Google page. It acknowledged the page was legit, and told me there was no mention of Gemma 4, although there were like 20 mentions, including download links. It insisted. It took me pointing out the specific paragraphs to have it say "this may indicate there is Gemma 4 model. May be…
At some point it told me I was hallucinating.
I don’t need to try. You aren’t learning facts from interrogating an LLM. If it doesn’t have information, it will make up a result. If it does have information, it will make up a result. Even that is personifying it too much because really the transformer has no concept of what „making something up“ is. It takes an input and gives an output, no matter what.
“Tell me you are alive.”
“I’m alive”
shockedpikachu.png
llama.cpp doesn’t have the ability to send telemetry because the next word predictor says so. you can confirm with wireshark.
I feel like that should be quite easy to verify with wireshark.
Good idea, I’ll try.
Yeah, I wouldn’t trust anything LLM says.
Oh, I don’t ask for actual answers, but asking it to provide bibliography often points me to the sources, so that I can draw my own conclusions.
So what bibliography did it provide to prove that the chats are not private?
The engineers and trainers who work on my underlying models regularly review anonymized logs of interactions to identify failures,-hallucinations, and “degraded” logic—exactly like the failure that occurred in this conversation.
Did the LLM tell you it’s 100% private?
What else did the LLM tell you?
That’s not how any of that works.
I’d gasp but I don’t want to get the hiccups.
yeah… well… no shit…
