Read Receipt

Part of the ongoing Big Tech's War on Users series.

There's a thing called the Global Privacy Control. GPC. It's a signal your browser can send that tells websites, in plain technical terms: do not sell or share my data. The California Attorney General endorses it. Under the CCPA regulations, businesses are required to honor it. It's not a polite request. It's law.

When your browser sends GPC it adds one request header, Sec-GPC: 1, and exposes the same value to page scripts as navigator.globalPrivacyControl. Simple. Unambiguous.

webXray just audited 7,634 popular websites from a California residential IP to see what happens when that signal gets sent.

You already know the answer.

194 advertising services ignore it outright. 55% of sites set advertising cookies anyway. 125,106 cookies placed on devices that explicitly said no. Potential aggregate liability: $5.8 billion. Actual consequences to date: a rounding error.

This is Do Not Track. Different acronym. Same outcome.

DNT was proposed around 2009. The ad industry spent years lobbying it into irrelevance, slow-walked the standards process, and simply never implemented it. By the time it died nobody was even pretending to care. GPC is the legally-mandated successor with actual enforcement teeth — Sephora paid $1.2 million in 2022, Disney paid $2.75 million earlier this year — and they're doing the same thing. Ignoring it and paying the occasional fine as tuition.

The math works in their favor and they know it.

Google receives the signal. Google sets the cookie anyway.

Not a bug. A server response. When your browser sends Sec-GPC: 1 to Google's ad servers, the response comes back with a Set-Cookie header for an advertising cookie named IDE. Two year expiry. Domain: .doubleclick.net. The opt-out signal is right there in the request headers. The cookie is right there in the response headers.
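What the audit described above boils down to, as an added example that is not code from the original post or from webXray: take captured request and response header pairs, and flag every exchange where the browser sent Sec-GPC: 1 and a known advertising host answered with Set-Cookie anyway, along with each cookie's lifetime. The captures, cookie values and the short ad-host list below are constructed for illustration; a real audit would run this over a browser's network log against a curated tracker list.

```javascript
// Added example: core of a GPC-compliance audit over captured HTTP exchanges.
// Not code from the original post or from webXray. Captures are constructed.

// Constructed list of advertising hosts; a real audit would use a curated tracker list.
const AD_HOSTS = ['doubleclick.net', 'bing.com', 'facebook.com'];

// Does `host` equal, or fall under, one of the advertising hosts?
function isAdHost(host) {
  const h = host.replace(/^\./, '').toLowerCase();
  return AD_HOSTS.some((ad) => h === ad || h.endsWith('.' + ad));
}

// Case-insensitive lookup over [name, value] header pairs (Set-Cookie can repeat).
function headerValues(headers, name) {
  const want = name.toLowerCase();
  return headers.filter(([k]) => k.toLowerCase() === want).map(([, v]) => v);
}

// Parse one Set-Cookie header (RFC 6265) into name, lowercase-keyed attributes
// and lifetime in days measured from `now`. Max-Age takes precedence over
// Expires; neither attribute means a session cookie, reported as 0 days.
function parseSetCookie(header, now) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  let lifetimeDays = 0;
  if (attrs['max-age'] !== undefined) {
    lifetimeDays = Number(attrs['max-age']) / 86400;
  } else if (attrs.expires) {
    lifetimeDays = (Date.parse(attrs.expires) - now) / 86400000;
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs, lifetimeDays };
}

// One exchange is { url, requestHeaders: [[k, v]], responseHeaders: [[k, v]] }.
// Returns the advertising cookies set despite an opt-out signal on that request.
function auditExchange(exchange, now) {
  const optedOut = headerValues(exchange.requestHeaders, 'Sec-GPC').some((v) => v.trim() === '1');
  if (!optedOut) return []; // no signal was sent, so there is nothing to judge
  const host = new URL(exchange.url).hostname;
  const findings = [];
  for (const sc of headerValues(exchange.responseHeaders, 'Set-Cookie')) {
    const c = parseSetCookie(sc, now);
    const domain = (typeof c.attrs.domain === 'string' ? c.attrs.domain : host).replace(/^\./, '');
    if (isAdHost(domain)) {
      findings.push({ url: exchange.url, cookie: c.name, domain, lifetimeDays: Math.round(c.lifetimeDays) });
    }
  }
  return findings;
}

function audit(exchanges, now = Date.now()) {
  return exchanges.flatMap((e) => auditExchange(e, now));
}

// Constructed captures, not real traffic. Cookie values and paths are made up.
const SAMPLE_NOW = Date.parse('2025-10-01T00:00:00Z');
const SAMPLE_EXCHANGES = [
  { // ad host answers an opted-out request with a two-year cookie
    url: 'https://ad.doubleclick.net/pixel',
    requestHeaders: [['Sec-GPC', '1'], ['User-Agent', 'Mozilla/5.0']],
    responseHeaders: [['Set-Cookie', 'IDE=constructed-value; Domain=.doubleclick.net; Expires=Fri, 01 Oct 2027 00:00:00 GMT; Path=/; Secure; HttpOnly; SameSite=None']],
  },
  { // first-party session cookie on the publisher: not an advertising cookie
    url: 'https://news.example/',
    requestHeaders: [['Sec-GPC', '1']],
    responseHeaders: [['Set-Cookie', 'sid=constructed; Path=/; HttpOnly']],
  },
  { // ad host sets a cookie but the browser sent no signal: not a violation
    url: 'https://www.bing.com/',
    requestHeaders: [['User-Agent', 'Mozilla/5.0']],
    responseHeaders: [['Set-Cookie', 'MUID=constructed; Domain=.bing.com; Max-Age=31536000; Path=/']],
  },
  { // same cookie on an opted-out request: flagged, one-year lifetime
    url: 'https://www.bing.com/',
    requestHeaders: [['Sec-GPC', '1']],
    responseHeaders: [['Set-Cookie', 'MUID=constructed; Domain=.bing.com; Max-Age=31536000; Path=/']],
  },
];

function runSampleAudit() {
  return audit(SAMPLE_EXCHANGES, SAMPLE_NOW);
}

for (const f of runSampleAudit()) {
  console.log(`${f.url} set ${f.cookie} on ${f.domain} for ~${f.lifetimeDays} days despite Sec-GPC: 1`);
}
```

Two design points matter in practice. Exchanges where the browser did not send the signal are skipped rather than counted, because the audit is about ignored opt-outs, not about cookies in general. And the lifetime comes from the response itself, so a two-year IDE cookie and a session cookie are distinguishable in the findings instead of being lumped together as "a cookie was set".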

Hiding in plain sight.

The fix is a one-line conditional on the request header. Read Sec-GPC. If it's 1, don't emit the Set-Cookie. Or refuse outright with a 451 status, Unavailable For Legal Reasons, and set nothing. Google knows this. Google employs people whose entire job is knowing this. $2.3 billion in privacy fines across fourteen years and they have not made that change.

Microsoft does the same thing with their MUID cookie on Bing. LinkedIn cookies fire regardless. Meta's pixel — the one they publish publicly and tell every publisher to copy-paste into their site — contains no GPC check at all. Not a broken check. Not a check that fails sometimes. No check. The code to look for navigator.globalPrivacyControl does not exist in what Meta ships. It was never written. It loads unconditionally and fires regardless.
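What honoring the signal looks like at both ends, covering the server-side fix from the Google paragraph and the missing client-side check from the Meta pixel paragraph. This is an added example, not code from Google, Meta or the original post; the header object shape, the cookie value and the pixel URL are constructed.

```javascript
// Added example, not code from Google, Meta or the original post.
// Server side: read Sec-GPC and do not set an advertising cookie.
// Client side: gate a tracking pixel on navigator.globalPrivacyControl.

const TWO_YEARS = 2 * 365 * 24 * 3600; // seconds, the lifetime the audit observed

// The signal is exactly "Sec-GPC: 1"; absent, "0" or anything else is not an opt-out.
function gpcOptedOut(reqHeaders) {
  const v = reqHeaders['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Ad-server handler. `reqHeaders` is a lowercase-keyed object like Node's
// req.headers; it returns { status, headers } instead of writing to a socket so
// the decision can be exercised without a server.
function adServerResponse(reqHeaders, { refuse = false } = {}) {
  if (gpcOptedOut(reqHeaders)) {
    // The post's proposal: 451 Unavailable For Legal Reasons (RFC 7725) and set
    // nothing. The part that matters is the absent Set-Cookie; serving the
    // creative with a 200 and no cookie honors the signal just as well.
    return refuse
      ? { status: 451, headers: {} }
      : { status: 200, headers: { 'content-type': 'image/gif' } };
  }
  // No opt-out: the behaviour the audit observed, a two-year cookie on the ad domain.
  return {
    status: 200,
    headers: {
      'content-type': 'image/gif',
      'set-cookie': `IDE=constructed-value; Domain=.doubleclick.net; Max-Age=${TWO_YEARS}; Path=/; Secure; HttpOnly; SameSite=None`,
    },
  };
}

// Pixel loader with the check the post says Meta's pixel lacks. `nav` is the
// navigator object (passed in so it can be tested outside a browser), `inject`
// appends the pixel to the page. Returns true only when the pixel was fired.
function loadTrackingPixel(nav, inject, pixelUrl = 'https://tracker.example/tr?id=constructed') {
  // navigator.globalPrivacyControl is true when the browser sends Sec-GPC: 1
  // and undefined in browsers that do not implement GPC at all.
  if (nav && nav.globalPrivacyControl === true) return false;
  inject(pixelUrl);
  return true;
}

// In a page: loadTrackingPixel(navigator, (u) => { const i = new Image(); i.src = u; });
// Offline demonstration with constructed request headers and a stub injector.
const fired = [];
const stubInject = (u) => fired.push(u);
console.log(adServerResponse({ 'sec-gpc': '1' }));                           // no set-cookie
console.log(adServerResponse({ 'sec-gpc': '1' }, { refuse: true }).status);  // 451
console.log(adServerResponse({}).headers['set-cookie']);                     // two-year IDE cookie
console.log(loadTrackingPixel({ globalPrivacyControl: true }, stubInject), fired.length); // false 0
console.log(loadTrackingPixel({}, stubInject), fired.length);                // true 1
```

Both halves are deliberately boring. The server check compares one header to the string "1"; the client check reads one boolean before touching the page. That is the size of the change the audit found missing.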

$9.3 billion in privacy fines. Zero lines of opt-out code.

And Google — the biggest offender in the audit — certifies the Consent Management Platforms that are supposed to solve this. Every single one of the eleven CMPs evaluated failed. 100%. The company most responsible for the problem is certifying the tools meant to fix it. That's not irony. That's a business model.

But here's the thing about all of this.

If you were logged in, none of it mattered anyway.

Apple's privacy brand has an asterisk. GitHub's default-on Copilot training has an asterisk. YouTube's avatar data grab has an asterisk. Microsoft's Copilot terms have an asterisk. The cookie banner has an asterisk so large it swallows the original statement.

The asterisk is always the same. Terms and conditions apply. You agreed to them when you made the account.

Logged into Google? The cookie is redundant. And it doesn't require an Android device, though Android leans on you to add an account at activation, which is its own conversation. Signed into Chrome on your Windows machine. Signed into Gmail in any browser. Signed into YouTube. Any of those. The account is the tracker. The device is almost incidental. They have your search history, your Gmail, your location data, your YouTube watch history, your Chrome sync data. The advertising cookie being set in defiance of California law is basically bookkeeping at that point. They're not learning anything new. They're extending the profile to the three sites where you happened not to be logged in.

Logged into Microsoft? Xbox, Windows, Teams, Outlook, OneDrive — LinkedIn already knows who you are the moment you show up. The MUID cookie is a formality.

Same with Amazon, Walmart, any platform you've ever created an account with. The "recently viewed" machine, the recommendation engine, the behavioral profile — that consent wasn't collected at the banner. It was collected on page 6 of the terms you agreed to when you made the account. Clause 14-something. "To enhance your shopping experience we may use your browsing and purchase history." You clicked agree to make the account work. Done. Banked. The banner they show you now is legal theater performed for an audience of regulators.

And if you weren't logged in, they had a different strategy.

Annoy you into compliance.

The cookie banner was never a consent tool. It was a conversion funnel pointed at your data.

"Accept All" — big button, friendly color, primary position.

"Manage Preferences" — grey, smaller, buried.

Manage Preferences opens a second screen. Forty-seven toggles. All pre-checked. Some of them don't actually toggle because "legitimate interest" is a separate legal basis that conveniently doesn't require consent at all.

And here's the catch-22 nobody talked about enough: rejecting cookies, as implemented, meant your preference didn't get stored. The excuse was that storing your preference requires a cookie, the one you just rejected. That excuse never held. A cookie that only records your refusal is strictly necessary storage, exempt from consent under the ePrivacy rules, and regulators have said as much. Nothing stopped them persisting a no the way they persisted a yes. So you came back the next day and the banner was back. You cleared your cache and the banner was back. You opened incognito and the banner was back. Every. Single. Time.

Meanwhile the accept cookie lasted two years. The reject preference lasted until you closed the tab — if they bothered storing it at all. A lot of implementations appear to have used nothing more than a session variable checked on load. Close the browser, come back an hour later, open a new tab. Banner's back. Every. Single. Time.

That's not an oversight. That's a priority queue. One outcome got real engineering attention. The other got the minimum viable compliance fig leaf.

The asymmetry was not accidental.

The path of least resistance was always consent. Wear you down until you click Accept just to make it stop. That was the design. The annoyance was the feature.

Meta deserves its own section because Meta is doing something categorically different.

Google and Amazon need some kind of relationship with you to bootstrap your profile. An account. A device. A login. Meta decided that was an unnecessary constraint.

The shadow profile. If you have never had a Facebook account: your friends who do have uploaded their contacts. Your email is in there. Your phone number possibly too. Every site you visited that had the pixel — which per this audit fires unconditionally with zero opt-out logic in the code — has been reporting your behavior back to Meta. Including, in documented cases, healthcare providers. Which means Meta potentially has behavioral data from medical contexts on people who never signed up for anything. Never made an account. Never saw a banner. Never had a choice presented to them.

By the time you actually create an account Meta already has a partial profile waiting. The onboarding experience that feels immediately well-targeted isn't clever. It's because you were never actually new to them.

The onboarding doesn't collect information. It confirms it.

"Do you know these people?" — yes, we know you know them. We've had their contact lists for years.

"Add your phone number for security" — thanks. That's the missing key that ties your shadow profile to three other data sources we had but couldn't confidently merge until now.

"Here are some pages you might like" — based on the pixel data we accumulated before you had an account.

Every step that looks like collection is actually verification. The graph was already drawn in pencil. You just handed them the pen.

And on mobile they didn't even wait for you to visit a site in a real browser. The Facebook and Instagram apps have a long documented history of opening links in their own in-app browser rather than handing off to Safari or Chrome. Which conveniently meant their own JavaScript could run on pages you visited from within their apps, outside the system browser's tracking protections entirely. Apple's App Tracking Transparency in 2021 was partly aimed at closing this, and Meta publicly complained about the revenue impact. Which told you everything you needed to know about how load-bearing that mechanism was for their mobile data collection. They weren't using an in-app browser for your convenience.

And then there's the thing Meta scoffs at but nobody who's paid attention can quite dismiss. Talk about something you've never searched. Never typed. Never looked up. Something arbitrary. Watch the algorithm surface it — sometimes in under five minutes. My wife and I ran this as a deliberate informal experiment. Repeatedly. It held up. Microphone permission disabled. App open. Phone idle, face up on the table. We'd ruled out accidentally triggering anything. What we couldn't rule out — and this is the part Meta would like you to skip past — is whether the permission was actually honored. There are Meta employees who say it isn't. That's not citable. It's also not nothing.

And as the Apple post in this series documents, Meta has enough documented mechanisms — deterministic matching, push notification fingerprinting, camera roll access, in-app browser tracking, sensor data — to reconstruct a remarkably complete picture without confirmed audio access. Maybe it's the mic ignoring the permission. Maybe it's everything else assembled so completely that the mic is redundant. Meta would like you to debate which one. The more honest question is why you'd give them the benefit of the doubt either way. Confirmation bias starts requiring more faith than the alternative at some point. Meanwhile somewhere in a congressional hearing room, Mark Zuckerberg is doing his best impression of a man who finds all of this just as troubling as you do. A man who is richer than most countries. Who goes home to a bunker compound in Hawaii. Very concerned. Very humble. Very sorry you feel that way.

Now think about what it physically takes to store all of this. (Stay with me — it circles back.)

Three billion active Meta users. Shadow profiles on top of that. Every post, every photo — including ones you deleted, because deletion has historically meant "no longer visible to you" — every reaction, every message's metadata, every device fingerprint, every behavioral telemetry point. Location data. Inferred political leaning. Inferred income bracket. Inferred health conditions. Advertising interaction history. Pixel data from third party sites. All of it versioned over time because who you were in 2012 is a different ad target than who you are now.

Google's footprint is arguably larger because the surface area of collection is broader. Search. Gmail. Maps. YouTube. Android. Chrome. Your daily life, not just your social graph.

The drives holding all of this aren't permanent. Flash storage has finite write cycles. High write workloads, and behavioral telemetry being written constantly at this scale is about as high-write as it gets, burn through those cycles fast. Drive lifecycle at this scale isn't reactive maintenance. It's actuarial. You know statistically what percentage of a drive cohort fails within a given timeframe. You schedule around predicted failure before it happens. Google published some of their drive failure research years ago, first on spinning disks and later on flash, effectively running the largest longitudinal drive reliability study in history as a byproduct of just operating.

The drives that get retired don't go in a dumpster. They get cryptographically erased, the encryption key destroyed so whatever bits remain on the media are unreadable, or physically shredded. Because the alternative is unthinkable given what they contain.

Your data outlives the hardware it was stored on. Multiple times over.

They preached privacy. Loudly. Repeatedly.

Google builds privacy into everything we do. Meta heard you and is making changes. Microsoft: privacy is a human right.

Meanwhile the signal that says do not track arrives at their servers and they issue a two-year cookie in response. The pixel has no opt-out check in the code they publish. The cookie banner was engineered to wear you down. The account agreement did the real work years ago on a page you didn't read. The profile exists whether you have an account or not. And somewhere in a data center drawing enough power to run a small city — because that's not an AI exclusive, these things have been running hot for years (and yes, most of these same companies are also running AI data centers on top of all of this) — drives are being rotated out on a maintenance schedule, physically destroyed on retirement, because what's on them is too sensitive to risk any other outcome.

That's what free costs.

And if you think this is just a cookie story — what gets built from that data, who accesses it, and what it's been used for before is a thread worth pulling. That one's coming.

The signal was received. Sec-GPC: 1. Read. Ignored.


Find me on Mastodon at @ppb1701@ppb.social. The thread is still going.
