Google toys with the EU

Android Choice Screen: Google is Toying With the EU

Android Choice Screen: Google is Toying With the EU

Google wants to charge alternative search providers to be the Android default in Europe. Thus, the Internet giant disregards the EU’s clear political will.

Google toys with the EU

Björn Greif

It’s the height of audacity. Instead of showing remorse after the EU’s €4.34 bn ($5 bn) antitrust fine and fulfilling the requirements of the regulators in the best possible way, Google prefers to play power games.

In July 2018, the European Commission ordered the Internet giant to stop making its search engine the default on Android devices and forced it to display a choice screen with alternative search engines (and browsers) in Europe. Google now implements this requirement in its very own way: It will ask other search providers to pay for the privilege to be listed as one of three alternative suggestions on the planned Android choice screen.

Brash, Brazen, Google

This “solution” is a slap in the face for regulators, competitors and users. Google’s unofficial message is: “Europe, you’re a digital colony. We do what we please! And we found a way to extract even more money out of our colony.”

Marc Al-Hames, Managing Director of Cliqz, comments:

The audacity with which Google disregards the EU’s clear political will astonishes me again and again. Google wants to show who’s in charge. And this is only possible because there are still no competitive European providers in the field of digital infrastructure. It just shows that how much we depend on the big tech groups from the U.S. and that we allowed them to make Europe their playground.

According to Google, other search providers must state the price by September 13, 2019 that they are willing to pay each time a user makes their search engine the default in the initial setup process of an Android device. Such an auction is planned once per year in each EU country. Google also mentions a minimum bid threshold, without defining it further. What other providers are bidding won’t be made public.

The three highest bidders that meet or exceed the bid threshold for a given country will appear in the Android choice screen for that country. In the event that fewer than three eligible search providers meet or exceed the bid threshold, Google will fill any remaining slots randomly from the pool of eligible search providers. The choice screen will be introduced to new Android phones in Europe in early 2020.

This is how the Android choice screen planned by Google will look like (Source: Google).
This is how the Android choice screen planned by Google will look like (Source: Google).

Google Perverts the Intention of Regulators

Google calls the auction format “a fair and objective method to determine which search providers are included in the choice screen.” But in fact, the allocation of slots becomes a financial power play that only Google, Bing and their resellers can play. The latter include all search engines that use Google’s or Bing’s index and ads. Truly independent search engines such as Cliqz, which use their own index and are not financed by Google or Bing ads, cannot compete.

“To speak of fairness in this context is absurd,” says Al-Hames.

If the highest bidder wins the contract and not the best search engine, then the user is the biggest loser. The choice should be about selecting the most private or innovative provider. Google can drive up the price arbitrarily so that the bidding search engines have to recoup their investments by aggressive advertising or the sale of data. In the end, the consumer pays. This move obstructs the market entry for competitors and reverses the EU’s intention to regulate Google’s market domination to the opposite.

If Europe wants to be more than just a digital colony of US companies like Google, Facebook or Amazon, it needs to invest in its own digital infrastructure. And search is a core part of the digital infrastructure. As such, it must either be more strictly regulated or more invested in it to foster competition. That’s the only way Europe can free itself in the long run from the hold of US big tech.

Browser choice screen for Android must offer real alternatives

Browser choice screen for Android must offer real alternatives

Without truly independent vendors, there is no real choice. If there are only sham alternatives to choose from, that use Google technology and are financed by Google advertising, Google will benefit again in the end.

Björn Greif

Google will show Android users in Europe a selection of browsers and search engines that they can use on their mobile device, as the company announced in a blog post last week. Google is thus reacting to an antitrust decision taken by the European Union in July 2018, which obliged them to pay a record fine of €4.34 billion ($5 bn).

Google abused its dominant position, among other things, by requiring Android device manufacturers to pre-install the Chrome browser and the Google search app. The Internet giant must abandon this practice of hindering competition in the mobile sector, which was condemned by the EU Commission. In order to comply with EU requirements, Google will probably take a similar approach as Microsoft with their browser choice box for Windows users.

Free browser choice for Android users

“We’ve seen in the past that a choice screen can be an effective way to promote user choice,” says Margrethe Vestager, European Commissioner for Competition. “In the Google Android case, it has the potential to give users a real choice about what search provider and browser they want on Android devices. We will be watching closely to see how the choice screen mechanism evolves.”

There are dozens of browsers and search apps for Android. Therefore, Google will have to pre-select which alternatives it wants to show users. However, the criteria according to which this preselection will take place are still open.

“In order to guarantee truly fair competition, smaller European providers with innovative, data protection-friendly and Google-independent business models must also be featured prominently on the browser choice screen,” says Marc Al-Hames, Managing Director of Cliqz. “This is the only way for truly independent players to have a real chance in the market. Otherwise, the Google monopoly will merely become a US duopoly with a lot of Google and a little Microsoft.”

Nearly all are dependent on Google or Microsoft

In order to create fair competition, the antitrust authorities must above all examine the business models of “alternative” vendors. Most Android browsers use Google as their default search engine because they are paid for this. The money comes from Google’s billion-dollar war chest, which is always bulging thanks to their highly lucrative search engine advertising business.

Google has virtually monopolized access to customers through unfair practices, dictating prices to advertisers and not even paying taxes on its billions in profits. Google is always in a position to outbid competitors – if necessary – in order to drive them out of the market. And this is exactly what Google has done systematically for years. No one can compete with that – not even Microsoft, although it is pursuing a similar strategy with Bing.

Like most browsers, “alternative” search engines are often either dependent on Google or Microsoft because they use their search index or finance themselves through Google or Bing advertising. Therefore, they are often mere sham alternatives because the data and thus the money end up again with Google or Microsoft.

In addition, most Android browsers use Google’s Chromium as code base (this even applies to Microsoft Edge in the future). This is problematic because Google can determine the direction in which Chromium browsers will evolve, among other things, by setting rules for API usage. By modifying APIs, Google would always be able, for example, to kill off unwanted content-blocking browser extensions such as ad blockers or privacy protection tools in order to protect its advertising and data collection business. This became apparent with the latest draft specification for Chrome extensions (Manifest V3), which was heavily criticized by the developer community.

Real alternatives instead of mere sham alternatives

There are only very few truly independent vendors who do not have any business relationship with Google or Microsoft. The following overview illustrates this:

Most Android browsers are in some ways depending on Google or Microsoft: many use Google’s Chromium code base, Google search as default, Google’s or Microsoft’s search index and are financed by Google or Microsoft Bing ads. The only provider that is truly independent of Google and Microsoft is Cliqz.

If the EU really wants to guarantee Android users a free choice of browsers and search engines, it must ensure that Google not only features sham alternatives on their selection screen, but also truly independent European and privacy-friendly alternatives such as Cliqz or Qwant. The fact that such real alternatives undermine Google’s data collection and business model must not play a role in the pre-selection process.


Google partly backtracks on ad blocker modifications for Chrome

Google partly backtracks on ad blocker modifications for Chrome

After harsh criticism, the planned API changes to Chrome and Chromium-based browsers, which would have virtually killed off external ad and tracking blockers, will not come – for the time being.


Björn Greif

After massive criticism from extension developers, Google has for now moved away from its original plans to make fundamental technical changes to Chrome and all Chromium-based browsers that would have rendered ad blocker and privacy extensions largely useless.

One of the arguments the company used to justify the API modifications was that existing content blocking extensions had a negative impact on browser performance. However, this argument was invalidated by a study by Cliqz, the owner of Ghostery and Only a few hours after its publication, Google developer Devlin Cronin of the Chrome team announced they would backtrack on some planned modifications and make further changes to Manifest V3.

Google’s performance argument does not hold

The Cliqz study found that common ad blocker extensions only have a minimal impact on browser performance. The time they need to decide whether or not to block a network request is usually less than a millisecond. This sub-millisecond impact can hardly be called a performance hit.

“From the measurements, we do not think this claim holds, as all popular content blockers are already very efficient and should not incur any noticeable slow-down for users,” write the study authors. “Moreover, the efficiency of content-blockers is continuously improving, either thanks to more innovative approaches or using technologies like WebAssembly to reach native performance.” According to the benchmark results, Ghostery is the fastest ad blocker in comparison with uBlock Origin, Adblock Plus, Brave and DuckDuckGo.

Old webRequest API to be retained for now

Google developer Cronin emphasizes that the exact API changes to Chrome/Chromium that will be implemented as part of Manifest V3 are far from being finalized. He asked the developer community to continue giving feedback on the proposed changes. Cronin also clarified that the old webRequest API is not going to be fully removed as part of Manifest V3. It should – at least for the time being – be kept parallel to the new declarativeNetRequest API.

While Google relaxed some constraints on the declarativeNetRequest API, it seems they still plan to proceed and cripple the old webRequest API. Current browser extensions can use the webRequest API to block requests, which is the prerequisite to block ads and more importantly tracking scripts used to monitor users’ behavior and build personal profiles.

The outcome is still open

Initially, Google had planned to replace the old webRequest API with the new declarativeNetRequest API. This would have brought exactly the application programming interface under Google’s control that ad and tracking blockers need to run efficiently. This would virtually kill off external ad blockers and privacy tools because they would not be able to offer any substantial added value over Google’s built-in technology, which of course does not block Google’s own ads and trackers. In the end, the Internet giant would again have abused its dominant market position.

Although Google has now accommodated the developers of ad and tracking blockers, the final changes to Manifest V3 are still unclear. For example, Google still wants to limit the number of blocking rules that extensions can register for performance reasons. Depending on the level of this upper limit, users might be left with only very limited ways to prevent third parties from intercepting their surfing behavior or to get rid of unwanted content. Not only Chrome users would be affected by this, but also users of Brave, Opera, Vivaldi and future versions of Microsoft Edge, which all build on Chromium. But fortunately, there are still browsers that are not based on Google technology:

Bundeskartellamt vs Facebook

Germany prohibits Facebook from collecting user data on third-party sites

Germany prohibits Facebook from collecting user data on third-party sites

According to the German antitrust office, the company abuses its dominant market position and violates European data protection regulations. Without the users’ voluntary consent, it is virtually no longer allowed to collect or merge any data.

Bundeskartellamt vs Facebook

Björn Greif

The Bundeskartellamt has prohibited Facebook from gathering an almost unlimited amount of user data from sources outside of its social network. According to the German antitrust authorities, the extent to which the company collects, merges and uses data in user accounts constitutes an abuse of its dominant market position.

In the future, Facebook is only allowed to collect data from third party websites and assign it (as well as data from company-owned services such as WhatsApp or Instagram) to Facebook user accounts if users gave their voluntary consent. “Voluntary consent means that the use of Facebook’s services must not be subject to the users’ consent to their data being collected and combined in this way,” clarifies Andreas Mundt, President of the Bundeskartellamt. “If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources.”

Marc Al-Hames, Managing Director at Cliqz, welcomes the decision of the German antitrust office:

It is high time to regulate the Internet giants effectively! Unregulated data capitalism inevitably creates unfair conditions. Just look at Facebook’s messenger WhatsApp: It’s simply indispensable for many young people today. This is where conversations and friendships are happening. If you want to be a part of it, you have to join. Social media create social pressure. And Facebook exploits this mercilessly: give me your data or you’re an outsider. That’s clearly an abuse of a dominant market position!

Google is even worse than Facebook

But that’s not all: Facebook monitors our activities regardless of whether we are a member of one of its networks or not. Even those who consciously renounce the social networks for the sake of privacy will still be spied out. According to statistics from, every fourth of our website visits are monitored by Facebook’s data collection technologies, so-called trackers.

But Facebook is only number two. By far the most important data monopolist is Google (or its parent company Alphabet). With Google search, the Android operating system, the Play Store app sales platform and the Chrome browser, the Internet giant collects data on virtually everyone in the Western world. And even those who want to get free by using alternative services stay trapped in Google’s clutches: With a tracker reach of nearly 80 percent of all page loads, Google probably knows more about them than their closest friends or relatives. “When it comes to our data, the top priority of the market regulators shouldn’t be Facebook, it should be Google!” says Al-Hames.

Facebook will take action against the decision

As a result of the antitrust decision, Facebook must adapt its data processing. However, it has already announced that it will appeal the decision in court. The company argues that although its social network is popular, it does not have a dominant market position. In addition, it disagrees with the antitrust authorities’ view that the terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users.

The German Federal Data Protection Officer Ulrich Kelber endorses the Bundeskartellamt’s decision. He said: “After the Bundeskartellamt, I now see a particular duty on the part of the European data protection authorities to follow up and work together to ensure that past infringements are eliminated and that all data protection requirements are met in the future. Companies like Facebook can’t just go on like this.”

But in the universe without borders known as cyberspace, data protection laws and regulation will never be able to form an invincible shield from the omnipresent trackers. Therefore, Internet users who want to protect their privacy have to take matters into their own hands. One simple and efficient step you can take is to use anti-tracking tools like Ghostery or the Cliqz Browser with built-in tracking protection:

Zuckerberg's “facts about Facebook” - the peak of hypocrisy

Zuckerberg’s “facts about Facebook” – the peak of hypocrisy

In a guest article, the Facebook CEO defends the data collection and claims that users now have more control. His statements, however, show that he does not understand the basic problem.

Björn Greif

In a guest contribution for the Wall Street Journal, Facebook CEO Mark Zuckerberg defends the advertising-based business model of his company and once again claims that Facebook gives its users more control. “You control whether we use your data for advertising,” writes Zuckerberg. The only question is why users can’t control whether Facebook is allowed to collect data or not.

“If Zuckerberg was really serious, he would give users the ability to turn off the monitoring of their activities on websites and apps,” comments Cliqz CEO Marc Al-Hames. “Everything else is hypocrisy.”

Facebook monitors nearly 25 percent of all web traffic

Facebook tracking scripts monitor almost a quarter (24.1 percent) of all Internet traffic according to current statistics from In other words: Big F intercepts every forth web page you load. The social network collects data about users outside its platform, which inevitably results in shadow profiles of non-members. Zuckerberg does not say a word about this in his guest article – as he did in the hearings before the US Congress and representatives of the European Parliament last year.

He also conceals that the “control options” are only available to Facebook members. Anyone who has never opened a Facebook account and does not use any of its services will still be tracked by Facebook without ever having agreed to it. Non-members cannot even view the data collected by Facebook or request its deletion. So if you want to have your data deleted, you first have to log in to Facebook and disclose further data!

Flimsy justification for comprehensive tracking

As an explanation for the comprehensive collection of data on and off the Facebook platform, Zuckerberg once again puts forward security reasons in his guest article. “That information is generally important for security and operating our services as well. […] We don’t let people control how we use this information for security or operating our services,” it states.

To detect bots or fraudulent login attempts, third-party tracking is probably helpful, but not needed at all. A company like Facebook certainly can find less invasive methods to strengthen security, which are not so much at the cost of the privacy of all Internet users.

All in all, Zuckerberg’s statements once again prove that he obviously doesn’t care about or simply doesn’t understand the concept of privacy.

With the Cliqz Browser you can escape Facebook’s tracking:


Will Google block ad blockers and privacy extensions?

Will Google block ad blockers and privacy extensions?

Proposed changes to Chrome and all Chromium-based browsers would virtually kill off external ad blockers and privacy tools – to the disadvantage of all users.


Björn Greif

Google engineers proposed some fundamental changes to the Chrome desktop browser and all other browsers using the open source Chromium code base (which would include future versions of Microsoft Edge). The proposed API modifications will break existing content-blocking browser extensions such as ad blockers and privacy protection tools.

Marc Al-Hames, Managing Director at Cliqz, says:

This would basically mean that Google is destroying ad blocking and privacy protection as we know it. They pretend to do this for the sake of privacy and browser performance, however in reality, users would be left with only very limited ways to prevent third parties from intercepting their surfing behavior or to get rid of unwanted content. Whether Google does this to protect their advertising business or simply to force its own rules on everyone else, it would be nothing less than another case of misuse of its market-dominating position. If this comes true, we will consider filing an anti-trust complaint.

Chrome will only allow limited blocking

Today, browser extensions can use Chrome/Chromium’s webRequest API to block requests, which is the prerequisite to block ads and more importantly tracking scripts used to monitor users’ behavior and build personal profiles.

In the proposed new model, the webRequest API will be replaced by the new declarativeNetRequest API. Essentially, this means an extension can send Chrome/Chromium a list of blocking patterns and Chrome/Chromium will do the blocking based on these patterns. It will, however, no longer be possible to modify or kill potentially dangerous or privacy-invading requests.

Serious consequences for developers and users

The current proposal would impose huge limitations on extension developers:

  • The patterns are less flexible than what is used in all modern anti-tracking tools and ad blockers today (there might be more breakage, or extension developers might not be able to specify some of the rules with this limited “syntax”).
  • There is a hard limit of 30k rules that extensions can register (as a quick comparison, most blockers usually load more than 100k rules by default, and sometimes more to fine-tune the behavior depending on the user). Sophisticated ad blockers with larger lists of rules would lose their competitive edge over the more basic ones. Competition would be destroyed. Innovation would cease to exist and Google’s own ad blocker implemented in Chrome (that does not block Google’s ads and trackers) might get a competitive advantage.
  • This system is a black box, which means no one may be able to figure out how and if the blocking rules are really applied, know which requests are really blocked, etc. It becomes very hard to investigate issues as well, since developers probably will not have access to the “blocking engine”.
  • The pattern lists for blocking have to be hard-coded and static and sent to Chrome/Chromium for reviews, a process which would cost time (today the extension review process can take weeks!). It would give ad tech and tracking vendors the opportunity to constantly implement changes to their products, making them undetectable for the blockers. In other words, there’s a risk that the “blocker database” would always be outdated.
  • It would mean the end of dynamic technologies that today update their blocking lists every few hours or even detect new tracking scripts in real-time, such as Ghostery’s and Cliqz’s AI-based anti-tracking that would no longer work with the new API.

In the end, users will suffer the most from the changes as they will make it harder for users to effectively block ads and tracking scripts and thus protect their privacy on the web. But fortunately, there are other browsers:

Sheryl Sandberg DLD Munich 19 (Source: Picture Alliance for DLD)

DLD: Facebook COO talks about change - but data collection continues

DLD: Facebook COO talks about change – but data collection continues

We are not the same company as we were a year ago, Sheryl Sandberg assured at the DLD in Munich. In terms of tracking and data collection, however, nothing has changed for the better at Facebook.

Sheryl Sandberg DLD Munich 19 (Source: Picture Alliance for DLD)
(Picture Alliance for DLD)

Björn Greif

At the Burda digital conference DLD, Facebook COO Sheryl Sandberg asserted on Sunday that the social network had changed since the Cambridge Analytica scandal. “We are not the same company as in 2016 or even a year ago,” Sandberg assured. Among other things, Facebook has given users more control over their privacy and improved data protection, she claimed.

However, the numbers speak a different language: According to current statistics from Cliqz and Ghostery, Facebook’s tracking scripts are still present on every fourth website (25.03%) loaded in Germany. Only Google has a greater tracking reach.

Top 5 Web Trackers in Germany

Android Apps share tons of data with Facebook

Facebook also still uses APIs to evaluate user activities in mobile apps. For example, popular Android apps such as Spotify, Shazam and Yelp use these APIs to send detailed usage data to Facebook without users’ consent, even if the app user has never signed up for Facebook. This is confirmed by a study published by Privacy International at the end of December.

As a matter of fact, Facebook’s monitoring software continues to collect disturbingly detailed data about the behavior of all Internet users. Being tracked by Facebook and ending up in shadow profiles is still unavoidable. And this is completely independent of whether you use Facebook services or not.

In addition, internet users are widely tricked and deceived, for example through dark patterns: Manipulative design is intended to deter users from strict privacy settings. To be fair: not only Facebook does this, but also Google and many other companies.

Antitrust authorities do more for privacy than politics

To this day, neither consumer nor data protection law has effectively curbed the Internet giants’ greed for data. So far, it is only the initiatives of the antitrust authorities that give cause for hope.

At the end of 2017, the Bundeskartellamt accused Facebook of abusive data collection and threatened it with sanctions. According to recent media reports, the German regulator will soon take action against the social network and at least partially prohibit it from collecting user data in Germany.

“Privacy is not an obstacle for innovation”

Marc Al-Hames at DLD (Source: Andreas Gebert / Picture Alliance)
Marc Al-Hames at DLD (Source: Andreas Gebert / Picture Alliance)

Big companies like Facebook and Google often argue that data protection that is too strict prevents innovation. Marc Al-Hames, Managing Director at Cliqz, contradicted this at the DLD: “This is a lie! Privacy is not an obstacle for innovation. We really have to get that lie out of people’s heads. It’s one of the biggest factors that stop privacy becoming mainstream.”

Therefore, Al-Hames calls for a new way of thinking: “We have to get to the point where people say: I only collect what I really need, and I’ll leave everything that I don’t need at the user’s device.” Cliqz follows this principle consistently – both with its privacy browser and its own search engine, as well as with its business model MyOffrz. Although this makes some things more difficult, in the end almost everything is technically feasible, even when the strictest possible data protection is taken into account.

Google+ data leak: just the tip of the iceberg?

Google+ data leak: just the tip of the iceberg?

The most intimate data about you is stored on Google’s servers. As the recent scandal has shown, there is no 100% security at Google either. Do you really want to entrust your entire digital life to this company?

Björn Greif

A vulnerability in the Google+ social network exposed the personal data of up to half a million members. The bug gave third-party apps access to information on a person’s Google+ profile that can be marked as private. The data that was exposed included full names, email addresses, occupation, birth dates, gender, relationship status, and more.

According to Google, it discovered and fixed the vulnerability as early as March. But the company opted not to disclose the data breach until the beginning of this week. Google executives did not want to invite regulatory scrutiny from lawmakers and to cause reputational damage (as it was the case with Facebook’s Cambridge Analytica scandal), according to a report Monday by The Wall Street Journal.

Google knows virtually everything about you

Such behavior raises the question of trustworthiness. Especially since Google stores considerably more personal data on its servers than just the data of Google+ members. The company knows virtually everything about your digital (and thus real) life. Via its search, products such as YouTube and Android, as well as its trackers, Google collects tons of user data.

Do you really want to entrust your entire digital life to a company that obviously can’t adequately protect its users’ data and doesn’t even consider it necessary to inform affected people about a data leak?

Google trackers monitor 78% of the web traffic and track everything from page views to highly sensitive information, whether the site visitor has ever used a Google product or not. Based on this data, Google could easily deanonymize any Internet user, inevitably creating shadow profiles.

Data allow deep insights into your life

The evaluation of “only” one third of all the websites you visit is enough to know more about you than your closest relatives do: Your Internet history reveals almost everything about your buying and travelling habits, your financial status, your state of health, your sexual preferences, your political attitudes, etc. Those who have access to this data get detailed insights into your way of life.

Anti-tracking tools such as Cliqz or Ghostery protect your personal data from being accessed by Google and others. They reliably prevent third-parties from spying on your browsing behavior and ensure that your privacy is preserved online.


EU fines Google a record €4.34 bn for Android antitrust violations

EU fines Google a record €4.34 bn for Android antitrust violations

Google abused its dominant market position, among other things, by requiring Android device manufacturers to pre-install the Chrome browser and the Google Search app.

Björn Greif

The European Commission ordered Google to pay a record €4.34 bn ($5 bn) antitrust fine for exploiting its dominant market position in search engines, mobile operating systems and app stores for Android. This means that the Commission did not fully exhaust the available framework of fines of up to 10 % of the annual worldwide turnover. In the case of Google and its parent company Alphabet, a fine of up to $11 bn would have been possible.

However, Google is likely to be hit even more by the fact that it must not continue its anti-competitive practices in the mobile sector condemned by the EU Commission. Google must now bring the conduct effectively to an end within 90 days or face penalty payments of up to 5% of the average daily worldwide turnover of Alphabet.

Commissioner Margrethe Vestager, in charge of competition policy, said:

Our case is about three types of restrictions that Google has imposed on Android device manufacturers and network operators to ensure that traffic on Android devices goes to the Google search engine. In this way, Google has used Android as a vehicle to cement the dominance of its search engine. These practices have denied rivals the chance to innovate and compete on the merits. They have denied European consumers the benefits of effective competition in the important mobile sphere. This is illegal under EU antitrust rules.

Update from October 10th, 2018: Google has filed an appeal against the antitrust fine at the General Court of the European Union in Luxembourg. The complex case could take several years before judges rule on it.

How Google abuses its market power

According to the Commission, Google has engaged in three separate types of practices, which all had the aim of cementing its dominant position in general internet search:

  1. Illegal tying of Google’s search and browser apps
  2. Illegal payments conditional on exclusive pre-installation of Google Search
  3. Illegal obstruction of development and distribution of competing Android operating systems

In particular, Google:

  • has required manufacturers to pre-install the Google Search app and the Chrome browser, as a condition for licensing Google’s Play Store;
  • made payments to certain large manufacturers and mobile network operators on condition that they exclusively pre-installed the Google Search app on their devices; and
  • has prevented manufacturers wishing to pre-install Google apps from selling even a single smart mobile device running on alternative versions of Android that were not approved by Google (so-called “Android forks”).

(Source: European Union)
(Source: European Union)

These illegal restrictions made it impossible for Android device manufacturers, for example, to pre-install only the Play Store without additional Google apps, or Firefox instead of Chrome, or any map service other than Google Maps. They were forced to discriminate against Google’s competitors if they wanted to distribute devices running the free Android operating system.

Marc Al-Hames, Managing Director of Cliqz, explains:

In the analog world, no one would dare to come up with an idea like this: A powerful corporation like Nestlé would be allowed to take over the infrastructure and store fixtures of virtually all supermarkets and then provide the equipment to store operators at no charge. In return, the stores would not sell any products by Nestlé’s competitors. But this is exactly what is happening in the digital world. The EU’s decision to force the market-controlling Android platform to be opened to other providers is long overdue. We are calling on the EU to prevent Alphabet from binding browser developers such as Mozilla/Firefox and Apple/Safari to Google’s search engine by offering them lucrative contracts.

As the biggest provider of online advertising by far, Alphabet can always spend more money than the competition can. The Internet giant takes in more than $100 billion from ads each year. And most of this money comes from search-engine advertising. This is why it makes sense for Alphabet to pour more than $20 bn into traffic acquisition costs each year to underpin and expand its dominant market position. Al-Hames: “It is time for Europe to finally step in and create a fair competitive environment for all search engines.”


MyOffrz: Marketing innovation combines targeting and privacy

MyOffrz: Marketing innovation combines targeting and privacy

MyOffrz shifts the storage and processing of browsing data from the server side to the client side. Cliqz thus offers a GDPR-compliant, privacy-friendly alternative to the advertising models of Google and Facebook.

Björn Greif

Cliqz has officially launched MyOffrz after a successful pilot phase. The innovative business model is based on a new concept called browser-based performance marketing which combines addressing individual consumers with concrete purchasing interests and the greatest possible protection of privacy. With this, Cliqz proves that successful marketing on the Internet is also possible without collecting and storing vast amounts of user data.

Companies like Google and Facebook collect as much information as possible about users for marketing purposes and store it in profiles on servers in their data centers. This way, users lose ownership and control of their data that can contain highly sensitive information. Based on this data, advertising providers then display targeted ads to individual users.

Your browser knows everything, Cliqz knows nothing

MyOffrz’s innovative browser-based performance marketing works completely differently: The storage and processing of data is shifted from the server side to the client side. The MyOffrz software recognizes purchase intentions locally, i.e. on the user’s device. This ensures that the data remains in possession and under full control of the user and their privacy is always protected.

MyOffrz ist eine datenschutzfreundliche Alternative zu bestehenden Werbemodellen.

What data does MyOffrz use to identify interests? The MyOffrz technology only has access locally on the device to the visited websites and web searches. This is data accumulated in the browser anyway (prior to MyOffrz) and stored in the history. If the user expressly permits it MyOffrz will also have access to their approximate location. If the user clears the browser history or uninstalls the browser, all data disappears. Since no personally identifiable data is stored or processed on the server side, MyOffrz is GDPR-compliant and also absolutely future-proof with regard to the upcoming ePrivacy regulation.

Paradigm shift

“Shifting the targeting logic from the server side to the client side is a real paradigm shift. The data remains in the possession and under the control of users yet targeting-based business models are still possible. With our innovation, we have proven that addressing consumers individually and respecting their privacy work together,” says Jean-Paul Schmetz, founder and CEO of Cliqz:

MyOffrz as a proof-of-concept is a clear signal to politicians not to be deceived by those who claim that without the possession of data about users, business on the Internet would not function. Google could, for example, easily offer browser-based performance marketing with Chrome or refrain from storing search entries if they only wanted to.

Alternative to the duopoly

A test phase with selected pilot customers has proven that MyOffrz is absolutely competitive in terms of performance with conventional offers. As the GDPR strengthens the duopoly between Google and Facebook even more, it is even more important to be able to contribute to more competition with our alternative model.

MyOffrz is an integral part of the Cliqz Browser and browser extensions for Windows, Mac, Android and iOS. Cliqz will use this innovative online marketing model to monetize its free offerings such as the privacy browsers, the quick search engine, and the anti-tracking technologies of the Cliqz and Ghostery brands.


After Gmail controversy: How to revoke app access to your Google account

After Gmail controversy: How to revoke app access to your Google account

If you grant a third-party app access to Gmail, you must expect the developer’s staff to read your private messages. Check access rights now!

Björn Greif

Earlier this week an article in the Wall Street Journal recalled a long-known problem and raised concern: Developers of third-party apps can read the emails of millions of Gmail users. What experts call “common practice” is called a “dirty secret” by the newspaper because not all users are aware of this fact.

According to the WSJ, Google does little to police those app developers whose machines and, in some cases, employees sift through “hundreds of millions of emails of users”. The report says:

One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software, people familiar with the episode say.

And that is just one example the WSJ gives. There is no indication that developers of Gmail add-ons have misused data of users, the newspaper states. However, opening access to email data (including message content, subject and various metadata) is risky in general.

Google plays down the issue

To defend itself and to reassure its users, Google writes in a blog post that it only reads emails in “very specific cases”, for example to investigate a bug or abuse, and only if the person concerned consents. “We continuously work to vet developers and their apps that integrate with Gmail,” Google says. According to the internet giant, users always have control over which apps can access their Google and Gmail accounts since third-party apps require the user’s consent to access accounts.

However, probably not every user pays attention to what permissions he grants which app. And some people may have simply forgotten that they allowed an app to access their email account at some point. Fortunately, you can revoke third-party app access to your Google account. Here’s what to do:

  1. Open the page in your browser.
  2. Sign in with your Google account.
  3. Click on „Apps with account access“ in the „Sign-in & security“ section.
  4. Under „Apps with account access“ select „Manage apps“. (Alternatively, you can directly follow this link and then sign in with your Google account.)
  5. On the “Apps with access to your account” screen you can now view which apps have access to what parts of your account and remove access.

In general, it’s a good idea to check the list of apps that have access to your Google account regularly and to remove any that you no longer use. Ideally, before using an app or extension, you carefully consider what access rights you want to grant them.


Net neutrality is dead, but clean and fast web browsing is still possible

Net neutrality is dead, but clean and fast web browsing is still possible

While the ultimate impact of the loss of net neutrality is still to be determined, tools like Ghostery or Cliqz ensure optimal website performance.

Deanna Sheward
Growth Marketing Manager, Ghostery

The Federal Trade Commission’s (FTC) repeal of net neutrality legislation, which required Internet Service Providers (ISPs) in the United States to treat all online content and data equally, began on June 11, 2018. The latest net neutrality rules from 2015, enacted by the Obama administration, ensured that ISPs would not block, censor or charge more for certain types of content. This assurance is over, and net neutrality advocates argue that the repeal of these rules gives ISPs too much control over how content is delivered, and subsequently consumed.

For example, without net neutrality, ISPs may choose to censor certain content or require online content providers to pay additional fees to be part of the Internet “fast lane”. And what happens if you can’t pay these additional fees? Well, then you get placed in the so-called “slow lane”. This process of separating data transmission into two distinct lanes is known as throttling.

What does this mean for you?

You might be reading this blog post and thinking to yourself: Okay, so content providers will be affected by the repeal of these rules, but what does this mean for me? The 2015 regulatory rules were meant to address the rapid evolution of the Internet. They not only prohibited blocking certain websites and apps, censoring content and throttling data transmissions, they also stopped ISPs from demanding consumers pay premium fees to be part of the fast lane, which would consequently force those who don’t pay these premiums into the slow lane. Those in favor of net neutrality are concerned that without these regulations in place, ISPs may begin to function akin to cable providers, where services are sold in bundles, with premium content bundled together at a higher price point.

It will take some time to see the full effects of this change. In May, the Senate passed a measure to repeal the FTC’s recently adopted rules and most recently, many of these senators pushed House Speaker Paul Ryan to schedule a vote on this matter. By the end of May, 29 states had introduced bills aimed at preserving net neutrality for their respective constituents. Some of these bills have since failed and others are still pending — how things will fully shake out is unclear right now.

What can you do?

You might consider using a product like Ghostery or Cliqz, which provides cleaner, faster and safer web browsing by blocking ads and trackers and removing clutter from pages to speed up page loads.

A recent Ghostery and Cliqz study, entitled “The Tracker Tax: the impact of third-party trackers on website speed in the United States”, looked at how the presence of these trackers on websites affects page performance for the top 500 websites in the United States, as determined by Alexa. The study found nearly 90% of page loads had at least one tracker on them and over 20% had 50 or more trackers.

These trackers have a measurable impact on page performance: The study revealed that on average, websites take more than twice as long to load when trackers are not blocked (19.3 seconds), compared to when the Ghostery browser extension is used to block all trackers (8.6 seconds). What does this mean? You spend an extra 10 seconds per load when trackers are present on the sites you visit.

While the ultimate impact of the loss of net neutrality is still to be determined, tools like Ghostery or Cliqz ensure optimal website performance. Ghostery also offers invaluable insight: knowing what is happening on the websites you visit, why they are slowing down and having granular control to block trackers and speed up your page loads is one step towards improving online experiences for Internet users.


Cliqz makes you a World Cup expert: fun facts about FIFA World Cup 2018

Cliqz makes you a World Cup expert: fun facts about FIFA World Cup 2018

You want to impress family, friends or colleagues with your football expertise? No problem: We gathered interesting and curious facts about the World Cup in Russia.

Björn Greif

The FIFA World Cup in Russia is entering the knockout stage. The participants of the round of 16 have been determined. The remaining 16 teams had to travel home early, including the German national team. This is the third time in a row and the fourth time in the last 20 years that the reigning World Cup champion has been eliminated in the group stage.

Before Germany, the “curse of the World Cup champions” hit France (2002), Italy (2010) and Spain (2014). Only record World Cup champion Brazil escaped in 2006 and reached the quarter-finals (0-1 vs. France).

With our World Cup widget in the Cliqz Browser for Windows and Mac you won’t miss a single goal and you’ll always be well informed. It provides you with all relevant match information such as kick-off times, fixtures, and (live) results. Just open a new tab and click on the soccer ball icon in the upper left-hand corner. Or just follow this link to

Below you will find even more interesting and fun facts about the FIFA World Cup:

  • Brazil has won the most World Cup titles so far (5: 1958, 1962, 1970, 1994, 2002). It thus has one more title than Italy (1934, 1938, 1982, 2006) and Germany (1954, 1974, 1990, 2014).
  • The record for most World Cup matches played (25) is held by Lothar Matthäus (GER). He’s followed by Miroslav Klose (GER, 24), Paolo Maldini (ITA, 23), Uwe Seeler (GER, 21) and Diego Maradona (ARG, 21).
  • The player who scored the most goals in World Cup history is Miroslav Klose (GER) with 16 goals in 24 matches. Other very successful scorers are Ronaldo (BRA, 15/19), Gerd Müller (GER, 14/13), Just Fontaine (FRA, 13/6) and Pelé (BRA, 12/14).
  • Russia’s Oleg Salenko scored the most goals in a single World Cup match in 1994, contributing 5 goals to the 6-1 win over Cameroon in the group stage.
  • The match with the most goals at a World Cup took place in 1954 between Austria and host Switzerland. The final score was 7-5 NOT on penalties, but after regular playing time! The total average of 5.4 goals per match at the 1954 World Cup is also likely to remain a record for eternity.
  • The World Cup match with the most cards was the round of 16 match between Portugal and the Netherlands 2006 in Nuremberg, Germany (later came to be known as the Battle of Nuremberg). The Russian referee Valentin Ivanov was forced to show 16 yellow and 4 red cards. Later he admitted that this was “the toughest match of my career.”
  • The World Cup match with the best attendance of all time is the match between Uruguay and the host Brazil at the 1950 World Cup. An unbelievable 173,850 spectators watched the match at the Estádio do Maracanã in Rio de Janeiro. By comparison, only 74,738 spectators were admitted to the 2014 World Cup final between Germany and Argentina in the modernized Maracanã Stadium.

  • 32 teams take part in the World Cup tournament. Including the automatically qualified host Russia, a total of 14 European nations are represented. In addition, there are 5 teams each from the African, Asian and South American confederations and 3 teams from North and Central America.
  • Argentina (together with Costa Rica) is the oldest team of the World Cup with an average age of 29.6 years. The youngest team in the tournament is Nigeria, with 25.9 years on average. The mean age of the reigning world champion Germany is 27.1 years, that of record world champion Brazil 28.6 years.
  • The 32 participants compete for 31 days for the World Cup trophy, which measures 14.5 inch in height and weighs 13.6 lbs. The trophy is worth around $140,000, but invaluable in sentimental value.
  • In addition to fame and glory, the world champion will receive $38 million in prize money. The loser of the final can console himself with $28 million. Those who survive the group phase will receive $12 million. This means that the prize money is about 12 percent higher than at the 2014 World Cup in Brazil.
  • Based on the players’ market value, the participating teams have a total market value of 10.45 billion euros. France has the most expensive squad with 1.08 billion euros, followed by Spain (1.03 billion), Brazil (981 million), Germany (883 million) and England (874 million). The squad value of the World Cup debutant Panama amounts to just 8.43 million euros. The most expensive single player is the Brazilian Neymar with an estimated market value of 180 million euros. (Source: as of 11.06.2018)
  • Approximately 2.4 million tickets were sold for the 64 matches at the 2018 World Cup. The most tickets (871,797) were bought by Russians, followed by fans from the USA (88,825), Brazil (72,512), Colombia (65,234), Germany (62,541) and Mexico (60,302).
  • A ticket for the 2018 World Cup costs between 85 and 892 euros. The official ticket prices for the 2014 World Cup in Brazil were between 69 and 730 euros. On the black market, tickets for the final were traded at prices of up to 30,000 euros four years ago.
  • The largest of the 12 World Cup stadiums is the Luzhniki Stadium in Moscow with a total capacity of 80,000. On July 15th, the final will also be played there. Second largest stadium is the Saint Petersburg Stadium in St. Petersburg (67,000), followed by the Fisht Stadium in Sochi (44,287), where the opening ceremony of the Winter Olympics took place in 2014. The smallest stadiums are the Kaliningrad Stadium and the Ekaterinburg Arena with 33,973 and 33,061 seats respectively.

  • Brazil is the only nation to have participated in every FIFA World Cup. With 20 participations to date, the South Americans have won 5 world championship titles, making them record holders. They are followed by Germany, Italy (18/4 each) and Argentina (16/2). Mexico have taken part in 15 World Cups but always left empty-handed.
  • Iceland and Panama qualified for the World Cup for the first time. Panama’s president declared October 11th, the day of successful qualification, a national holiday. 66,000 Iceland fans are said to have applied for World Cup tickets. This corresponds to 20 percent of the population of the island state – “Huh!”
  • Egypt are back in the World Cup for the first time since 1990, thanks to a last-minute goal from national hero Mo Salah, who received 5% of the vote in Egypt’s last presidential election, even though he was not even nominated.
  • Peru are back at the World Cup for the first time since 1982, overcoming the longest lean period of any team that has ever qualified before.
  • South Korea is playing its tenth World Cup and thus has the most participations of all Asian nations.
  • Nigeria qualified for the World Cup six times since its debut in 1994 – more often than any other African country.
  • This year’s World Cup host Russia has never been beyond the group stage. However, in 1966, the former Soviet Union achieved 4th place.
  • Italy did not qualify for the World Cup for the first time since 1958.
  • The USA are not qualified for the World Cup for the first time since 1986. This is particularly annoying for Fox Sports, which paid more than $400 million for the English-language broadcast rights in the United States for the 2018 and 2022 World Cups.
  • Aside from Italy and the USA, other football-loving nations are also not represented at this year’s World Cup, including Algeria, Cameroon, Chile, Ecuador, Ghana, Ireland, the Netherlands, Turkey and Venezuela.

  • The World Cup will be held for the 21st time in 2018, but for the first time in Russia.
  • For the first time the World Cup will take place on two different continents: Asia and Europe.
  • The matches will be played in twelve stadiums at eleven host cities in Russia: Moscow (two stadiums and final venue), Saint Petersburg, Ekaterinburg, Kazan, Samara, Volgograd, Nizhny Novgorod, Saransk, Rostov-on-Don, Kaliningrad and Sochi.
  • The distance between the most western (Kaliningrad) and the most eastern venue (Ekaterinburg) is almost 2500 km (1550 miles), roughly the distance between Moscow and London. Between the most northern (St. Petersburg) and most southern venue (Sochi) lie more than 1900 km (1180 miles), which corresponds approximately to the distance between Moscow and Munich.
  • This year’s World Cup mascot is a wolf called Zabivaka, which means “the one who scores” or “little scorer” in Russian.
  • With an estimated cost of 10 billion euros, the World Cup in Russia is considered the most expensive tournament in the history of the FIFA World Cup.

Within the next week we will add more interesting and fun facts about the world’s biggest sporting event. Stay tuned!


Icons by Skyclick

Letter to Facebook - What do you know about me?

Letter to Facebook – What do you know about me?

Article 15 of the GDPR grants EU citizens the right to request information from a company on whether personal data concerning them is being processed. Cliqz’s Thomas Konrad made use of this right and sent a request for information to Facebook.

Icons by Skyclick

Thomas Konrad
PR & Communication Lead

As of today, the new General Data Protection Regulation (GDPR) is enforceable, which allows residents of the EU to assert rights against companies regarding the processing of personal data. This also includes a duty of disclosure and the obligation of companies to delete certain data upon request.

I sent a letter today to the Data Protection Officer (DPO) at Facebook’s European headquarters in Ireland to get full information about what Facebook knows about me. I was very disappointed not to find an email address of the DPO on the Facebook website despite intensive searches. I just sent the request for information as per Article 15 GDPR by post – of course by registered mail.

You can find the letter below.

I will keep you informed of further progress in the exercise of my rights under the GDPR!

Facebook Ireland Ltd.
–Data Protection Officer–
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland


Munich, May 25, 2018

Dear Sir or Madam,
I am a EU citizen and resident and would like to ask you to provide me all data your company (including all affiliates) collected about me, including all data provided to your company by third parties and including all data your company collected with tracking scripts or other software on any website or app operated by other companies. The data I’m interested in include all pseudonymized data that contain any form of online identifier. Please send me all “raw” data stored on your servers (including all URLs, identifiers, time stamps and behavioural data) unchanged and in full.

Furthermore, I’m interested in what your company reads out of this data. Please send me the end products of the processing of the above-mentioned data, including the information about the purpose and the categorization of the processed data. Please also send me information about the existence of automated decision making, including profiling and information about the logic involved.

Please inform me in which country the above-mentioned data is stored and processed by your company. I also request information whether your company stores any of the above-mentioned data in a way that would make it possible to attribute the data (e.g. by using identifiers, fingerprinting, session-based or other technologies) about my internet, shopping, traveling, and other activities on and off Facebook to my Facebook, WhatsApp and Instagram account or any other forms of identification used by your company and whether and how your company combines the data attributed to those accounts or identities. I also request information if and how your company uses or used technology to de-anonymize any data attributed to online identifiers that could be attributed to me or identify me as a specific user or concrete person. I also request information whether your company stores and processes data about my online identities at services that are not operated by your company (e.g. my Google, Twitter, Amazon, or email account) and about the purpose of the data processing.

Does or did your any of your company’s software (e.g. APIs or tracking scripts) collect data about the content of any websites or apps that are not operated by your company and if yes, are these data stored in combination with any form of online identifiers? Do or did your company’s software (e.g. APIs or tracking scripts) collect data about an internet user’s behaviour (e.g. clicks, scrolls) and/or an internet user’s input on these websites or apps (e.g. when filling in personal information in a web form) in combination with any form of online identifiers? If this should be the case, I request access to this information as per Art. 15 GDPR as well.

Information about my accounts with your company
Facebook:[account name]
Instagram: [account name]
WhatsApp: [mobile number]
To prove my identity, I enclosed a copy of my passport.

Unfortunately, I haven’t found any contact information to make this request by electronic means. I would be grateful if you could provide me the information and answers to my questions in an electronic format, be it by a secure download option (preferred) or a physical digital storage medium. My email address is [name@domain]. For further communication, please provide details about how to contact your DPO by electronic means.

In addition to my request for information as per Art. 15 GDPR, please answer the following questions:

Did any other party get access (unintentionally or intentionally) to any personal information (including pseudonymized data combined with any form of identifier) your company collected about me or my behaviour?

What online identifiers other than the account ID does your company store and process, and for what purpose?

How can I correct, delete, or transfer the above-mentioned data?

How can I opt-out of any further data collection by your company when I use websites or apps that are not operated by your company?

Yours faithfully,

Thomas Konrad


EU hearing: Zuckerberg gives no answer regarding shadow profiles

EU hearing: Zuckerberg gives no answer regarding shadow profiles

As before in the US Congress, the Facebook CEO avoided the most important question of whether Facebook also collects and stores data about non-members. Instead, he again cited security purposes.

Björn Greif

Yesterday’s hearing with Mark Zuckerberg before the group chairmen and selected Members of the European Parliament in Brussels was supposed to shed light on how Facebook deals with confidential data and privacy. And MEPs’ questions were indeed much more pointed and sharper than those of their colleagues in the US Congress a few weeks ago. But due to an odd format, in which MEPs first asked all their questions at the beginning and then let Zuckerberg answer everything at the end, the Facebook CEO was more or less able to avoid inconvenient questions.

In the end, he once again failed to provide a clear answer to the most crucial question: whether Facebook is collecting and storing non-users’ data, which would inevitably result in shadow profiles. There was also no answer on whether non-members can see what data Facebook collected, delete it or whether it’s used commercially.

Zuckerberg again puts forward security reasons

It was only after Syed Kamall, co-President of the European Conservatives and Reformists Group (ECR), asked several times that Zuckerberg set about answering the question on shadow profiles, which was obviously unpleasant for him. It was all excuses though: First, he explained that Facebook users could delete data collected about them on third-party websites and in apps by using the recently announced Clear History feature. As before in the US Congress, he cited security purposes for tracking-based data collection outside the Facebook platform.

When Kamall asked again how non-Facebook users can stop that data from being transferred, Zuckerberg briefly repeated: “On a security side, we think it is important to keep it to protect people in our community.” Then he quickly changed the subject, which the MEPs let him get away with due to a lack of time.

A clear violation of GDPR

“His attempts to justify the surveillance of everyone’s browsing behavior, regardless of whether he or she is a Facebook user or not, with security reasons is very unsettling as it reveals that he has no idea of the concept of privacy,” says Jean-Paul Schmetz, Managing Director and Founder of Cliqz. “As a society, we’d never allow the police to intercept all citizens’ browsing activities for security reasons. Why should we allow Facebook?”

To detect bots or fraudulent login attempts, third-party tracking is probably helpful, but not needed at all. A company like Facebook certainly can find less invasive methods to strengthen security, which are not so much at the cost of the privacy of all Internet users.

Zuckerberg also said in the hearing that Facebook will be fully GDPR compliant on May 25th. However, without a Facebook profile users can’t access or delete the data Facebook has collected about their browsing behavior and which they never gave their consent for in the first place. That’s a clear violation of GDPR and exposes Zuckerberg’s disrespect of the right of privacy.

Massive criticism of the hearing format

Immediately after the meeting, many participants criticised the format of the hearing: “unfortunately the format was a get out of jail free card and gave Mr. Zuckerberg too much room to avoid the difficult questions.”, Syed Kamall wrote on Twitter.

His colleague Guy Verhofstadt, President of the Group of the Alliance of Liberals and Democrats for Europe (ALDE), who asked Zuckerberg, among other things, about adequate compensation for users in return for the data collected for advertising purposes, made a similar statement:

We can only hope that the pledged written answers to the many outstanding questions will finally create the transparency that Zuckerberg never grows tired of promising. We will stay tuned!


Open letter to MEPs: The most crucial question to ask Mark Zuckerberg

Open letter to MEPs: The most crucial question to ask Mark Zuckerberg

Cliqz suggests the MEPs to ask the Facebook CEO directly about shadow profiles and off-Facebook browsing data collected from non-Facebook users.

Björn Greif

Facebook’s Mark Zuckerberg finally will be questioned by Members of the European Parliament on Tuesday, May 22. Cliqz asks MEPs in an open letter to interrogate Mr. Zuckerberg on the most crucial question about the privacy of all internet users: shadow profiles and off-Facebook surveillance.

Update May 22: Other than initially planned, the hearing will be open to the public. You can watch it live on the European Parliament website. The broadcast will start at 6:20 PM CEST.

Please find hereafter the open letter.

Dear President of the European Parliament,
Dear Members of the Conference of Presidents,
Dear Members of the European Parliament,
Dear Members of the LIBE Committee,

A few weeks ago, the members of the US Congress let Mark Zuckerberg get away with feigning ignorance on the most critical questions about the privacy of all Internet users: Does Facebook create “shadow profiles” – i.e. profiles of non-members – and does Facebook collect information about people outside of the Facebook platform. We are hopeful and confident that our representatives will be more tenacious.

Since the parliamentary hearing was organized as a closed-door meeting to respect Mr. Zuckerberg’s privacy, allow us to suggest some key questions to ask him directly:

Mr. Zuckerberg: Cliqz’s researchers have established that Facebook’s tracking scripts are on more than 1 out of 3 pages of the web, collecting people’s browsing behavior combined with unique identifiers. The Cambridge Analytica data leak affected 2.7 million EU citizens whereas off-Facebook data collection affects every single internet user in the world, regardless whether he or she is a Facebook member of not.

Why do you collect this data and do you store this data?

You have announced a few weeks ago that you will offer Facebook members the possibility of deleting this data (which suggests that you do store this data). When will people see the data you have collected and stored? How many months of browsing history did you store? Will non-Facebook members be offered the possibility to see and destroy their data?

Where exactly in your past privacy policies did you tell your users that you were collecting and storing this data? Did you seek to receive consent for this sort of collection from your users in preparation for GDPR?

Dear Members of Parliament, please do not allow Mr. Zuckerberg to plead ignorance on these important question as he did in front of the US Congress. Even if he did not know at the time, he does know as his announcement a few weeks later made clear. Please insist on clear answers about the extent of tracking of users and non-users outside of Facebook properties. You can pin him down with one simple, unambiguous question: Do you store off-Facebook browsing data collected from non-Facebook users?

For our part, we build tools to keep Facebook and others from creating shadow profiles of internet users. We are a German start-up backed by Burda and Mozilla and we build browser, search and data protection technologies. Our Cliqz and Ghostery browsers make the hidden surveillance network of tracking scripts visible for everyone.

Our data scientists would be more than happy to show you, dear Members of the Parliament, some examples of how dangerous tracking-based data collection is.

Please, do not allow the strong platforms of this world to destroy the privacy of your citizens. As proud citizens of the EU, we count on you!

Yours faithfully,

The Cliqz Team

Marc Al-Hames
Managing Director, Cliqz GmbH

Jean-Paul Schmetz
Founder, Cliqz GmbH


Open letter to Mark Zuckerberg: „Stop lying!”

Open letter to Mark Zuckerberg: „Stop lying!”

The Facebook CEO claims to know nothing about shadow profiles. We at Cliqz consider this statement to be not very credible and ask him to respect everyone’s privacy in an open letter.

(Icons by Smashicons, Icon Pond

Björn Greif

At a hearing before the US Congress Facebook CEO Mark Zuckerberg claimed that he did not know anything about shadow profiles. Cliqz now confronts him with this obvious lie in an open letter that has appeared in leading German and European media today:


Some lawmakers embarrassed themselves when they questioned you in front of the US Congress. It was a bit like watching one‘s grandparents trying to be cool on social media. At times the ladies and gentlemen there seemed a little out of their depth, there were a few awkward moments – in fact the entire event could have been quite amusing, and you and your shareholders had every reason to feel relieved.

However, upon a closer look, none of it was funny. What you told the world was a lie. You evaded the question about the fact that Facebook has us all under surveillance, regardless of whether we are actually signed up to Facebook or not by claiming some obscure “security purposes”. That is one conscious aspect of your business model which is not funny at all.

Let us look forward to a better future. You have told the media that this is what you intend to do. You have been given a chance to do things better. Keep your word! Prove that you really intend to implement the changes to your company you have promised to the public. Show your users some respect – and respect everyone’s privacy.


Dr.-Ing. Marc Al-Hames
CEO Cliqz GmbH

Jean-Paul Schmetz
CEO Cliqz GmbH

Zuckerberg’s statements are not very trustworthy

With the Cambridge Analytica scandal, Facebook came into the public eye as one of the actors of the otherwise covert surveillance economy. At first glance, users of the major Internet platforms only see a social network, a search engine, a map service, a video portal. In the background, however, data is collected and turned into money. It was long overdue that the data collection practice of Facebook – representing all major advertising-funded Internet giants – was put to the test.

Asked about shadow profiles by Congressman Ben Lujan, Zuckerberg said: “I’m not familiar with that.” Shadow profiles are the data that Facebook collects and stores even about those Internet users who never signed up to Facebook or who deliberately left the network. The founder of the Social Network allegedly knows nothing about this practice? Pretty unlikely!

Zuckerberg actually knows very well that Facebook’s tracking scripts are integrated into thousands of websites. They even allow Facebook to see what we are all doing outside its platform. This data is an essential part of their business model. The information reveals a lot about what we want to buy or where we will travel to – ideal for targeting for marketing purposes.

Facebook tracks nearly 30% of global website traffic, as a study by Cliqz and Ghostery shows. The evaluation of “only” one third of all the websites we visit is enough to know more about us than our closest relatives do: whether we have debts, suffer from a serious illness, cheat on our partner, look for a new job, and what political attitudes and sexual preferences we have – our Internet history reveals it all.

This is how privacy works!

Cliqz respects and protects your privacy. The anti-tracking technology built into our Cliqz and Ghostery browser products reliably prevents you from being tracked across the web. Tracking scripts are either blocked from the outset or the personal data they request is replaced by a generic placeholder. With this combination of blocklist-based anti-tracking and the AI-powered removal of user identifiers, Cliqz is the innovation leader.

In addition, Cliqz only stores strictly anonymous, merely statistical data on its servers without any reference to individual users. This anonymous statistical data is the foundation of our independent web index, used by our quick search engine that is built into the Cliqz Browser, among others. Nevertheless, Cliqz is able to individualize services. But all data related to individual users always remain on the user’s device, in their possession and under their control. This client-side data aggregation is the privacy-friendly counter model to storing profiles on servers in data centers.

Cliqz’s business model MyOffrz also follows the principle “the browser knows everything, we know nothing”: Cliqz users see attractive offers based on the websites they visit and the search queries they enter. The matching of interests and offers takes place locally in the browser on the user’s device; no data related to individual users is sent to the Cliqz servers. This innovative technology, called Browser-based Performance Marketing, is a proof of concept for a consistently privacy-friendly business model of the future. It proves that no profiles need to be stored on servers to build an ad-based business model.

Let’s see Facebook & Co. do that!


Ghostery Open Source

Cliqz open-sources anti-tracking tool Ghostery

Cliqz open-sources anti-tracking tool Ghostery

You can now review and contribute to the software code on GitHub. With this move, Cliqz and Ghostery demonstrate their commitment to transparency and an open internet.

Ghostery Open Source

Björn Greif

Just over a year after it was acquired by Cliqz, the anti-tracking tool Ghostery goes Open Source. Like the complete client-side software code of Cliqz, Ghostery’s source code of its popular browser extension is now publicly available on GitHub. This move demonstrates Cliqz’ and Ghostery’s commitment to transparency.

By reviewing the software code, you can now see for yourself how Ghostery works and what types of data it collects. In addition, the worldwide developer community and Ghostery’s highly committed user community get the opportunity to contribute directly to the source code and to Ghostery’s effort to make the internet cleaner, faster and safer.

Transparency through open source

“When it comes to putting users in control of their data, privacy and transparency are equally important. Only when individuals clearly understand what data digital products are collecting can they make meaningful decisions about what information they share and with whom,” said Jeremy Tillman, Director of Product at Ghostery:

Our software lets users see who tracks them and provides transparency into the impenetrable and secretive world of commercial online surveillance. In an effort to be as open as possible with our own users, we are following the example of our parent company, Cliqz, to publish Ghostery’s source code and make it freely available to the world.

Ghostery has a very passionate and active user community. Most users already voluntarily contribute to statistics that are used by Ghostery and its parent company Cliqz to discover new trackers and unveil the invisible tracking ecosystem that pervades the web. These strictly anonymous statistics are also used to assess the relevance and safety of websites. The technical basis for this data contribution is the Human Web, an open source data architecture built by Cliqz that uses anonymization and encryption technologies to prevent interception and to ensure these statistics contain no data about individual influencers, ensuring total privacy and transparency.

Ghostery’s privacy-enhancing browser extensions are available for free download for all popular browsers, including Cliqz. The mobile app for Android or iOS can be downloaded free of charge from Google’s Play Store and Apple’s App Store. Ghostery’s software code is available here:


Icon made by Freepik from

Cliqz researchers discover privacy issue on and other Microsoft sites

Cliqz researchers discover privacy issue on and other Microsoft sites

Popular sites like, and leaked an identifier that could be used to deanonymize users. Microsoft acknowledged and fixed this issue. Cliqz and Ghostery users were not affected.

Icon made by Freepik from

Sam Macbeth
Software Engineer

At Cliqz we have developed an algorithm for detecting unique identifiers sent in the URL parameters of third-party requests. We use this in our anti-tracking system in order to detect and remove browser fingerprints being sent to third-party trackers. After detecting some anomalous behavior, we decided to run this on the third-party hostnames in our data.

What we found

Running this analysis, we found several services which seemed to send requests to hostnames which contained a user identifier. Initial inspection suggested that the requests were to APIs which were used once a user had logged in. Further investigation would be required to see if other layers of access control existed to protect these APIs, or just this identifier was enough to access them.

Hostnames are not private

When sending data over HTTPS we expect the data sent to be private, as it is encrypted between your browser and the host server. However, the address the data is to be sent to, i.e. the hostname, is not encrypted: it can be leaked by a DNS lookup or when making a HTTPS handshake. As this information is not private, sending user identifiers in the hostname can lead to both security and privacy issues:

  • If this user identifier can be used for authentication, a network snooper would be able to steal this token and use it to authenticate as the user.
  • As the user identifier is constant over time, the network snooper can track the activity of a particular user over the whole time frame that they are using this network. An attacker able to observe many different networks (for example, an ISP), would be able to track users across networks.

Our data found hosts with user identifiers under the subdomain. These were in the format cid-[16 digit hex] Requests to these hosts were done from several different Microsoft sites, including,, and Local testing showed that this happened when logged in to a Microsoft account on these domains, and this API was used to download and display the user’s avatar in the page.

Microsoft uid hostname

As the affected Microsoft sites are popular, the privacy implications of the leak of a user identifier were significant. The theoretical attack of tracking users across networks becomes more feasible the more often the user would be expected leak this information. If a user were to use Bing search, or was working on documents in Office 365, they would make these requests often, improving the resolution of the tracking.


Having found the ids being leaked, we looked to see if there were any further attacks possible beyond activity tracking.

The first discovery was that the user identifier was sufficient to download a user’s avatar from their Microsoft account. A request could be made to https://cid-{id}{id}/myprofile/expressionprofile/
which would return the avatar if one existed. Thus, users could be potentially deanonymized from this leaked identifier.

Further research found that this issue was previously reported in a blog post in 2015, and was also covered in the tech press. As well as the avatar download, the post described other attacks to extract data from the OneDrive API for a user. For example, one can read and download the contents of this user’s public OneDrive folders by accessing the following URL:


As well as listing the files in the public directory of the user’s OneDrive, this API gives the space used and granted for this account. While gaining access to public files is not exactly a serious flaw, many users would not expect that these files are so exposed to the outside world. Users using the public folder to share files with friends and business associates may not expect that these files can also be downloaded by others with whom the link was not shared.


We were able to find a fix which solved the privacy issue for our users with no negative effect on them or the Microsoft sites they were using. The API requests made to this hostname also included the user identifier as a query string parameter. We found that if the identifier in the hostname is changed or removed it did not affect the result of the request. Therefore, we shipped a rule to our anti-tracking which would rewrite any cid-{id} hostname to The prevented network snoopers from seeing user identifiers anymore.

This fix was also included with Ghostery 8, as part of the AI-antitracking feature, extending protection to this group of users too.

Fixing for non-Cliqz users

We reported the issue to the Microsoft Security Response Center at the end of April 2017. After providing a Proof of Concept of this exploit, they confirmed the issue in August, and credited us on their Security Researcher Acknowledgement page. When we went to verify the fix, we found the following:

  • Fixed 30.07.2017.
  • Fixed 30.07.2017.
  • Fixed 06.12.2017.
  • Fixed 19.02.2018.

While Microsoft acknowledged and started fixing this issue promptly, the delay rolling the fix out to all properties shows the difficulties in fixing such issues in large organizations, particularly when, as in this case, the issue lies in a consumer-facing API which has strong dependencies across multiple teams.



Chrome's default ad blocker strengthens Google's data-driven advertising platforms

Chrome’s default ad blocker strengthens Google’s data-driven advertising platforms

Google’s browser now blocks certain ad formats by default. This move is less about improving the browsing experience and more about forcing publishers and advertisers to switch to Google’s data-driven advertising platforms.


Björn Greif

Google has turned on the default ad blocker within its Chrome browser, which it announced in June 2017. However, not all ads are blocked but only those that do not comply with the standards of the Coalition for Better Ads, co-founded by Google. The blocked ads include, for example, pop-up ads, prestitial ads, auto-play video ads with sound and flashing animated ads.

From a consumer’s point of view, less intrusive ad formats are of course desirable. Google’s approach is therefore basically heading in the right direction. From a privacy perspective, however, the “Better Ads” are no less aggressive than previous forms of advertising. Highly targeted ads based on detailed user profiles work subtle. They replace aggressive visuals with targeted manipulation.

Such intrusive ad formats will automatically be blocked by Chrome in the future (Source: Coalition for Better Ads).
Such intrusive ad formats will automatically be blocked by Chrome in the future (Source: Coalition for Better Ads).

Google forces websites to meet its ad standards

Violations of the Better Ads standards are reported to site owners. They will have 30 days to make changes and to submit their site for re-review. If the violations have not been fixed within this period, Chrome will automatically remove the ads in question from the site. This way, Google ultimately forces the entire ecosystem to switch to data-driven advertising. In the growth market of data-driven ads, only very few companies will be able to succeed, and Google does everything to stay on the top.

“This new Chrome feature is less an ad blocker and more of an ad enforcer. If you’re looking for motivation behind Chrome’s built-in ad blocker, it’s less about improving the browsing experience for users and more about forcing publishers and advertisers towards ad standards that benefit Google,” says Ghostery’s Director of Product Jeremy Tillman. “The fact that it is threatening to block all ads on pages that fail to meet its standards within 30 days seems like an obvious ploy to move more publishers to Google’s advertising platforms, which relies on deep and exhaustive data collection that Google has no incentive to curb.”

This is why Google will never stop grabbing as many data as possible about you. As the knowledge about the consumer becomes even more valuable in the market of data-driven ads, surveillance will grow.

Internet users can hardly escape Google

Google does not only collect ad-relevant data about you with their own browser, search engine, and other services, but also by tracking you on other websites. According to a study by Ghostery and Cliqz, Google is the largest operator of third-party tracking scripts. On 6 out of 10 websites you visit, Big Google is watching you. Even if you’ve never used one of their products, Google probably knows all about you and your browsing habits.

Therefore, users who value their privacy should continue to use standalone ad blockers and anti-tracking tools such as Ghostery, Adblock Plus, Privacy Badger, uBlock origin, or the Cliqz Browser. This way, they can be sure, that their privacy is protected. Additionally, by blocking ads and the associated tracking scripts, websites look cleaner and load considerably faster.