Imagine waking up to discover your browser has been secretly enlisted in a cyber army, tracking your every click, scroll, and search, all without your knowledge. That’s the chilling reality of a botnet — a massive network of hijacked devices turned into remote-controlled zombies by hackers.

But what if I told you a similar setup exists right under our noses, powered not by malware but by tech giants like Google? Using your browser as the unwitting tool, they track your every move across sites with a persistent ID you never agreed to. And you shouldn’t wonder why Google knows your every preference, idea, opinion, and connection. People, you are also vulnerable. I call this the Google botnet.

This isn’t a traditional botnet of malware-infected computers, but a vast army of web servers willingly embedding Google’s code, turning visitors like you into data sources for a third-party empire. I’ve tried explaining this for years, but today we go through the tech straight from Google’s code to show you exactly how your behavior is harvested. No theory, just proof. And I’ll reveal why my go-to solution, browser isolation, blocks it flawlessly. This is privacy warfare 101. Stay right there.

Our approach today: I will not bore you with theoretical talk. What I will do instead is demonstrate exactly how things work. To accomplish this, I wrote some code to show you the detail. Those who are very techy can repeat the demo and examine the data more closely. If you’re not super techy, just grasp the main concept, which I will state at the end of each section. I’m just trying to show you that there’s proof to this, not FUD.

The basic tools for this demonstration include a website I built just for this demo, which I will leave with the original credentials for a short while after I release this video. After that, I will delete the Google credentials, so if you’re watching this later, it may not function completely as shown. This website is Brax.live.

Next, I will demonstrate this using two browsers. The first browser will be Chrome, and the other browser will be Brave. Let’s get started.

The Google ID

I’ll state it directly now: the problem is the Google ID. When you log into Google on a browser, your Google ID is translated into a bunch of identifiers that are obfuscated by Google to appear anonymous. The idea is that third parties cannot directly translate these identifiers to your original Google ID, which is typically a Gmail address.

However, let’s make it clear that Google made these anonymous identifiers so they can translate them back to your original account.

Let’s look at a Chrome browser that’s logged into Google. We’ll start from google.com to make this clear. What we’re going to do is look at the cookies on this computer. To do that, I right-click on the browser and click “Inspect.” This launches DevTools, which we will use a lot today. We click the Application tab, then select the cookie section for www.google.com.

There are several Google domains, but it doesn’t matter which one you pick. The Google identifiers will be the same. Look at these cookie values: Secure 1PSID, SID, HSID. These are Google’s master keys to your account. They are anonymized, so they don’t look like your email address, but Google can reverse them to your original Google ID.

Now let’s switch to Brave. Using google.com again, here I did not log into Google. Using the same procedure, I check the cookies for www.google.com. You will see that the values Secure 1PSID, SID, and HSID are missing. Clearly, when you do not log into Google on a browser, the browser has no trace of Google identifiers.

If you’re trying to duplicate this, make sure to clear cookies on Brave before starting, in case you logged into Google in the past.

Summary:
If you don’t log into Google, Google ID identifiers are not on your browser. Google IDs on one browser don’t transfer to another browser.

The Botnet Demo

To demonstrate a website that behaves like it’s part of a botnet, I made a page on Brax.live. Here it is. This web page includes standard features installed by many websites: Google Analytics, Google Tag Manager, and Google AdSense. I won’t demonstrate AdSense since there are no ads, but the concept is the same.

You can look at the source code anytime. Even if you’re not techy, I will scroll through the source code and highlight the modules we’re discussing.

The Embedded Google Website

This is the secret that enables the surveillance we’re talking about. It’s specific to only a few companies, notably Google and Facebook, but I’ll focus on Google here.

If I open DevTools for Brax.live, you will see not only cookies for Brax.live but also cookies for google.com. Normally, only the domain owner can see its own cookies. So how is google.com showing here?

Because Brax.live has an embedded google.com site inside it.
This is done through something called an iframe — a website within a website.

The iframe is sized to be 1 pixel by 1 pixel, meaning it is invisible. It won’t interfere with the appearance, but it brings Google’s cookies into scope.

Summary:
Because third-party websites embed a hidden Google website inside their site, they can access Google identifiers stored in cookies.

The CID

Now I will show you the final identifier used by the website to pass your identity to Google.

Aside from the iframe, Google JavaScript is embedded into the site. JavaScript is the programming language used by browsers. Various scripts are embedded per Google’s instructions.

One of the first things the Google code does is take the original Google identifiers from google.com and translate them into something the third-party site can use. This anonymized identifier is called the Client ID (CID). You will see it as a cookie on Brax.live. Google can translate the CID back to your real Google account.

If you’re logged into multiple devices or browsers, each device will have a different CID, but Google can link them all to the same real ID.

On Android, even if you don’t log into Google on a browser, the device itself is logged into Google. The alternate identifier is the GAID (Google Advertising ID), which serves the same function.

Summary:
Websites obtain an anonymous Client ID that identifies you to Google.

The Bombshell: The Botnet Calls Home

When I say Google can track every click on a website, I mean that literally. To demonstrate, I created a “Click Me” button.

With the Network tab open in DevTools, I click the button. Immediately, a request appears labeled collect. Inside this request are:

→ Your CID
→ The website’s Google Analytics ID
→ The Tag Manager ID
→ The window text
→ The specific label of the button
→ Details of the click itself

Now repeat this test on Brave. On Brave, which has no Google ID, the collect event fails.

Summary:
Whatever you click on a non-Google website is seen and collected by Google, but only if there is a Google ID.

The Fingerprinting Back Door

A direct match of your Google ID is only possible when logged in. But two browser sessions can still be connected through browser fingerprinting. If two separate sessions show the same CID, they’ve been correlated.

This is why privacy windows or isolated tabs are not reliable. The best solution is using separate browsers.

The Browser Isolation Strategy

Since we cannot avoid Google entirely, the strategy is to contain the Google ID.

You should have three browsers:

1. Chrome — for Google only (logged in)
2. Brave — for everything else (never logged in to Google)
3. Firefox — for visiting Google sites without logging in

Google already knows what you do on YouTube or Google Earth, so there’s no additional exposure. The danger comes from visiting non-Google sites with a Google ID present.

Never use Chrome as the default browser. Use Brave or Firefox instead.

On mobile, the issue becomes the device-level ID (GAID). Production phones always identify you to Google. The solution is a de-Google phone like Brax 3, which has no Google code.

Final Thoughts

The Google botnet is not sci-fi. It is real and embedded in up to 80% of websites. You can see it live on Brax.live. Facebook has a similar system, and in my opinion, it is more dangerous.

Use the three-browser strategy:
Chrome for Google, Brave as default, Firefox for Google not logged in.
Use a de-Google phone.
Protect your privacy.

We also invite you to join our Brax.me community. We offer products like Brax Virtual Phone, Brax Mail, BytesVPN, and the Brax 3 phone. Thank you to everyone who supports us.

See you next time.

If you’d like this in a Word doc, PDF, email format, or speaker-ready script, just tell me.

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.