Mozilla on Wednesday published an assessment of two proposed ad tracking mechanisms intended to fill the void left by third-party cookies and found that both make web privacy worse.
Third-party cookies – files deposited by code on websites to track people online and serve them targeted ads – are on their way out, eventually. Google and the rest of the online ad industry have been working feverishly to come up with replacement technology that allows the lucrative business of ad targeting to continue in a way that preserves user privacy, at least enough to satisfy regulators.
Google and its ad tech allies are doing so through a set of proposals referred to as the Privacy Sandbox, which have suffered some setbacks.
Rival ad firms, worried that Google's next-generation ad targeting scheme will leave them at a disadvantage because of all the data the search giant can bring to bear from its widely used online products and services, have put forth a separate set of proposals to shift the center of gravity in the ad targeting business away from Google while accommodating regulatory concerns and fostering a competitive environment more to their liking.
SWAN is backed by 51Degrees, Engine Media Exchange, OpenX, PubMatic, Rich Audience, Sirdata, and Zeta Global – and is not to be confused with SWAN (Storage With Access Negotiation), a separate proposal within the Privacy Sandbox backed by European data management platform 1plusX.
Unified ID 2.0 is backed by The Trade Desk, Criteo, Magnite, OpenX, Oracle, and many others.
Both SWAN and Unified ID 2.0 aspire to provide each web user with a pseudonymous identifier that ad companies can use for tracking and targeting. And as Mozilla sees it, both fail.
"From a purely technical standpoint, these proposals are a regression in privacy in that they allow tracking of users who are presently protected against tracking," said Mozilla CTO Eric Rescorla and distinguished engineer Martin Thomson, in their assessment of the two projects [PDF]. "Moreover, the techniques used here – especially redirect tracking but also identifier-based tracking – are already ones which most major browsers attempt to prevent."
SWAN imagines a system of intermediaries – operators – who oversee the mapping of users to pseudonymous identifiers and ask internet users for tracking consent, all subject to policy rules referred to as Model Terms.
- Privacy proves elusive in Google's Privacy Sandbox
- Google promises its days as a cold-eyed API-killer are behind it
- Google updates timeline for unpopular Privacy Sandbox, which will kill third-party cookies in Chrome by 2023
- Google herds FLoC back to the lab for undisclosed post-third-party-cookie ad tech modifications
Unified ID 2.0 takes a simpler approach by using email addresses as an initial value that gets salted and hashed to form a pseudonymous identifier.
The problem Mozilla sees with these systems is that both require participants to abide by policies without offering any way that internet users can confirm compliance and both deliberately take steps to bypass anti-tracking protection built into browsers.
The Register contacted James Rosewell, CEO of digital services company 51Degrees and a SWAN.community founder, while on holiday for comment. But he asked that we commit to running his remarks unedited or with any edit subject to his approval – not something The Register does. Suffice to say that he disagrees with Mozilla's conclusions and argues browser makers alone should not decide how the web works.
In a message to The Register, Zach Edwards, co-founder of web analytics biz Victory Medium, said he largely agreed with Mozilla's takedown of SWAN.
"It's slightly odd that Mozilla combined UID2 + SWAN into one paper, but that, in my opinion, is a huge snub by Mozilla of these two growing standards, and proof that Mozilla wants to compete with the Chromium browsers for privacy," he said. "Basically Mozilla saying we can't have policies that dictate trust, we must build technical walls that don't allow nuance or require trust-falls." ®