Shot down: Google's grand fancy plan for pro-privacy targeted ads
W3C's techies have a few choice words for the Chocolate Factory
Google's plan to reinvent ad targeting for the postponed post-cookie era has again been complicated by privacy concerns.
After the Chocolate Factory's Federated Learning of Cohorts (FLoC) proposal for delivering interest-based ads in a privacy-preserving way turned out to have less privacy than the package's ingredient list suggested, the ad biz reworked the technology and rebranded it Topics.
The Topics API, one of a number of ostensibly privacy-protecting technologies being developed under the Privacy Sandbox brand, has been sold as a way for web browsers to watch what people do online in a non-creepy way. It's intended as a mechanism to determine and report people's interests – such as hiking or fitness, to pick two innocuous examples – without revealing people's identities to website operators and advertisers.
Third-party cookies, beloved by advertisers as a way to track people online, are on their way out because they're a privacy disaster. Originally, this was supposed to have happened by the end of 2022, but cookies – identifiers servers deposit in client browsers – keep getting reprieves in the absence of any viable replacement. And the process has become slower still due to the intervention of regulators, roused by complaints from Google's ad industry rivals that Privacy Sandbox tech might actually enable privacy and leave ad firms starved of precious data.
In the year since January 2022, when Topics displaced FLoC, various technical types have been kicking the tires of Topics and probing Google's claims about the technology.
Last week, the Technical Architecture Group (TAG) of the World Wide Web Consortium (W3C), the web's technical body, weighed in with its assessment of the Topics API. The group's findings are not good news for Google.
In a post to the Topics code repository, TAG member from Digital Bazaar Amy Guy said the Topics API, intended to facilitate the sharing of interest data with third-parties while preserving privacy, does not achieve its goals.
"The Topics API as proposed puts the browser in a position of sharing information about the user, derived from their browsing history, with any site that can call the API," explained Guy. "This is done in such a way that the user has no fine-grained control over what is revealed, and in what context, or to which parties."
"It also seems likely that a user would struggle to understand what is even happening; data is gathered and sent behind the scenes, quite opaquely. This goes against the principle of enhancing the user's control, and we believe is not appropriate behavior for any software purporting to be an agent of a web user."
- Google's first report on Privacy Sandbox hits UK watchdog's inbox
- Google's FLoC flopped, boffins claim, because it failed to provide promised privacy
- Google starts testing fenced frames to guard its Privacy Sandbox
- Google resumes shoveling stuff into its 'Privacy Sandbox'
Aram Zucker-Scharff, engineering lead for privacy and security compliance at The Washington Post, offered a similarly skeptical review of Topics last August, writing that he did not believe Topics represented a desirable proposal, though he allowed it might be improved.
TAG's Guy went on to identify various concerns about how Topics could facilitate browser fingerprinting, could be used to craft discriminatory content, dealt inadequately with "sensitive" interests and failed to provide necessary user controls.
Guy expressed appreciation for Google's effort to provide privacy-respecting targeted ads, but said the proposal falls short: "In summary, the proposed API appears to maintain the status quo of inappropriate surveillance on the web, and we do not want to see it proceed further."
TAG has been a thorn in Google's side for a while. In 2021, the web architecture group opposed Google's First-Party Sets, another post-cookie plan to treat multiple domains as a single domain for the benefit of advertisers. More recently, it ignored objections by Google, Mozilla, and others by supporting the Decentralized Identifiers specification. But this latest rebuff dismisses years of work and casts doubt on the revenue potential of targeted ads in an environment where privacy concerns can no longer be ignored as if they were just another ineffective Do Not Track signal.
At the same time, Google has been accused of dominating the W3C in order to advance its ad-focused interests and to protect its ability to innovate – to move fast and break things, as Facebook once put it – without the burden of seeking permission or consensus first.
For example, in 2019 Google blocked a proposal revising the charter of the W3C's Privacy Interest Group (PING) based on its concern that the new wording would empower an unchecked "authoritarian review group" capable of creating "significant unnecessary chaos in the development of the web platform."
The Chocolate Factory's attitude toward the W3C can be seen in a 2021 W3C Web Community Interest Group meeting about Google's FLEDGE Privacy Sandbox tech. In reference to technical trade-offers between various proposals, Google software engineer Michael Kleber observed, "The W3C doesn’t get to be the boss of anyone" as he described how browser makers would come to their own decisions and then try to reconcile their choices with those of rivals.
Asked about TAG's unenthusiastic review of Topics, a Google spokesperson suggested Topics is a better alternative than either the paywalls that would inevitably cordon off the web in the absence of content-funding interest-based ads or than the privacy-harming cookie substitutes other marketers would no doubt propose.
"Topics supports interest-based ads that keep the web free and open, and significantly improves privacy compared to third-party cookies," a Google spokesperson told The Register in an emailed statement. "Removing third-party cookies without viable alternatives hurts publishers, and can lead to worse approaches like covert tracking. Many companies are actively testing Topics and Sandbox APIs, and we’re committed to providing the tools to advance privacy and support the web."
Via the wreckage of Twitter, Robin Berjon, a former TAG member who currently works on governance and standards at Protocol Labs, responded to Google's commitment to carry on by noting, "I guess that maintaining the revenue stream from disinformation – which is a key part of what Topics does – is more important to Google in a downturn than keeping the standards process credible." ®