This article is more than 1 year old
Google Chrome pushes ahead with targeted ads based on your browser history
YMMV, based on where you are
Google has been gradually rolling out Chrome's "Enhanced Ad Privacy." That's the technology that, unless switched off, allows websites to target the user with adverts tuned to their online activities and interests based on their browser histories.
A popup announcing this functionality has been appearing for some folks since the July release of Chrome 115, which included support for Google's Topics API, which is part of the tech titan's Privacy Sandbox project.
It would appear more and more people are now seeing this popup as those not keen on Chrome mining their browsing histories to support Google's advertising profits have been speaking up. We understand a small percentage of Chrome's users are being pulled into the Topics API regime at a time, so you may not have noticed or been offered or alerted to anything. And how the Chocolate Factory asks you to agree to or accept the ad targeting depends on where you live, or rather, the laws of where you live.
Google next year aims to drop support for third-party cookies, which store browser data that ad companies use for tracking and analytics – to the frequent detriment of user privacy. The US mega-corp has developed a variety of replacement technologies, such as the Topics API that will allow ad targeting to continue without cookie-based tracking and – it's claimed – no privacy consequences.
Topics essentially works like this: rather than using cookies to track people around the web and figure out their interests from the sites they visit and the apps they use, websites can ask Chrome directly, via its Topics JavaScript API, what sort of things the user is interested in, and then display ads based on that. Chrome picks these topics of interest from studying the user's browser history.
So if you visit lots of financial websites, one of your Chrome-selected topics may be "investing." If a site you visit queries the Topics API, it may learn of this interest from Chrome and decide to serve you an advert about bonds or retirement funds. It also means websites can fetch your online interests straight from your browser.
Some people presented with the notification of the new regime complain it's a dark pattern – a term Googlers consider unfairly provocative – as Chrome users may think they're accepting or enabling "enhanced" privacy from ads when in actual fact the Topics API is already enabled, and will remain enabled, and has to be disabled in the browser's settings. That is to say: the popup is a notice that you've been opted in with a little link to your settings to disable the tech if you so wish.
Will Dormann, a security researcher with the Carnegie Mellon Software Engineering Institute's CERT Coordination Center, noted last week that Google's popup provides a default "Got It" button that dismisses the popup pane and does "the exact opposite of what the title text describes" – it leaves Chrome's ad targeting based on browsing history active.
It's worth noting that this popup does explicitly say, "you can make changes in Chrome settings," and that you can switch off the Topics API support using those linked controls. It otherwise doesn't change the status quo. Where third-party cookies were previously used to deliver targeted ads, Chrome users also had to take steps to disable them.
Nonetheless, there's more push back now against the norms preferred by Google and other ad industry firms.
Matthew Green, a cryptography professor at Johns Hopkins University in the US, just encountered the popup and expressed his dismay.
I definitely don’t want my browser sharing any function of my browsing history with every random website I visit
"I don’t want my browser keeping track of my browsing history to help serve me ads, and I definitely don’t want my browser sharing any function of my browsing history with every random website I visit," he said via Twitter.
And VC Paul Graham has derided ad targeting tech as spyware.
Google has offered repeated reassurances that its Topics API does not allow companies to identify those whose interests inform its ad API. But some developers claim Topics may be useful for browser fingerprinting and both Apple and Mozilla have said they won't adopt Topics due to privacy concerns.
Google's popup appears to have regional variations that make the call to action and the button labels clearer and more consistent. One version that's been reported is titled "Turn on an ad privacy feature" and there's a button that says, "Turn it on."
- Privacy Sandbox, Google's answer to third-party cookies, promised within months
- Google ready to kick the cookie habit by Q3 2024, for real this time
- Google asks websites to kindly not break its shiny new targeted-advertising API
- Maker of Chrome extension with 300,000+ users tells of constant pressure to sell out
Unlike the highlighted "Got It" button cited by Dormann and its unadorned "Settings" companion that defers any decision until the linked menu is loaded, "Turn it on" in this variant menu is the same color as the "No thanks" alternative and performs the action suggested by the popup title.
This variation reflects different legal regimes. Unlike America, where opt-out is acceptable and opt-in requirements are broadly opposed by marketers, EU data privacy rules are more demanding in the way data choices are presented.
So if you see a pop-up with "Got It," you've probably been opted-in, based on where you are, and you need to turn off the Topics API support in your Chrome settings if you don't like it; and if you have the option to "Turn it on," you're being asked to opt in or out as you're in a region that requires it.
Depending on what Chrome version you're using, and whether you've been selected to start using Topics API, you can switch this functionality off and on by visiting chrome://settings/adPrivacy
and/or chrome://settings/privacySandbox
– cut'n'paste these URLs into your address bar to jump straight to the controls.
Screenshot of Google Chrome's Topics API settings, via chrome://settings/adPrivacy
though yours may be at chrome://settings/privacySandbox
... Click to enlarge
"Users in the UK, EEA, and Switzerland who have not already opted out of the Chrome trials will be presented with an invitation to participate in Topics, and manage their participation in Measurement and Protected Audience (formerly FLEDGE)," Google explained to The Register.
"All users will have robust controls, and can make individual choices, per API, at any point. Chrome will continue to evolve the user controls carefully and in consultation with regulators, and will have more to share once they've evaluated this initial rollout to a small percentage of users. All users will have robust controls, and can opt out of eligibility for the trials at any point." ®
Droidnote
Meanwhile, Android 14, which is set to be released later this month, is separating CA certificates from the operating system image so they can be updated remotely without an OS update.
As noted by Tim Perry, creator of the open source HTTP Toolkit, in a blog post, while this is a worthwhile defense against untrustworthy Certificate Authorities, its design will make life more difficult for developers and security researchers.
"Unfortunately though, despite those sensible goals, the reality of the implementation has serious consequences: system CA certificates are no longer loaded from /system, and when using root access to either directly modify or mount over the new location on disk, all changes are ignored by all apps on the device," wrote Perry. "Uh oh."
The Register asked Perry to elaborate and he explained that this doesn't mean much for alternative Android distributions like LineageOS and GrapheneOS because they can disable this feature if necessary.
"This will most seriously affect security & privacy researchers and reverse engineers, who all need to be able to inspect traffic from third-party apps to fully understand the apps' behavior," he said. "[It] will also cause daily practical problems for the many Android developers & testers who use HTTP debugging tools like HTTP Toolkit and others with their own applications. In the development case, it adds significant friction, but it's possible to work around this for your own single app with more complex setup work."
Perry said the change will be a huge problem for security researchers who will have to rely on alternative versions of Android that don't have this change and which may not behave in the same way. And many apps won't run in these alternative Android builds due to protections like Google's Play Integrity API.
Perry said that mobile devices have become increasingly locked down, and even on Linux, restrictions to tools like Flatpak and Snap are moving toward the sandbox model inspired by phones.
"The underlying reasons for locking down like this aren't bad – both desktop computers and mobile phones are huge targets for attackers, and this restriction and others like it will help to protect day to day users from serious risks," he said. "The issue though is that the needs of security and privacy researchers and developers are completely ignored. While it's important to protect devices by default, there need to be practical and officially supported mechanisms for advanced users who know what they're doing to override these protections."