EFF urges Chrome users to get out of the Privacy Sandbox
Google says Topics warning is anti-innovative fearmongering
The Electronic Frontier Foundation has urged folks to switch off several Privacy Sandbox settings in Google Chrome to mask their online habits, or to consider switching to Mozilla Firefox or Apple Safari.
Chrome's Privacy Sandbox is neither private – preventing one from being observed – nor a sandbox – an environment in which code can be executed in isolation. Rather it's a suite of advertising, analytics, anti-spam, and anti-tracking technologies. The goal for some of these is to replace third-party cookies.
Third-party cookies, because they harm privacy by permitting people to be tracked online, are scheduled to be phased out next year in Chrome. But the online advertising industry isn't entirely sold on Google's replacement technology, and it may be that antitrust cases or other regulatory pressure will lead websites away from Privacy Sandbox and toward industry-backed ad tech like IAB's Seller Defined Audiences.
Google says its Privacy Sandbox has five major goals: fighting spam and fraud on the web; showing relevant ads and content; measuring digital ads; strengthening cross-site privacy boundaries; and limiting covert tracking.
But there are some awkward Topics
The proposal that most troubles the EFF in this instance is Topics, an API for delivering ads based on interests inferred from the web histories of Chrome users.
"Topics is a response to pushback against Google’s proposed Federated Learning of Cohorts (FLoC), which we called 'a terrible idea' because it gave Google even more control over advertising in its browser while not truly protecting user privacy," said Thorin Klosowski, EFF security and privacy activist, in a web essay.
"While there have been some changes to how this works since 2019, Topics is still tracking your internet use for Google’s behavioral advertising."
Basically, Topics, which became generally available in early September, allows websites to query visitors' Chrome browsers – or any other compliant browser – for a recent interest identifier associated with a taxonomy that currently includes 469 interest categories.
Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for adsTOPICS IN-DEPTH
Websites supporting Topics get up to three numbers representing a subset of the visitor's top five interests, some of which may be random if the user has insufficient browsing history. For example, a web publisher querying the Topics API during a visit by someone who views dog-oriented websites might receive the number 268, which corresponds to the interest category "/Pets & Animals/Pets/Dogs." And knowing that the publisher's ad tech might load the visited page with a dog-related ad.
Thus, with Topics, websites can ask browsers directly what someone is interested in, based on their web browsing history, and serve up ads and perhaps other content based on that.
Presently, Topics is available in Google's Chrome browser. Microsoft hasn't committed but is testing some Privacy Sandbox technologies in its Edge browser, which uses Chrome's Chromium engine. Mozilla and Apple have rejected Topics in Firefox and Safari respectively due to privacy concerns. And earlier this year, the Technical Architecture Group (TAG) of the World Wide Web Consortium (W3C), the web's technical body, panned Topics for being opaque and diminishing user control.
Google characterizes Topics as an improvement over the not-very-private status quo in which advertising and analytics firms can follow people across websites.
"With Topics, the specific sites you’ve visited are no longer shared across the web, like they might have been with third-party cookies," the cloud giant says, without mentioning that Google doesn't really need third-party cookies because it already knows a lot about people's web activities from those who use Chrome while signed in to their Google Account.
The EFF argues that Google shouldn't be using the term privacy at all.
Privacy, that word does not mean what you think it means
"Google referring to any of this as 'privacy' is deceiving," said the foundation's Klosowski.
"Even if it's better than third-party cookies, the Privacy Sandbox is still tracking, it's just done by one company instead of dozens. Instead of waffling between different tracking methods, even with mild improvements, we should work towards a world without behavioral ads."
Klosowski explains that for those who won't give up Chrome there's a way to opt out of Topics, of ad retargeting, and of giving advertisers storage space in your browser for ad performance data. Doing so requires navigating through Chrome's three-dot icon to the ad privacy settings page:
(⋮) > Settings > Privacy & Security > Ad Privacy. Or copy this URL
chrome://settings/adPrivacy into the address bar and press enter.
Once there, he advises disabling Ad topics, Site-suggested ads, and Ad measurement.
The EFF also makes Privacy Badger, a browser extension for blocking tracking scripts that was just recently updated to remove tracking links.
- Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads
- Google Chrome pushes ahead with targeted ads based on your browser history
- Google opens up Chrome 117 Developer Tools box, drops in a few spanners
- Google's next big idea for browser security looks like another freedom grab to some
Google contends the EFF is just spreading fear, uncertainty, and doubt.
"We believe the safe use of data can improve user experiences," a Google spokesperson told The Register in an email.
"With daily life’s growing reliance on digital technology, we want to ensure that user data is being used even more responsibly. Privacy-enhancing technologies like on-device storage and differential privacy are at the core of Privacy Sandbox, making it possible for users to get relevant ads without sharing their identity across websites.
"These types of innovative, privacy-preserving personalization approaches are critical to re-imagining a private internet where businesses can thrive. Ignoring how Privacy Sandbox works is at worst fear mongering without cause, and closed mindedness to innovation at best." ®