Google dragged to UK watchdog over Chrome's upcoming IP address cloaking
Marketers tell antitrust cops privacy proxy will make it harder to protect kids online, etc etc
Exclusive: Google's plan to prevent marketers from tracking Chrome users across different websites by anonymizing IP addresses is being challenged by, surprise surprise, a marketing advocacy group.
The Movement for an Open Web (MOW), an organization that has lobbied against Google's Privacy Sandbox initiative by claiming it's harmful to rival internet advertising businesses, has filed a complaint with the UK's Competition and Markets Authority (CMA) over Google's IP Protection proposal.
IP Protection, previously referred to as "ip-blindness" or "Gnatcatcher," is a proxy system similar to Apple's Privacy Relay. It's designed to run Chrome browser connections through two proxies, one operated by Google and one operated by a third-party (eg, Cloudflare), so that the true public IP address of the user is obscured, hopefully thwarting attempts to track them around the web using that address.
IP Protection is expected to appear in a future version of Chrome, possibly as soon as January 2024 with the debut of Chrome 122.
The Google-run proxy can observe the user's IP address but not the websites being visited and the third-party proxy can see the web servers being visited but not the IP address of the visitor. By separating the user's IP address from the user's destination through Google's service, websites and intermediaries cannot (without additional information) link people's IP addresses to their browsing habits to create marketing profiles.
Initially, IP Protection will be opt-in, but Google intends to make it the default setting for the Chrome browser.
MOW objects to this project as a violation of Google's commitments to the CMA, a set of promises the ad biz made to the UK competition watchdog to win approval for its plan to replace third-party cookies with Privacy Sandbox technologies.
"Google's IP Protection means ISPs will no longer have visibility of data via an IP address whilst leaving Google with the ability to monitor and process data at all times," says a letter from MOW's London-based legal representative Preiskel & Co LLP to the CMA and to UK telecom regulator Ofcom, which was provided to The Register.
"This will make the provision of child protection services more difficult for ISPs."
The CMA declined to comment though acknowledged receipt of MOW's complaint.
The need to protect children has become a common rationale for efforts to weaken encryption in Europe, the UK, and the US. And marketers, like law enforcement agencies, fear that privacy technologies will leave them in the dark and without the lucrative data they've come to depend upon.
Such concerns have already surfaced in the IP Protection GitHub repo. For example, one pseudonymous individual who claims to help advertising clients optimize Google AdWords campaigns says that IP addresses play a critical role in fraud prevention.
"By monitoring individual IP address activity for each campaign and those IP addresses clicking on keywords 10+ times per day, we have been able to exclude these IP addresses," the purported marketer wrote in early August.
"The result is that we have maintained the performance of each campaign but significantly reduced the monthly spend for our clients. If we do not have access to granular IP addresses, we will no longer be able to help our clients save money, this will lead to reduced campaign performance and will no doubt lead to us turning off a number of campaigns as the economics will no longer work."
For MOW, the concern is that Google would still have data denied to rivals.
"This is a blatant and egregious breach of the commitments made by Google to the CMA to prevent it acting in an anti-competitive fashion," said Tim Cowen, co-founder of MOW, in a statement provided to The Register. "They have started to roll out a clearly self-preferencing technology as part of Privacy Sandbox without adequate notice or testing.
"As with all aspects of the Sandbox, IP Protection is an anti-competitive technology that Google is attempting to impose upon the web under the veil of privacy. It removes an important piece of data from Google’s competitors whilst they can continue to make use of it."
MOW's letter to the CMA cites specific objections as to why IP Protection contravenes Google's promises to the agency. IP Protection, it's claimed, makes it more difficult for VPN operators to compete; restricts access to data that Google's ad systems rely on; lacks the testing Google promised to do; and removes functionality without proof of its effectiveness.
The missive also notes that Google has not sought a design review from the W3C's Technical Architecture Group (TAG). According to MOW, the likely reason is to avoid criticism "for the feature's anticompetitive impact and its blatant attempt to privatize the Open Web."
Spokespeople for Google were unavailable for comment. ®
Updated to add
In a statement provided to The Register after this story was published, a Google spokesperson said:
"Critics claiming that our IP Protection proposal is self-preferential to Google are either knowingly misrepresenting the facts, or simply don’t understand what is being proposed. The IP Protection proposal includes a two-hop proxy system, with one proxy being operated by a third-party.
"This means that Google, along with the rest of the industry, will not be able to see both the client IP address and user destination. Currently, we are testing IP Protection internally at Google, and in Chrome pre-stable builds, on traffic for Google Ads. So any claims that this feature is being ‘rolled out’ to the broader web without ‘notice or testing’ are untrue."