Brit watchdog thinks Google's tweaked Privacy Sandbox still isn't cricket
Good start, but we want further reassurance, says Competition and Markets Authority
Google so far has lived up to its commitments to make room in its Privacy Sandbox for rivals, though the UK's Competition and Markets Authority says a number of concerns still have to be addressed before the web giant's ambitious advertising technology gets its blessing.
The Privacy Sandbox is Google's name for a set of advertising-oriented APIs in its Chrome browser designed to be more privacy-preserving than current privacy-trampling web advertising tech – namely third-party HTTP cookies.
For instance, rather than using these third-party cookies to track a netizen's interests and activities, websites can instead query Chrome directly, via a Privacy Sandbox API, for a list of the user's interests – such as news, gardening, and live music – and then show them ads and special offers based on that. This list of topics is generated by the browser from the user's browsing history.
Technically speaking, Privacy Sandbox can be implemented by other browsers, though Apple and Mozilla, to name two, have rejected aspects of the technology for Safari and Firefox – such as the aforementioned Topics API.
"We are particularly keen on resolving any remaining concerns relating to the design of the Privacy Sandbox tools and to ensure that Google does not use the tools in a way that self-preferences its own advertising services," the Competition and Markets Authority (CMA) explained in an update [PDF] published on Wednesday. "As part of this, we are also looking to clarify the longer-term governance arrangements for the Privacy Sandbox."
Since Google currently has significant control over the direction and development of the Privacy Sandbox, the UK watchdog believes this creates self-preferencing risks. The CMA also wants assurances that Google won't develop its ad technology in a way that reinforces its power over existing ad infrastructure – specifically Google Ad Manager, which supplies more than 90 percent of the display ads served in the UK.
The CMA began investigating Google's Privacy Sandbox plan in January 2021 under Chapter II of Britain's Competition Act 1998. To mollify the watchdog, Google agreed in 2022 to a set of commitments to ensure its ad tech doesn't put competitors at a disadvantage. The CMA's update on this process is the latest quarterly report from the government agency.
We have identified a series of areas that could raise competition concerns
"Based on our current understanding of the APIs and concerns raised with us by stakeholders, we have identified a series of areas that could raise competition concerns," the report reads. "This does not mean that we currently think the Privacy Sandbox changes cannot go ahead, but it is important that the concerns are resolved, either through design changes, assurances from Google about action it will take or refrain from, or other evidence which resolves our concerns."
Google argues that the Privacy Sandbox aims to allow online publishers to continue to operate and generate revenue from ads amid evolving privacy regulations.
"The Privacy Sandbox initiative is focused on keeping people's activity private across an open and free internet," a Google spokesperson declared in a statement emailed to The Register.
"The goal from the outset has been to enable a robust, ad-supported ecosystem that is more privacy preserving for users while enabling businesses to thrive online. More organizations are leaning into this change and showing it's possible to evolve their existing solutions, and build new ones, using Privacy Sandbox and other privacy-preserving technologies."
The goal has been to enable a robust, ad-supported ecosystem that is more privacy preserving for users
HTTP cookies consist of data deposited in web browser files that get used for both necessary functions – such as determining whether a visitor is logged in to a website – and for discretionary functions – like advertising analytics and tracking.
Scripts allowed to run on websites may give third-party partners of the website publisher the ability to read and write cookie files. But because of the associated privacy risks – third-party marketing firms being able track people across all the sites they visit – third-party cookies have been blocked by default in browsers like Firefox and Safari for several years.
Google senior director of product management Victor Wong earlier this month argued that Google's proposed APIs are necessary to support online publishers and that the effort to simply block third-party cookies "makes it harder for publishers to support their content and services, and it's bad for user privacy because it leads to more covert forms of user tracking."
Left unaddressed in this observation is the possibility that more covert forms of tracking may not be legal. As Wong notes elsewhere in his post, "Today, more than half the world is covered by comprehensive privacy and data protection laws, and these requirements are increasing."
So perhaps blocking third-party cookies is not so much bad for privacy as it is bad for scofflaw advertisers who risk fines by flouting legal obligations.
- Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads
- EFF urges Chrome users to get out of the Privacy Sandbox
- Google to start third-party cookie cull for 30 million Chrome users
- Google ready to kick the cookie habit by Q3 2024, for real this time
Google plans to drop support for third-party cookies in its Chrome browser by Q3 this year, once its Privacy Sandbox tech is deemed ready and meets with regulatory approval. Its cookie culling will be an event of some significance in the online ad world, given the dominance of Google Chrome and all the ad services that continue to rely on third-party cookies.
Privacy Sandbox APIs like Topics, Protected Audience, and Attribution Reporting remain controversial – at least among those who haven't boarded Google's bandwagon.
In a missive last week, for example, Jon von Tetzchner, CEO of browser maker Vivaldi, argued that Google's Topics API is no better than Federated Learning of Cohorts (FLoC) – a prior proposal for delivering ads based on people's interests that got shelved.
Your browser would still learn about your interests as you move around the web. So, it's basically spyware
"Topics has the same fundamental problem as FLoC: it enables third parties to build profiles, which is always problematic, no matter how many privacy mitigations you put around it," wrote von Tetzchner. "Your browser would still learn about your interests as you move around the web. So, it’s basically spyware."
In a statement to The Register, James Rosewell, co-founder of Movement for an Open Web, an interest group opposed to Google's ad tech, characterized the CMA's enumeration of ongoing concerns as "a major slap on the wrist for Google." He added, "The breadth and depth of these concerns clearly demonstrate that Privacy Sandbox is not fit for purpose, either in its functionality or in its competitive impact on the market."
Google has brushed off persistent criticism of its plans. Wong's post addresses various objections raised by privacy advocates, backers of rival technology, and others. His responses basically amount to "We disagree."
While not every API will be ready right away, the Privacy Sandbox will open for business soon enough, unless the CMA or another regulatory body intervenes.
The CMA noted, "We are gathering views from interested stakeholders on the issues set out in this report," and will accept feedback via email until February 27, 2024. ®