UK data watchdog questions how private Google's Privacy Sandbox is

Leaked draft report says stated goals still come up short

Google's Privacy Sandbox, which aspires to provide privacy-preserving ad targeting and analytics, still isn't sufficiently private.

According to a draft report from the UK's Information Commissioner's Office (ICO), obtained by the Wall Street Journal, the technology leaves gaps that can be exploited to deny privacy and track people online.

That's essentially the status quo today in an online ad ecosystem that exploits web cookies, cross-app identifiers, and browser fingerprinting to follow people on the internet and fling targeted ads at them.

But Google's Privacy Sandbox has been touted as a way "to make current tracking mechanisms obsolete, and block covert tracking techniques, like fingerprinting," while still serving business marketing needs. So if its privacy assurances aren't credible, the project has no reason for being.

Were the Privacy Sandbox to collapse under the weight of regulatory prodding, community suspicion, and competitive sniping, that would be just fine for ad tech rivals – they'd prefer to keep tracking people online as they have been or with some more modern method that involves Google less.

The draft report – on which an ICO spokesperson declined to comment – represents the latest in a series of setbacks for Google's effort to make ad targeting viable without violating privacy laws like Europe's General Data Protection Regulation.

Google's grand plan involves moving some of the mechanics of ad auctions – the selling of ad space and delivery of ads to fill that space – from remote servers to internet users' local devices, through web APIs, implemented in Chrome and soon Edge, and Android APIs.

One such API, Topics, has been available in Chrome since last year and purports to provide a way to convey the interests of browser users (e.g. shopping, sports, or the like) to advertisers in a way that prevents the person from being identified or tracked across websites.

The Electronic Frontier Foundation has called it "a terrible idea" because it still supports behavioral advertising. And the fact that Google has required advertisers testing the tech to promise to use the system in a non-abusive way suggests the privacy promises presently depend on good behavior rather than technical guarantees. Rival browser maker Vivaldi has described Topics as "basically spyware."

Given the money at stake, $690 billion in estimated 2024 global ad spend per eMarketer, it turns out there's some skepticism about rebuilding the internet's ad architecture on Google properties, given the Chocolate Factory's existing market dominance.

Just two months ago, the UK's Competition and Markets Authority, which has been overseeing the Privacy Sandbox effort based on antitrust concerns and commitments from Google to play nice, published an update that found the technology being developed still posed the potential to put competitors at a disadvantage.

With the ICO raising doubts about the privacy promises of the touted ad tech, Google may need to further delay its timeline for dropping third-party cookie support in Chrome.

Regulators are not the only ones raising concerns. Earlier this year, the Internet Advertising Bureau (IAB), an ad industry trade group, published its analysis [PDF] of the Privacy Sandbox.

"In its current form, the Privacy Sandbox may limit the industry's ability to deliver relevant, effective advertising, placing smaller media companies and brands at a significant competitive disadvantage," the IAB report states. "The stringent requirements could throttle their ability to compete, ultimately impacting the industry's growth."

Google in February published a lengthy rebuttal that suggests the IAB doesn't share its goal of enhancing privacy while allowing targeted advertising to continue.

And the ad slinger remains optimistic that it can resolve regulatory concerns.

"Privacy Sandbox technologies are designed to deliver meaningful privacy improvements and provide the industry with privacy-preserving alternatives to cross-site tracking," a Google spokesperson told The Register in an email. "We've been closely engaging with the ICO, and other privacy and competition regulators globally, and will continue to do that to reach an outcome that works for users and the entire ecosystem." ®

More about

TIP US OFF

Send us news


Other stories you might like