Google’s Sandbox Initiative, FLoC, and an end to third party cookies
In August 2019, Google announced its Privacy Sandbox initiative, ostensibly ‘a set of standards to fundamentally enhance privacy on the web’ (Chromium blog). A sandbox in the computing world is an isolated environment which allows users to run programmes or files without affecting the system or platform they run on, and they can be used to run suspicious code without risk of harm to the network. Google’s intention was to oversee a gradual phasing out of third-party cookies in Chrome, replacing them with more private browser features while continuing to allow advertisers to conduct tracking and measurement.
As a Chrome user, some websites you visit may add a third-party cookie on your device – these are set by a domain that you are not visiting directly. They are mainly used for tracking and online advertising and happen when a publisher adds third-party elements to their site. However, they also allow website owners to provide services to their customers such as chatbots and social plugins.
If Google does successfully remove third party cookies (anticipated by 2022), they won’t be the first to address the issue - Firefox blocked third party cookies in 2019, two years after Safari limited cookie tracking. However, given Google’s market share, their removal of third-party cookies could arguably have the biggest impact.
Google’s plan involves FLoC (Federated Learning of Cohorts), an AI system claiming to offer a privacy-first alternative to third party cookies that will categorise web users according to their history (among other things). By gathering users into flocks or cohorts based on browsing history, Google argues that individual preferences will remain hidden to advertisers and FLoC’s on-device processing will also keep everyone’s browsing history private. The information on these groups of users can then be used for ad targeting.
While these cohorts may sound like a good alternative to third party cookie information gathering, there is a cautionary note to be aware of. In 2019, eff.org highlighted the use of ‘flock names’ to identify types of web user. The flock name would be shared with everyone a user interacts with, acting like a ‘behavioural credit score’ that could reveal information about purchase history and user associates. Although Google has said that sensitive data can be omitted from browsing history, ‘sensitive’ data are different to different people.These flocks could become prey to discrimination from advertisers who would be able to filter out vulnerable groups, for example those most prone to descending into financial difficulty, or, worse still, group users by other attributes including race, sexuality or religious belief. Eff.org argues that ‘FLoC is the opposite of privacy-preserving technology. Today, trackers follow you around the web, skulking in the digital shadows in order to guess at what kind of person you might be. In Google’s future, they will sit back, relax, and let your browser do the work for them.’
FLoC will begin testing in March this year but it has already caught the eye of the CMA (Competition and Markets Authority) who announced on January 8th that it would investigate Google’s proposed Privacy Sandbox changes. The CMA will look to see whether Google’s proposals could distort competition, by concentrating advertising spend on Google at the expense of its competitors. The CMA’s investigation comes following a series of complaints from newspaper publishers and tech companies that believe Google is taking advantage of its market position. More information regarding the CMA’s investigation can be found here
It must be pointed out that FLoC is only one of 5 different Privacy Sandbox proposals being put forward by Google, with others including “fraud detection, the tailoring of content, first-party treatment of a company’s owned and related domains, ads measurement, and a private-by-default way to request browser info” (Chromium blog), so no one knows how this will all end. We can speculate on the outcome, and doubtless there will need to be compromises made on all sides, but for now all we can do is wait.
Google Logo, courtesy of Google Inc., Public domain, via Wikimedia Commons
