Privacy Sandbox
Formation | August 2019 |
---|---|
Founder | |
Type | Initiative |
Purpose | Development of web standards |
Website | privacysandbox |
The Privacy Sandbox is an initiative led by Google to create web standards that let websites access user information without compromising privacy.[1] Its core purpose is to keep online advertising working by sharing a limited subset of private user information without third-party cookies.[2]: 39 The initiative comprises a number of proposals; many of them carry bird-themed code names that are replaced once the corresponding feature reaches general availability.[3] The technologies include the Topics API (formerly Federated Learning of Cohorts, FLoC),[4] Protected Audience, Attribution Reporting, Private Aggregation, Shared Storage and Fenced Frames, as well as further proposed technologies.[5] The project was announced in August 2019.[6][7]
On September 7, 2023, Google announced general availability of Privacy Sandbox APIs, naming explicitly Topics, Protected Audience, Attribution Reporting, Private Aggregation, Shared Storage and Fenced Frames, meaning these features were enabled for more than half of Google Chrome users.[8][9] Privacy Sandbox features were also made available on Android around the same time.[10][11]
The initiative has been described as anti-competitive and has drawn antitrust scrutiny, over concerns that its proposals limit tracking through traditional methods while pushing advertisers to use Google as a middleman in order to show advertisements.
Model
Proposals in the Privacy Sandbox follow the idea of k-anonymity (any group reported about a user contains at least k users) and are based on advertising to groups of people, called cohorts, instead of tracking individuals. They generally place the web browser in control of the user's privacy, moving some of the data collection and processing that facilitates advertising onto the user's device itself.[2]: 41 There are three focuses within the Privacy Sandbox initiative: replacing the functionality of cross-site tracking, removing third-party cookies, and mitigating the risk of device fingerprinting.[2]: 45
Proposals
In January 2020, Google invited advertising technology companies to join the Improving Web Advertising Business Group (IWABG) of the World Wide Web Consortium (W3C) as a way to participate in the proposal process for the Privacy Sandbox.[12]
Proposal | Description | Status |
---|---|---|
Federated Learning of Cohorts (FLoC) | The Federated Learning of Cohorts algorithm analyzed a user's browsing activity within the browser and generated a "cohort ID" using the SimHash algorithm[14] to group that user with other users who accessed similar content.[15]: 9 | Discontinued |
TURTLEDOVE | TURTLEDOVE, which stands for "Two Uncorrelated Requests, Then Locally-Executed Decision On Victory",[2]: 45 is a framework proposed by Google to serve ads through the browser.[2]: 49 | Partially implemented |
Private state tokens | Private state tokens can be issued by a website to browsers whose behaviour indicates a real person rather than a bot or attacker, and redeemed later on another site. The tokens are issued with a blind-signature scheme, so a redeemed token cannot be linked back to the browser it was issued to and does not identify the user.[16] | Implemented |
Related Website Sets | Related Website Sets (formerly known as First-Party Sets) lets an organisation that operates several sites under different domain names declare them as a single "related set" that browsers recognise as such. The exchange of information outside a related website set remains restricted to safeguard user privacy.[17] | Implemented |
CHIPS | CHIPS (Cookies Having Independent Partitioned State) accounts for embedded services that need to remember a user's activity on a particular site in order to function. A cookie set with the Partitioned attribute is keyed to the top-level site in which the embed was loaded, so the embedded service gets a separate cookie jar for each top-level site and cannot use one cookie to recognise the user across sites. | Implemented |
Storage Partitioning | Storage Partitioning isolates certain web platform APIs used for storage or communication when they are used by a service embedded in a given site, so that the embed cannot share state across the sites that embed it. This improves web privacy while keeping compatibility with existing sites.[18] | Implemented |
Network State Partitioning | Network State Partitioning will partition a browser’s network resources to prevent these resources from being shared across first-party contexts. It requires each request to have an additional "network partition key" for resources to be reused and safeguards user privacy by disallowing access to shared resources and metadata learned from loading other sites.[18] | Implemented |
Federated Credential Management | Federated Credential Management is an API that will provide support for single sign-on designs that previously depended on third-party cookies.[19] | Implemented |
Client Hints | The Client Hints API lets a site request the specific browser details it needs on demand instead of receiving the full User-Agent string, a significant passive-fingerprinting surface, with every request; this reduces the details shared about a user by default.[20] | Implemented |
User Agent reduction | User Agent reduction minimizes the information in the User-Agent string (for example, freezing the platform version and all but the major browser version), thereby reducing its usefulness for passive fingerprinting.[20] | Implemented |
Privacy Budget | Privacy Budget aimed to limit fingerprinting by restricting the identifying information that a site is allowed to access.[7] | Discontinued |
HTTP Cache Partitioning | HTTP Cache Partitioning keys each cached resource by a "network isolation key", composed of the top-level site and the current frame's site, in addition to the resource URL. A page on one site therefore cannot infer whether a resource was cached while the user visited a different site.[21] | Implemented |
IP Protection | IP Protection is a proposal to hide a user's IP address from third parties by routing traffic through a two-hop anonymising proxy.[22] | Proposed |
DNS-over-HTTPS | The DNS-over-HTTPS protocol prevents attackers from observing the sites a user visits by encrypting Domain Name System (DNS) queries.[23] | Implemented |
Topics API | Topics API aims to provide the means for advertisers to show relevant content and ads by sharing interest-based categories, or 'topics', based on recent browsing history processed on the user device.[24] | Implemented |
Fenced Frames API | A fenced frame is an embedded frame type that cannot communicate with its host page. That isolation makes it safe for the frame to read unpartitioned storage, since any identifier it finds there cannot be joined with the top-level site. Advertisements selected through FLEDGE-based APIs may only be rendered inside fenced frames.[25] | Implemented |
Attribution Reporting API | The Attribution Reporting API facilitates conversion tracking, for example, recording whenever a click on an ad or a view results in a purchase, while suppressing the ability to track users across multiple websites.[26] | Implemented |
Protected Audience API | Protected Audience API is designed for targeting of interested audiences, including through retargeting. It allows vendors selected for advertising to take an advertiser’s website data and to place users in interest groups specifically defined for a given advertiser, meaning that users can see tailored ads, with no infringement on their privacy.[27] Prior to reaching global availability on August 17, 2023, the technology was known as "First Locally-Executed Decision over Groups Experiment", (FLEDGE).[28][29] | Implemented |
Private Aggregation | Private Aggregation API can be used to track aggregated statistics across ad campaigns.[30] | Implemented |
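The FLoC row above (and the k-anonymity principle in the Model section) describes cohort assignment only in outline. The following is an added illustration, not Chrome's FLoC code: it builds a SimHash fingerprint from the set of hostnames a user visited, takes a high-order prefix of the fingerprint as the cohort ID (prefix LSH), and then checks that every cohort reported has at least k members, withholding the cohort for users in smaller groups. The 32-bit FNV-1a feature hash, the 32-bit fingerprint width, the prefix length and the browsing histories are all assumptions made for the example.

```javascript
// Added example of FLoC-style cohort assignment; not Chrome's implementation.
// Feature = hostname visited; fingerprint = 32-bit SimHash; cohort = prefix bits.
const HASH_BITS = 32;

// FNV-1a, 32-bit. Assumption: any stable per-feature hash would do here.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// SimHash: every feature votes +1/-1 on each bit position according to the bits
// of its own hash; the fingerprint takes the sign of each column sum. Feature sets
// that overlap heavily therefore land on fingerprints with small Hamming distance.
function simhash(features) {
  const votes = new Array(HASH_BITS).fill(0);
  for (const f of features) {
    const h = fnv1a32(f);
    for (let i = 0; i < HASH_BITS; i++) votes[i] += ((h >>> i) & 1) ? 1 : -1;
  }
  let fp = 0;
  for (let i = 0; i < HASH_BITS; i++) if (votes[i] > 0) fp |= (1 << i);
  return fp >>> 0;
}

// Number of differing bits between two fingerprints.
function hamming(a, b) {
  let x = (a ^ b) >>> 0, n = 0;
  while (x) { x = (x & (x - 1)) >>> 0; n++; }
  return n;
}

// Prefix-LSH cohort: keep the `prefixBits` most significant fingerprint bits,
// so users with nearby fingerprints share a cohort ID. Valid range is 1..32.
function cohortId(features, prefixBits) {
  if (prefixBits < 1 || prefixBits > HASH_BITS) throw new RangeError('prefixBits must be 1..32');
  return simhash(features) >>> (HASH_BITS - prefixBits);
}

// k-anonymity check: a cohort may only be exposed to sites if at least k users
// share it. Returns per-cohort sizes and the users whose cohort must be withheld.
function kAnonymityCheck(userToCohort, k) {
  const sizes = new Map();
  for (const c of Object.values(userToCohort)) sizes.set(c, (sizes.get(c) || 0) + 1);
  const suppressed = Object.entries(userToCohort)
    .filter(([, c]) => sizes.get(c) < k)
    .map(([user]) => user);
  return { sizes, suppressed };
}

// Constructed browsing histories for the example (not real data).
const HISTORIES = {
  alice: ['news.example', 'recipes.example', 'sports.example'],
  bob:   ['news.example', 'recipes.example', 'sports.example'],
  carol: ['news.example', 'recipes.example', 'sports.example'],
  dave:  ['crypto.example', 'forum.example', 'games.example', 'auto.example'],
};

// Assign every user a cohort and apply the k-anonymity threshold.
function assignCohorts(histories, prefixBits, k) {
  const userToCohort = {};
  for (const [user, hosts] of Object.entries(histories)) userToCohort[user] = cohortId(hosts, prefixBits);
  return { userToCohort, ...kAnonymityCheck(userToCohort, k) };
}

console.log(assignCohorts(HISTORIES, 8, 3));
```

The two knobs interact: a shorter prefix yields larger, less specific cohorts and fewer suppressions; a longer prefix makes cohorts more descriptive and therefore more likely to fall below k. A privacy review of such a scheme looks at exactly that trade-off, plus what the cohort ID reveals when joined with other signals.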
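For the CHIPS row, the practical question is whether a given Set-Cookie header will actually be accepted as a partitioned cookie. The following linter is an added example, not code from the Privacy Sandbox project; the rules it encodes are the Partitioned attribute's requirement of Secure, the need for SameSite=None on a cookie used by a cross-site embed, and the __Host- prefix rules (Secure, Path=/, no Domain). The cookie names and values are constructed for the example.

```javascript
// Added example: lint a Set-Cookie header intended as a partitioned (CHIPS) cookie.
// Not project code. Assumptions: the checks below match the attribute semantics in
// current Chromium; adapt the recommendation set to your own deployment.

// Split "name=value; Attr; Attr=val" into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq >= 0 ? parts[0].slice(0, eq) : parts[0];
  const value = eq >= 0 ? parts[0].slice(eq + 1) : '';
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i >= 0 ? p.slice(0, i) : p).toLowerCase();
    attrs[key] = i >= 0 ? p.slice(i + 1) : true;
  }
  return { name, value, attrs };
}

// problems: the cookie will be rejected or never sent in a cross-site embed.
// warnings: accepted, but weaker than the recommended __Host- form.
function lintPartitionedCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const warnings = [];
  const partitioned = 'partitioned' in attrs;
  if (!partitioned) problems.push('missing Partitioned: this stays a conventional third-party cookie');
  if (!('secure' in attrs)) problems.push('missing Secure: a Partitioned cookie is rejected without Secure');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite !== 'none') problems.push('SameSite must be None for a cookie used by a cross-site embed');
  if (name.startsWith('__Host-')) {
    if (attrs.path !== '/') problems.push('__Host- cookies require Path=/');
    if ('domain' in attrs) problems.push('__Host- cookies must not set Domain');
  } else {
    warnings.push('prefer the __Host- prefix (binds the cookie to one host: Secure, Path=/, no Domain)');
  }
  return { name, partitioned, ok: problems.length === 0, problems, warnings };
}

// The recommended shape for an embedded widget's session cookie (constructed value).
function examplePartitionedCookie() {
  return lintPartitionedCookie('__Host-embed_session=abc123; Secure; Path=/; SameSite=None; Partitioned');
}

console.log(examplePartitionedCookie());
console.log(lintPartitionedCookie('sid=abc123; SameSite=None; Partitioned'));
```

Run it over the Set-Cookie headers your embedded endpoints emit; the common failure in practice is a Partitioned cookie without Secure, which is dropped silently rather than set unpartitioned.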
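The Client Hints and User Agent reduction rows describe what the browser sends; the following added example (not project code) shows the server side: parsing a Sec-CH-UA structured-field list into brands while recognising GREASE entries, picking the real brand, and detecting the reduced User-Agent form. The GREASE pattern matched (Not, A, Brand separated by arbitrary punctuation) and the "Chrome/<major>.0.0.0" reduced form are the documented shapes; the header values are constructed.

```javascript
// Added example: parse Sec-CH-UA / Sec-CH-UA-Full-Version-List and detect a
// reduced User-Agent. Not project code; assumptions are noted inline.

// Each list member is "<brand>";v="<version>". GREASE brands may contain ';', ')'
// or '/', so match on the quoted-string grammar rather than splitting on ';'.
const UA_CH_ITEM = /"((?:[^"\\]|\\.)*)"\s*;\s*v\s*=\s*"((?:[^"\\]|\\.)*)"/g;

// GREASE brands take the form Not<punct>A<punct>Brand. Assumption: only that
// shape is treated as GREASE; any other brand is taken at face value.
function isGreaseBrand(brand) {
  return /^Not[^A-Za-z0-9]A[^A-Za-z0-9]Brand$/.test(brand);
}

// Returns [{ brand, version, grease }, ...] in header order.
function parseSecChUa(value) {
  const brands = [];
  for (const m of value.matchAll(UA_CH_ITEM)) {
    const brand = m[1].replace(/\\(.)/g, '$1'); // unescape \" and \\ inside the quoted string
    brands.push({ brand, version: m[2], grease: isGreaseBrand(brand) });
  }
  return brands;
}

// The most specific real brand: a non-GREASE entry other than "Chromium" if present,
// otherwise "Chromium" itself, otherwise null.
function primaryBrand(brands) {
  const real = brands.filter(b => !b.grease);
  return real.find(b => b.brand !== 'Chromium') || real[0] || null;
}

// Reduced UA strings keep only the major version: "Chrome/<major>.0.0.0".
// A full minor/build/patch version means the sender is an older or non-reduced client.
function isReducedUserAgent(ua) {
  return /Chrome\/\d+\.0\.0\.0(?:\s|$)/.test(ua);
}

// Constructed header values for the example.
const SEC_CH_UA = '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"';
const REDUCED_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36';

console.log(primaryBrand(parseSecChUa(SEC_CH_UA)), isReducedUserAgent(REDUCED_UA));
```

Anything that needs the fields the reduced string no longer carries (full version, platform version, model) has to ask for them explicitly with Accept-CH and receive them as Sec-CH-UA-* request headers; a parser that still scrapes the User-Agent string will silently read zeros.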
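The Storage Partitioning, Network State Partitioning and HTTP Cache Partitioning rows all rest on the same idea: state is keyed by the top-level site and the frame's site rather than by the resource alone. The following added example (not Chromium code) computes such a partition key from URLs and shows why it stops a classic cross-site cache probe. The site computation uses a tiny constructed subset of the Public Suffix List, and the key format is illustrative; the real implementation consults the full list and uses its own internal representation.

```javascript
// Added example: schemeful site and partition-key computation for partitioned
// cache / network state. Not Chromium code; the suffix list is a constructed subset.

// Constructed subset of the Public Suffix List (the real list is far larger).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'uk', 'co.uk', 'example', 'github.io']);

// Schemeful site = scheme + registrable domain (eTLD+1). Subdomains of one
// registrable domain are the same site; http and https are different sites.
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split('.');
  let suffixLen = 1;
  // Try every trailing label sequence; the longest one on the list is the public suffix.
  for (let i = labels.length - 1; i >= 0; i--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) suffixLen = labels.length - i;
  }
  const registrable = labels.slice(Math.max(0, labels.length - suffixLen - 1)).join('.');
  return `${u.protocol}//${registrable}`;
}

// Network isolation key = (top-level site, current frame's site).
function networkPartitionKey(topLevelUrl, frameUrl) {
  return `${siteOf(topLevelUrl)} ${siteOf(frameUrl)}`;
}

// Cache key = network isolation key + resource URL.
function cacheKey(topLevelUrl, frameUrl, resourceUrl) {
  return `${networkPartitionKey(topLevelUrl, frameUrl)} ${resourceUrl}`;
}

// Cross-site cache probe. The victim's visit to news.example caches lib.js; a page on
// evil.example then asks for the same URL. With an unpartitioned cache that lookup
// would hit (fast load reveals the visit); with the partitioned key it misses.
function cacheProbeDemo() {
  const cache = new Map();
  const victimKey = cacheKey('https://news.example/article', 'https://news.example/article', 'https://cdn.example/lib.js');
  cache.set(victimKey, 'cached response');
  const probeKey = cacheKey('https://evil.example/probe', 'https://evil.example/probe', 'https://cdn.example/lib.js');
  return cache.has(probeKey); // false: the attacker's partition is empty
}

console.log(siteOf('https://a.news.example/x'), cacheProbeDemo());
```

The same key shape applies to the resource pools covered by Network State Partitioning (connections, DNS results, HSTS state and the like): any pool that is shared across top-level sites can be turned into a cross-site tracking or probing channel, which is the attack class the cited cache-probing and pool-party work describes.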
Privacy Sandbox for Android
For Android, the Privacy Sandbox uses technology that operates without cross-app identifiers such as the Android (Google) Advertising ID. The SDK Runtime limits covert tracking and collection of user data by running third-party code, such as advertising SDKs, in a process separate from the app's own code.
For the measurement of digital ads, the Attribution Reporting API is intended to supersede current measurement methods with solutions not reliant on user-level tracking mechanisms.
In order to continue to show relevant ads and content on Android, Topics will present categories that are based on the use of apps on a user’s device and are selected only through a given device’s settings. To further supplement privacy on Android, FLEDGE will use “custom audiences” that are built by app developers based on interactions with their app, information that will be stored locally so that no individual identifiers are shared with external parties.
Testing
On March 31, 2022, Google announced the start of a single origin trial, for the Topics, FLEDGE and Attribution Reporting APIs. It allows sites to run unified experiments across the APIs.
In October 2022 RTB House published its findings from actively testing FLEDGE by adding users to interest groups; Google and Criteo also ran tests. The report highlighted that, while positive, the FLEDGE origin trials were limited in scope. It noted that a number of essential features of FLEDGE, specifically the k-anonymity requirements, were not available for testing and would require adjustments after industry feedback.[31]
The scale of tests is increasing. Google Chrome aims to dedicate H1 of 2023 to developer testing, and make FLEDGE available for the entirety of Chrome users in H2 of 2023.[32]
In November 2022 the Competition and Markets Authority released a report on Google's quantitative testing of its Sandbox technologies that highlighted the importance of the industry adopting a common testing framework, so that performance tests could be conducted more widely across multiple testing entities. Google developed such a framework in cooperation with the CMA and sought engagement with market participants on the design of testing through at least the beginning of general availability in Q3 2023.[33]
Criticism
Google's Privacy Sandbox proposals for privacy-preserving ads have garnered significant pushback. Concerns have been raised that the proposals are anticompetitive and privacy-compromising.[34] Google's initial proposal for privacy-preserving ads under the Privacy Sandbox umbrella (codenamed FLoC) received significant opposition from browser vendors. Mozilla, the company that makes Firefox, released a statement committing not to implement FLoC or related web advertising proposals.[35][36] Apple, the maker of Safari, took a negative position against the proposal.[37][38] Chromium derivatives such as Brave, Vivaldi and Microsoft Edge disabled the feature by default.[39] Concerns were raised that FLoC could allow websites to track users in new ways that were not possible with third-party cookies, the technology FLoC was meant to replace.[36] Multiple media outlets and privacy advocacy groups criticised Google's decision to enable the feature by default for all users during the testing phase.[40][41][35] This led Google to withdraw the proposal in early 2022.[42]
Google's replacement for FLoC, known as the Topics API,[43] faced similar criticism from various groups.[44][45] Mozilla pointed out flaws in the Topics API's design, highlighting that it could allow large advertising networks to reidentify and track users by aggregating their interests across numerous websites.[46] Apple echoed similar concerns, also noting that the proposal contradicted efforts made by other browsers to partition data on a per-site basis.[47] Furthermore, when the proposal was initially announced, there were uncertainties about how Google or other browser vendors would establish a taxonomy of topics, a critical aspect of the API that was left underspecified.[47][46] Alongside the Topics API, Google's other proposals within the Privacy Sandbox, such as Client Hints, have also sparked significant privacy concerns among other browsers. These concerns primarily revolved around the potential for Client Hints to expand the surface area for passive fingerprinting on browsers.[48]
Because Google owns the browser with the largest market share, concerns have been raised about the anticompetitive nature of its proposals. Consequently, in January 2021, the Competition and Markets Authority (CMA) in the United Kingdom announced plans to investigate the Privacy Sandbox initiative, with a focus on its potential impacts on both publishers and users.[49] The CMA subsequently accepted legally binding commitments offered by Google concerning its proposals to remove third-party cookies from Chrome and to develop the Privacy Sandbox. The formal acceptance of these commitments by the CMA resulted in the closure of the investigation, with no decision on whether the Competition Act 1998 had been infringed.[50] The CMA reported that Google was complying with its legally binding commitments between July 2022 and September 2022.[51] In March 2021, 15 attorneys general of U.S. states and Puerto Rico amended an antitrust complaint filed the previous December; the updated complaint says that Google Chrome's phase-out of third-party cookies in 2022[52] will "disable the primary cookie-tracking technology almost all non-Google publishers currently use to track users and target ads. Then [...] Chrome, will offer [...] new and alternative tracking mechanisms [...] dubbed Privacy Sandbox. Overall, the changes are anticompetitive".[53][54] The lawsuit argues that the proposed changes in the Privacy Sandbox would effectively require advertisers to use Google as a middleman in order to advertise.[52]
References
- ^ Lardinois, Frederic (August 22, 2019). "Google proposes new privacy and anti-fingerprinting controls for the web". TechCrunch. Retrieved 2021-05-19.
- ^ a b c d e Geradin, Damien; Katsifis, Dimitrios; Karanikioti, Theano (2020-11-25). "Google as a de facto Privacy Regulator: Analyzing Chrome's Removal of Third-party Cookies from an Antitrust Perspective". Tilburg Law and Economics Center (DP2020-038). Rochester, NY. doi:10.2139/ssrn.3738107. ISSN 1572-4042. S2CID 234583355. SSRN 3738107.
- ^ Bohn, Dieter (2021-03-30). "Privacy and ads in Chrome are about to become FLoCing complicated". The Verge. Retrieved 2021-05-19.
- ^ Nield, David (2021-05-09). "What's Google FLoC? And How Does It Affect Your Privacy?". Wired. ISSN 1059-1028. Retrieved 2023-09-30.
- ^ Lardinois, Frederic (2023-07-20). "Google starts the GA rollout of its Privacy Sandbox APIs to all Chrome users". TechCrunch. Retrieved 2023-09-30.
- ^ Goodin, Dan (2020-01-15). "Google plans to drop Chrome support for tracking cookies by 2022". Ars Technica. Retrieved 2021-05-19.
- ^ a b Cyphers, Bennett (2019-08-30). "Don't Play in Google's Privacy Sandbox". Electronic Frontier Foundation. Retrieved 2021-05-21.
- ^ "Privacy Sandbox for the Web reaches general availability - The Privacy Sandbox". privacysandbox.com. Retrieved 2023-09-08.
- ^ Amadeo, Ron (2023-09-07). "Google gets its way, bakes a user-tracking ad platform directly into Chrome". Ars Technica. Retrieved 2023-09-08.
- ^ "Introducing the Privacy Sandbox on Android". Google. 2022-02-16. Retrieved 2022-11-15.
- ^ Vonau, Manuel (2022-11-15). "Google's third-party cookie killer is almost ready for beta testing on Android". Android Police. Retrieved 2022-11-15.
- ^ Schiff, Allison (2021-04-14). "Influential W3C Working Group Calls Privacy Sandbox Proposal 'Harmful'". AdExchanger. Retrieved 2021-05-21.
- ^ "Privacy Sandbox for the Web". Privacy Sandbox. Retrieved 2024-06-14.
- ^ Cyphers, Bennett (2021-03-03). "Google's FLoC Is a Terrible Idea". Electronic Frontier Foundation. Retrieved 2021-04-13.
- ^ Geradin, Damien; Katsifis, Dimitrios (2020-02-19). "Taking a Dive Into Google's Chrome Cookie Ban". Tilburg Law and Economics Center (DP2020-042). Rochester, NY. doi:10.2139/ssrn.3541170. ISSN 1572-4042. S2CID 216269022. SSRN 3541170.
- ^ French, Laura (2023-12-15). "Google Chrome will disable third-party cookies for millions of users on Jan. 4". SC Media. Retrieved 2024-06-14.
- ^ Kats, Daniel; Silva, David Luz; Roturier, Johann (2022). "Who Knows I Like Jelly Beans? An Investigation Into Search Privacy". Proceedings on Privacy Enhancing Technologies. 2022 (2): 426–446. doi:10.2478/popets-2022-0053. ISSN 2299-0984.
- ^ a b Snyder, Peter; Karami, Soroush; Edelstein, Arthur; Livshits, Benjamin; Haddadi, Hamed (2023-08-09). "Pool-party: exploiting browser resource pools for web tracking". Proceedings of the 32nd USENIX Conference on Security Symposium. SEC '23. USA: USENIX Association: 7091–7105. ISBN 978-1-939133-37-3.
- ^ Westers, Maximilian; Wich, Tobias; Jannett, Louis; Mladenov, Vladislav; Mainka, Christian; Mayer, Andreas (2023-02-02). "SSO-Monitor: Fully-Automatic Large-Scale Landscape, Security, and Privacy Analyses of Single Sign-On in the Wild". arXiv:2302.01024 [cs.CR].
- ^ a b Senol, Asuman; Acar, Gunes (2023-11-26). "Unveiling the Impact of User-Agent Reduction and Client Hints: A Measurement Study". Proceedings of the 22nd Workshop on Privacy in the Electronic Society. WPES '23. New York, NY, USA: Association for Computing Machinery. pp. 91–106. doi:10.1145/3603216.3624965. ISBN 979-8-4007-0235-8.
- ^ Knittel, Lukas; Mainka, Christian; Niemietz, Marcus; Noß, Dominik Trevor; Schwenk, Jörg (2021-11-13). "XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers". Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. CCS '21. New York, NY, USA: Association for Computing Machinery. pp. 1771–1788. doi:10.1145/3460120.3484739. ISBN 978-1-4503-8454-4.
- ^ "IP Protection | Privacy Sandbox". Google for Developers. Retrieved 17 January 2024.
- ^ "Google Makes DNS Over HTTPS Default in Chrome". Decipher. 2020-05-20. Retrieved 2024-06-14.
- ^ Alvim, Mário S.; Fernandes, Natasha; McIver, Annabelle; Nunes, Gabriel H. (2023-11-26). "A Quantitative Information Flow Analysis of the Topics API". Proceedings of the 22nd Workshop on Privacy in the Electronic Society. WPES '23. New York, NY, USA: Association for Computing Machinery. pp. 123–127. arXiv:2309.14746. doi:10.1145/3603216.3624959. ISBN 979-8-4007-0235-8.
- ^ Claburn, Thomas. "Google testing fenced frames to guard its Privacy Sandbox". www.theregister.com. Retrieved 2024-06-14.
- ^ Weatherbed, Jess (2023-07-20). "Google starts the next phase of its plan to kill third-party cookies". The Verge. Retrieved 2024-06-14.
- ^ Shields, Ronan (April 14, 2021). "Google Shelves Fledge Trials Until Late 2021". Adweek. Retrieved 2021-05-21.
- ^ "Protected Audience API: Our New Name for FLEDGE". privacysandbox.com. Retrieved 2023-09-11.
- ^ Weatherbed, Jess (2023-07-20). "Google starts the next phase of its plan to kill third-party cookies". The Verge. Retrieved 2023-09-11.
- ^ Claburn, Thomas. "How Google Chrome's Privacy Sandbox works and what it means". www.theregister.com. Retrieved 2024-06-14.
- ^ Rumiński, Mateusz (October 5, 2022). "[Whitepaper] Deep Insights From Early Fledge Experiments". RTB House. Retrieved 2023-01-18.
- ^ Trotz, Joey (November 10, 2022). "Privacy Sandbox for the web: Expanding testing into 2023". Retrieved 2023-01-18.
- ^ "Quantitative testing of Google's Privacy Sandbox technologies – seeking input from affected firms and others on the CMA's proposals" (PDF). Competition and Markets Authority. November 2022. Retrieved 2023-01-18.
- ^ Nield, David. "What's Google FLoC? And How Does It Affect Your Privacy?". Wired. ISSN 1059-1028. Retrieved 2024-06-23.
- ^ a b Amadeo, Ron (2021-04-20). "Everybody hates "FLoC," Google's tracking plan for Chrome ads". Ars Technica. Retrieved 2024-06-23.
- ^ a b "Privacy analysis of FLoC | The Mozilla Blog". blog.mozilla.org. Retrieved 2024-06-23.
- ^ Lardinois, Frederic (2022-01-25). "Google kills off FLoC, replaces it with Topics". TechCrunch. Retrieved 2024-06-23.
- ^ Nield, David. "What's Google FLoC? And How Does It Affect Your Privacy?". Wired. ISSN 1059-1028. Retrieved 2024-06-23.
- ^ Bohn, Dieter (2021-04-16). "Nobody is flying to join Google's FLoC". The Verge. Retrieved 2024-06-23.
- ^ Electronic Frontier Foundation. "Am I FLoCed?". Retrieved 2024-06-23.
- ^ Amadeo, Ron (2022-01-25). "Google drops FLoC after widespread opposition, pivots to "Topics API" plan". Ars Technica. Retrieved 2024-06-23.
- ^ Claburn, Thomas (26 January 2022). "Google dumps interest-based ad system for another interest-based ad system". The Register. Retrieved 22 June 2024.
- ^ "Get to know the new Topics API for Privacy Sandbox". Google. 2022-01-25. Retrieved 2024-06-23.
- ^ Roth, Emma (2022-01-25). "Google abandons FLoC, introduces Topics API to replace tracking cookies". The Verge. Retrieved 2024-06-23.
- ^ Klosowski, Thorin (2023-09-28). "How To Turn Off Google's "Privacy Sandbox" Ad Tracking—and Why You Should". Electronic Frontier Foundation. Retrieved 2024-06-23.
- ^ a b Thomson, Martin (6 January 2023). "A Privacy Analysis of Google's Topics Proposal" (PDF). mozilla.github.io. Retrieved 22 June 2024.
- ^ a b Claburn, Thomas (27 Jun 2023). "Google asks websites to kindly not break its shiny new targeted-advertising API". The Register. Retrieved 22 June 2024.
- ^ Cimpanu, Catalin (16 May 2019). "Privacy concerns raised about upcoming Client-Hints web standard". ZDNET. Retrieved 2024-06-23.
- ^ Ikeda, Scott (2021-01-20). "UK CMA Plans to Investigate Google Chrome's 'Privacy Sandbox' for Potential Anticompetitive Behavior". CPO Magazine. Retrieved 2021-05-19.
- ^ "Investigation into Google's 'Privacy Sandbox' browser changes". Competition and Markets Authority. January 8, 2021. Retrieved 2023-01-18.
- ^ "CMA second update report on implementation of the Privacy Sandbox commitments" (PDF). Competition and Markets Authority. October 2022. Retrieved 2023-01-18.
- ^ a b Robertson, Adi (2021-03-16). "Google antitrust suit takes aim at Chrome's Privacy Sandbox". The Verge. Retrieved 2021-04-13.
- ^ Holt, K (December 16, 2020). "Texas announces a multi-state antitrust suit against Google". Engadget. Retrieved 2021-04-13.
- ^ Masnick, Mike (16 March 2021). "Google's Efforts To Be Better About Your Privacy, Now Attacked As An Antitrust Violation". Techdirt. Retrieved 2021-04-13.