I hope no one is saying Privacy Sandbox is worse than third party cookies, or is trusting this article to form an opinion about it. Web advertising was a $319 billion dollar industry in 2019. Does anyone wonder who may be lobbying their government to scrutinize Google and offer themselves for interviews for articles like this? Does anyone think the result of beating up Project Sandbox will be more radical privacy protection?
No, I don't think this article has anything really to do with a better privacy outcome and everything to do with watering down Google's stance to something more status quo for the advertising industry.
There are no actual critiques of Privacy Sandbox's APIs here. There's no mention of what critics stand to lose if Privacy Sandbox becomes the standard. There's merely hand wringing of "but do you trust Google?" Everyone who's made themselves available for quoting in this article is a web advertising professional, including the ones who come off as not[1][2]. None of them care about you.
[1] James Rosewell is cited as director of "Marketers for an Open Web." He's also the CEO of a company that specializes in device detection. His LinkedIn headline reads "THE Fastest and Most Accurate Device Detection = more profitable websites"
[2] Alan Chapell is sarcastic about Google attempting to do this openly through the w3c. He's cited as running a privacy law firm. Their web site says they represent tech companies navigating privacy issues. They aren't actual privacy advocates. https://chapellassociates.com/
> Web advertising was a $319 billion dollar industry in 2019. Does anyone wonder who may be lobbying their government to scrutinize Google and offer themselves for interviews for articles like this?
You do know that Google is a web advertising company first?
If they're proposing something, you can be damned sure that it was vetted first by people who know how to use it for ad tracking - because that's literally their bread and butter.
Chrome will never: ban 3rd party cookies, tell which sites track you etc. They're not going to shoot themselves in the foot without a plan.
There is no situation where Google will actually care about privacy, since their whole business model exists on the fact that they know everything about their users so they can target ads better.
Oh, they care about privacy just the way they care about security: valuable and actionable data about you should belong to them.
Their security people are top-notch. They guard your data very diligently. If they did not, you would not trust them with intimate details about your life.
Your privacy is the same. They will keep your data private *from their competitors*, but they will fully enjoy using it for their own purposes.
It is ludicrous to think that an advertising company, whose value proposition is precisely in its ability to target users accurately, would willingly impair their ability to do so.
They will, however, gladly make it difficult for their competition.
It will ban 3rd party cookies the moment Google decides it's time to kill off most of their competition. They have Chrome installed on most people's computers and smartphones so they hold tremendous power to dictate the direction of the web, while they keep tracking people through the browser, with a user login, basically cookie-less.
I thought that was addressed with “They're not going to shoot themselves in the foot without a plan”. I’d bet they would ban 3rd party cookies the microsecond after they made sure they had a proved workaround.
"Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years [from January 2020]." -- https://blog.chromium.org/2020/01/building-more-private-web-...
Want to bet on whether Chrome still supports third-party cookies, say, by the end of 2023?
(Disclosure: I work for Google, speaking only for myself)
Google can probably track you without cookies if you use Google Chrome. If they remove alternative methods of tracking they end up eliminating competitors.
This exists and is used today in production. The feature is called "Google Signals." It can be used as a replacement for the identity signal (read: cookies) for Google Analytics and Google Ads.
Which would be great. Minus one surveillance corporation in the world - the better for humans in general. Then we either split and regulate Google by government if we are lucky, or it stays as a surveillance monopoly, but there will be less surveillance anyway.
Of course it isn't good. This is HN, and we want the web advertising industry to go away. However, that's not going to be the outcome. Antitrust scrutiny in this case means making it more fair to third party advertisers...the people who will be hit most by third party cookie disabling. As much as we want to hate on Google, articles like this won't make them move toward more privacy.
You present a false dichotomy. "Google's Privacy Sandbox" versus Third Party Cookies, as if those are the only alternatives. Now you are following along with another false dichotomy!
> This is HN, and we want the web advertising industry to go away.
Here's a crazy idea. We don't need either Google's monopoly preserving Privacy "Sandbox" or third party cookies... and we don't need to do away with web advertising. We're not in a black and white world.
Google can advertise on their home page and make money without all the crazy tracking bullshit. We know they can, because that's how they funded all the bullshit tracking.
I'll add a third option: neither! Seriously, I've had 3rd party cookies disabled four years and almost nothing breaks. The last time I remember needing to enable them was some online homework system that came with a math textbook.
I feel like there are some misunderstandings in this thread. Let me summarize my understanding:
Safari has effectively disabled third party cookies. Nothing broke. Chrome has announced that they will do the same in 2022. However, unlike Apple, Google doesn't want to cannibalize the ad industry so they decided to introduce this Privacy Sandbox which allows targeted advertising without sending a personal identifier to the server.
The article that we are discussing is saying that this Privacy Sandbox will favor Google Ads. The top comment said that this article is likely astroturfing. It written by people affiliated with other ad networks, whose goal is to water down the Privacy Sandbox proposal so that it enables more tracking.
Some people have said that they don't trust Google to implement Privacy Sandbox in a privacy friendly way, so it shouldn't exist at all. But that was never really on the table.
Fundamentally, Google—A company which has a history of over-reaching and lying about it—is implementing a solution which allows them to continue doing what Google does as best it can given the current atmosphere.
They could do what the other browser makers have done and just eliminate 3rd party cookies. They could make this feature opt in. The fact that people seem determined to assert Google must have this feature and we are all somehow better for it is absurd.
Edit: In retrospect there does seem to be a fundamental mis-understanding of sorts. If you fundamentally trust Google, I suppose this whole thing looks different with rose colored lenses on.
Actually, some things _did_ break and required wonky work-arounds (redirect through three top-level domains to set cookies so you can show the user a page composed from three different systems embedded widgets) and at some point we'll have to make it work better. But while Apple and company are aware of this use case they don't have a solution that can't be _also_ used by ad companies as well as integrators ... so it gets harder to integrate on the front end, unless you trust all the things being integrated implicitly (which you don't)
The issue here is excessively intrusive tracking, not the ads themselves.
Otherwise how are Youtube creators, newspapers, Firefox, etc going to operate with out it?
Companies adding multiple megabytes of JS tools is probably another issue entirely as they often involve a variety of crap like 2-3 ad publishers, content recommendation services (chum), 5 different analytics and automation tools from "marketing", regulatory compliance modals/monitoring, e-commerce tools. And all of this is before the regular JS stuff is added (CNN for ex: adds both jQuery, backbone.js, AND React). Those issues are solved by competent web teams and for certain market segments of mega-firms this likely wont go away any time soon, so the ad blocks (really JS blockers) will remain.
Just like "defund the police" is a stupid self-alienating stance to stake, so is expecting web ads to end.
I haven't see the stats on retargeting, but I wouldn't mind that goes (across 3rd-parties).
But I do see some value in demographic and behavioural ad targeting. If I have to see ads then I'd prefer they be targeted at me. I'm not sure what the solution here is but, outside of pseudo-anonymization.
Because at the end of the day all that matters privacy-wise is identity. I could feed an ad engine locally with my attributes without directly revealing identity, as is largely the case today. But even that is a tradeoff.
> Just like "defund the police" is a stupid self-alienating stance to stake, so is expecting web ads to end.
Don't go there, please. At the very least it reveals you don't understand what "defined the police" means, and at worst you're insulting those who are living in constant fear and daily trauma. There are better analogies to use.
I find attempts of forbidding discussions on certain topics because they are sensitive to specific classes of people offensive and dangerous to free thought and open discourse, two of the pillars of democracy.
Furthermore, I reject the claim that a significant number of people are living in constant fear and daily trauma in any western democracy. Such an extraordinary claim requires solid proof - statistical proof that people are suffering psychological and/or physical trauma.
And according to Wilfred Reilly it's actually happening: "In Los Angeles, similarly, the police budget was reduced by $150,000,000 “following calls to defund the police after George Floyd’s May 25 death.” By November 12th of the past year, these cuts had already resulted in the dissolution of the department’s entire Animal Cruelty Task Force, and more notably of the Sexual Assault/Special Victims unit “that investigated disgraced film producer Harvey Weinstein."
Did you really think that such a clear statement supported by politicians and mass media will not have any effects in the real world?
> I find attempts of forbidding discussions on certain topics because they are sensitive to specific classes of people offensive and dangerous to free thought and open discourse, two of the pillars of democracy.
Note that the topic of this discussion is Internet advertising. I would love to hear your opinion on how comparing the Internet advertising industry to the struggle for racial justice is promoting free thought and open discourse. Actually, I wouldn't, because any such comparison is absurd and is not initiating the conversation in good faith.
> Furthermore, I reject the claim that a significant number of people are living in constant fear and daily trauma in any western democracy
Note that I made no such claim. I would, however, love to hear your experience as a BIPOC in America.
« The issue here is excessively intrusive tracking, not the ads themselves.»
I use privacy badger as an ad blocker, even though it does not target ads. It somehow block privacy intrusive domains, which happen to be related to ads.
> This is HN, and we want the web advertising industry to go away.
Not go away. Just have their ability to invade privacy spayed and neutered. If it makes the industry smaller in aggregate, I'll take that as a beneficial side effect.
I’d think you’d find a broader consensus around “tracking must die” than “advertising must die”. Though advertising itself is often obnoxious and motivation for large-scale fraud.
Any evidence of that? Also, anti-advertising is not anti-business. And the good thing with a nightmare is that it disappears once you open your eyes and see what the reality actually is like.
> HN's anti-business consensus is a disturbing nightmare.
I see this tact in almost every thread about Google and Facebook. Right along with "HN (users) are against any advertising". This sort of ad-hominem approach to debate is non-constructive and frankly bullshit.
HN advertises. It's owned and operated by an actual profit making business. Nobody complains about that. People don't mind because fundamentally we know when we leave HackerNews, YCombinator isn't following us.
The consensus is largely not anti-business, it is against tracking.
If I'm anti-business, does that make you a Google shill? Let's try to talk about the topic and not the attitude of the people here.
> This is HN, and we want the web advertising industry to go away.
Sure let's go back to the ol' day where business would reach out to their clientele only on bill boards and news papers. Oh wait, I guess I should apply for a physical newspaper subscription too!
If advertisers can't violate one's privacy, that simply means they will pay less to the websites one uses, and that will lead to its quality deteriorating, or even more extreme content filters to appease advertisers and remain afloat.
If advertisers can't violate one's privacy, that simply means they will pay less to the websites one uses..
Why? Businesses ad spend budgets aren't going to be reduced simply because ads no longer track people. The same amount of money will go to advertisers. So long as ad companies can deliver a better return than other forms of advertising that competes for those budgets the online ad companies will be fine.
Or, alternatively, they will spend more (input) to produce the same amount of leads (output)? Practically, their margins shrink while the websites maintain revenue.
To be clear, I'm not saying the above effect will definitely happen, only pointing out that other outcomes are possible. In practice it will be some combination of the two.
The amount of money one can sell an advert for to the advertiser is of course related to expected return value for the advertiser of that ad.
The value something provides is relative to other things you might buy instead. If I have an ad budget of $1m, and I can't spend it on targeted ads then I'm going to spend it on the next best thing - if that's non-targeted ads then websites will still get my $1m.
You strangely assume that the advertisement budget will remain constant in a world where advertisement is less effective.
The very reason that adverts are then worth less, is because advertisement budgets will go down, given that advertisements provide less return for their money.
You strangely assume that the advertisement budget will remain constant in a world where advertisement is less effective.
It's not an assumption. I've worked in web stuff, including a lot of ad-driven businesses and businesses that buy ads, for a little over two decades. If one technology is removed businesses will spend the money on a different one. They will never step back and say "Oh well, I guess we'll have to spend less on advertising now."
It's even reasonable to believe a reduction in the effectiveness of ads would get companies to spend more on adverts in order to maintain the same level of growth.
> They will never step back and say "Oh well, I guess we'll have to spend less on advertising now."
Of course they do, what weird assumption is this?
If we lived in a world where advertisement was twice as effective at generating new revenue, far more money would be spent on it; if we lived in a world where it did nothing, no money would be spent on it and companies would search for other means to get new customers than advertisement.
It is certainly not as though the advertisement budged that companies have simply be a number they cling to on religious principle, rather than a number they have decided upon based on their perceived value of advertisement.
There’s a close enough to fixed amount of money people have to spend. Advertising doesn’t make them spend more (or less) of their budget, it just trys to convince people to buy your widgets instead of mine. When I need a phone, or a pair of sneakers, or a bottle of vodka - I’m going to buy one. Your flashy ad may convince me to buy your brand, but it’s not like I’d choose to not buy anything just because nobody advertised it to me. That even works of discretionary spending and impulse buys - I have a limited “uncommitted budget”, so maybe your ads could convince me to buy a new set of golf clubs instead of taking a trip to Vegas, but it’s all the same money that gets spent.
Even if you fully believe that privacy invasive targeted advertising is “the most effective” advertising, if it goes away the second best form of advertising will then become “the most effective” and will eat the lions share of the advertising spend. Or perhaps the market will dictate that instead of “targeted ads”, the most effective strategy will be to split the old google/Facebook ad spend across a combination of older (or newer) ad forms.
Toyota still want to sell Corollas. TAG still want to sell watches. So long as there’s a form of advertising that’s better than not advertising at all, the aggregate of all competitive sales teams will work out how to soak up all my budget somehow. Something will still me the most effective advertising. They’ll still spend their money to get more of that.
(If it turns out to be billboards or movie product placements or something, that’ll suck for web people who’s only possible way to sell advertising is banner ads, but that’s a different argue,ent...)
You strangely assume that advertising overall budget is related to the effectiveness of advertising.
The reason non-privacy invasive advertising is worth less is that tracking is more effective, so it changes the balance. If tracking becomes less effective, advertising money is more likely to go elsewhere than disappear.
You're assuming people won't create great things without ad profit. I submit Open Source and Wikipedia as evidence to the contrary. Not making a profit on the original creative act might lead to larger profits for society overall and indirect advantages to the original creators.
And usually content created for profit is quite untrustworthy, I prefer content created out of passion. It's the ad based content creators who are lacking in diversity, not the passionate creators who go in deep the rabbit hole.
Also, there's nothing wrong with ads, but they need to be topical to the content at hand, not targeted to users.
> You're assuming people won't create great things without ad profit. I submit Open Source and Wikipedia as evidence to the contrary. Not making a profit on the original creative act might lead to larger profits for society overall and indirect advantages to the original creators.
Both examples you listed are products that are feasibly created by the many small contributors. Many products cannot feasibly be created in such a manner and rely on some manner of income to remain feasible.
There are quite a few content creators that are capable of producing content because their efforts are supported by advertisement. It would be hard for them to operate on the many small contributions-model.
> And usually content created for profit is quite untrustworthy, I prefer content created out of passion.
Few men enjoy the luxury to devote so much time to their passions when other parts of their time are allocated to securing the income they need to feed themselves.
> Also, there's nothing wrong with ads, but they need to be topical to the content at hand, not targeted to users.
This situation would indeed benefit the visitor more; it would not benefit the advertiser, nor the middleman, nor the space where the advertisement stands.
> securing the income they need to feed themselves.
I have a feeling that to some extent this part is made unnecessarily hard due to how the capitalistic economy insists on employing all available resources in “productive” pursuits of producing even more content...
Perhaps not “content” all the time. But surely a lot of resources are spent towards wasteful, if not directly anti-productive, ends. Trading those for more leisure time might very well be a boon for economy
Ad spend is not going down. Yet publisher revenue is stagnant or worse. Look at every media outlet scaling back and/or crying poverty. This is the gateway to most of the worst of the advertising ecosystem. Nobody WANTS sleazy/creepy/loud/excessive ads on their sites, because it's their brand being ran down in the end. But it's seen as the only way to keep their heads above water.
I suspect the real story here is the growth of the middlemen and platforms. In 1990, when you called up your local newspaper and ordered a quarter-page ad for $50, the publisher got every cent of it. Now, you buy $50 of PPC ads, it gets routed through several layers of cross-selling and arbitrage, and $5 is actually distributed to publishers.
I'm surprised nobody's built a mutually owned co-op ad network. That would allow the participants to recapture most of the value lost to third party intermediaries. With so much less revenue leakage, they could offer tamer adds that paid as well as the current 82 banners, full tracking, and a chumbox design.
I don’t want the web advertising industry to go away. It’s benign. If you don’t want advertisers to track you you have the option to default browse without cookies. Even better, default browse without cookies and JavaScript. Yes, I do this.
If you understand how cookies work then this is a perfectly viable option for you. If you don’t, you likely don’t care about advertisers tracking you.
Well I just think that if you aren’t aware you are being tracked, you probably don’t really care too much.
People who care they are being tracked will take the time to learn how stop being tracked. That’s why I learned about cookies etc.
I think this is probably a way for google to assert further control over the advertising industry, using the guise of improving user privacy. Like I said, most users don’t really care because if they did they would just disable cookies, so I think they are solving a problem no one is actually having and that seems suspicious.
Yes, google is restricting the tech in a way that superficially helps consumers. But in the way that wall street is selectively deregulated to their advantage and everyone else's disadvantage, google is selectively closing data loopholes to their advantage. This may have positive short-term privacy effects, but long term will hurt it with a single giant company as the arbiter of all data.
This is basically an ad hominem argument. There is no room to discuss Sandbox on its merits with this stance. Yet we're debating this on an article whose every Sandbox criticism comes from other industry professionals who are just as worthy of being considered a malicious adversary.
I make no statement that Project Sandbox should not be scrutinized -- merely that it's better than third party cookies -- and I don't believe increased antitrust scrutiny of Google will lead to better user privacy.
> This is basically an ad hominem argument. There is no room to discuss Sandbox on its merits with this stance.
I respectfully disagree and defend the position you're replying to. I take issue with your provocation because I fear that asserting too much focus on a still-frame snapshot without looking at the full motion, that seems misguided. Politics constitute the motion around any spec snapshot.
Focussing only on the technical merit of the proposal without also prioritizing the living, moving context around it, that's advocating a sort of blindness imho
The solution isn't to (a) ignore the technical proposal and ignore the context, or (b) to ignore the context, and only focus on the technical proposal.
The problem is that nobody is bringing these two together. Don't just focus on context without reading the actual proposal. Your comment says nothing about the technical proposal.
You're ignoring the living, moving context that is the adtech industry. It's one with a much higher ratio of middlemen:customers than needed, representatives of whom appear in this article.
And, worth noting, the set of adtech industry persons includes all employees and contractors of Google. Google simple wouldn't exist if it weren't for adtech, and all cheques written by Google are dependent on adtech.
It's the largest, most invasive and pervasive privacy intrusion in history, and its beneficiaries includes many HN regulars.
I think I agree with you. I wholly support clamping down on adtech btw. I just don't support the "this article doesn't talk about the tech merit" angle of critique, as if that's so obviously a starting (or priority) point of departure.
No one is saying you shouldn't be sceptical. What OP is saying is only that you should not form an opinion on the subject based off of what some pro-third-party-cookies advertising-people are saying. He is pointing out that this is clearly an attack from someone with a lot to loose, not saying "trust google".
They aren't wrong when they point out that it gives a massive information advantage to Google; but the pro-privacy solution is neither 3rd party cookies nor the "privacy" API. Both provide a means by which to uniquely identify and track the behaviour of a person.
Besides, it's not wrong to listen to the losers; you might learn about some unfair competition.
IMO, Gogole having a monopoly on tracking me is clearly worse then the ability to track me being shared – and I can significantly hinder 3rd party tracking!
I'm far more afraid of Google strengthening its monopoly, on general principle.
I actually like the idea of Privacy Sandbox. It appears to enable sites which depend on ad revenue to continue to exist while seeking to eliminate the usual problem with current adtech: third party tracking.
I wrote up a more nuanced version of this opinion here:
I like your post. It does conflate Privacy Sandbox with one of the specific proposals, however: "there still exists an algorithm which is fed a user’s browsing history and that algorithm is used to put the user into an advertising cohort. However the interesting change with Privacy Sandbox is that this algorithm is run locally within the user’s browser, and never actually needs to transmit the user’s browsing history over the internet. Instead only a code for the identified cohort is transmitted, and a remote ad server can use that cohort directly." is describing https://github.com/WICG/floc
Another component of Privacy Sandbox is Turtledove (https://github.com/WICG/turtledove), where advertisers can tag a user as belonging to a "interest group" and then later on can target ads against that interest group. Which groups a user is in is maintained entirely by the browser, and never sent to the server, And any ads that are rendered based on interest group targeting have to execute in a special "fenced frame" which prevents them from leaking information to the surrounding page or to the advertiser in a non-aggregated way.
(Disclosure: I work on ads at Google, so I'm following these proposals. Speaking only for myself)
> I like your post. It does conflate Privacy Sandbox with one of the specific proposals, however: [...] https://github.com/WICG/floc
Thanks for the clarification Jeff.
> Another component of Privacy Sandbox is Turtledove (https://github.com/WICG/turtledove), [...]. Which groups a user is in is maintained entirely by the browser, and never sent to the server
Interesting. I'll plan to read up on this tonight and amend my post from what I learn.
> I hope no one is saying Privacy Sandbox is worse than third party cookies
It doesn't need to be worse for it to be unacceptable to privacy-concerned folks which don't trust Google. It is just about the same to them since an untrustable entity like Google is stewarding it.
Which BTW makes it worse since the solution is basically putting trust in Google which just brings on more and undefined privacy issues.
The argument in the linked post is not that Privacy Sandbox is "unacceptable to privacy-concerned folks which don't trust Google" but "unacceptable to ad tech companies who want to be able to continue to use third-party cookies".
> the solution is basically putting trust in Google
Fair enough, but by trust I meant trust in Google's stewardship of the initiative, not trust in the sense of them actually handling data. That is what -justly or not- concerns some of my friends.
It would be possible to write an extension to firefox or chrome that switched peoples third-party cookies around, polluting, potentially permanently, the targeting data. It does not seem possible to do this with whatever google is cooking up.
I think the argument that Google is trying to make is that Privacy Sandbox is better because it's our trusted friend Google that will control this information, not all these other organizations who don't have your best interests at heart. Which is hilarious, and not even original: governments and law enforcement have been making the same argument around privacy issues (to the sound of millions of rolling eyeballs) for decades.
I think no one (in the article) is saying it‘s worse for privacy, or if they do that‘s an easy lie. They are saying it‘s worse for competition. A competitive online advertising market may well be in opposition to the highest level of user privacy.
The EU has both antitrust and privacy concerns with big tech, but it‘s different fronts.
Removing third party cookies benefits the end users as a side effect.
But you could argue that advertisers are people too, and that Google are using their monopoly to reduce competition and drive up prices for a segment of the population.
Is there a rule that says if antitrust benefits one segment of people and hurts another the it's OK?
You're nuts if you think that giving Google (the largest web advertiser in the world) a proprietary monopoly on user tracking instead of having an open standard is somehow better.
Dismantle google to smaller companies and separate all the parts (from android, search engine to google earth) away from advertising part. Prevent them from sharing data. Dismantle facebook. Separate it from advertising part.
THEN we can praise Privacy Sandbox. The alternative is to NOT use chrome. Switch to Firefox.
Praising "privacy sandbox" where browser doesnt allow you to logout from your google account doesnt solve anything. I do care if there is 300 inefficient tracking companies in exchange for one that is extremely efficient and can push other 3rd party sites to use it. What do you think will happen?
First, other advertisers will be killed, google would offer its identifier to the sites and suddenly you wont be able to surf anywhere without google account and chrome. Nope, thank you very much for such "privacy sandbox".
Google's way of leveraging their browser dominance to use 3rd party cookies as a way to gain competitive advantage:
Step 1: Implement a whole new browser functionality where Google alone can track people.
Step 2: Eliminate 3rd party cookies so Google's competitors have to create increasingly unethical and invasive fingerprinting techniques to remain competitive.
Step 3: Increase advertising rates since they are the only company able to effectively target adverts on the web. (Profit)
Did I miss anything?
Google in their enthusiasm to prevent Microsoft from dominating the web has become worse than Microsoft was in its heyday.
I hear this argument a lot. Yes, you can turn off third party cookies, and I have as well, but the power to control the default behavior is very important. What we should be asking ourselves is "Does the average user turn off third party cookies?"
This is the same reason Facebook is throwing such a fit over apple's new prompt. It makes it easy and likely for the average user to disable something without having to dig through settings.
Google's identity signal that they have given themselves access to works across cross-domain and cross-device. First-party cookies do neither.
I would strongly prefer that everyone restrict themselves to the capabilities of first-party cookies. But it's still true that Google is not holding themselves to the same restrictions that they're trying to enforce on other parties.
How do advertisers reconcile cloaked first party subdomains? It requires fingerprinting, or the first party to tell the real 3rd party (cloaked as a first party) things like email or real name, that can be cross referenced, no?
Yes, that is generally how they resolve it. Apple has started to reduce the effectiveness of CNAME cloaking.
The goal is that advertisers will eventually be far better off working with a system like Private Click Measurement (in Safari betas now and set to be in next releases) than insecure things like CNAME cloaking.
How would third party JavaScript fingerprint users? Only if there’s a backend data broker aggregating identities based on a universal token (e.g. email). Or one of those super shady tech wizardry techniques like timing OpenGL calls.
The reason why subdomains work is that you can make the root domain go to your own site, while the subdomain goes to your ad provider. If you use a CNAME it's literally just a matter of publishing another DNS recod and you're done. Moving to a subdirectory requires setting up a reverse proxy on your existing infrastructure, and keeping it up to date every time your ad network switches domains. Hell, on a lot of platforms you don't even have the ability to reconfigure the server in such a way as to proxy through an entire ad network, so you'll have to use a platform or technology specific plugin if available.
That's why the ad industry used third-party domains in the first place, BTW - it's a zero-setup solution. Subdomains are minimal-setup; subdirectories are a huge hassle.
You wouldn't need to. Let's say they gave you a php script (any server side processing language) you could place it anywhere and it would download new ad content and show it as a first party ad.
No I don’t think so. DNS only works on the domain part of the url.
However a server like nginx can be set up to proxy requests matching a specific url pattern to another server. This would be a bit more work than adding a DNS entry and referencing that though.
Yeah... we're all too lazy to relay our data through our own backends. I recommend this to clients but there's always some killer analytics feature that requires the JS integration.
This is a good time to remind everyone that Google has planted a hard-coded "X-Client-Data" telemetry backdoor that is sent to DoubleClick domains, is never disclosed to users and is impossible to disable.
The header, which is not available to any of their competitors, contains unique information about the install that could allow them to track people better than anyone.
Thanks, removed Chrome ages ago in favor of Microsoft's Edge (the new one). Microsoft is fast becoming the good guys. It sets a default tracking level of Balanced, which blocks trackers from unvisited sites - you may then make it more strict if desired, out of the box with no extra plugins required.
I wonder if there is room here for an existing company that already makes money via a subscription, to pivot into search.
I could see Apple or Netflix or Amazon, try and expand their offering to include search. They already have income streams that rely on the consumer, so they can build products that are in our best interest.
TL;DR, they claim that this header is sent to all Google-owned domains, and describes the feature flags that your browser has enabled, and it doesn't contain any PII.
I guess the closest thing to a defence to your argument one could mount is "That's not true, Chrome sends it to all Google-owned domains!" which is... not a defence.
Even if that was the case, this is a bullshit argument. They don't need any PII, it's just more fingerprinting. They already have all the personal information they'll ever need by using all the other means.
Yep, they have GREASE TLS bytes, TLS resume ticket, RLZ value, X-Geo header, UA header, JS APIs with persistent random values (which they do indeed use on adsense! This is why you get surprise WebGL code seemingly doing nonsense once a while in adsense ads)
This cannot be a coincidence. They packed Chrome with fingerprints to work around GDPR by combining fingerprints on their side.
I believe they already did lawyerising, as written above.
They grabbed onto the wording of PII as "personally identifiable information" that information is identifiable, but not personally identifiable, so it is ok to use for ads.
"So here I was now, two years just to the day of being kicked and clanged into Staja 84F, dressed in the height of prison fashion, which was a one-piece suit of a very filthy like cal colour, and the number sewn on the groody part just above the old tick-tocker and on the back as well, so that going and coming I was 6655321 and not your little droog Alex not no longer."
Nothing like a little bit indirection to make it not true. It's blatantly obvious all the ways G can build a profile of someone by fingerprinting. Unfortunately it's not exactly an elevator pitch to make it a common knowledge thing.
I don't know, are fonts installed on your system PII? Because it can be used for fingerprinting. But I don't know the precise definition, so maybe you're right.
Perhaps a reasonable line to draw would be that if the content of the information is enough to fingerprint, the it is PII (regardless if broken into many messages) and the individual data doesn't matter.
If we talk purely about "reasonable", I don't think it's even possible to draw any line, besides something obvious like unique user identifiers. It's hard to predict what data can be used for fingerprinting until someone actually does it, just like it's hard to predict what bugs are actually possible to exploit. I could never predict some of those things being used for that and yet here we are. So it can be a cat-and-mouse type of situation. And some of that information is probably legit useful for purposes other than tracking.
Fingerprinting doesn't reveal an individual's name or passport number, so it's not PII. That's why PII is not a very useful concept in general, and why claims about privacy safeguards that over-focus on PII should be met with some skepticism.
The laws are catching up this in regard. GDPR uses "personal data" and CCPA uses "personal information," both of which more generally refer to data that identifies an individual.
At the same time let's not forget it's Google we're talking about. They are even parsing your emails to extract all the data from your transactions. They already have all your personal information, they just need to keep track of you when you're using other websites.
"The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value (see above). These are transmitted using the "X-Client-Data" HTTP header, which contains a list of active variations"[0].
The X-Client-Data header is still described as non-identifying. You're reaching for controversy where there is none. I've had this conversation with GP before[1], and it's always unenjoyable, because it's like talking to a conspiracy theorist. There's no rational basis for Google doing what you and they suggest that Google is doing. And you're willing to take events that aren't actually evidence of any kind of malaction (like rewording a document to mean essentially the same thing) and try and draw nefarious conclusions out of those things. Like, why?
If you start from the assumption that Google is acting unethically and is entirely untrustworthy, there are tons of other approaches they can take to do fingerprinting that wouldn't be detectable at all. If you're logged in, the entire conversation is moot. If they wanted to track you, they have your google account. So this only matters for logged out users, and even then, the value is marginal even if you assume Google isn't using any other form of nefarious tracking.
And again that all assumes Google is openly lying. If you don't include that in your threat model, well, then, Google probably isn't lying.
> The X-Client-Data header is still described as non-identifying.
That's a false description. 13 bits of entropy is more than most existing fingerprinting vectors. This header allows clients behind NAT to be identified with significantly greater precision.
> There's no rational basis for Google doing what people suggest it's doing.
There is. Their business lives and dies on their ability to track web users, and tracking methods are gradually being eliminated from web standards, therefore Google has a rational basis for adding new tracking methods that it can leverage - especially ones that only it can leverage.
> If you start from the assumption that Google is acting unethically and is entirely untrustworthy
I think the base assumption is less dramatic: that Google is simply acting in its own best interests by prioritizing growth over user privacy.
> If you're logged in, the entire conversation is moot. If they wanted to track you, they have your google account. So this only matters for logged out users, and even then, the value is marginal even if you assume Google isn't using any other form of nefarious tracking.
This is (obviously) about the hundreds of millions of Chrome users who are not logged in, and as I said above, 13 bits of entropy isn't marginal.
> And again that all assumes Google is openly lying. If you don't include that in your threat model, well, then, Google probably isn't lying.
Not necessarily. All it takes is a policy change. It looks like this:
1. Privacy regression is introduced and a restrictive policy is established, e.g. "we won't use that to track people".
2. 6-12 months go by; maybe a new VP gets hired, or a bizdev team discovers that this data could be leveraged for a significant bump in revenue.
3. The policy is relaxed to allow existing & future data to be used for fingerprinting.
Nobody "lied" per se, but the end result is the same.
> That's a false description. 13 bits of entropy is more than most existing fingerprinting vectors. This header allows clients behind NAT to be identified with significantly greater precision.
That doesn't make the X-Client-Data header identifying. Or, if it does, then your definition of "identifying information" is exactly equivalent to your definition of "information", because it is true that any particular axis or piece of data can be used to identify clients with greater precision. The rest is just how identifying the information is. Country is identifying, as is first digit of IP address, but both are less identifying than MAC address or first name. You're welcome to subscribe to such a definition, but it's not the normal one (which is usually that said piece of data can be tied to a specific individual, although you may not be able to correlate that particular individual with a name or similar).
Under this definition, I'd probably agree that the combination of IP address and X-client-data header is identifying, but that's also not a thing anyone is going to be using, because it's not particularly useful.
> There is. Their business lives and dies on their ability to track web users
Sort of. The value of tracking individual users at the granularity you suggest is, as far as I know, dubiously valuable, and importantly, there's no reason to believe it's done. Like there's no evidence to support this beyond the conjecture.
> This is (obviously) about the hundreds of millions of Chrome users who are not logged in, and as I said above, 13 bits of entropy isn't marginal.
But if you're in this situation, and again, Google is being unethical, there are a host of other tracking tools that provide 13 or more bits of entropy that they can use.
> Nobody "lied" per se, but the end result is the same.
I'd classify that as lying (for actually more than one reason). But I'll just leave you with the same point I made to 0xy the last time this was brought up: this X-client-Data header is nearly 9 years old. When it was introduced it was considered nonidentifying and was used for chrome experiments. It is still considered nonidentifying and used for chrome experiments.
And this is why the whole idea doesn't make sense: if the header was introduced now, I could see this train of thought making sense. But it wasn't recently introduced. They've had more than 8 years to use it while there have been all kinds of other ways to get additional bits.
So now your chain of reasoning is more like
1. Telemetry is introduced and a restrictive policy is established, e.g. "we won't use this to track people.
2. 6-12 years pass, multiple executives pass through the area. The CEO of the company changes twice. The entire org chart shifts and metamorphizes more than once. The policies are maintained.
3 [concurrently with 2]. A number of nations pass new privacy laws. Previously, using this particular set of data to track individuals would have been unethical, but legal. It is now both unethical and illegal in many places.
4. Google invests significantly in a different, somewhat privacy preserving alternative to individually identifying tracking technology which is openly criticized because it is mediocre in terms of privacy preservingness.
5. At some point between 2 and 4, they started actively breaking the law by using this can't-be-used-to-identify telemetry to identify unique users. And instead of completely hiding this fact, using it as a competitive advantage, and openly being a leader in privacy (for example by being an early proponent and supporter of things like 3rd party cookie restrictions), they don't do that, and instead suffer reputational harm due to the existing tracking, the telemetry illegally used for tracking, and the proposed new scheme for privacy preserving tracking that is inferior to the illegal telemetry-based approach.
It's a line of reasoning that requires that Google be simultaneously incredibly unethical and incredibly inept. It doesn't make sense.
The fact it is undisclosed to users, unjustified (they could get the same result by sending the header to GTM) and impossible to disable make it nefarious.
Google have a header being sent to advertising domains that can be used for tracking purposes, Google didn't ever disclose this fact, and Google made it impossible to disable.
Already that's nefarious.
"Just trust us, we won't abuse this!" is not good enough, considering the way it was implemented is already cloak-and-dagger suspicious.
If this were innocent, it'd be disclosed and you could opt-out. Google made a deliberate choice to not disclose this tracking to users, and made another deliberate choice to have it to be impossible to disable.
Coupled with the other highly questionable choices Google has made with Chrome, such as the giant amount of telemetry available through JavaScript that ad networks are actively abusing and it's hard not to think of Google as nefarious.
For ad networks, including Google's own ad department, Chrome is like a candy store. Firefox and Safari have tracking prevention and cookie mitigations. Chrome on the other hand has undisclosed, impossible to disable ad network tracking headers being sent to DoubleClick explicitly. Chrome's cookie security is similarly a joke, designed for the benefit of ad networks.
Chrome puts ease of tracking above security, time and time again. Not only is this choice made repeatedly, but billions of dollars are made in the process.
> they could get the same result by sending the header to GTM
Do you mean Tag manager, or some other GTM?
I also, and this'll be seriously counterintuitive, doubt that they could be quite as conscientious of user data if they were handled via GTM. To sketch out the concern here: Chrome telemetry that is not used to identify people and personal ad preferences/data tied to an individual user probably shouldn't be sent via the same channel or logged in the same place. They're used for different purposes, by different people, and likely have different infrastructural concerns related to storage and querying. In fact, it would be rather suspicious if chrome telemetry data was sent via Google's ads logging infrastructure. That would imply an odd level of co-design and coupling.
> sent to DoubleClick explicitly
And everything else owned by Google. It's not sent to Doubleclick specifically, which you never seem to acknowledge. It's sent to stuff that Google owns (and presumably, really just a large selection of things sitting behind the GFE[0]).
> For ad networks, including Google's own ad department, Chrome is like a candy store. Firefox and Safari have tracking prevention and cookie mitigations. Chrome on the other hand has undisclosed, impossible to disable ad network tracking headers being sent to DoubleClick explicitly. Chrome's cookie security is similarly a joke, designed for the benefit of ad networks.
Firefox does the same thing as chrome (via Firefox Telemetry). There's privacy tradeoffs between the two approaches, Firefox's allows the telemetry holder to reconstruct browsing data for a particular user (assuming the browser sends the data out of band to some central server). Google's approach doesn't allow that. There's also some technical advantages to Google's approach in terms of telemetry (both for Chrome and for Google sites), but those don't affect the privacy tradeoffs of how the telemetry is ultimately reported.
> Google didn't ever disclose this fact
You mean except in the Chrome whitepaper.
> "Just trust us, we won't abuse this!" is not good enough, considering the way it was implemented is already cloak-and-dagger suspicious.
But, like, it's not. The lengths you have to go to to make it appear suspicious (including lying repeatedly about how Google didn't disclose the feature) demonstrate how it's not in fact that suspicious. Yes, when you misrepresent the facts, it begins to sound suspicious. But that's because you're misrepresenting what was actually done.
The disconnect here seems to be that your position is that burying it in an obscure highly technical document is "disclosure", whereas 99.9999% of Chrome users don't even know this document exists, let alone how to find it or even how to read it.
That practice is worse than Facebook. Facebook at least makes some effort to explain privacy implications to users in human readable text that most people can understand.
So I still feel comfortable calling it an undisclosed and impossible to disable feature. Because for the vast majority of users, this is the case. It's not disclosed to them unless they go digging through websites for highly technical whitepapers they don't understand and can't read.
It's also mentioned explicitly, in plain language, in the privacy policy[0], which links to the whitepaper. This section, or something functionally equivalent has been present since (at least, that's as far back as you can check) 2014, still in plain language. The 2014 version links to a 2012 chromium blog post announcing that announced the fancy new field trials infrastructure[1]. Please stop lying about this it was not, and has not ever been "buried" or "undisclosed".
Of course, the privacy policy doesn't explain the precise methodology of how the telemetry is sent, so there's no "oh its done via an http header", because it's a nontechnical explanation with the goal of informing users how their data is being used, and not of giving them details of the method.
It's for tracking which chrome experiments are enabled, allowing chrome to check the impact of new chrome features by enabling them for only some populations and comparing the results. As it says in the white paper: "This header is used to evaluate the effect on Google servers - for example, a networking change may affect YouTube video load speed or an Omnibox ranking update may result in more helpful Google Search results."
That's describing it short-term at best, as some have pointed to you already.
Also, I don't see the important word "only" in the passage you're quoting, so given the usual MO of profit-driven corporations I'm just going to assume they omit other purposes of which there's at least a ton.
> so Google's competitors have to create increasingly unethical and invasive fingerprinting techniques to remain competitive.
Why would Google let their competitors to take advantages from fingerprinting if they can control the browser? In fact, Chrome explicitly mentioned anti-fingerprinting measures in their plan for 3rd party cookie deprecation, which is now called privacy budget.
You missed that Google isn't the only one that can track people under the Privacy Sandbox model - but it’s still advantageous for them since they can out-run their competitors on implementation speed and quality like they have with Chrome to capture more market share.
IPv6 may make fingerprinting harder since you might lose a single static identifier for users. Of course, you could gain a unique identifier per device on a subnet without security measures there.
However, it doesn't affect cookies which are bound to origin names rather than addresses.
Yes it does. Users now have a unique IP address that is now static. Yes you can rotate your exact IP inside your block but you still keep the same subnet.
Comcast gives you a /60 block that you can assign multiple /64's out of.
My computer rotates out IPv6 addresses every 30 minutes using SLAAC with privacy addresses.
While you can identify the /64, there is no guarantee that it is a single user, just like in IPv4 because of NAT there is no guarantee it is a single user. It'll identity a household, but that's it.
"Customers are allocated a /48 block of addresses - this is usually per customer, and so a customer with multiple circuits or sites will have a /64 allocated from the larger /48 block"
Spectrum assigns a /128 to your router via DHCPv6, but you also get a delegated prefix. That prefix seems to be a /64 by default, but you can request and receive a /56.
And Google is probably paying Mozilla so that they block those cookies too... I think that they might have paid them for other things too... like for blocking 99% of extensions on Firefox mobile (those are speculations, that are very probable).
No, pretty much just those. There are very few extensions available on new builds of mobile Firefox.
I got excited when the blog team announced that the were more available on the nightly buil, but after jumping through loads of hoops I found out there's just a couple of new ones and most extensions are still unavailable.
You most likely found some community suggested collection add-ons list. You can install any of the Firefox add-ons on mobile by adding them to your own curated collection.
The real question though is will all of them work?
I do too, but we don't get security updates. It is ridiculous that they went backward like this.
If someone has a better explanation then Google paying them for doing that, please let me know. I think Mozilla's new CEO is a sock puppet like most of the sheep out there (including me sometimes).
You have 20 extensions that were "approved" by mozilla more than a year ago! All the others are banned forever.
You can install uBlock, but not uMatrix. Many many extensions are banned just because they reviewed ONE extension that they preferred for a certain usecase. For example, for OLED phone night reading, there's the most installed at the time extension "Dark Background and Light text" that offered many customizations and worked on reader mode, and more importantly redish text/links. But too bad, because Mozilla picked the one with NO settings, but a nicer icon (which is literally disney's darth vader, but who cares) called "dark reader" which only have bright blue links and white text (and despite the name do not work on reader mode), and because there is already one extension with "dark mode" they will never whitelist the others, or even provide a setting to enable it on your own.
> You have 20 extensions that were "approved" by mozilla more than a year ago! All the others are banned forever.
This is a ridiculous lie, Mozilla has said repeatedly that more extensions are being enabled as support for more extension APIs are added, and it has been true. Several of my extensions which were previously disabled have come back online after updates.
I checked this three days ago after reading the Mozilla blig post, and literally none of the extensions I wanted (except the ones already available on stable) were available. The list of available extensions, even on nightly, is very small.
Perhaps it will grow but I'll wait to see that before I believe it.
I'm still waiting very basic and popular extensions (uMatrix anyone?) for SEVERAL MONTHS.
And try to offer community help. Ha!
mozilla have to die for firefox to live.
uMatrix and uBlock share the same base code, and we have uBlock but no uMatrix... it is all so rotten. Almost like mozilla is actively breaking firefox.
I can't imagine the kind of Stupids that are steering mozilla, but they definitely want people to move to chrome.
They disabled many loved extensions by power users for absolutely no reason at all! after those power users spend years bending to all their capricious changes. moving to webextension? done. moving to a new mobile UI? done. But, they still want you to move to chrome no matter what.
We should take firefox out of their hands before it is too late.
>They disabled many loved extensions by power users for absolutely no reason at all!
The reasons were stated repeatedly. They rewrote the mobile browser engine, which broke extension API support since all of the internal APIs changed, and they didn't have the resources to support both browsers simultaneously for a long period of time, so they prioritized the most-used extensions first and will enable more extensions as the APIs are hooked back up underneath.
This had tangible benefits - the new browser is significantly snappier and uses less power in my experience.
>We should take firefox out of their hands before it is too late.
It's open source, if you aren't satisfied with the speed of their progress, you can always help out. You say you'd like to take this work out of their hands? Well, here it is.
These are, specifically, unimplemented APIs and known API bugs in the new Firefox Mobile, that are on the Mozilla TODO list, and for which contributions would presumably be welcome. Enjoy.
Unless when you said "we", you actually meant "other people".
One problem is that it doesn't work as simply as "all APIs this add-on uses are supported, so let's enable it" – they instead still insist on explicitly whitelisting every individual add-on. So a few really popular extensions are whitelisted and the long tail is left behind, even if it might work perfectly well or at least useable enough.
I have for example one small extension that I maintain, which is basically little more than a glorified page script which therefore doesn't use any special extension APIs at all. Despite that, it took months for it to be enabled, and if it wasn't as popular as it is I might still be waiting even today.
> the new browser is significantly snappier and uses less power in my experience.
Ha! From a cold start, on my phone launching the new Firefox (with less add-ons) and loading a page seems to take approximatively twice as long as on Firefox 68, and still ~50 % more than even on Firefox 55.
Postscriptum: To be fair, after investigating a little more it seems that the cold start penalty with the new Firefox seems likely due to fixing a bug that meant uBlock and similar add-ons were previously unable to intercept the first few network connections that were happening right during startup.
So on the one hand fixing that bug makes sense and has some value, but on the other hand and in practice the increased startup time still feels rather quite annoying, too, given that my phone isn't the latest and fastest model.
> The reasons were stated repeatedly. They rewrote the mobile browser engine
*this have nothing to do with my comment*
I am talking two or three iterations AFTER that. please, stop commenting long posts where you have no idea.
yes, mozilla moved to a new engine. Before that they moved to a new extension format. etc etc etc.
All the extension developers worked on the ports already, *THEN* mozilla, only for mobile, enabled "recommended extensions" which was fine. Until they DISABLED the non-recommended (not non-updated to the new tech).
It have nothing to do with technology. In fact I have many of those extensions working on my phone by fiddling with their whitelist urls. No problem running them AT ALL.
And progress is being made. Like I said, I've personally seen most of my extensions that were initially disabled due to incompatibility, reenable themselves after update.
One needs to make a mozilla account to complete the last steps and that's where I've been holding off. Mostly out of laziness and also from lack of necessity since I just moved on to other browsers in the mean time.
So if I understand this correctly, then killing off 3rd party cookies is anti-competitive, leaving them in is anti-privacy, and putting out a privacy-enhancing alternative is also anti-competitive. Is there anything that can be done that would satisfy all regulations?
Also, this reminds me of a story I heard years ago, that a California oil change location needed to store oil above ground due to EPA regulations, but needed it stored underground to satisfy the fire department regulations. So they were constantly getting fined from one or the other, and had to just include those fines as a cost of doing business.
I think you're slightly off on that first one. Killing 3rs party cookies isn't anti-competitive, in fact I'd argue any decent browser should do it to protect their users' privacy.
What is possibly anti-competitive is their proposed alternative. And frankly I'm not sold on the supposed privacy of such an alternative either (which, in order to be functionally different from 3rd party cookies, will have to store personal identifying information in a location that users cannot access, edit and/or control).
Note also that (to my knowledge) browsers are not currently obligated to protect their users' privacy (though perhaps they should be, it makes more sense than punishing websites for sending cookies). This leaves google at least 2 completely legitimate options:
1. Keep 3rd party cookies.
2. Kill 3rd party cookies.
Sure the first will cost them their privacy conscious users and the second might hurt their ad business, but rejecting that choice on the sole grounds that it would hurt the bottom line of a different venture is textbook anti-trust. They'll probably list other reasons for not taking that second option, though I've not found them terribly convincing so far.
> Killing 3rs party cookies isn't anti-competitive
The problem is that when it comes to determining what's anti-competitive, yours is not the opinion that matters. According to the article, multiple US states, a US House submicommitee believe it is anticompetitive and now a UK regulator is also investigating whether it is. This is not a hypothetical like you think. It is what the people in power actually are on record about.
Your option 2 does not exist. Just full stop.
So we're left with the idea that every other browser in the world can improve privacy, but not the one that most people use. Do you seriously not see how fucked up that is? Why do you want to build up this garbage narrative about how it's not the fault of the authorities?
I'm having some trouble following your argument. You seem to be accusing me of the thing I'm against on the basis that my opinion isn't the one that matters.
Ok, then we're in the same boat because I also don't understand what you mean.
You're asserting that "killing 3rd party cookies is not anti-competitive". You presented no proof about this, it is just an opinion. Your entire point about what the valid options are is based on this assertion.
On the other hand, several US states and a US house committee apparently think otherwise, and the UK regulators think it at least merits investigation.
And yes, when evaluating whether there is regulatory risk from "killing 3rd party cookies", obviously the group from the previous paragraph is going to matter more than yours.
I am not "accusing you of the thing you're against". I'm not even sure what "you're against" or what the accusation is supposed to be.
Seems our communication has broken down somehow. So at this point I'm not sure how to continue this discussion, it might be better to just cut our losses. Your earlier questions are loaded in such a way that I'm afraid I don't see how I could begin to answer them in a way that still makes sense.
Perhaps it's time to recognize that the company simply need not exist in it's present form. If Google was required to spin off Chrome as an independent company, there would be no antitrust issue, and privacy protections Chrome made would not also include anti-privacy features designed to feed Google's ad business.
The reality is, Google needs to be broken up. Every fine they get makes that clear.
Yup, when there is nothing a company can do in a situation to avoid anti-trust regulation, that is a pretty good indication anti-trust regulation should have already happened.
Playing devil's advocate, how is Google & Chrome different from, say, Apple & App Store? Thinking about iOS like a browser, arguably what Privacy Sandbox does is not that different from iOS 14's AppTrackingTransparency Framework. Both require the operator of the internals not to abuse their position for there to be fair play.
The most generous thing I could say is that it feels different. However, Apple has a stronger hold on iOS than Google has on the web. On the web, at least you could switch to another browser to view the same content. Switching off iPhone requires a whole new ecosystem and hardware.
I hope people who argue for a certain treatment of Google in this case are at least consistent in the Apple case.
1. I think Apple wields a questionable monopoly with regards to the App Store. I think that they should be required to allow third party stores, at minimum, on the iPhone. I am very much hoping Epic wins their case here, and that we have a more open field on iOS in the future.
2. Apple's new privacy changes require that apps solicit user permission before doing any tracking. However, once the user has granted that, app developers are allowed to either use Apple's solution or their own.
> Thinking about iOS like a browser, arguably what Privacy Sandbox does is not that different from iOS 14's AppTrackingTransparency Framework
Apple's AppTrackingTransparency Framework harms a market that Apple is not a part of. That specific action doesn't have any monopoly connotations in my mind because it solely benefited the product that was changed. There are no knock on effects where now Apple Maps is worth more.
Also, in this case, the consumers that are harmed by Google's alleged monopoly are people who are buying ads, not people using Chrome. I don't do anything with ads, but the impression I got from other people is that it's much easier for a consumer to switch phones than it is for an advertiser to just not advertise with Google.
I do think Apple has monopoly issues, I just don't think ATT is part of it. That was a legitimate response to consumer demand for privacy.
As the window 70% of people access the Internet through globally, Chrome has nearly limitless options for monetization. Arguably, being part of Google hurts it, because it has to fit into Google's ideal business strategy.
So they’d be Firefox & wholly dependent on Google for search revenue money (I.e. ad money) anyway? Firefox already gets a lot of flack with their 3.65% & I don’t think that complaints about Chrome will stop if they’re still owning ~70% of browser market share with Google paying their bills.
The only solution that would actually work is better regulation of the advertising space, but all advertisers (Google included) actively fight this. For example, ban governments from purchasing personal information without a warrant. Ban the sale of any/all personal information between companies - any personal information transferred should be gratis with at most nominal costs for the cost of the transfer itself. But then you might have to actually start paying for some services rather than everything being totally ad supported. Not to mention that governments, despite all their outcries about “privacy” and “evil corporations” love the status quo because of how easy it makes to invade your privacy without a warrant.
Chrome already has an enterprise version with support and management tools (mostly for Chrome OS), that plus donations from Microsoft/Google could make it profitable for the team required. (Although it'd probably end up being a foundation like Mozilla)
The question is: can that income fund the Google-style salaries and benefits that are currently being payed for people working on it?
Otherwise lots of existing employees may not want to be part of this split company. If that is a large loss of talent (think veterans with lots of experience) that could hurt the quality (security, stability) and velocity of the project resulting in much less interest from those companies to pay the Chrome company for their services. What I'd suspect at that point is that Google might just fork it and develop it internally for internal use only (it's going to be hard to trust a third party browser to access internal confidential/critical resources when said third party has trouble maintaining high quality engineering talent). We're talking about state actors here that could have much easier time attacking a smaller Chrome company to introduce data exfiltration code.
Microsoft will probably have much of the high-quality engineering talent upstreaming work from Edge. Maybe Google will fork it, but nation-state actors haven't compromised Firefox (to our knowledge) even at its peak, why would they have more luck with Chrome?
No idea what icon you are speaking of. I don't use Chrome much and don't log into it when I do. I certainly don't think anyone is going to pay for the privilege.
OMG the lack of understanding of basic ad tracking in this forum baffles me.
Nobody is going to pay. But if google serve an ad for a logged out (or firefox) user, they get paid 0.05c if they serve the same ad to someone logged in (via that button or otherwise) they get paid 1.7usd.
the button is just to make you be always logged in.
You are paying all the time and don't even realize.
Chrome can not be sold for many reasons, being open source is not one of them, nothing prevents the selling of open source software, one just has to include the source or make the source available
Finding someone willing to buy chrome would be a harder problem
Indeed, especially when you have an official/trustworthy solution. For example, you could gate off value-adds for paying customers, whilst still making them open source. Sure, users can remove the "paid user" aspect and either compile it themselves or entrust that process to a third party. But the majority of users would not do so because of the effort or trust involved. (This is similar to movie piracy. Sure, it's trivial to pirate movies and music, but the majority of people pay for them.)
at the very least, Google could pay to be the default search provider... it works for Mozilla, so far, and if Google had to , even at arms length, separate Chrome from the rest of Google, it would strengthen, not weaken, the case for Google's investment in paying Apple and Mozilla for top placement, helping to reinforce competition on both the mobile and browser fronts.
It's data collection is in Chrome's DNA. They could just continue to collect data on browser usage, and then "sell" that data to Google. No need for sites to install Analytics into their website when they can get 100% of all site analytics viewed from within their browser.
A key difference here is that Chrome could sell aggregated analytics data for performance testing and such, but not allow the ad company to get user-targeting quality data. With them in the same company, this is a nearly impossible barrier to achieve.
I'll bite: why is this nearly impossible to achieve?
It may be nearly impossible to prove to you, but what makes it impossible, or even particularly difficult, to achieve if the company is interested in doing it?
limitless options? you mean ads. I don't think they can start charging users money. And if Chrome is forced to start directly monetizing, I can't see that ending well for the product. Any way they could possibly extract money from me would require it to do something I don't want, such as interjecting itself between me and an online merchant, or between me and content, or via integrations with partners I don't want (maybe even Google, which would defeat the purpose of the proposed split), or by selling a "premium" feature set. If Chrome had to make money it would suck as a product and everyone would move to safari/edge/etc bc they don't have the same pressure.
Wouldn't that make them entirely beholden to search engines that rely on ad revenue to pay Chrome? It doesn't seem to change the underlying incentives very much.
I'd say there's a big difference between having one primary customer and literally being owned by that customer. I would bet that a significant part Chrome's development is built around feeding data to other parts of Google, which would be more difficult and less appealing as a separate company.
Plus, there's no rule that says a browser has to get most of its revenue from selling Google Search placement. That just happens to be the case for the single independent browser that exists right now, one which isn't exactly renowned for great business leadership. I think if the Chrome team had a reason to explore self sustaining revenue models there's a good chance they would come up with some solid innovations.
It currently is completelly owned by Google (Alphabet) so your comment would be more of a "there is a possibility that they would end up still relying on Google's ad revenue".
It's also worth thinking that many of those big users are also the very adtech companies people are hating on here, but for some reason it's fine to fund kernels and not web browsers with ads.
It would be interesting to know if Google engineers regularly commit kernel patches breaking Microsoft's Azure integration while pushing people to Google cloud.
It survives because GPL forces it to be performed in the open, in a cooperative manner. This is not the case with browsers.
Both Linux kernel and web browsers are arguably too huge now to be even maintained entirely by a single organization, let alone to be developed from scratch by one.
Linux being under GPL kinda forces cooperation between businesses for their business needs, if they are going to tweak Linux. With browsers are you under impression that you can just fork Chromium maintained by someone else and then just add your business value for you alone to reap.
I guess ideally either Chrome or Firefox would be organized as a charitable trust with an endowment, its stated mission to service users of the web, and the EFF given a permanent seat on its board of directors.
Could go the same path as Brave: be a conduit for funding between consumer (me) and creator... then take a small percentage for facilitating the transactions.
On one end by almost literally being an extension of Google. On the other end by constantly laying off engineers. A big problem people are just handwaving away is that browsers are incredibly complex nowadays and how do you fund development of a browser engine? If you think the "Linux" model would work, well browsers already have that - it's called Mozilla and there is never any good news about them.
Brave is also funded by Google - Brave doesn't develop a browser, they develop a skin around a browser engine that Google pays millions to develop and has decided to open source.
Browsers are way more complex than OSs these days. Mozillas Servo project had over 40,000 commits and still wasn't ready for production and it was only a small part of the browser. I don't think there is anything else that could have 40k commits and still be a tech demo.
back in 1999 looking at nspr (Netscape Portable Runtime - the foundation of Mozilla) i remember thinking - it just can be packaged alone as an OS, similar to Java OS (which i had been working with before that our Mozilla project).
There is also another aspect to it - one can imagine that the time of an OS which would run web apps as first class citizens (in the correctly engineered sandboxes/etc.) just hasn't come yet. In the meantime the browsers are just ugly stop-gap 0.x version of such an OS (there is a reason they are "browsers" as their roots (incl. deep architectural roots) are in browsing of static content, and everything else is bolt-ons - the integration of JavaScript engine for example back then could be best described exactly as a "bolt-on").
I've been using Brave on mobile and my laptop (currently running Pop!_os) exclusively for about six months now, coming from Firefox. Your criticism isn't accurate, Brave doesn't insert ads into pages, it gives you the option of receiving ads in your notification stream. If you choose to allow the ads you are compensated with a small amount of a crypto currency, which you can opt to have automatically distributed to the participating sites you visit. Wikipedia, for example, is a participating site. These micropayments offer the only viable monetization alternative I'm aware of to charging for access, selling user data, or including advertising on your page. I've moved to using Brave exclusively because I want to live in a world where the web is free to access but my privacy is respected and my browser isn't crowded with ads.
Honestly several of these guys just want to promote 'break google up' every chance they get just because it makes them feel good - without understanding how bad the consequences would be.
One example: The road from security to revenue is a bit windy. So suppose chrome gets a revenue crunch after getting spun off, and lays off a bunch of the security group. Well, it turns out that security group is actually handling security for ALL of the browsers, because security is expensive, and none of the browsers are really making money, and chrome is open source. So now you've got reduced security in all of the browsers. Whoops?
Firefox is completely an independent entity from Google and the reality is that they needed to accept the manifest v3 because their survival entirely depends on Google's money. Why do you think the situation would be different from this if Chrome get broken up from Google?
No. The reason Google is killing third party cookies in Chrome (I firmly believe) is because Google—and only Google—doesn't need cookies to track you. Google owns the browser.
If Google was killing third party cookies in Chrome while also removing other tracking features, regulators wouldn't have a leg to stand on. But back in the real world, they are absolutely correct to see through Google's BS.
The claim that killing 3rd party cookies is anti-competitive is some Marketing Company Bullshit. A group in France is also suing Apple on antitrust grounds because they're going to ask users if they want to be tracked.
What's actually anti-competitive is the idea that Google will kill them off and replace it with a solution which they control, forcing advertisers to deal with them and their ad products directly in order to do anything.
Whether that's actually what's happening is another question entirely.
> needed to store oil above ground due to EPA regulations, but needed it stored underground to satisfy the fire department regulations.
Did they try building tanks both above and below ground, connecting them with two pipes so there's a circle, and constantly pumping it along that circle so it is not stored anywhere but merely in transit through both areas?
In a word, no. Google and other corporate monoliths like it depend on data, as much as they can get, as personal as it can be, and pervasive as the air we breathe. Consumers want privacy, control over their data, and the power to say no. The only sensible middle ground is for Google and others to be up front about the data, what they do with it, where it goes, etc. and the consumer having the ability to say no. Unfortunately Google, etc. cannot back away from their position because they risk losing a market edge. Perhaps PAYING users for their data, that would be an interesting middle ground, but the shareholders of the monoliths would likely reject such a proposal.
I think you're projecting the HN crowd a bit here.
The majority of normal people probably don't care as much about "privacy" as some of the vocal folks here do.
I'm not making a value judgement on that, it's simply how it is.
People want to use services like Facebook, Snapchat, Instagram or Google search/Gmail/Google Maps that have the functionality they enjoy.
If those companies can show them targeted ads vs random useless ads, the majority of people seem to be fine with that tradeoff.
I want it to be the year of the Linus desktop for a long while but I've made peace with the fact that's not the majority view. Most people are happy with a proprietary desktop that just works.
I think it is clear that the public cares about privacy but only when they are fully educated about what a given platform is doing. The public is not reading the privacy policies, or looking at the app permissions or do anything really to educate themselves on all the ways Google, Facebook, Twitter, etc are abusing their data
But if a high profile news story comes out about some privacy issue they are outraged about it.
This shows a education / knowledge gap, I dont know how to close it, or if it can even be closed but to say "no one cares about privacy" I believe is false
The public cares about privacy, yes. But only as long as its presence doesn‘t inconvenience them in any way.
People hate the GDPR pop ups. Most are badly designed (probably on purpose) and make it easy to accept all and difficult to customize/reject all. Most people are just going to click accept because it makes the box disappear faster.
Let‘s say we have the new Apple opt-in rules for Facebook. There‘s a pop-up some day asking users: „do you want facebook to be able to track you?“ many people will say no. But only because it‘s really easy/frictionless and the app presumably functions as normal.
So primarily users want to do want users want to do. They don‘t care about tracking/ads as long as avoiding them isn‘t completely simple.
The majority of users do care about privacy but its a concept they struggle to understand and they do not know when they are being tracked, what is being tracked or how to stop it.
The EU was on the right track about requiring tracking to be opt in while also having an option to say no without being blocked from the service.
> The majority of normal people probably don't care as much about "privacy" as some of the vocal folks here do.
I think you're correct, but then that makes it a no-brainer for Google. Let us opt-out, the other 99% will continue to be part of the data harvest (and they like it!). Google can say they give user's a choice.
It's a good analogy - like oil, companies industry-wide should reduce their dependence on data, and companies that still deal in it should be prepared to deal with heightened legal scrutiny and additional restrictions.
Wait wait. So Google kills off third party cookies, but then creates some new “more private” workaround, perhaps relying on some kind of trusted servers (called “FLEDGE” in the article).
And then, who gets to run those servers? Even if it’s not Google, it’s probably not just anyone, right? Does that lead to a situation where there’s some authority or group of authorities that decides whether you or your startup gets to track users? And would you suppose it would be free for anyone to join this list of approved advertisers? Or might there be a fee, or some conditions to apply?
This reminds me of a thread a few days ago where an open source browser was denied access to Google’s Widevine DRM, without which the browser would be pretty much useless for most consumers who’d like to be able to watch Netflix and such. No small-fry browsers allowed. Good luck getting out of that Catch-22.
And of another thread where it came up that if you’re trying to get a search engine off the ground, a large chunk of the internet will probably block your crawler bot, so good luck building up that search index.
Not all these things are Google’s doing (well, not that last one anyway)... but it sure starts to feel like the open web is closing up around us.
> And then, who gets to run those servers? Even if it’s not Google, it’s probably not just anyone, right? Does that lead to a situation where there’s some authority or group of authorities that decides whether you or your startup gets to track users? And would you suppose it would be free for anyone to join this list of approved advertisers? Or might there be a fee, or some conditions to apply?
This is how DNS, the IP address system, and the gTLD/ccTLD registrar list works, and it works just fine.
Maybe this is just my cynicism shining through, but I'm not sure I trust Google, or really most modern companies, to create something that wouldn't mainly be for their own benefit.
You don't really need to couch your statement with "Maybe this is just my cynicism" considering the daily news stories for years about the sociopathic behavior of many companies including google. It's absurd that anyone even defends these monstrosities let alone attacks anyone that suggests they are not trustworthy.
And now with Facebook and Twitter, the idea of the "open web" is irrelevant to most people since they get everything they want or need from those two places.
This will bounce back. What happened is that you have a large percentage of people who chose not to advance their computer skills. Instead they "mastered Microsoft Office suite" for a bullet point on a resume and were presented the internet as a suite of websites. These people are our peers.
However as more and more people are taught about coding and networking we will see a demise in the size of the former and the embrace of the open web again. They will be advertised the web as a platform for networking services and products.
Of course this all will take place by stopping Google and other corporations from monopolizing the web with help from our locked-in peers. ;)
It is so annoying to see that HN and general media have collectively decided that Google and everything it does is evil, but honestly you have no idea how good you have it right now. Google is not abusing your user data like you are made to think.
If you talk to a Google engineer, you would realise the countlesss number of measures they take to safeguard user's data - human access is next to impossible. Only machines roles are allowed to request for decryption keys and each access is logged and audited. And even the data a machine gets to see is annonymized and only aggregated analysis is usually allowed which is also required to be approved by dedicated Legal and Security teams.
Having worked at a start-up I know how much these smaller companies care about privacy - trust me you are way better with your data lying in Google servers than one of these random small companies claiming to 'protect your privacy'. I would rather trust the brilliant minds at Google to safeguard my data any day.
I would say that we have different definitions of 'abuse' in the case of Google. Of course, Google doesn't sell your data directly to anyone, allow anyone to get your metadata, or allow anyone to view your data. In that sense, I also completely trust Google to be good stewards of my data.
That said, while I agree that Google does not 'abuse' my data by giving it to others in any form, Google absolutely does use my data to try to sell me things. From my perspective, this is abuse. Google is using data that I generated to psychologically manipulate my behavior.
When Google Search, gmail, and other like services from Google were released, Google was a tech company first and foremost. These properties/services were offered for "free". At the time, most people didn't realize that "free" meant paying with your data. Now, Google is an advertising company and I do not want them to have my data because of that fact. In a similar vein, if The Trade Desk or another adtech company provided a "free" email service it would likely not be widely adopted as it would be well understood that users are paying with their data.
No, it manipulates me into seeing things it thinks won't make me kill the subscription, just like youtube doesn't suggest a good video, it suggest a video that I am likely to click on.
My problem is different, I was all in with google, and with all my data of 20 years, they couldn’t recommend me a good next video on YouTube or better search for long tail keywords for which I did found site on their very own search engine.
And I don't, but some people are more or less forced to use either Google or Microsoft products by their employers. I really wish the solution was as simple as that.
If I remember correctly you were also tracking logged out users. Are you still doing that or how do I opt out if I don't have an account? Do I have to install Chrome?
Everything below is my opinion, or information to the best of my personal knowledge. I don't speak for Google.
That lawsuit alleges that Google was tracking people (with analytics) during incognito mode, which is different from opting out of ad personalization. See https://news.ycombinator.com/item?id=23552967 for HN discussion on the topic.
Turning off ad personalization doesn't turn off tracking; it just prevents that data from being used in ads. If you want to turn off data collection altogether (for your Google account) you can manage activity altogether https://myactivity.google.com/activitycontrols. (I don't know whether this affects analytics; I assume it does, though.)
If you want to disable analytics tracking when you're logged out, you can install another extension (https://tools.google.com/dlpage/gaoptout) or just install a content blocker like uBlock Origin that blocks the analytics.js/gtag.js scripts altogether.
Though I do agree with your logic. Google won't need your login info to profile you any more than Facebook does.
Your browser FP (such as hardware device info), IP address, frequent search terms (browsing habits) and distinct pattern will be sufficient enough to identify you without logging in. Metadata is everything in locking down targets.
> but honestly you have no idea how good you have it right now.
Do me a favor:
Grab an Android phone with all the Google crap still on it, factory reset it, and actually read the obnoxious ways in which Google asks you to give it permission to track you.
"We want to improve your search results!!! Click yes!"
The small print: and thereby enable us to log EVERYWHERE you walk, drive, commute ALL DAY LONG.
And that example is rather poor, I can't even properly reiterate how brazenly they lie into your face when they make up reasons for those confirmation dialogs.
The last time I did this, I actually had to laugh at how shameless the text was worded. Everything is phrased as if it were 100% to your benefit even though it is 1% to yours and 99% to theirs.
And do not forget the fact that you cannot delete any of these apps, and IIRC Gboard (Google's keyboard) requires Internet access, does it not? In any case, I disabled all Google apps and replaced it with alternatives. I should just root my phone and delete all of it, but sadly I need "Courier Services" and whatnot. Google is everywhere, you cannot even get rid of it.
Though there's little you can do to escape Google if you are using Android, what gives me some sort of peace is blocking internet access to apps like gboard. (AFAIK it's the only keyboard with support to inline autofill; this is literally the only reason keeping me from torching the app)
Yeah, you can block Internet access, although still... I try to avoid such apps. I am using "OpenBoard". It has the same functionality from what I gathered, and it is open source IIRC. You can get it from F-Droid.
If I want (which I don't in general!) Google to serve me location specific results I will just enter the desired location into Google Maps along with the keywords.
No need to be tracked for that all day and possibly get implicated into random crimes because I happened to be near them.
That's an insanely disproportionate cost compared to the effort it spares of having to enter a location into Maps once every few weeks.
My worry is that one day Google may decide that they are going to severely abuse my data. If they build up the idea over the years that they have your data then the jump to abusing it will be much smaller.
Then ask them to delete it all. You, like most people, probably won't ask - because it's extremely convenient to have Google store all of this data. But if you think the upside isn't worth the risk, just ask and they will destroy it all for you. You don't even have to claim you live in the EU or California or somewhere else with at data protection law.
You'll probably have the choice of abandoning your account or consenting to let them use at least the new data. I know a lot of people who have decided they've had enough only to realize that so much of their life has been integrated into their Google/Apple account that they can't actually leave.
You can, but you obviously lose features [like most Google Assistant functionality if you turn off 'web and search activity' 1] or anti-features [can't view youtube or search ads if you install an ad blocker] by doing so.
I never understood why an individual would go out of their way to defend a corporation. Otherwise, found a "google engineer".
The issue most people have with it is the amount of data collected unnecessarily, rather than the practices around safeguarding it. Many "small startups" wouldn't collect it in the first place and it would be a non-issue. Even when "small startups" are collecting more information as they should, it's not in one basket and has less value without context.
This post got me into looking up what Google's privacy sandbox actually is. One proposal I found quite interesting was TURTLEDOVE, which proposes to move ad bidding onto the user device [1]. The current proposal of course uses bidding logic delivered by the ad seller. However, if this were to gain wide adoption, the step to imposing user control over bidding gets a bit smaller.
Imagine being able to tell advertisers "ok I'll look at any ad that pays me at least 50 cents" (~100X the typical price of an impression currently). If anyone wants to show you an ad at that price you know they think its going to be relevant. That's the kind of targeting I could get behind.
That would be interesting. One option that might be more practical would be to enable users to buy out the auction with a limit order. Users could say “I’ll pay at most 50 cents to view this ad-free.” Most of the time users who want to avoid ads end up paying a fraction of a cent. Sometimes users pay a little more. And occasionally somebody actually wants to target a user so they offer an actually valuable bid.
How is that inherently harmful? Doesn't charging a large sum for something offered by an ad mean, that the ad provided something of value to the user? My issue with personalized ads isn't that users end up spending money on what they offer; it's the potential for the collection of that pervasive data to negatively impact the user and broader society.
Aside from collected data being used for other purposes besides advertisement, when efficient, it allows charging the individual more than they "should" be paying. If an industry "knows" that your washing machine broke, it "knows" that you would be easier manipulated into paying a higher price (sorry for the simplification and the amount of quote marks).
>Doesn't charging a large sum for something offered by an ad mean, that the ad provided something of value to the user?
If a user was to be compensated, the payment for watching the ad is most definitely coming out from the product price in the end, so on the big scale there is no compensation.
>potential for the collection of that pervasive data to negatively impact the user and broader society.
> Aside from collected data being used for other purposes besides advertisement
In the case of the Turtledove API proposal (https://github.com/WICG/turtledove) the collected data stays in the browser and can only be used for privately targeting ads.
(Disclosure: I work for google, speaking only for myself)
This is the equivalent of saying Company X makes the best light bulbs, we fear consumers won't buy other brands and so we don't want to allow X to sell bulbs.
If anything this is a privacy concern, and a huge motivation for regulation. Cookies at least gives some iota of control to the user to stop tracking and know when its happening. However with the new approach users will be tracked all over incessantly. There is no stopping it
It's not that hard to see other companies will adopt the same architecture and kill cookies. For example, I can bet facebook is working on something similar.
Bad analogy. It's more like, the company that controls the light bulb market, also controls most of the light fixture market, and decides to push for a new type of socket that they control the IP for.
Except in the real world, unlike this analogy, they can magically change the socket of their own light bulbs and fixtures over the air at any time.
But if that socket uses 3x less power for the same light output, and the automatic update reduces the power usage of the entire world overnight, wouldn't it be a net positive? Although, I suppose it could still be viewed as an anti-competitive action.
No, this is nothing like lightbulbs. If you take the complaint at face value (limiting ad tracking for others more than yourself) it is a classic antitrust case: leveraging your earned position in one market to gain unearned advantage in an unrelated one. This disrupts the efficient functioning of markets, which makes it a problem.
Articles like this remind me of the fact Paul Graham noted a decade and a half ago that a substantial portion of "news" articles are written by PR firms.
It’s interesting how people don’t realize Google is basically saving these advertisers from bankruptcy, and yet they’re still complaining.
You realize Google could just have done what Apple is doing and completely get rid of all third party cookies with no replacement right? The privacy sandbox API is a lifeline to third party advertisers that otherwise would be completely screwed.
Once they remove cookies, Google will still be able to track you... they'll just restrict the ability of others.
Personally, I think anonymizing the web and de-incentivizing companies from collection data is a good thing, but privacy sandbox itself is just a ploy to kill competition.
Aside from the parties and parades that would be thrown over the removal of third-party cookies (were we not in a no-parties-allowed situation in 2021), it does seem a little troubling that they appear to be repeating the AMP strategy here 1:1, with an "open initiative" to replace cookies with something that is clearly owned and operated by Google for their interests with industry participation instead of an actual collaborative effort.
On the other hand, who would they collaborate with? Mozilla is busy selling VPNs or something and Apple wants nothing to do with Google's ad practices. Unpleasant all around.
This effort is similar to Chrome's previous implementation of a built-in ad blocker[1]. As before, the goal isn't to completely eliminate ads or tracking, rather it's to push the advertising industry in a direction that's more acceptable to users, with the understanding that that approach is likely better for the industry (and therefore Google) long-term.
In this case, Google wants to maintain the ability to target ads and detect click fraud, but eliminate server-side tracking as many users find the latter practice undesirable.
Given that these changes will affect the entire advertising industry, not just Google, it's unsurprising that their competitors would claim anti-trust. They have a point; Google undeniably _is_ using their control over the Chrome browser to make changes that directly impact their competitors. Google may genuinely believe these changes are good for the industry as a whole, but that might be hard to argue in court, particularly if competitors with particularly intrusive tracking mechanisms are disproportionately impacted.
Can somebody who has worked in this industry of user tracking/advertising please explain why this is still considered a technical issue as opposed to one about law/politics/social expectations/ideas, etc.? It seems that it is hard to technically prevent tracking because of things like browser and behavioural fingerprinting.
I don't intend to suggest that technical things are completely irrelevant: I'm simplifying drastically (for example, I have faith that providing software that makes decentralisation easier, and does security better will help the problem as I see it). But from my quick scan of the proposed changes from Google, I'm curious why the trackers won't just switch tactics to the next easiest thing? Don't they already do that for people who block third party cookies in fact?
As much as I want google to have competitors, I can think of no argument that disabling third-party cookies is anti-user. It is inevitable that these cookies will be blocked. I'm all for the news industry coming up with a counter-proposal but trying to keep the current, bad system is not it.
Mmm... Chrome won't accept 3rd party cookies to protect user's private. Meanwhile, Chrome is forcing all gmail users to upload their browse histories to Google. In the end, only Google has access to our browse history and can dominate the web ad market.
Is it possible that this is related to the recent Chromium sync changes?
If Privacy Sandbox adds APIs for tracking/advertising, it would be trivial for a Chromium rebuild to patch them out. If a user can use google sync with Chromium, it would be easy then to escape the tracking system. If you can only use sync with Chrome proper however, it becomes much more difficult.
Well I wonder if the alternative to cookies, the QUIC HTTP/3 Connection Migration IDs, are an end run around ad blockers, MAC spoofing, and other forms of anti-tracking measures. No way Google is going to make it harder to track people if they’re proposing a change and my understanding is that these IDs survive network switching, sessions, etc.
Good. But unfortunately there seems to be little chance of them ever actually being broken up. They're more powerful than the government of their host country at this point.
Their original "don't be evil" motto was always a little hypocritical, but now it represents a level of irony previously reserved for slave owners and religiously motivated genocide.
My heart goes out to all the other adtech companies, may you all go fuck yourselves and find you’re future endeavours in more ethical industries fulfilling.
You may not owe adtech companies better, but you owe this community better if you're participating here. We're hoping for curious conversation, not internet fulmination.
Google has dug themselves into a deep hole when it comes to anything remotely related to web advertising. They own the top 2 browsers (Chrome and Firefox), they own the largest web ad business, and a lot of web tracking technology is used for delivering ads.
Any changes they try to push for in web standards will incite an angry response even if there is the appearance/possibility of any advantage to google ads.
I think the correct way to deal with this is to do what people are expected to do in any conflict of interest case: recuse themselves from any and all web standard committees and orgs. If they aren't willing to do that, unfortunately they should prepare for an expansive anti-trust action.
No, I don't think this article has anything really to do with a better privacy outcome and everything to do with watering down Google's stance to something more status quo for the advertising industry.
There are no actual critiques of Privacy Sandbox's APIs here. There's no mention of what critics stand to lose if Privacy Sandbox becomes the standard. There's merely hand wringing of "but do you trust Google?" Everyone who's made themselves available for quoting in this article is a web advertising professional, including the ones who come off as not[1][2]. None of them care about you.
[1] James Rosewell is cited as director of "Marketers for an Open Web." He's also the CEO of a company that specializes in device detection. His LinkedIn headline reads "THE Fastest and Most Accurate Device Detection = more profitable websites"
[2] Alan Chapell is sarcastic about Google attempting to do this openly through the w3c. He's cited as running a privacy law firm. Their web site says they represent tech companies navigating privacy issues. They aren't actual privacy advocates. https://chapellassociates.com/