Google Quietly Drops New Privacy Sandbox Guidance, Clamps Down On Workarounds For Cross-Site Identity And Tracking

This article is sponsored by RTB House.

Google’s recently updated timeline for phasing out third-party cookies in Chrome wasn’t the end of the story.

Late on Friday, July 23, Google launched a dedicated website with a more detailed running timeline, which it plans to update every month. It announced the website’s launch via tweet rather than blog or press release. (You’d be forgiven for missing the news if you don’t already follow the Chrome Developers Twitter account.)

RTB House blogged about Google’s delay when it was announced, explaining why we thought it was a good move and making our own predictions about when ad tech players would need to begin their Privacy Sandbox studies to be ready for the shifted deadline.

Our estimates turned out to be quite accurate: With the new website giving more regular updates, it’s clear that advertising vendors without prototypes using Google Chrome advertising APIs built this year will have a hard time catching up to market leaders. The bottom line: The industry did not get an extra two years to prepare as previously assumed.

What can you expect next in leading Google’s Privacy Sandbox proposals?

Google’s official timeline states that proposals for both displaying and measuring ads will enter the Origin Trials phase in Q4 2021. However, the proposals aiming to strengthen cross-site privacy boundaries are planned for the second half of Q4. This is especially significant as the Fenced Frames API is among them, and it is one of the crucial elements of FLEDGE. It means Origin Trials for FLEDGE will start a little later than for FLoC, which has already been confirmed by Michael Kleber, Privacy Sandbox Lead Engineer.

It is also worth noting that the initial FLoC Origin Trials have just been finished. The setup of these tests, resulting in a scale limited to only around 0.5% of browser users from selected countries, did not allow participating entities to extract relevant insights. The next Origin Trials of FLoC – which, according to the presented timeline, are planned for Q4 2021 – are expected to be more extensive than the first.

Industry consensus is that FloC still allows potential bad actors to identify users and track them at the individual level. Mozilla’s extensive FLoC privacy analysis is a standout example of how the industry thinks about FLoC, and industry expert Łukasz Olejnik’s independent analysis has made striking conclusions about its current state (including that it can disclose information about browser use in incognito mode and that it can reveal website visit history). Obviously, these issues will need to be addressed in the next iteration of FLoC, and we’re still fairly optimistic about the ability of Chrome engineers to solve them.
Google publicly claimed that the recent Origin Trials were only the initial tests of FLoC on a small percentage of users in selected countries, and that Google “will expand to other regions as the trial expands globally.” We expect the following Origin Trials to be available in the EEA region to allow tech companies and publishers focused on the European region to test this API. Otherwise, Google will again face accusations of FLoC not being GDPR-compliant.

However, the biggest news from Google’s Friday announcement relates to the company’s updates regarding potential workarounds to FLoC. Google promised that it will share updates regarding the company’s work on reducing workarounds to cross-site tracking.

Proposals addressing covert tracking techniques, such as fingerprinting and network-level tracking, are designed to mitigate particular entropy (browser-side signals available via the network) that might be used to build server-side user/device profiles and thus functionally allow cross-site tracking without third-party cookies.

Out of all the announced proposals, three API groups seem to be particularly important because they may have a potential impact on the individual-based targeting methods:

  1. Mitigating usage of User-Agent string for building a user/device profile. [a. User-Agent Client Hints; b. User-Agent Reduction]
  2. Significantly reducing the usability of email as a cross-site identifier or for mitigating bounce tracking. [a. WebID API]
  3. Mitigating abuse of an IP address for building a user/device profile. (Yes, it is now official: Chrome plans to provide a mechanism which hides user/device IP address sharing in the second half of 2022.) [a. Gnatcatcher (IP blindness)]

Most of the presented APIs are planned to become available as soon as next year. However, there are no details as to whether the proposed dates indicate the start of testing or their final adoption. This is crucial, as these APIs will affect the targeting methods developed by vendors using browser-side signals for probabilistic identifiers working cross-site. According to various estimates, there are around 80 such vendors, and these changes will greatly limit their technological capabilities and efficacy.

These APIs may have a significant impact on cross-site identity and targeting in the cookieless future. Marketers also need to understand how the absence of particular entropies in data will affect the ultimate effectiveness of the particular audience-targeting method.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!