Privacy Sandbox may have just hit a serious snag.
In a document published last week, the Technical Architecture Group (TAG), a prominent working group within the World Wide Web Consortium, referred to the first-party sets (FPS) proposal within the Privacy Sandbox as “harmful to the web in its current form.”
TAG also cast doubt on the viability of the Privacy Sandbox itself:
The “Privacy Sandbox” initiative proposes (among other things) to restrict "third-party cookies", which would align with other browsers and with general industry trends. However, this proposal seeks to redefine what it means to be a third-party cookie. In that context, the efficacy of the "Privacy Sandbox" initiative is thrown into question.
In other words, you can’t profess to be playing by the rules, then turn around and change the rules of the game.
You’re (not) it
TAG’s role is to review proposed changes to the web so as to determine the broader implications. The group helps document and build consensus around principles of web architecture.
The group has 10 members, including representatives from Samsung, Apple, Microsoft and Intel. (Google is not represented.)
TAG’s feedback came in response to a review request from a Google web security engineer who was essentially looking for the group’s blessing on the concept behind the FPS proposal. If TAG likes a proposal, that brings it one step closer toward getting on the recommendation track to becoming a web standard.
In this case, the blessing was not given.
First-party sets would allow a user’s identity data to be sent to related domains without violating privacy restrictions.
A collection of domain names owned by the same entity would be considered first party and therefore still be able to share data between them when Chrome stops supporting third-party cookies. Meredith, for example, could pass data between People, Better Homes & Gardens and Martha Stewart Living.
That may sound straightforward, but it’s less intuitive than it seems, said Joshua Koran, head of Zeta Innovation Labs, particularly for the consumer.
“The challenge with this proposal is that most people do not know the extent of corporate ownership over certain brands,” Koran said, “which is the real reason domain ownership is not a great boundary for interoperable data.”
For example, he said, most people probably don’t know that Dairy Queen, Geico and Duracell are all owned by Berkshire Hathaway.
“Should they be able to share data across these different companies, but their competitors – Baskin Robbins, Nationwide and Energizer – are prohibited?” Koran said. “This is the practice that is currently framed in the FPS proposal.”
TAG also takes issue with the fact that first-party sets, as currently designed, could override consumer choice in favor of “commercial considerations” by allowing user agents or browsers to “approve sites as a set in the interest of those sites or cookie-issuers (like advertisers), rather than in the interest of the user.”
But that’s not all: FPS could pose an anti-competition problem.
With first-party sets, Google could easily transfer data between its own properties, including YouTube.com, Fitbit.com, Google.com and Google.co.uk. Yet other publishers wouldn’t be able to take advantage of their second-party data partnerships.
“It is likely that this proposal only benefits powerful, large entities that control both an implementation and services,” TAG wrote in its response. TAG also acknowledged that there have been “strong objections” and “pushback” on first-party sets from multiple parties.
That’s a consequential statement coming from the W3C working group charged with the “stewardship of the Web architecture” as part of its remit.
“This is the first time to my knowledge that TAG have used their influence to raise matters related to competition, [and] if this is a signal of a change in thinking from TAG, then this will be significant for Privacy Sandbox and very welcome,” said James Rosewell, CEO of 51Degrees.
Not everyone think that Google’s first-party sets proposal is inherently problematic, though.
FPS is not perfect and the mechanism needs to be expanded and more clearly defined, said Jürgen Galler, CEO and co-founder of European cookieless DMP 1plusX, the company behind SWAN, another Privacy Sandbox proposal that aims to tweak the first-party sets API to make it more useful for publishers.
But to “label it as ‘harmful’ is going too far in my view,” Galler said.
“We are all out here to improve the web experience for users,” he said, “and [a first-party set] is actually a required basis to build good user experiences.”
Without a solution along the lines of first-party sets, publishers will be forced to bring all of their properties under one domain, he added, “which will likely impact the web and users much more than a controlled FPS setup.”
Getting chastised by TAG isn’t a good thing, but the W3C can’t force anyone to do anything. It’s a consensus-building body whose job is to get competitors and stakeholders to collaborate on common standards for the web.
The W3C can’t and won’t prevent a browser or any other type of company from deploying a piece of technology.
That means Google doesn’t have to continue pushing for general acceptance of its Privacy Sandbox proposals, including first-party sets. That being said, it wouldn’t be a good look to forge ahead with no consensus whatsoever.
The likeliest outcome here is that Google will address some of the concerns raised before making another attempt to achieve broader consensus and buy-in.
A Google spokesperson shared this statement: "The Privacy Sandbox proposals are developed as part of the collaborative, open web standards process. We look forward to responding to the feedback in ongoing discussions and continuing to work with the W3C and broader web community to find solutions that improve privacy while maintaining a healthy ecosystem."