The end of third-party cookies on Chrome and Privacy Sandbox: false privacy protection

Chrome says it will defend your privacy, but above all it is protecting its advertising model

Published by Pixel de Tracking on January 22, 2020

The end of third-party cookies on Chrome, within 2 years

Last week, Google announced the end of support for third-party cookies in Chrome within 2 years, as tweeted Justin Schuh, Chrome's Director of Engineering Trust & Safety.

Tweet_Justin_Schuh

This announcement had been expected for a long time, since Chrome was lagging behind other browsers when it comes to blocking third-party trackers, as John Wilander notes, the Apple engineer responsible for the privacy protection system Intelligent Tracking Prevention (ITP), integrated into Safari.

Tweet_John_Wilander

Google's motivations

Google had already hinted at its intentions last August, saying that it wanted to better protect the privacy of Chrome users while carefully differentiating itself from other browsers, which block third-party cookies directly without offering advertisers alternatives. The 2 arguments highlighted at the time :

  • Blocking third-party cookies encourages the use of fingerprinting, a process that creates a user's fingerprint from the characteristics of their browser, extensions, IP address, etc. Unlike cookies, the user cannot easily reset their fingerprint. Chrome's efforts to block fingerprinting are laudable (but far from unique: Firefox and Safari are already fighting fingerprinting), but this argument is fallacious to say the least: fingerprinting is a dirty practice, and cannot be used as an alibi to justify the use of third-party cookies.
  • Blocking third-party cookies reduces publishers' advertising revenue; Google bases this on an internal study that reports an average revenue drop of 52% when third-party cookies are removed. The figure is credible (in my experience, the drop is much more severe in RTB), but it is not very convincing to put forward a study based on the internal advertising tool DoubleClick, only 3 pages long and without any external audit.

Alternative proposals that respect privacy?

As alternatives, Google therefore created the “Privacy Sandbox” project in order to write down its initial ideas and preempt discussions with other browsers, the advertising ecosystem and the web in general. Google's stated goal is to create new privacy-preserving standards; Google's hidden goal is to allow its advertising model, based on surveillance capitalism, to flourish. Unlike Apple or Firefox, blocking third-party cookies without a plan B is not possible for Google, for several reasons:

  • Google would be shooting itself in the foot by killing DoubleClick, its dominant advertising tool among publishers and advertisers, as well as AdSense, its advertising network that is also dominant on the web.
  • Google could partly compensate for the loss of advertising revenue linked to DoubleClick and AdSense (commission on publishers' advertising revenues and on advertisers' advertising expenses) by transferring advertisers' expenses to its own sites (Google AdWords, YouTube, etc.), but would be attacked for abuse of a dominant position.
  • Google would attract the wrath of publishers due to significant losses in advertising revenue.

In order to move towards the creation of new standards, Google therefore invites stakeholders from the web and the advertising ecosystem to participate in discussions within the W3C Web Advertising Business Group on its proposals. By the end of 2020, Google aims to carry out the first tests, first on conversion measurement, then on personalized advertising. But if we look in detail, as the EFF does, at Google's Privacy Sandbox proposals, it appears that they do not protect user privacy, but rather Google's advertising model: surveillance capitalism.

Conversion measurement

Today, this measurement is possible without third-party cookies, but only for analytics tools. When clicking on an ad (for example, a sponsored link on Google), the user is redirected to the advertiser's site with a tracking parameter in the URL. This parameter is captured by the analytics tool, which places a first-party cookie. This cookie is then sent to the analytics tool while the user browses the site, until a possible purchase, making it possible to link the purchase back to the initial click. If conversion measurement is carried out by the tool that serves the ad (examples: the Criteo retargeter or the advertiser's ad server), that tool serves from its own domain and therefore places a third-party cookie. The advertiser must install a script from this tool on their conversion page to carry out the measurement.

How can this be done without third-party cookies? It should be noted here that Apple has already proposed a W3C technique to measure conversions without tracking users, called "Private Click Measurement". Google copies Apple with its “Conversion Measurement API”, but in a crude way: the advertiser can add metadata to the click on an ad, including the URL of the conversion page, the conversion reporting URL, and an additional identifier. This information is then stored by the browser, which can then return the additional identifier to the reporting URL if the user converts. Problem: Apple passes 6 bits of information in the additional identifier (i.e. 2^6 = 64 different values, which allows the advertiser to know which advertising campaign and which ad "converted", but does not allow individualized tracking), while Google passes 64 bits of information (2^64 different values), which makes it possible to track each user.

Personalized advertising

Google proposes here to use the user's browsing history in order to assign them to a cohort. The process, called “Federated Learning of Cohorts” (or FLoC), allows machine learning models to be used locally and updated without sharing all user information (browsing history) with the network (if you want to know more about Federated Learning, I recommend Google's excellent comic strip on the subject).

All this seems promising. The problem is that, according to Google's proposal, the cohort in which your browser classifies you will be sent in the HTTP header of all sites with which you interact (actively or passively, so advertisers are included). This will allow the same advertisers who track you today almost everywhere on the web to infer a lot of additional information about you from this cohort (a bad credit score, belonging to a minority, what you like, where you go...), without any transparency (a local machine learning model). E-commerce sites will be able to study cohort behavior and adapt their message and pricing to the target. Also, websites that currently respect your privacy (by not using third-party cookies) will not be able to choose not to receive your cohort.

Conclusions

While it is too early to judge the alternatives that the Chrome team will put in place to replace third-party cookies, the first proposals suggest that Google will first prioritize its advertising business model, not respect for the privacy of its browser users.