Google’s Privacy Sandbox
First, large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected.
This has been criticized unfairly, I think. Mass cookie blocking really did start an arms race that led to fingerprinting. And now we can’t turn back the clock to when the old privacy techniques worked. He’s not saying that turning off cookie blocking will improve your privacy; it’s a comment on the second order effects of everyone blocking them.
Second, blocking cookies without another way to deliver relevant ads significantly reduces publishers’ primary means of funding, which jeopardizes the future of the vibrant web.
This part is also disputed, the implication being that advertisers are vastly overpaying for targeting that doesn’t actually work. I suppose that’s possible, but I don’t find it intuitive.
We want to find a solution that both really protects user privacy and also helps content remain freely accessible on the web. At I/O, we announced a plan to improve the classification of cookies, give clarity and visibility to cookie settings, as well as plans to more aggressively block fingerprinting. We are making progress on this, and today we are providing more details on our plans to restrict fingerprinting. Collectively we believe all these changes will improve transparency, choice, and control.
But hidden behind the false equivalencies and privacy gaslighting are a set of real technical proposals. Some are genuinely good ideas. Others could be unmitigated privacy disasters. This post will look at the specific proposals under Google’s new “Privacy Sandbox” umbrella and talk about what they would mean for the future of the web.
Of course, none of this is to say that Google isn’t also doing all sorts of stuff to track you.
Previously:
- Safari’s Intelligent Tracking Prevention
- How Your Phone’s Battery Life Can Be Used to Invade Your Privacy
- Canvas Fingerprinting Instead of Cookies
- Why Refusing Third-Party Cookies Will Be Worse for Privacy
8 Comments RSS · Twitter
@Jean-Daniel No doubt the abuse happened first. But there’s no race without two sides competing.
Also, even without any cookie blocking, advertisers would have done fingerprinting anyway, to work around the users control and ability to delete cookies. So realistically, blocking cookies did not cause advertisers to aggressively violate norms of privacy - advertisers were already doing this, and would have continued to do this regardless.
Here’s my solution for targeting advertising - let me select the areas I am interested in voluntarily. Have the web browser provide that list (with random additions and subtractions each time to avoid fingerprinting). Then I can get ads that vaguely interest me, and the advertisers can get off my damn lawn!
Quite poor form from Google to blame fingerprinting on third-party cookie blocking. Fingerprinting has been on the privacy radar for many years – I think it was around 2010-2011 that the various browser makers started to (seriously) tighten the information about the user-system that browser would display. The EFF’s panopticlick tool (https://panopticlick.eff.org) has a long history highlighting those fingerprinting/profiling issues.
> Mass cookie blocking really did start an arms race that led to fingerprinting
This might technically be true, or it might not, but either way, it's a very strange point to make. It's a bit like saying "sorry about all of the people being shot, but it's only because you banned knives."
> advertisers are vastly overpaying for targeting that doesn’t actually work
Isn't the actual problem the opposite? Marketing spending on the web is way behind what it was on print. So it sounds like targeted advertising is actually less valuable than non-targeted advertising. So the whole premise that you have to have targeted ads in order to make money just doesn't track with what happened in the real world; the more targeted ads became, the less money they generated.
@Lukas The linked piece says that targeting does generate more money, just not very much more. There are lots of potential reasons for Web spending to be lower. First, the ad budget is being shared with other media. It’s also possible that businesses were willing to spend more when they couldn’t measure results as well. When they have proof that it wasn’t working as well as they thought, they scale back.
> Marketing spending on the web is way behind what it was on print.
Do we have numbers on that?
Could it be that there's been a race to the bottom in advertising, similar to the app store race to the bottom? We have a similar situation where a couple of companies, Google and Facebook, have come to dominate the market, and part of this is by undercutting the competition in price. So web spending would be overall lower both because the prices are lower and because there are fewer places to spend ad budgets: you pay Google and Facebook, with not a lot of other choices. Google and Facebook benefit from this situation, but nobody else does.
> It’s also possible that businesses were willing to spend more when they couldn’t measure results as well
I think that's exactly the problem: measuring the direct impact of advertising does not actually measure the results of advertising, it only measures the most basic way in which people might respond to an ad. But that's not the actual value of advertising. If I see an ad for a Coke and don't immediately go to the store and buy a Coke, does that mean that the ad had no value? Certainly not; even though most people don't react to Coke ads in that way, it's pretty obvious that Coke's ads are a major reason for its dominant market share.
This goes alongside targeting. I think targeting also devalues advertising, because it assumes that the goal of advertising is to find "vulnerable" individuals, and then trigger them to act in a specific way. Clearly, ads don't actually work like that in most cases, which is why, when you value ads by this yardstick, they're worthless.
The more we provide these kinds of tools for targeting and measuring ads, the more we measure their value by this weird, niche definition of effectiveness, and the less valuable they become.
>Do we have numbers on that?
I don't know if there are hard numbers, but multiple publications have noted that their online ad revenue is a fraction of their offline ad revenue, even if the reach of the online ads is much higher. It's pretty obvious that measuring and targeting devalues advertising.
> Google and Facebook benefit from this situation, but nobody else does.
I don't think Google and Facebook benefit from lowering the value of advertising.
"Mass cookie blocking really did start an arms race that led to fingerprinting“
It's hard to argue that mass cookie blocking "start" the arm race. It was done in result to mass cookie abusing by ad networks.