Source: securityboulevard.com – Author: Richi Jennings
Privacy Sandbox inching towards reality. But concerns remain.
Google’s plan to kill the third party cookie is moving forward. Remember when I told you last year that this whole thing was on hold? Well, we’re rolling again.
The Privacy Sandbox ad-tech APIs are close to being finalized, but there’s more testing to be done. In today’s SB Blogwatch, we can’t wait another 18 months.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Science+Eurovision.
Om Nom Nom Nom Nom Privacy
What’s the craic? Frederic Lardinois reports—“Google will disable third-party cookies for 1% of Chrome users in Q1 2024”:
“Able to start testing”
Google’s Privacy Sandbox aims to replace third-party cookies with a more privacy-conscious approach, allowing users to manage their interests and grouping them into cohorts based on similar browsing patterns. That’s a major change for the online advertising industry, and after years of talking about it … it’s about to get real: … Starting in early 2024, Google plans to migrate 1% of Chrome users … and disable third-party cookies for them.
Deprecating third-party cookies for 1% of Chrome users doesn’t sound like it would have a major impact, but … it will help developers assess their real-world readiness for the larger changes coming in late 2024. … Developers will also be able to simulate their third-party cookie deprecation readiness starting in Q4 2023, when they’ll be able to test their solutions by moving [some] users to Privacy Sandbox.
With the launch of Chrome 115, most adtech developers should be able to start testing their solutions at scale. … Users can already turn on the Privacy Sandbox trials in Chrome … since the launch of the Chrome 101 beta.
Remind me: What’s in Privacy Sandbox? Abner Li obliges—“Privacy Sandbox APIs”:
Google’s work on Privacy Sandbox continues with key APIs for publishers and advertisers going live in the Chrome browser … from July (version 115) onward. These privacy-preserving alternatives to third-party cookies include:
- Topics: “Generate signals for interest-based advertising without third-party cookies or other user identifiers that track individuals across sites.”
- Protected Audience (previously called “FLEDGE”): “Select ads to serve remarketing and custom audience use cases, designed to mitigate third-party tracking across sites.”
- Attribution Reporting: “Correlate ad clicks or ad views with conversions.”
- Private Aggregation: “Generate aggregate data reports using data from Protected Audience and cross-site data from Shared Storage.”
- Shared Storage: “Allow unlimited, cross-site storage write access with privacy-preserving read access.”
- Fenced Frames: “Securely embed content onto a page without sharing cross-site data.”
Horse’s mouth? Google’s Anthony Chavez blogs about “scaled testing”:
“Operate without third-party cookies”
Over the past three years, we’ve collaborated with the web ecosystem to develop new, privacy-preserving technologies that don’t rely on cross-site tracking identifiers or covert techniques like fingerprinting. … We’re encouraged by the ecosystem engagement on Privacy Sandbox and will continue to work with the industry on how these technologies can support the transition to a more private web … for everyone.
Starting with the July Chrome release … developers can utilize these APIs to conduct scaled, live-traffic testing, as they prepare to operate without third-party cookies. … In Q1 of 2024, we plan to deprecate third-party cookies for one percent of Chrome users. This will support developers in conducting real world experiments.
All smiles and roses, then? Lara O’Reilly ain’t so sure—“Advertising and privacy groups aren’t convinced”:
“Google is overlooking big concerns”
Publishers are still greatly concerned the technologies meant to replace cookies will hurt them by preventing them from fully controlling their revenue-driving online ad businesses. Third-party cookies … allow a hotel, for example, to target ads to users who had recently been checking flight prices — and they help advertisers measure whether their campaigns are working.
In its eagerness to forge ahead with its 2024 cookie expiry date, Google is overlooking big concerns from publishers that its Privacy Sandbox technologies aren’t nearly yet up to snuff. Movement for an Open Web [said it] could hinder publishers’ ability to effectively run ad auctions, which take place in the milliseconds it takes for a web page to load, and could harm their revenue. … The nonprofit organization Prebid [has] concerns that [it] reduces the amount of control publishers have over how their ad inventory is monetized — and that it could harm competition … because it favors Google.
ELI5? phantomfive explains like we’re five:
They are moving their ad logic into the browser. Basically, the browser tells the website what “topics” you are interested in, and [the site] serves you ads based on that.
Privacy Sandbox? Whatever happened to FLoC? Richi explainifies, over at our sister site:
Federated Learning of Cohorts … (FLoC) is a flop. … Third-party cookies will soon go away, because people are fed up with being tracked. But Google’s FLoC proposal wasn’t the answer.
Google doesn’t want to invade your privacy. But Google does want to sell well-targeted ads. The key difference between FLoC and Topics is that FLoC buckets were automatically generated—and hence opaque, risking overlap with “protected categories” [such as] race or gender. But the topic classifications in the Topics API are curated and have user-visible, descriptive names.
So Google gets to track me, but other AdTech firms can’t? swillden says that’s “incorrect”:
Google is trying to move to a world in which they don’t track users at all. Google doesn’t actually want to know about you: It’s bad for PR, creates legal liability and causes them to have to deal with an endless stream of subpoenas and warrants for user data.
Google does want to do … targeted advertising … but they believe they have a scheme where the browser can do all of the tracking and analysis itself and then it will tell the ad networks (all of them, not just Google’s) what sorts of ads to show, but without giving them any user identity.
Rather than the servers figuring out that user 3824337234 is interested in monster trucks and pink tutus (oh, and incidentally that his name is John Smith, he lives at 125 Elm Street in Springville, Indiana, is an assistant manager at Wal-Mart … and is cheating on his wife) … the user’s browser will … tell the ad servers that he’s interested in monster trucks and pink tutus, and nothing else.
Fire up the Firefox fanbois? Pieroxy doesn’t disappoint:
The web works fine with Firefox because they did implement it right. Third party cookies are segregated by top level domain, so an iframe on site A can drop a cookie with no problem. The same iframe will not find its cookie when invoked from site B, but can drop a new one. That addresses the privacy issue and still allow an iframe to drop a session cookie.
Meanwhile, u/lo________________ol is amused by talk of third party cookies being turned off for 1% of users:
That’s funny. Firefox already turned it off for 100% of users.
Soph says, “Watch me unravel as I give one fact for every Eurovision finalist.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Vyshnavi Bisani (via Unsplash; leveled and cropped)
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2023/05/google-3rd-party-cookies-privacy-sandbox-richixbw/
Category & Tags: Analytics & Intelligence,API Security,Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Security,DevOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Industry Spotlight,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Security Awareness,Security Boulevard (Original),Security Operations,Spotlight,Threat Intelligence,Threats & Breaches,Chrome,cookie,cookies,FLoC,google,omnomnomnomnomnomcookie,Privacy,Privacy Sandbox,SB Blogwatch,Topics,tracking cookies – Analytics & Intelligence,API Security,Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Security,DevOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Industry Spotlight,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Security Awareness,Security Boulevard (Original),Security Operations,Spotlight,Threat Intelligence,Threats & Breaches,Chrome,cookie,cookies,FLoC,google,omnomnomnomnomnomcookie,Privacy,Privacy Sandbox,SB Blogwatch,Topics,tracking cookies