Google Chrome and the Future of ePrivacy
The web cookie has been commonplace since the late 90s—and third-party cookies were abundant online by 2011 when the EU and U.S. started making laws to restrict their use.
But in March 2021, Google confirmed numerous changes to its Chrome browser supposedly designed to “address the growing concerns people have about their privacy.”
Google’s proposals, which form part of its “Privacy Sandbox” project, could spell the end of third-party cookies—and would introduce a range of measures designed to protect people’s online identities.
But Google’s plans are controversial among privacy and tech experts.
What is Google’s Privacy Sandbox?
The Privacy Sandbox is a project overseen by Google’s Chromium team—the people responsible for developing Google’s open-source Chromium browser, upon which browsers including Chrome, Brave, and Opera are based.
The Chromium team describes the Privacy Sandbox as involving three “distinct tracks”:
- Creating new cross-site tracking methods
- Gradually eliminating third-party cookies
- Mitigating tracking workarounds
Let’s briefly consider what each of these three tracks involves.
1. Creating New Tracking Methods
While Google is planning to phase out certain tracking methods, the firm notes that tracking across websites is an important functionality in certain contexts, including fraud detection, authentication, and—of course—ad-targeting.
Therefore, Google is developing new “privacy-conscious” tracking methods, including:
- Federated Learning of Cohorts (FLoC): A method of clustering users into groups based on their browsing history and serving interest-based ads to all members of a particular group.
- TURTLEDOVE: An API to facilitate on-device interest-based advertising.
- Trust Token: A Privacy Pass-based API to enable fraud prevention.
2. Eliminating Third-Party Cookies
Arguably, the biggest change associated with Google’s Privacy Sandbox is the elimination of third-party cookies. This effort will involve:
- Requiring web developers to label and separate first- and third-party cookies.
- Using “first-party sets” to group related domains.
- Ultimately, removing third-party cookies.
3. Mitigating Workarounds
If there are no third-party cookies, advertisers might look for alternative means to identify, track, and profile users across websites. Some of these “fingerprinting” methods might be as invasive as third-party cookies—if not more so.
As such, an important part of the Privacy Sandbox project involves identifying and mitigating these alternative tracking methods, for example through a Privacy Budget, which will limit the amount of personal information collected about a user.
Are Google’s changes good for Privacy?
From the user’s perspective, will Google’s Privacy Sandbox proposals protect privacy?
Bennett Cyphers from the Electronic Frontier Foundation (EFF) calls FLoC (the most high-profile element of Google’s Sandbox proposals) a “terrible idea” that will create a host of new issues beyond privacy, including “discrimination” and “predatory targeting.”
Johnny Ryan of the Irish Council of Civil Liberties (ICCL) also points out that there may still be privacy issues inherent to targeting users based on a cohort rather than a unique identifier.
Furthermore, since cutting out third-party cookies means cutting out third parties, several competition regulators are investigating what Google’s proposals mean for the firm’s market dominance, including the U.K.’s Competition and Markets Authority (CMA).
Preparing for Google’s Chrome changes
Google hasn’t provided an exact date from when its Chrome changes will take effect. The proposals are still in development.
However, remember third-party cookies have been “off” by default on popular browsers for several years, including Firefox and Safari—and that Google’s changes don’t apply to Android apps.
Plus, preliminary testing of Google’s FLoC targeting model suggests that it is 95% as effective at targeting ads as Google’s previous methods (though industry groups have expressed scepticism).
Businesses seeking to prepare for the oncoming changes should consider how they can utilise first-party datasets, including mailing lists and information gathered from first-party cookies.
However, there’s a good chance that Google’s Privacy Sandbox won’t affect advertisers as much as they fear.