Google’s Chrome team on Thursday proposed a “privacy sandbox” that’s designed to give us the best of both worlds: ads that publishers can target toward our interests but that don’t infringe our privacy. It’s a major development in an area where Chrome, the dominant browser, has lagged competitors.
Browsers already include security sandboxes, restrictions designed to confine malware and limit its possible damage. Google’s proposed privacy sandbox would similarly restrict tracking technology, according to proposal details Google published.
The privacy sandbox is “a secure environment for personalization that also protects user privacy,” said Justin Schuh, a director of Chrome engineering focused on security matters, in a privacy sandbox blog post. “Our goal is to create a set of standards that is more consistent with users’ expectations of privacy.”
For example, Chrome would keep some private data inside the browser — an approach that rival Brave Software has taken with its privacy-focused web browser. And it could withhold personal data until it has been aggregated across a large group of people, using technologies called differential privacy and federated learning.
Privacy is a major concern among tech giants, with Apple leading the charge in many ways. The debate has proved challenging for Google, which offers useful, free services like search and Gmail that show ads. It’s also one of the biggest companies other website and app publishers use to show ads. The issue has been especially pointed for Chrome, where protecting our privacy is at odds with its ad business.
The privacy sandbox, the result of months of work by Google researchers, is a major step that, if it works and is accepted by websites and advertisers, could help Google out of its privacy pickle.
It’s not clear what the ultimate effect of Google’s privacy sandbox work will be, but it’s notable that the company is even considering changes. About 83 percent of its revenue — $33 billion in total — came from advertising, so the company has a powerful incentive to keep online ads as profitable as possible.
Targeted ads — those that are customized according to preferences websites and advertisers infer from our online behavior — are worth more to publishers. Google also released study figures that say publishers’ ad revenue drops 52% when browsers block the text files called cookies used to track our behavior and target ads.
It’s good to hear Google talking seriously about privacy, said Brave Chief Executive Brendan Eich, who previously led Mozilla’s Firefox browser. But he also voiced skepticism about how successful Google’s effort will be.
Tracker blocking becomes commonplace
Blocking cookies that track us across sites is becoming common. Apple’s Safari is the highest-profile browser that does so, with technology called intelligent tracking prevention. Firefox has begun blocking tracking by default, too, and Brave has done so since its launch in 2016. Microsoft’s new Chromium-powered Edge also will block tracking.
Another problem with blocking tracking cookies is that websites and advertisers continue to keep tabs on us using technology called fingerprinting. It’s not as strong a signal as tracking with cookies, but it can help identify us, and all major browsers are working on approaches to block fingerprinting.
“Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong,” Schuh said.
Online advertising has acquired a stigma because of privacy concerns. If you aren’t buying a product, you are the product, a popular saying goes. Translation: Free, ad-supported sites and apps survive by selling your personal data to advertisers.
But simply making everybody pay for everything brings other problems. News publishers are increasingly relying on paywalls that restrict free articles, but that also restricts their readership and means wealthier people have an easier time protecting their privacy.
“Blocking cookies without another way to deliver relevant ads significantly reduces publishers’ primary means of funding, which jeopardizes the future of the vibrant web,” Schuh said.
But privacy can’t wait and “the status quo is simply not tenable,” said Peter Dolanjski, Mozilla’s director of security and privacy products. Mozilla contacted publishers before enabling its anti-tracking technology by default, he said. “While acknowledging that there’s a negative revenue impact, many publishers we’ve talked with view this as a short term issue while online advertising catches up to the new reality,” he said. “Essentially, they view privacy as being part of their long-term strategic business interests.”
Nuts and bolts of Google’s privacy sandbox
Google’s proposal has several mechanisms to shut down conduits that today leak personal and identifying information. Among them:
- An idea called federated learning of cohorts (FLOC) that uses machine learning software in the browser itself to assess people’s interests. That information can then be shared with advertisers only when it reflects large groups of people — yes, flocks — so ads can be targeted without advertisers knowing individuals’ personal details.
- A trust token that advertisers and publishers can use to reduce ad fraud by grouping web users into two segments — trusted and untrusted. Ad fraud involves bogus views and clicks of ads that mean advertisers have to pay even when no human is actually seeing the ad. Today’s efforts to detect ad fraud often rely on tracking individuals.
- A conversion measurement technology that’ll let advertisers figure out which ads lead to successful outcomes like people buying an advertised product. That’s complicated, especially given that people might view an ad on one site and buy the product on another, but Google acknowledges its proposal has weaknesses even for more straightforward cases. Its conversion measurement technology is therefore likely to be one of many efforts needed “to reproduce valid advertising use cases in the web platform in a privacy preserving way,” Google said.
- A “privacy budget” that would limit how much personal information a website can access, part of the effort to thwart fingerprinting.
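Two of the mechanisms above, cohort-based interest sharing and a per-site privacy budget, can be sketched as a small model. The code below is an added illustration, not Google’s code and not a description of how Chrome implements FLOC or the privacy budget. It assumes a hypothetical browser that (a) computes an interest cohort locally and only reveals it when at least k other users share it, and (b) charges each site an assumed number of identifying bits per fingerprinting surface read, answering with a generic value once the site’s budget would be exceeded. The bit costs, user data and site names are constructed for the example.

```python
"""Toy model of two Privacy Sandbox ideas: cohort sharing gated on cohort
size, and a per-site privacy budget that caps fingerprinting-surface reads.
Added illustration only; nothing here is Google's or Chrome's code."""
import hashlib
from collections import Counter

# --- 1. Interest cohorts, released only when large enough ---------------------

def cohort_id(interests, buckets=64):
    """Map a user's browsing-derived interests to one of `buckets` cohort ids.
    Computed locally: the raw interest list never leaves this function."""
    key = ",".join(sorted(set(interests))).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % buckets

def releasable_cohorts(users, k):
    """Cohort ids whose population is at least k. A smaller cohort could
    single out its members, so the browser withholds it entirely."""
    counts = Counter(cohort_id(i) for i in users.values())
    return {c for c, n in counts.items() if n >= k}

def advertiser_view(user, users, k):
    """What a site may learn about `user`: the cohort id if the cohort is
    large enough, otherwise None (the user looks like anyone else)."""
    c = cohort_id(users[user])
    return c if c in releasable_cohorts(users, k) else None

# --- 2. A per-site privacy budget for fingerprinting surfaces -----------------

# Assumed identifying bits revealed by each surface (constructed, not measured).
SURFACE_BITS = {
    "user_agent": 4.0,
    "screen_size": 3.0,
    "timezone": 2.5,
    "installed_fonts": 8.0,
    "canvas_hash": 9.0,
}
# Generic answers returned once a site's budget is exhausted.
GENERIC_VALUE = {
    "user_agent": "Mozilla/5.0 (generic)",
    "screen_size": "1920x1080",
    "timezone": "UTC",
    "installed_fonts": [],
    "canvas_hash": None,
}

class PrivacyBudget:
    """Cap on identifying bits each site may collect. The first read of a
    surface by a site is charged its bit cost; repeat reads of the same
    surface are free (no new information); once a read would exceed the cap,
    the browser answers with the generic value instead of the real one."""

    def __init__(self, limit_bits):
        self.limit = limit_bits
        self.spent = Counter()   # site -> bits consumed so far
        self.charged = set()     # (site, surface) pairs already paid for

    def read(self, site, surface, real_value):
        cost = SURFACE_BITS[surface]
        if (site, surface) in self.charged:
            return real_value                 # already learned, nothing new
        if self.spent[site] + cost > self.limit:
            return GENERIC_VALUE[surface]     # budget exhausted: degrade answer
        self.spent[site] += cost
        self.charged.add((site, surface))
        return real_value

    def remaining(self, site):
        return self.limit - self.spent[site]

if __name__ == "__main__":
    # Constructed users: two share an interest profile, one is unique.
    users = {"alice": ["cars", "hiking"], "bob": ["cars", "hiking"],
             "carol": ["knitting"]}
    for name in users:
        print(name, "->", advertiser_view(name, users, k=2))

    # Constructed site reading fingerprinting surfaces against a 10-bit cap.
    budget = PrivacyBudget(limit_bits=10)
    for surface, real in [("user_agent", "Mozilla/5.0 (X11; Linux x86_64)"),
                          ("screen_size", "2560x1440"),
                          ("canvas_hash", "9f2c..."),
                          ("user_agent", "Mozilla/5.0 (X11; Linux x86_64)"),
                          ("timezone", "Europe/Berlin"),
                          ("installed_fonts", ["Fira Code", "Noto Sans"])]:
        print(surface, "->", budget.read("ads.example", surface, real),
              "| remaining bits:", budget.remaining("ads.example"))
```

The gating threshold k and the bit costs are the policy knobs: raising k shrinks what advertisers learn about any one person, and lowering the budget forces sites to choose which surfaces matter to them, which is the trade-off the proposal describes between relevant ads and fingerprint resistance.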
Google’s proposal, while comprehensive, also brings plenty of challenges. Its success hinges on winning over publishers, advertisers and other browser makers. And Google is proposing new standards for the web — a collaborative development process that often takes years.
Originally published Aug. 22, 7:20 a.m. PT.
Updates, 9:49 a.m.: Adds comment from Brave; 10:26 a.m.: Includes further background; 1:09 p.m.: Adds further background; 2:06 p.m: Adds comment from Mozilla.