Mozilla Asks: Will Google's Privacy Sandbox Protect Advertisers (and Google) More than You?

On Mozilla's blog, engineer Martin Thomson explores Google's "Privacy Sandbox" initiative (which proposes sharing a subset of private user information — but without third-party cookies).

The blog post concludes that Google's Protected Audience "protects advertisers (and Google) more than it protects you." But it's not all bad — in theory: The idea behind Protected Audience is that it creates something like an alternative information dimension inside of your (Chrome) browser... Any website can push information into that dimension. While we normally avoid mixing data from multiple sites, those rules are changed to allow that. Sites can then process that data in order to select advertisements. However, no one can see into this dimension, except you. Sites can only open a window for you to peek into that dimension, but only to see the ads they chose...

Protected Audience might be flawed, but it demonstrates real potential. If this is possible, that might give people more of a say in how their data is used. Rather than just have someone spy on your every action then use that information as they like, you might be able to specify what they can and cannot do. The technology could guarantee that your choice is respected. Maybe advertising is not the first thing you would do with this newfound power, but maybe if the advertising industry is willing to fund investments in new technology that others could eventually use, that could be a good thing.
But here's some of the blog post's key criticisms:

• "[E]ntities like Google who operate large sites, might rely less on information from other sites. Losing the information that comes from tracking people might affect them far less when they can use information they gather from their many services... [W]e have a company that dominates both the advertising and browser markets, proposing a change that comes with clear privacy benefits, but it will also further entrench its own dominance in the massively profitable online advertising market..."

• "[T]he proposal fails to meet its own privacy goals. The technical privacy measures in Protected Audience fail to prevent sites from abusing the API to learn about what you did on other sites.... Google loosened privacy protections in a number of places to make it easier to use. Of course, by weakening protections, the current proposal provides no privacy. In other words, to help make Protected Audience easier to use, they made the design even leakier..."

• "A lot of these leaks are temporary. Google has a plan and even a timeline for closing most of the holes that were added to make Protected Audience easier to use for advertisers. The problem is that there is no credible fix for some of the information leaks embedded in Protected Audience's architecture... In failing to achieve its own privacy goals, Protected Audience is not now — and maybe not ever — a good addition to the Web."

Yes.

[iAmWaySmarterThanYou]

Eom

Re:

[Anonymous Coward]

Google will do anything if they think they will make more money from it. Making more money is the **ONLY** thing they care about. There is nothing wrong with making money, but it should be done fairly and responsibly.

They don't care about you, they don't care about privacy. Any talk about those subjects is merely a smoke-screen to distract you from what they are really doing. You can have privacy or you can use Google's services. You can't have both.

Re:

[JustAnotherOldGuy]

Don't worry, I'm sure it'll be completely safe and bug-free and that there will no possible way to exploit any part of it.

This is Google's big move

[Press2ToContinue]

in the ad game. It's supposed to keep your browsing private while still slinging ads your way. But, here's the kicker: it boosts Google's grip on ads, leaving the little guys out in the cold. And for all its talk about privacy, there are holes you could drive a truck through. So, while it sounds all high-tech and privacy-friendly, it's not hitting the mark. It will make Google even tougher to beat in the ad world.

Re:

[Anonymous Coward]

I don't weep for the would-be small-time advertising operators. I've been doing my best to keep them out of my browser for many years.

And it's very hard to sympathize with users who choose Chrome.

Re:

[AmiMoJo]

The holes are smaller than the existing ones, and there is a timeline to remove them. Plus it doesn't interfere with privacy enhancements or introduce new forms of tracking if you don't opt in.

If it does give Google ads an advantage, well they are already under investigation over there ad business so... If true, it seems unwise.

Re:

[WaffleMonster]

The holes are smaller than the existing ones, and there is a timeline to remove them.

Most people tend to grade the intentional making of new holes on a slightly different curve than fixing existing design defects. This is especially true for holes your competitors fixed years ago by default without introducing new holes.

Plus it doesn't interfere with privacy enhancements or introduce new forms of tracking if you don't opt in.

Regarding privacy the privacy sandbox is opt-out not opt-in.

Re:

[AmiMoJo]

They aren't new holes. They are just delaying cutting off the existing ones, because they are being investigated for unfair practices against other advertising companies. They are giving them more time to adapt, which sucks because it means it takes longer for us to get better privacy.

That said it doesn't affect me because I block all that stuff anyway.

Re:

[bradley13]

This. Google is trying to make all the right noises to deceive the public into thinking they care about privacy. What they are really doing, is erecting a moat around their advertising data. Anyone with any concern about privacy should - indeed must - object to this.

It is far better to keep 3rd party cookies, which you can block.

Hey, we were using that!

[The New Guy 2.0]

Sites like Google and CJ usually pay if a user still has a cookie or other sign that says they came from a sponsored site... up to about 30 days later.

Now, if you go from one browser to another, they have only the IP address to go on... come on, we don't want to tie up these networks any further. "Privacy" is one thing... but didn't the whole world register from DoubleClick when they offered a million dollar contest back in 1999? When there's free content, the ad has to work... or do you want a paywalled everything?

Re:

[Iamthecheese]

Ads don't need tracking to work. If a company needs to track me to survive it can die a very swift death, and that includes web sites of every type.

Re:

[The New Guy 2.0]

Uh, you're on free Slashdot... this site uses tracking ads.

Re: Hey, we were using that!

[pitch2cv]

Cookies rejected and AdAway, and I browse only ever in Private tabs. Can't remember last time that I've seen an advertisement on any of my devices or machines.

If you see them and let them track your browsing, that's your own choice. Good boy.

Re:

[Teun]

It's a while that I read Slashdot and the only time ever that I saw ads they were not on my computer.

Re:

[AmiMoJo]

There is a new API. Actually two, Apple has their own version. It sends a ping at a random time up to a week after the ad was clicked, and with a limited amount of information so that is verifiable as unique and genuine, but not identifiable.

This is obviously the reason

[Kyogreex]

"[E]ntities like Google who operate large sites, might rely less on information from other sites. Losing the information that comes from tracking people might affect them far less when they can use information they gather from their many services... [W]e have a company that dominates both the advertising and browser markets, proposing a change that comes with clear privacy benefits, but it will also further entrench its own dominance in the massively profitable online advertising market..."

Google also supported the GDPR even though they have since paid major fines because of it, and I'd bet they would do it again.

That's not to say that increased privacy is somehow a bad thing, but that Google wants to use it to destroy the competition. I think that needs to be addressed somehow.

Re:

[rudy_wayne]

Google also supported the GDPR even though they have since paid major fines because of it

Google supported the GDPR because it doesn't matter to them.

When you have as much money as Google, laws no longer apply to you. You can literally do anything you want, and if anyone tries to stop you, you just keep throwing more lawyers at them until the problem goes away. Or bribe a few more politicians to get the law changed. In the rare case when this doesn't work, you agree to pay a fine that amounts to less that the profits you have made in the last 27 minutes.

Re:

[AmiMoJo]

It seems impossible, short of breaking up all the big networks. Did you have a solution in mind?

Re:

[Opportunist]

Why would you assume that shaking Americans out of their funk would do any of this?

I'm fairly sure, most Russians by now know what's going on in their country. But I fail to see the mass uprising.

No thanks

[PPH]

If this is possible, that might give people more of a say in how their data is used.

"If this is possible". No thanks, Google. I'm not falling for your prevarication. How about you just don't collect information about me. And your customers collect only that information necessary to complete a transaction*. And then don't share that with anyone else. I don't need a "say" in how my information is used if you don't have it in the first place.

*I am shocked and saddened that vendors don't see a problem with leaking the customers' data to third parties. Third parties that may very well become competitors and steal business from them at some point.

Re:

[AmiMoJo]

That's exactly what this does. It stops Google and anyone else collecting info about you, beyond what they can gather from their own websites.

Instead of site operators collecting data, the browser does. It takes content signals from sites you view, and compiles a list of interests. Sites can then request a short list of interests, which the browser randomly selects from its longer one. There are protections to prevent things like repeating requests. You can also send an empty list, which is what what incogn

Re:

[PPH]

Instead of site operators collecting data, the browser does.

I don't really care where they get it from. So they're storing stuff on my computer instead of on their server. That just relieves them of storage costs. Plus provides an easier link between what I search for/buy on various sites. It all comes from my PC so no need to cross reference between various sites data.

I clear my cookies off for much the same reason. If I'm interested in something, I'll search for it. I'm not really sure about these "incognito modes". Sites can certainly tell the difference between

Re:

[AmiMoJo]

No, you don't understand. They can't get that data. It's not even synced with your other devices. It never leaves your local machine.

I'm not saying it's flawless, there are issues such as some of the categories might be an issue for some people in some cultures, but that's still better than the current situation.

Re:

[TractorBarry]

> some of the categories might be an issue for some people in some cultures.

If they're running a Debian based O/S they can probably fix this with a simple "apt-get update && apt-get upgrade culture".

Re: No thanks

[guruevi]

I can see a millÃon ways to abuse this. First of all, a website or Google can store a unique tag and then identify that across platforms as long as there is a backchannel between the sites, itâ(TM)s basically a third party cookie by another name. Even if you say it is randomized, you can still ask a million times and turn it into a unique fingerprint.

From what I understand about the design it works only if the website you visit, Google and the advertiser have absolutely no connections at all and n

Re:

[AmiMoJo]

Why don't you head over to their Github and discuss it? That's what I did, and some of my input contributed to them dropping the old FLoC implementation in favour of this one, which does address many of the issues raised.

I don't know what this "unique tag" you talk about is supposed to be, but Chrome won't allow cross site access to data in the browser. Third party cookies are the only way at the moment, and those are going away this year. And as I said, they can't ask a million times. It creates a list per

Re: No thanks

[guruevi]

So then you can uniquely identify based on the list itself generates and how long it stays the same. As long as I can query ANY information about preferences and exchange said information for money it will be abused.

The correct way of solving this would be the other way around, load 1000 ads in your privacy buffer unrelated to the website you are visiting, randomly pick with the rate and interests a user wants it to show until a certain quota has been (both views and times) met that refreshes the buffer. Wi

Re:

[AmiMoJo]

The list is per domain, so it only works for tracking on a single site, which they can easily do anyway with local cookies, IP address, Javascript, local storage etc. Of course, you can block it, like you already block those other things. Or screw with them and send a random list every time.

Your idea of pre-loading ads is interesting, but has some issues. First it means it needs to download 1000 ads, a major issue on metered connections, and requiring some of the user's storage. Second, it would be a nightm

Re:

[guruevi]

The domains for ads are all very similar, they all come from the same domain exactly for the current method of cookie tracking which is generally also restricted by domain. So as I said, this is just cookie by another name.

Re:

[AmiMoJo]

So given that clearly contains less information that a cookie, mathematically speaking, and that you can easily block it... What's the problem?

Re:

[strikethree]

How about you just don't collect information about me. And your customers collect only that information necessary to complete a transaction*. And then don't share that with anyone else. I don't need a "say" in how my information is used if you don't have it in the first place.

If everyone is doing it, then it is clearly authorized by the US government. Good luck fighting THAT battle. The US government is directly benefiting from outside sources keeping full track of who you are because it contains a LOT of data that the US government is strictly prohibited from collecting.

TL;DR, fighting an end-run around the Constitution will require a full on revolution. There is no other way to change the state of affairs.

Re:

[strikethree]

If everyone is doing it, then it is clearly authorized by the US government.

Smoking weed?

I dunno bro. How many people do you see sitting in prison for collecting information that the federal government wants and how many people do you see sitting in prison for smoking weed?

Nuke it from the orbit

[sinij]

I have no other words but this.

Perfect for a data randomizer

[Drakker]

All the data is in one place, and everyone has access to it? That's the perfect tool for privacy. Let's make data randomizer plugins/extensions for all major browsers that puts meaningless garbage in there and by all means, there you go advertisers, you can use all the data in this superb sandbox! It's all yours! Take it, I insist!

Re:

[KiloByte]

AdNauseam.

Re:

[AmiMoJo]

That's what it does. Sends a random selection of the larger list, with protections to stop things like repeatedly querying or correlation. Stuff like font and plugin detection is simply being removed.

Re:

[Growlley]

just send them back 'kitty litter' to clean up their shit

Never happen

[La Onza]

A Google that doesn’t surreptitiously collect user information is not a Google.

How about this?

[jenningsthecat]

How about we just get loudly, gratingly, demandingly insistent that our elected representatives and legislators put an end to all of this raping of our privacy? Surrendering our personal data should NEVER have become a condition for using the Web.

Will they say it's difficult at this late stage to claw our privacy back? Too bad - do it anyway. Will they say that companies will have lower profits and may go out of business because of it? Good! Victimization shouldn't be a business model, and the more brutally that lesson is delivered the less likely the perpetrators will be to repeat the crime.

Google is effectively saying "we'll only rape your privacy a little bit and we'll give you a say in the process". That's the ploy of a wheedling extortionist and should be treated as such. As I've said before - fuck Google, NOT gently, with a chainsaw, sideways.

The EU seems to be showing some spine when it comes to dealing with corporate tech overreach - I can only hope that North America follows their example.

Re:How about this?

[gweihir]

The EU seems to be showing some spine when it comes to dealing with corporate tech overreach - I can only hope that North America follows their example.

The only way this will ever happen is when giving money to politicians gets recognized as the corruption it is and gets outlawed. Will this happen? Very, very unlikely in a nation that prays to the great God Mammon.

Re:How about this?

[bradley13]

I heard an alternative proposal that was at least funny: Require politicians to wear the logos of their sponsors, just like the Formula 1 racers. That way, it would at least be clear which company had bought which politician.

Re:

[gweihir]

That would be funny! Would probably not fix the problem though.

Re:

[sabbede]

If nobody could donate to political candidates, then who could run for office except the very wealthy?

Re:

[gweihir]

And how do you think Europe does it? The way this works is that a _party_ gets government funding if it reaches a certain number of votes. Using your own money in a campaign is at least frowned upon and in some countries illegal. You know, somewhat fair conditions for everybody running for office.

Re:

[JustAnotherOldGuy]

How about we just get loudly, gratingly, demandingly insistent that our elected representatives and legislators put an end to all of this raping of our privacy?

Good luck with that.

I mean, I feel the same way, but the chance of this happening is microscopic. Our elected representatives and legislators can't agree on the simplest of things, let alone anything that requires some real work and cooperation.

You could float a resolution saying "Puppies are cute", and 30% would disagree because that's all they know how to do. Being opposed to things and fucking shit up are the only tools in their box.

Obviously

[gweihir]

Google does not do anything to protect its customers willingly. They protect a) their advertisers and b) their reputation (well, sort of). The only reason for this "privacy" sandbox is that Google thinks it can get them more ad revenue.

Users should be in charge of privacy

[u19925]

I always use Safari private mode. Every tab is a separate clean private session with no crappy information dimension or lurking third party cookies.

If I log into any site, then that tab is exclusively used for that login session and nothing else and I close the tab when done with that website. All other tabs are just anonymous that I continuously recycle and keep destroying my ad profile built by cookies. Since I am not logged into any of those tabs, the life cycle of my profile is only till I destroy the t

time for a

[Growlley]

Suppository in their repository.

That will be fixed

[NotEmmanuelGoldstein]

... your choice is respected.

That flaw will be fixed in version 2.0.

NO and NO :)

[Mirnotoriety]

NO and NO :)

Yes. Duh.

[Opportunist]

It's Google's job to piss in your cereal bowl and your job to find a way to eat around it.

Side channel attacks?

[juancn]

If we can get information from branch mis-predictions to read memory, it looks like being able to query this thing to select ads, could expose a side channel to extract the hidden information.

I'm not sure it protects that much, and might expose much more to a determined attacker.