Third-party cookies have been the lynchpin of online advertising for many years. Plans to phase cookies out forever continue to run at a steady pace, with Google in the driving seat. In 2019, it announced its vision for a “Privacy Sandbox”. The building blocks for this were essentially:
- Most aspects of the web need money to survive, and advertising that relies on cookies is the dominant revenue stream.
- Blocking ads or cookies can prevent advertisers from generating revenue, threatening #1.
- If you block easily controllable methods like cookies, advertisers may turn to other techniques, like fingerprinting, that are harder for users to control.
The Privacy Sandbox mission is to “Create a thriving web ecosystem that is respectful of users and private by default”. The intention is to create a set of rules that will work well for everybody. No third-party cookies, no incredibly specific individual marketing profiles, and data is kept on your device as much as possible. User data is anonymised and grouped into “cohorts”, and those cohorts with similar interests will then see targeted ads. In this way, users aren’t compromising privacy and advertisers can still deliver targeted ads, but will struggle to map out individual identities.
Broadening the scope of user privacy
This all sounds reasonable enough. A push for standards where user data sharing is greatly reduced, but ads can still function as intended is likely much better than what we have now. The wheels often come off on long-term plans like this, so it is to their credit it’s still very much happening.
You can see some aspects of web control already offered by Google in this blog from 2019:
- My Activity: Look at searches, websites visited, videos watched. It’s sort of like your browser history, but on a grand Google scale, with options to disable aspects of search or location.
- Ad Settings: Possibly the most relevant to this subject, as it shows how your ads are personalised. This is done via data you’ve added, Google’s best guesses, and data from advertisers partnered with Google. My standout highlight was the assumption I’m into extreme sports, flower arranging, and country music. I guess I’m obscuring my actual interests in a very privacy conscious fashion.
Slow and steady wins the race?
Tackling third-party cookies isn’t a particularly new idea, and both Safari and Firefox have been bringing the hammer down, to various degrees of severity. But the companies behind those browsers don’t depend on ad revenue in the way that Google does. Which is why what Google is attempting is not a straightforward ban; it’s trying to find ways to replace the old system entirely. There are many, many arguments about this subject. Some advertisers claim organisations are doing this to keep users behind their own walled garden of advertising and tracking. Others say whatever you replace the old system with, will either be ignored or worked around.
This last point has some validity to it. While the major advertising players will probably work with the new methods, this leaves a gap in the market for shenanigans. Not everybody will play nice. Many smaller networks are entirely reliant on individual tracking. In some cases, they may not be able to adapt—or might not want to.
Tearing up the rulebook
CNAME cloaking, where analytics firms make third-party cookies look like first-party cookies to get around ad-blocking, has been in the news recently. We can expect a lot more of these tactics as the inevitable demise of third-party cookies draws closer.
Much is still unknown about the proposed replacements too. We don’t know exactly how people might extract themselves from specific cohorts should they feel the need to, for example. Or even if it will be possible. If I see targeted, extreme-sport-flower-arranging ads all over the place, what options are available to “fix” it?
These are good questions to ponder while Privacy Sandbox continues its 2 year plan to bring the curtain down on the ubiquitous third-party cookie. We look forward to seeing what comes next, and cast a cautious eye in the direction of ad networks everywhere.
The post Will Google’s Privacy Sandbox take the bite out of tracking cookies? appeared first on Malwarebytes Labs.