4 Big Questions about Google’s new privacy position

This note examines Google's planned advertising system, and highlights privacy, data protection, and competition questions. 

Author: Dr Johnny Ryan 

In January 2020 Google announced that it was considering a major change in how its online advertising system operates.[1] Hidden machines on the Internet (servers) would no longer track a person and haggle over which ad to show them. Instead, this process would happen privately on the person’s own device.  To do this, Google’s web browser (which is called Chrome) would take over some of the most important functions of the online advertising industry.

This approach is not entirely new. My previous employer, Brave, launched a similar system in 2019.[2] A few months after Google’s January 2020 announcement, it hired Brave’s Chief Product Officer, David Temkin.

On 3 March 2021, Temkin published a remarkable statement on Google’s blog. The statement confirmed that Google would radically change its online advertising system. It also said that Google now opposes “any technology used for tracking individual people as they browse the web”.[3]

That statement also said that “advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising”.[4] This is a remarkable claim for Google, because it is the market leader in tracking-based advertising.

A technical note provides more detail on how Google’s new advertising system will work.[5] Publishers, advertisers, and adtech firms decide whether to categorise a person as part of an “interest group”. The Chrome browser stores this categorisation on the person’s device, and then runs auctions on the device to determine which ad is shown to the person and how much is paid:

“For each interest group, the browser stores information about who owns the group, what ads the group might choose to show, various javascript functions and metadata used in bidding and rendering, and what servers to contact to update or supplement that information.”[7]

Google uses the language of “membership” and “joining”[6] as though a person had consciously classified him or herself. This rhetorical trick may be reflected in the message that Google starts to show Chrome users in April.

Google will trial its new advertising system with advertisers in the next few months.[8] This raises four big questions.

Four Big Questions

  1. It is not clear whether Google’s new approach protects privacy, because critically important aspects of the system have not been defined.
  2. Google may expose itself to competition complaints on at least three fronts.
  3. It is not clear how the creation of a new market for “interest groups” will affect legitimate publishers.
  4. Algorithmic discrimination remains possible even without data about individuals.

Question 1: Too many unknowns to judge whether Google’s new ad system protects privacy

Google has not yet provided sufficient information to judge whether its new advertising system will end the enormous data free-for-all among the thousands of companies active in the online advertising industry. It relies on privacy safeguards such as “trusted servers”, isolating data on the person’s device, and targeting groups of people rather than individuals. However, these safeguards are only vaguely described.

i) “Trusted server” system is not defined

Google’s new system relies on what it calls “trusted servers”. They receive information about everyone, and operate according to principles that are supposed to make them trustworthy but which are currently undefined.[9] These servers are responsible for delivering advertisements, for reporting to advertisers and website owners,[10] and for providing other information.[11]

While it is possible to create confidential systems,[12] Google’s documentation hints that it may cut corners to achieve a quick launch:

“We expect a robust discussion in early 2021 on what sort of server-trust models seem feasible to browsers and buyers, with the expectation that initially productization speed is essential, but trust requirements may increase over time”.[13] (emphasis added)

Google also suggests that selected buyers can receive “contextual signals about the page that come from the buyer’s server, if the seller is an SSP which performs a real-time bidding call to buyer servers and pipes the response back, or if the publisher page contacts the buyer’s server directly”.[14] Google does not appear to describe how this could be done without compromising privacy.

ii) Important thresholds not defined

Google’s new ad system will group people who share similar advertising targeting characteristics into “interest groups”. But it has not yet defined the minimum threshold (“k-anonymity threshold”) for the size of an interest group and the degree of uniqueness of characteristics of people within it.

Also, Google plans to set a minimum number of people that can be shown a particular ad, to avoid microtargeting.[15] But, as Google acknowledges, this number is not yet defined.

iii) Important privacy technology not yet defined

As a general note, and as Google acknowledges, there is little technical detail in Google’s documents.[16] For example, Google plans to use what it calls “worklets” to isolate each auction on the device, so that the data used in each is not linked.[17] There is no detail on how these will work.

Question 2: Competition and self-preferencing

Google said that it would not use unique identifiers in its own advertising products.[18] However, at least three competition and self-preferencing questions arise:

First, it is not clear whether this also means that Google’s advertising products will refrain from using the data it collects about people who use Google services, or about people who use websites and apps that rely on various behind the scenes Google infrastructure and products. It may be possible that Google can do so without using identifiers.

If so, then Google will continue to benefit from its vast and unlawful internal data free-for-all, but will close off the external data leakage that allowed competitors to unlawfully operate in the conventional online advertising system.[19]

Second, it may be that Google’s ownership of Chrome allows it to create the most valuable interest groups, and thereby dominate the new market of interest groups. 64% of Internet users use Google’s Chrome browser.[20] Google would have an overwhelming ability to create high value interest groups if the browser can create interest groups.

Google’s documentation says that “the browser will only allow the joinAdInterestGroup() operation with the permission of both the site being visited and the group's owner.”[21] This appears to suggest that Google cannot create interest groups except where it owns the sites concerned, or has the permission of the owner of that site. Complete certainty is important on this point.

Third, Google has been accused of advertising auction rigging in the past. For example, ten United States Attorneys General filed a lawsuit against Google late last year that alleges, among other things, that Google was “literally manipulating the auction”[22] to advantage itself and Facebook. Google will be subject to complaints unless it can demonstrate that the auctions it now controls within Chrome are immune to such interference.

Google will be exposed to competition complaints and litigation if it leaves any room for doubt on any of these three points. This could undermine the viability of a new approach to privacy.

Question 3: how will the creation of a new market for “interest groups” affect legitimate publishers?

Google’s plan will create a new market for interest groups. This is potentially valuable for legitimate publishers:

“A publisher (or a third party working on the publisher's behalf) might create and own an interest group of people who have read a certain type of content on their site. Publishers can already use first-party data to let advertisers target their readers on the publisher site. A publisher-owned interest group could let publishers do the same even when those people are browsing other sites. Publishers would presumably charge for the ability to target this list.”[23]

For a decade, conventional tracking-based advertising technology has exposed legitimate publishers’ audiences to “third-party” technology companies, who can then identify them when they appear on other websites and apps. As a result, publishers have surrendered their ability to exclusively sell their own audiences over the last decade. Walt Mossberg, co-founder of Recode, explained how this works:

“I was seated at a dinner next to a major advertising executive. He complimented me on our new site’s quality... I asked him if that meant he’d be placing ads on our fledgling site. He said yes, he’d do that for a little while. And then, after the cookies he placed on Recode helped him to track our desirable audience around the web, his agency would begin removing the ads and placing them on cheaper sites our readers also happened to visit. In other words, our quality journalism was, to him, nothing more than a lead generator for target-rich readers, and would ultimately benefit sites that might care less about quality.”[24]

This is what publishers have been allowing “ad tech” companies to collect for free for years. Even as Mathias Döpfner, the CEO of the big Axel Springer publishing group, wrote an open letter decrying the theft of his audience data by Big Tech firms,[25] data about the people visiting its websites to read his letter was leaked to hundreds of ad tech firms. In Google’s new ad system this cross-site tracking and audience leakage will presumably no longer happen.

However, Google says “the default policy is to allow all in the top-level page”. Unwary publishers may therefore continue to leak their audiences to other companies.[26] In addition, as noted in Question 2, above, the question of whether Chrome itself can create interest groups is critically important. Publishers should demand clarity on the exact meaning of section 1.1 of Google’s FLEDGE document, and on whether Chrome is able to create its own interest groups.[27] They should constantly monitor any changes that Google makes to that arrangement in the future.
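To make the mechanism concrete, the following is an added illustration, not code from this note, from Chrome, or from the WICG explainer. It is a toy in-memory model of three things discussed above: the browser storing interest groups and running the auction on the device (the technical note quoted near the start), the site-plus-owner permission check on joinAdInterestGroup() and the “allow all” default quoted in Questions 2 and 3, and a k-anonymity gate standing in for the thresholds that Question 1 says Google has not defined. Only the name joinAdInterestGroup() comes from Google’s document; the policy objects, data shapes, group sizes, bidding logic and the value K_MIN are assumptions constructed for this example.

```javascript
// Added illustration for this note: a toy, in-memory model of the flow the FLEDGE
// explainer describes. NOT Chrome's code and NOT the explainer's sample code.
// Everything except the name joinAdInterestGroup is an assumption: the policy
// objects, the data shapes, the group sizes and K_MIN are constructed here.

const K_MIN = 100; // assumed threshold; the explainer left the real value undefined

// The browser-side store: one entry per (owner, name) interest group.
function createBrowserStore() {
  return { groups: new Map() };
}

// Modelled on section 1.1: joining needs permission of both the visited site and
// the group's owner. sitePolicy.allowAll models "the default policy is to allow all
// in the top-level page"; ownerPolicy.allowedSites is the owner's own allow list.
function joinAdInterestGroup(store, group, ctx) {
  const { visitedSite, sitePolicy, ownerPolicy } = ctx;
  const siteAllows = sitePolicy.allowAll || sitePolicy.allowedOwners.includes(group.owner);
  const ownerAllows = ownerPolicy.allowedSites.includes(visitedSite);
  if (!siteAllows || !ownerAllows) return false;
  store.groups.set(`${group.owner}/${group.name}`, { ...group, joinedFrom: visitedSite });
  return true;
}

// On-device auction. groupSizes stands in for the membership count that, in the real
// design, a "trusted server" would supply; here it is a constructed Map. Groups with
// fewer than kMin members are skipped: that gate is the only thing stopping a tiny
// "interest group" from being used to microtarget the few people in it.
function runAdAuction(store, { contextual, groupSizes, kMin = K_MIN }) {
  let winner = null;
  for (const [key, group] of store.groups) {
    const size = groupSizes.get(key) ?? 0;
    if (size < kMin) continue;
    for (const ad of group.ads) {
      // In FLEDGE the owner's bidding logic runs in an isolated worklet; here it is
      // a plain function attached to the group object.
      const bid = group.generateBid(ad, contextual);
      if (bid > 0 && (winner === null || bid > winner.bid)) {
        winner = { group: key, ad: ad.renderUrl, bid };
      }
    }
  }
  return winner;
}

// Worked scenario with constructed data. kMin is a parameter so the same scenario
// can show how the still-undefined threshold changes the outcome.
function demo(kMin = K_MIN) {
  const store = createBrowserStore();
  const bidByTopic = (ad, ctx) => (ctx.topic === ad.topic ? ad.baseBid * 1.5 : ad.baseBid);

  const shoes = {
    owner: 'dsp.example', name: 'running-shoes',
    ads: [{ renderUrl: 'https://dsp.example/ads/shoes', topic: 'sport', baseBid: 2 }],
    generateBid: bidByTopic,
  };
  const rare = {
    owner: 'dsp.example', name: 'rare-condition',
    ads: [{ renderUrl: 'https://dsp.example/ads/rare', topic: 'health', baseBid: 9 }],
    generateBid: bidByTopic,
  };
  const ownerPolicy = { allowedSites: ['news.example'] };

  const joined = [
    // news.example keeps the default: any owner may add its readers to a group.
    joinAdInterestGroup(store, shoes, { visitedSite: 'news.example',
      sitePolicy: { allowAll: true, allowedOwners: [] }, ownerPolicy }),
    joinAdInterestGroup(store, rare, { visitedSite: 'news.example',
      sitePolicy: { allowAll: true, allowedOwners: [] }, ownerPolicy }),
    // paper.example restricts owners, and dsp.example is not on its list: rejected.
    joinAdInterestGroup(store, shoes, { visitedSite: 'paper.example',
      sitePolicy: { allowAll: false, allowedOwners: ['other-dsp.example'] }, ownerPolicy }),
  ];

  // Constructed membership counts: one large group, one tiny one.
  const groupSizes = new Map([
    ['dsp.example/running-shoes', 5000],
    ['dsp.example/rare-condition', 12],
  ]);

  const winner = runAdAuction(store, { contextual: { topic: 'sport' }, groupSizes, kMin });
  return { joined, storedGroups: store.groups.size, winner };
}
```

With the assumed K_MIN of 100, demo() reports that the third join was refused by the restrictive site policy and that the 12-person group is never auctioned, so the running-shoes ad wins with a bid of 3. Calling demo(10) instead lets the 12-person group through and its higher bid of 9 wins: the threshold that Google has not defined is exactly what decides whether a near-unique group can be used to reach a near-unique person.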

Question 4: Algorithmic discrimination

Subject to the issues identified in Question 1, above, Google’s new ad system may remedy part of the data protection crisis that Google and others have created in the online advertising system. If this happens, the hazard of data-based discrimination will be reduced. However, a central system can discriminate against a category of person without receiving data about individual people. It will still be possible to discriminate (against minorities, for example) by using targeting on people’s devices. Google does not mention this problem, though it does discuss the hazard of micro-targeting. If 2021 does mark the start of a new system for online advertising, it would be wise to design better for the hazards to come.

Conclusion

Despite saying that it will launch this new system in the next few months, Google has published very little detail about it. It is not possible to know whether Google’s new approach will protect privacy, or whether it will advantage Google.

Data protection and competition supervisory authorities must obtain answers from Google. It is essential that Google conduct thorough data protection impact assessments, and that the Irish Data Protection Commission examine this in detail.[28]

Notes

[1] Michael Kleber, "TURTLEDOVE", Web Incubator Community Group, January 2020 (URL: https://github.com/WICG/turtledove/blob/master/Original-TURTLEDOVE.md).

[2] “Brave launches the first advertising platform built on privacy”, Brave, 24 April 2019 (URL: https://brave.com/brave-ads-launch/).

[3] David Temkin, "Charting a course towards a more privacy-first web", Google, 3 March 2021 (URL: https://blog.google/products/ads-commerce/a-more-privacy-first-web/).

[4] ibid. 

[5] Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[6] For example, the technical instruction specified by Google is “joinAdInterestGroup” and the example interest group is titled “myGroup” in ibid.

[7] ibid.

[8] ibid.

[9] See Design Elements in ibid.

[10] Section 5 in ibid.  

[11] Section 3.2 also says that trusted servers (using key-value protections) will receive real-time information without k-anonymity protection. See section “3.1 Fetching Real-Time Data from a Trusted Server” in ibid.

[12] Brave had already implemented technologies that maintain anonymity during advertising reporting. See https://github.com/brave/brave-browser/wiki/Security-and-privacy-model-for-ad-confirmations and https://github.com/brave/brave-browser/wiki/Randomized-Response-for-Private-Advertising-Analytics and https://brave.com/privacy-preserving-product-analytics-p3a/ So it is likely that Google can develop similar solutions. These solutions will need to be carefully scrutinised.

[13] Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[14] Section 3.2 also says that trusted servers (using key-value protections) will receive real-time information without k-anonymity protection. See section “3.1 Fetching Real-Time Data from a Trusted Server” in ibid.

[15] Sections 1.2 and 3.3 in ibid. 

[16] For example, Temkin’s post refers to a Google white paper on Federated Learning of Cohorts (FLoC), but the paper merely presents “a good starting point for experimentation within the browser”. Deepak Ravichandran & Sergei Vassilvitskii, "Evaluation of Cohort Algorithms for the FLoC API", Google (URL: https://github.com/google/ads-privacy/blob/master/proposals/FLoC/FLOC-Whitepaper-Google.pdf).

[17] See Design Elements and section 2.1 of Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[18] David Temkin, "Charting a course towards a more privacy-first web", Google, 3 March 2021 (URL: https://blog.google/products/ads-commerce/a-more-privacy-first-web/).

[19] Johnny Ryan and Cristina Caffarra, "Ending the ‘Data Free-For-All’: Antitrust Vs GDPR enforcement", Euractiv, 22 January 2021 (URL: https://www.euractiv.com/section/digital/opinion/ending-the-data-free-for-all-antitrust-vs-gdpr-enforcement/), and Johnny Ryan, "Failure to enforce the GDPR enables Google’s monopoly", Brave Insights, 18 February 2020 (URL: https://brave.com/competition-internal-external/).

[20] According to StatCounter (URL: https://gs.statcounter.com/, accessed 8 March 2021).

[21] Section 1.1 in Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[22] Paragraph 14 of Texas, Arkansas, Idaho, Indiana, Kentucky, Mississippi, Missouri, North Dakota, South Dakota, Utah v Google, Case 4:20-cv-00957, 16 December 2020 (URL: https://www.courtlistener.com/recap/gov.uscourts.txed.202878/gov.uscourts.txed.202878.1.0.pdf).

[23] Design Elements in Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[24] See “Mossberg: Lousy ads are ruining the online experience”, The Verge, 18 January 2017 (URL: https://www.theverge.com/2017/1/18/14304276/walt-mossberg-online-ads-bad-business). Hat tip to Alan Toner who found this quote.

[25] Mathias Döpfner "It's time for Europe to take private data from the hands of powerful tech monopolies and give it back to the people", 27 January 2021 (URL: https://www.businessinsider.com/big-tech-private-data-facebook-google-apple-europe-eu-2021-1).

[26] Section 1.1 in Michael Kleber, "First Experiment (FLEDGE)", Web Incubator Community Group, 22 January 2021 (URL: https://github.com/WICG/turtledove/blob/master/FLEDGE.md).

[27] ibid. 

[28] See Article 35, GDPR.