A very good read from a respected source!
FORBES. Google Chrome Will Track You For The Next 200 Days—Then It May Get Worse. 17 JUNE.
Zak Doffman
Google had planned to kill Chrome’s devilish little tracking cookies by now. But that hasn’t happened; it has been hit by delay after delay. Google’s latest updatesuggests—but does not assure—that so-called “cookie deprecation” will proceed “starting early next year.” That’s 200 days from now. It means at least 200 more days of the kind of Chrome user tracking that should have been banished years ago.
When those cookies go, they’ll be replaced with something Google says will “both protect people’s privacy online and give companies and developers tools to build thriving digital businesses.” This so-called Privacy Sandbox “reduces cross-site and cross-app tracking while helping to keep online content and services free for all.”
But the new risk for users is that those cookies might actually give way to something much worse from a privacy, security and tracking perspective.
Right now, Google is caught in a painful back and forth with regulators over how to kill tracking cookies without also killing the entire online marketing industry that relies on them. This Privacy Sandbox—put at its simplest—collects users into likeminded groups that can be served up to advertisers for targeted content rather than have them build or buy individual profiles based on digital fingerprinting.
And so, 200-plus days from now, the hope is that cookies go and something else is used instead. But there’s much to be done between Google, regulators—especially the UK’s Competition and Markets Authority (CMA), and advocates for the rest of the industry, which has argued that Google will tilt the playing field in its favor, further consolidating its position as the world’s most valuable marketing machine.
But before we celebrate any bright new future, there’s now a catch—and it’s a big one. AI. We know that search itself is likely to be reinvented by AI, a threat to Google’s dominance. We also know that Google, unsurprisingly, is retrofitting AI across its suite of platforms and services. Chrome is no different.
While the industry is caught in the debate between current tracking cookies and the new, anonymized Privacy Sandbox, AI might just sweep in and change the game enough to make that debate moot. If AI has access to a user’s search history and device-side browsing activity—theoretically, then this becomes a much more powerful and accurate form of tracking from which to infer user buying propensity. The current regulatory environment doesn’t cater for this potential.
As reported by Android Police, “we spotted the first definitive signs of [Google] adding in a new feature potentially powered by AI to make your browsing history more searchable. Alongside recent confirmation of AI’s involvement comes an entire debate about how much of our usage history we want AI to see and learn from?”
It would be straightforward to delineate between on-device and off-device processing, to create and share markers without exfiltrating an entire on-device search history, but that misses the point.
As I have already commented when it comes to Messages and Gmail, Google’s proposals to search user data archives to sharpen the context for its generative AI and tighten the parameters around its marketing machine carry grave privacy risks. As AI search becomes more predominant, the platforms with the more extensive models and the better access to data inevitably win. And access to user search history potentially adds very specific online activity and behavioral markers—akin to tracking.
All this is made worse because AI privacy policies are complex and are being ignored by an excited user base with more of a new toy overload than a spoiled kid at Christmas.
As Android Police warns, “with great convenience comes great concern… just like cloud backups, which involve entrusting a random server on the internet with your cherished memories, involving AI to make your history searchable comes with the similar privacy risk of tech companies potentially honing AI models on your data.”
They’re absolutely right—but the risk is more extensive. This privacy debate is currently being framed around AI model training, but a browser with AI markers and inferences is very capable of honing live search results as well, caveated as “on-device.” This is a one-way street we need to consider now, and not leave until it’s too late. The site reports a disclaimer within the beta code “stating Google and its human reviewers may have access to your data. Specifically, the company says it will collect your History search terms page content of the best matches, and the generated model outputs.” Take note.
Google will no doubt offer a range of tweaks and opt-outs as well as a revised privacy policy and in-app notifications if and when this AI fully hits. But most of this will be ignored. No-one has a grip yet on the implications from all this fast change, not the industry and certainly not its regulators. An urgent game of catch-up is required.
If the future prospect of Google’s AI storing and processing your entire search history isn’t thought provoking enough, the company’s Privacy Sandbox has just taken another very public hit that might give Chrome’s users a more immediate concern.
With echoes of Google’s ironic interpretation of “incognito,” a European privacy advocacy organization has just filed a claim with regulators, alleging that Chrome’s “users have been gradually tricked into enabling a supposed ‘ad privacy feature’ that actually tracks people. While the so-called ‘Privacy Sandbox’ is advertised as an improvement over extremely invasive third-party tracking, the tracking is now simply done within the browser by Google itself.”
Noyb has taken its complaint to the Austrian GDPR regulator, arguing that to do this, Google “theoretically needs the same informed consent from users. Instead, Google is tricking people by pretending to ‘Turn on an ad privacy feature’.”
The base of the claim is Google’s use of words and how those words are presented, that it says “trick” users into agreeing something they believe to be private but, it argues, is actually anything but. This doesn’t make the Privacy Sandbox proposals any worse than the current tracking cookies—tracking is tracking after all, but it does cast some doubt as to what will actually be deployed and illustrate how transparent explanations will need to be for users to understand what is happening.
For its part, Google has responded (courtesy of statement given to The Register) that “this complaint fails to recognize the significant privacy protections we’ve built into the Privacy Sandbox APIs, including the Topics API, and the meaningful privacy improvement they provide over today’s technologies, including third-party cookies.”
The Topics API is that initiative to anonymize groups of like-minded users based on their likes and areas of interest, and serve up that information to advertisers, preventing any specific individuals from being identified or followed.
“Privacy Sandbox,” Google says, “is designed to improve user privacy and provide the industry with privacy-preserving alternatives to cross-site tracking. We’ve been closely engaging with privacy and competition regulators globally, and will continue to do that to reach a balanced outcome that works for users and the entire ecosystem.” The challenge is that a “balanced outcome” still seems far from reach. I have approached Google for any comment on Noyb’s claims and its AI plans.
All very confusing for Chrome’s users, no doubt. And to be fair, there is a lot happening at once and it’s hard to keep up. Meanwhile, the irony for its 3-billion-plus users is that even the promised land of a cookie-free future will be less private than other browsers offer today—Safari, Firefox, Brave, DuckDuckGo…
That’s for now, at least. But AI will have an as yet unknown impact across the board. The industry and its regulators need to provide guidance and a set of standards. Maybe a traffic light system for tracking, data storage, model training, human review. Users will not continually monitor privacy policies, if they ever read them at all.
None of this was in evidence when Google first promised to kill off tracking cookies—but it is now. Before we get to that proposed start date in early 2025, 200 days from now, we need to refresh the debate. Otherwise what we get risks being much worse.
Zak is a widely recognized expert on surveillance, cyber and the security and privacy risks with AI, big tech, social media and smartphones. He is regularly cited in the media, with appearances on BBC, Sky, NPR, NBC, Channel 4, TF1, ITV and Fox. Zak has 25-years real-world experience in AI, cyber and surveillance. He is the CEO of Digital Barriers, which develops AI video technologies for security and defence agencies in the US, Europe and Asia. Email zak@duck.com or Signal zak.01
LEARN MORE
THE REGISTER. Google’s Privacy Sandbox more like a privacy mirage, campaigners claim. Chocolate Factory accused of misleading Chrome browser users. 13 Jun 2024
Richard Speed
Privacy campaigner noyb has filed a GDPR complaint regarding Google’s Privacy Sandbox, alleging that turning on a “Privacy Feature” in the Chrome browser resulted in unwanted tracking by the US megacorp.
The Privacy Sandbox API was introduced in 2023 as part of Google’s grand plan to eliminate third-party tracking cookies. Rather than relying on those cookies, website developers can call the API to display ads matched to a user’s interests.
In the announcement, Google’s VP of the Privacy Sandbox initiative called it “a significant step on the path towards a fundamentally more private web.”
However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn’t go away. Instead, it is done within the browser by Google itself.
To comply with the rules, Google needs informed consent from users, which is where issues start.
Noyb wrote today: “Google’s internal browser tracking was introduced to users via a pop-up that said ‘turn on ad privacy feature’ after opening the Chrome browser. In the European Union, users are given the choice to either ‘Turn it on’ or to say ‘No thanks,’ so to refuse consent.”
Users would be forgiven for thinking that ‘turn on ad privacy feature’ would protect them from tracking. However, what it actually does is turn on first-party tracking.
Max Schrems, honorary chairman of noyb, claimed: “Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google’s first-party ad tracking.
“Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite.”
Noyb noted that Google had argued “choosing to click on ‘Turn it on’ would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR.”
The Register asked Google to comment on noyb’s complaint filed with the Austrian data protection authority and will update this article should we receive a response.
Google’s Privacy Sandbox initiative is not going smoothly. In April, the UK’s Competition and Markets Authority expressed concerns about privacy and competition, and Google decided to push back the deprecation of third-party cookies in Chrome to early 2025. ®
Updated to add
Google has defended its stance, in a statement after this article was published.
“This complaint fails to recognize the significant privacy protections we’ve built into the Privacy Sandbox APIs, including the Topics API, and the meaningful privacy improvement they provide over today’s technologies, including third-party cookies,” a spokesperson told us.
“Privacy Sandbox is designed to improve user privacy and provide the industry with privacy-preserving alternatives to cross-site tracking. We’ve been closely engaging with privacy and competition regulators globally, and will continue to do that to reach a balanced outcome that works for users and the entire ecosystem.”
Richard Speed Richard is The Register’s Microsoft ecosystem reporter, focusing not just on the Windows and Azure giant but also suppliers, customers, and rivals in its orbit. He also reports on software in general and space. Beyond journalism, Richard has decades of experience working in IT, with roles ranging from software developer and development team leader to director of engineering.