Google To Start Third-party Cookie Cull For 30 Million Chrome Users

From today there will be a great disturbance in Chrome – as if millions of browser cookies suddenly cried out in terror and were suddenly silenced.

On Thursday, Google is expected to begin publicly testing a version of its web browser that by default cuts out third-party cookies – bits of data deposited in the browsers of website visitors for ad-related tracking and analytics.

An estimated 30 million Chrome users – representing roughly one percent of the user base – will be involved in this experiment, which lays the groundwork for a broader third-party cookie phaseout in the second half of 2024. Since the last few months of 2023, users have been able to opt-in to third-party cookie deprecation, and now it's starting to roll out as a default to selected netizens.

Third-party cookies have proven to be harmful to privacy, so Google – motivated by rivals that are already blocking third-party cookies by default, and by regulators – has been preparing its Privacy Sandbox to give advertisers a place to play once cookies no longer satisfy the data hunger of ad tech firms.

The Privacy Sandbox is a set of APIs for delivering and measuring online ads in a way that, hopefully, avoids privacy problems.

And according to privacy researcher Dr Lukasz Olejnik, Google has more or less accomplished its goal with Protected Audience – one of the Privacy Sandbox features. On Tuesday Olejnik published his University of Edinburgh law school dissertation [PDF], titled "Reconciling Privacy Sandbox initiatives with EU data protection laws."

And his assessment of Protected Audience, formerly known as FLEDGE, is that "it is possible to use this system in ways compliant with EU data protection law."

It may even be implemented, Olejnik suggests, in a way that doesn't process personal data at all – thereby avoiding the need to present a consent prompt under Europe's General Data Protection Regulation (GDPR).

That doesn't mean the technology is flawless or unburdened by other legal obligations, like Europe's related ePrivacy Directive. But Olejnik's assessment is likely to be welcomed at Google and by other organizations looking to adopt the Chocolate Factory's purportedly privacy-preserving ad tech.

The low-down

Protected Audience, as Google describes it, is a way "to serve remarketing and custom audiences, without cross-site third-party tracking."

Here's a simplified version of how it might work. When a user is browsing a website that has implemented Protected Audience scripts, those scripts may run and place the user's browser in various interest groups (which are "owned" by a specific ad seller or demand-side platform). These groups may be informed by the related Topics API – but they exist separately.

So a visit to a bicycle website might get the user's browser added to the bike interest group. This designation exists locally in the client, and not on the server, as a privacy protection.

At some other website, the "remarketing" occurs. Protected Audience scripts might run an in-browser ad auction that incorporates the locally stored interest information – this user likes bikes – and advertisers who want to reach bike-interested folk might bid to present a related ad to the user.

The ad for the auction winner would then be presented in a Fenced Frame – a variation on the HTML inline frame element designed to prevent the site publisher from making inferences about the interests of visitors based on ad auctions initiated through site scripts.

Olejnik does not entirely give Google a pass. There is still the possibility that Europe's ePrivacy Directive could require user consent prior to ad delivery because it covers "information” collection, rather than the narrower category "personal data."

But Olejnik argues that the ePrivacy Directive is no longer suited to current technology like the Privacy Sandbox and needs to be amended – a process that European lawmakers are working on through an update called the ePrivacy Regulation. He also points out that the Privacy Sandbox has competitive implications, which is something the UK's Competition and Market Authority, among others, has been scrutinizing.

Even if Google – by Olejnik's measure – has managed to hit the mark in terms of privacy, there are other aspects of Privacy Sandbox that merit further scrutiny.

• Google pencils in limited third-party cookie purge for January
• Google dragged to UK watchdog over Chrome's upcoming IP address cloaking
• Google - yes, that Google - testing proxy scheme to hide IP addresses for privacy
• Online tracking is alive and well in link decoration

Beyond the adversarial possibilities that won't become apparent until this technology is widely deployed and challenged by efforts to break it, there are concerns about the impact of shifting ad tech auctions onto mobile devices.

Last November, Dan Appelquist, a member of W3C Technical Architecture Group (TAG), responded to a long-running request for a TAG review of Protected Audience by noting, “We remain concerned with the processing burden that this spec proposes to place on the user’s device (in terms of battery life, bandwidth, performance in general).”

Appelquist also said it appears users have no control over the interest groups they’ve been placed into. Google does say that websites and users can opt-out of the Protected Audience API, but Appelquist suggested that may not be sufficient.

“Even if the user has the ability to opt out of being part of such a group, given the number of possible groups they could be part of, this could constitute unreasonable privacy labor,” he wrote, adding that similar concerns surfaced when TAG looked at the related Topics API.

Appelquist told The Register he doesn’t have any data to quantify the resource usage of Protected Audience.

The resource cost of playing in the Privacy Sandbox was raised in December by Brave – a rival browser maker and ad seller that has been highly critical of Google's Privacy Sandbox project. "To carry out on-device ad auctions, your local instance of Chrome will download and carry around all the ads and other resources relevant to you in a catalog stored in your browser," the developer argued.

"The on-device auctions also mean your browser might be loading javascript from, say, 50 different advertisers at once just to determine which ad you'll see. In this way, users will pay for a bit more privacy with their device resources: speed, available memory, and battery life will take major hits."

The Protected Audience specification limits the owners of interest groups (ad sellers) to no more than 10MB of on-device storage space – per owner – across all interest groups. And there can be no more than 2,000 stored interest groups and 20,000 negative interest groups. It's unclear how many interest group owners can take up space on a given device.

But that does not cover ad image assets. As the Android documentation for Protected Audience explains: "In contrast to storing ads entirely on servers today, audience information and remarketing ads are stored on the device."

The Register asked Google whether it has any data to share about the resource usage and battery impact of Privacy Sandbox APIs. A spokesperson is looking into this but we've not yet heard back.

Current ad tech already imposes a significant resource burden among those using the internet, with ad trackers representing almost 20 percent of network traffic, according to AdGuard. ®