Watchdog reveals lingering Google Privacy Sandbox worries

The UK Competition and Markets Authority (CMA) still has privacy and competition concerns about Google's Privacy Sandbox advertising toolkit, which explains why the ad giant recently again delayed its plan to drop third-party cookies in Chrome until 2025.

Google for the past few years has been trying to reinvent the software that delivers targeted ads online because the legacy approach, which relies on files called cookies that get used for ad tracking and measurement, denies privacy.

The Chocolate Factory refers to its suite of advertising application programming interfaces (APIs) as the Privacy Sandbox, though regulators and privacy advocates continue to raise doubts that the software lives up to its name.

Ad industry rivals, not so much concerned about the privacy aspect of the whole affair, worry that Google's reimagined tech stack will put them at a competitive disadvantage by denying them the data they use to make their ads more effective.

Last year, Google started rolling out early versions of specific Privacy Sandbox APIs, like the Topics API, in its Chrome browser, in order to test the technology. The ad targeting tech has since been made available for Android applications.

The Topics API allows ads to be targeted at users of Chrome, Edge (soon), and Android devices based on interests conveyed through online interactions. The API uses an on-device classifier model to generate a list of interests inferred from browsing activity, based on a publicly accessible taxonomy that presently includes 469 topics like "Arts & Entertainment."

The API each week determines – locally instead of over a network – a person's top five topics, based on visited sites that implement the Topics API. The website publishers and third-party ad providers on sites supporting the Topics API receive a random list of up to three of the visitor's top five topics over the past three weeks, for a maximum total of five. These interests can be used to present ads that reflect what the visitors presumably want to see.

But the system is complicated and Google's assurances about the privacy advantages of its approach haven't convinced everyone, perhaps as a result of the company's persistent involvement in privacy scandals.

The CMA on Friday issued its latest update on Google's commitments to implement its Privacy Sandbox ad technologies in a way that doesn't put rivals at a disadvantage.

The report incorporates input from the UK Information Commissioner's Office (ICO), which oversees privacy issues. A leaked draft of the ICO's Privacy Sandbox assessment earlier this week revealed that the ICO still believes the technology isn't living up to its name. And now those concerns have been publicly articulated.

The CMA report lists almost 80 issues that have yet to be resolved to the satisfaction of UK regulators.

"The regulators are showing real concern about some significant areas – from latency and the role of cloud providers through to governance and privacy," said James Rosewell, co-founder of Movement for an Open Web, an advertising interest group, in a statement. "These are fundamental issues that are not going to be addressed overnight. The fact that the issues list is growing as the technology gets closer is a sign that Google has tied itself up in knots that it simply can’t unwind."

Rosewell argues that Google has not put enough thought into the governance of the new ad regime being proposed – most competitors don't want Google giving itself new gatekeeping powers – and that competing ad targeting schemes should be able to compete fairly in an open market.

Among the CMA's lingering worries about Google's technology, there's concern that the Topics interest-based ad mechanism doesn't explain itself well.

"We are concerned that the Topics consent user interface may not adequately inform users about how their personal data is used or how the topics generated may be used for purposes wider than interest-based advertising (e.g. as determined by organizations that decide to use the API)," the report says, adding that Google is planning to revise the Topics API consent interface.

There's also the possibility that Topics data about people's interests might be used for purposes other than advertising.

"Based on the ICO's preliminary assessment, we are concerned that topics data may be used for purposes outside that specified by the API, and in so doing may harm the user and breach Applicable Data Protection Legislation," the report says, while also observing that "Google does acknowledge that entities calling the API might use the data for other purposes."

Another worry is that if the taxonomy of interests in the Topics API expands sufficiently, there will be a larger number of data points that may prove sufficient to identify people. "We agree with the ICO that future utility-based changes to the taxonomy could introduce new privacy risks," the CMA report says.

Web publishers have their own wish list of fixes, like a way to correct an errant Topics classification of a website and associated interests. The report also covers other APIs like the Protected Audience API and Fenced Frames. It's clear Google still has quite a bit of work left to do.

Google said in a statement last week that it continues to expect the Privacy Sandbox to improve upon the not-very-private status quo. "We've been closely engaging with the ICO, and other privacy and competition regulators globally, and will continue to do that to reach an outcome that works for users and the entire ecosystem," the biz said.

It's not as if Google has a choice while under the regulatory microscope. ®