Privacy Sandbox

Article by Tsaaro

July 16, 2021

7 min read

A moreprivate, open web accessible to everyone.

Introduction
In August 2019, Google announced a new initiative (known as Privacy Sandbox) to develop
a set of open standards to fundamentally enhance privacy on the web. The goal for this
open source initiative is to make the web more private and secure for users, while also
supporting publishers.
In January 2020, just before covid-19 took over the world, Google made one more
announcement; they updated that the industry’s feedback was optimistic and confident
regarding their ‘Privacy Sandbox.’
And with that confidence, they announced that they would phase out the support for
third-party cookies in their Google Chrome browser.
In March 2021, in the recent announcement, Google said after the support for third-party
cookies are phased out, they will not develop a unique identifier solution to identify users
across the web using different browsers and devices;

Instead, they will use ‘privacy-preserving APIs,’ which will prevent identifying individuals
across the web while delivering the same efficiency and value level to advertisers and
publishers.

What is Privacy Sandbox?

Google created a developer sandbox for Google Chrome, where companies or individuals
can ‘play’ with the Google Chrome browser data. In developers’ language, a ‘sandbox’ is an
isolated environment and a safe place for testing that can’t affect anything outside of it.

Privacy Sandbox is covering four key areas:

● Ad targeting:

Advertisers want to reach users interested in their products or reach a customer on
a different website who previously visited their website.
FLoC & TURTLEDOVE, both acronyms, are two different proposals designed to solve
ad targeting problems.
FLoC stands for “Federated learning of Cohorts,” which uses advanced machine
learning known as “Federated Learning” to allow advertisers to reach new
audiences.
TURTLEDOVE stands for “Two Uncorrelated requests, Then Locally-Executed
Decision On Victory,” which is a proposal to solve the problem of retargeting
customers; this is for advertisers who want to reach the users who already visited
their website before.

● Ad delivery:

Delivering an ad to a web page is another critical point-in-time where the risk of user
privacy getting compromised is higher.

The Trust Token API

Cookies and other tracking technologies are significantly matured in detecting
advertising fraud;
Ad fraud is a type of online fraud where advertisers are tricked into spending money
to buy ads on websites that are either low value or irrelevant or visited by bots.
The Trust Token API helps authenticate real users without using any tracking
technology. For Example, if you logged into your Yahoo mail account, and if Yahoo
wants to, it can drop a Trust Token in your browser and classify you as a real user.

When you visit other sites with the same browser, the Trust Token can be accessed
by other websites and feel comfortable with you as you are already classified as a
trusted user.

● Ad performance:

Many advertisers prefer spending on online media over offline media because they
have visibility on their ad dollars’ performance and effectiveness.
To solve this without using third-party cookies, The Google Chrome team proposed
a few standards, including the Aggregated Reporting API and the Conversion
Measurement API.

The Aggregated Reporting API gives advertisers a privacy-first way to measure
how many users saw their ad from a specific ad campaign; this is achieved by
providing only a single report after gathering and aggregating the data from
multiple websites.

The conversion measurement API proposes a new way of tracking an ad
campaign’s success without using third-party cookies; it stores how many users took
action based on an ad, whether buying a product or filling a lead form.
For Example, if a user sees an ad for a pair of shoes and then buys those shoes, the
browser stores that information; after some time delay, the browser sends back that
aggregated information to the advertiser.

Google makes it hard for the advertising companies to tie the clicks and conversions
to an individual; all of this is aggregated information, nothing at the user level.

● User privacy:

Web browsers also reveal quite a lot of information about the users like the IP
address, fonts they support, version of the browser, and a lot more;
With enough data points across companies, one can stitch the data and identify a
user reasonably well; this is called the ‘fingerprinting.’ technique.
To prevent fingerprinting, Google Chrome is developing a technology called Privacy budget.

In simple terms, every website will have a budget (which is the amount of
information) that it can use to request from the browser; you can’t go beyond that
allocated privacy budget.

There might still be a possibility of identifying a large part of heterogeneous groups.

Updates by Google

By Jun 2021, Chrome and others have offered more than 30 proposals, and four of those
proposals are available in origin trials. For Chrome, specifically, Google plans to have the
key technologies deployed by late 2022 for the developer community to start adopting
them. Chrome could then phase out third-party cookies over a three month period, starting
in mid-2023 and ending in late 2023.

Each proposal goes through a rigorous, multi-phased public development process:

Discussion: The technologies and their prototypes are discussed in forums like GitHub or
W3C groups.

Testing: The technologies are rigorously tested in Chrome through potentially numerous
origin trials, allowing for transparency and feedback throughout.

Ready for adoption: Once the development process is complete, the successful
technologies are ready to be used at scale. They will be launched in Chrome and ready for
scaled use across the web.

After this public development process, Google plans to phase out support for third party
cookies in two stages:

Stage 1 (Starting late-2022): During stage 1, publishers and the advertising industry will
have time to migrate their services. This is expected to last for nine months.

Stage 2 (Starting mid-2023): Chrome will phase out support for third-party cookies over a
three month period finishing in late 2023.

Google also published updates in April 2021 regarding User Agent string reduction, a
project which aims to reduce the possibility of using the data to fingerprint and track users
across the web.

For a developer, if the site, service, library or application relies on certain bits of
information being present in the User Agent string such as Chrome minor version, OS
version number, or Android device model, he/she will need to begin the migration to use
the User Agent Client Hints API instead, which is a way to avoid the historical baggage
and passive fingerprinting surface exposed by the venerable User-Agent header.

Summary

Third party cookies are typically the ones set by “third party” ad tech companies whose
tracking code is found on millions of sites. Hundreds of ad tech trackers are collecting
information, without the user’s knowledge, and certainly without their consent. The ad tech
companies sell their data for profit or make money by using it to help marketers improve
the targeting of ads — i.e. behavioral targeting and also to collect user’s data to make a
unique identification of them — i.e. browser fingerprinting.
To solve this , Google proposed ‘Privacy Sandbox’ to develop a set of open standards to
fundamentally enhance privacy on the web. The goal for this open source initiative is to
make the web more private and secure for users. They also announced that they would
phase out the support for third-party cookies in their Google Chrome browser.
Privacy Sandbox covers four key areas that are:

Ad targeting : FLoC & TURTLEDOVE are two different proposals designed to solve ad
targeting problems.

Ad performance: To maintain Ad performance without using third-party cookies, The
Google Chrome team proposed a few standards, including the Aggregated Reporting API
and the Conversion Measurement API.

Ad delivery : The Trust Token API is designed to authenticate real users without using any
tracking technology.

User’s Privacy : To prevent fingerprinting, Google Chrome is developing a technology
called Privacy budget which is basically a limit on how much data a website can request
from a browser.

For Chrome, specifically, Google plans to have the key technologies deployed by late 2022
for the developer community to start adopting them and then phase out third-party
cookies over a three month period, starting in mid-2023.

Google also published updates in April 2021 regarding User Agent string reduction, a
project which aims to reduce the possibility of using the data to fingerprint and track users
across the web.