Upcoming: Gaming & Advertising Guide, Learn More>

Some are Concerned that Google’s Privacy Sandbox Could Limit Innovation and Stifle Competition

Tim Cross  11 May, 2020

When Google announced at the start of the year that it would end support for third-party cookies within two years, all eyes turned to its ‘Privacy Sandbox’. The sandbox was announced last August by Google launched with the aim of building “a more private web”. The sandbox is where Google engineers are developing new application programming interfaces (APIs) to replace third-party cookies.

For advertising specifically, cookies are used to target ads to people based on sites they have visited and for things like conversion measurement. Within the sandbox, Google is proposing new ways to target and measure ads in more privacy-friendly manner, and is inviting industry feedback on these proposals.

With the clock ticking down on Google’s January 2022 deadline, and the tech giant so far refusing to push the deadline back despite the pandemic disruption, the solutions emerging within the sandbox now could well signal the future of advertising on Chrome, which according to NetMarketShare is used by 68 percent of desktop users and 60 percent of mobile users globally.

Dennis Yurkevich, founder of privacy-focused audience platform AirGrid, says that while the solutions being proposed within the sandbox cover a wide range of functions, they all tie into a new privacy model for the web on Chrome.

The core principles of the sandbox are as follows. Firstly, user identity should work on a “per-site basis”, so for example someone who reads the FT for work and then watches cat videos at night should remain two distinct (i.e. unlinked) identities. There also won’t be a way to ‘join up’ first-party identities in order to track users across different websites. Finally, any first-party identities created should only have minimal amount of external data attached to them, so things like battery level, which could be to identify users, will no longer be shared.

Together, Google hopes that these principles will allow advertisers to find and target their audiences in a way that preserves privacy.

As VAN has previously reported, there are concerns that these sandbox solutions won’t allow advertisers to target and measure advertising as they do today.

For example, the TURTLEDOVE API proposed within the sandbox is designed to allow retargeting, where advertisers can target users who’ve previously seen their ads or visited their website. But for now at least, TURTLEDOVE doesn’t allow advertisers to do things like frequency capping (where an advertiser can limit the number of ads shown to a user) and reporting relies on a separate API that hasn’t been fleshed out yet.

Neal Richter, chief scientist at SpotX, a video ad technology company, and chairman of the IAB’s Tech Lab in the U.S., says these proposals “do push forward theoretically credible technical solutions to audience targeting”. But they also suddenly give browsers a much bigger role in the advertising process. “Advertisers should have a number of questions about what assurances they have that their proprietary data and algorithms are safe to be transmitted to a billion browsers,” he said.

And AirGrid’s Yurkevich believes there are more basic problems with Google’s current sandbox approach.

“Currently the web platform provides very flexible constructs to create any type of experience for your users, in relation to content, applications and advertising,” said Yurkevich. “You are able to write code to do pretty much anything, make requests to external services, and store data in the user’s browser.”

But in a world where advertising on Chrome runs through Google-controlled APIs, it follows that Google gets to set rules and restrictions on how certain processes work. Transparency could be one issue, since only Google knows exactly how decisions are made within the Chrome browser.

“If we take a look at a single proposal such as TURTLEDOVE, it dictates a very specific API and information flow, which is littered with phrases such as ‘a while later my browser contacts first-ad-network.com and requests ads’,” said Yurkevich. “This seems very opaque, and leaves all the decisioning about when and which ad networks are called to the browser.” This could potentially cause problems where Google’s own ad network is competing against third parties, making it hard to see if Google is giving its own services preferential treatment.

But Yurkevich also believes that by setting tighter rules around how targeted advertising works, independent ad tech companies will find it harder to innovate. “By setting such specific flows for these proposals, it leaves little room for new ideas, meaning the execution of ad campaigns will become highly commoditised and most likely in the hands of a few major players,” he said.

SpotX’s Richter agreed that the rules set by Google are “narrow in scope”, but said it’s not yet clear how innovation in ad tech will be affected. “What we don’t know is how divergent solutions will be or how advertisers will change their technology strategies,” he said. “But under current proposals, it seems clear that some common use cases of advertising systems would be forced to change. Browsers are essentially departing from the historic position of neutral executors of standards compliant code and are taking a position of changing how code is executed to execute privacy policies.”

And he added that under the current proposals, some parts of the ad tech ecosystem will have smaller roles to play. “In many ways the proposals shift the decision making of campaigns to the browser and away from the DSP and DMP,” he said. “Advertisers should have questions about how they will manage and optimise these campaigns to KPIs where the information flow is fundamentally different.”

Another problem with standards arises when you have different browsers independently devising their own solutions for cookie-free advertising. W3C, an organisation which creates standards for the World Wide Web, is seeking to mediate between the browsers and produce one unified API which works across browsers.

But AirGrid’s Yurkevich isn’t convinced this API will come to fruition. “Even with less volatile topics there is always some disparity between browsers,” he said. “So I feel it is unlikely that there will be a complete consensus.”

SpotX’s Richter agreed that there is a long term risk that the industry has two sets of rules for each browser: one set that is standardised by the W3C for content rendering and code execution, and another set of rules relating to advertising that isn’t standardised across browsers.

Nothing is Set in Stone

However, it is still early days and there is some hope that solutions will be found over the next two years.

Firstly, Google’s privacy sandbox ideas are still at the proposal stage. While time is ticking, less than half a year has passed since Google announced it is killing off third-party cookies. The proposals gaining traction now won’t necessarily be the APIs that are adopted in 2022. TURTLEDOVE itself replaced PIGIN, a separate proposal which was unpopular for not being sufficiently privacy-compliant.

Secondly, even if the current proposals do stick around, Google’s engineers seem to be happy to engage with the industry’s concerns. Michael Kleber, the Google engineer who designed TURTLEDOVE, has been very responsive to complaints outlined on the proposal’s Github page. Google has chosen to involve the industry in its privacy sandbox, suggesting it will listen to feedback.

And lastly, Google’s sandbox isn’t the only solution for cookieless targeting. “There will always be companies out there trying to build new products and solutions, and there will be advertisers whom also want to avoid the status quo, and use more cutting edge technologies,” said AirGrid’s Yurkevich. AirGrid is involved with several of these initiatives, which work similarly to TURTLEDOVE (in that they operate via the browser).

“There are other groups working on proposals for decentralised identifiers (DIDs) and Web Neural Networks (WebNN),” said Yurkevich. “They will have privacy constraints, but they’ll allow a much larger playing field in terms of how you use and build upon these technologies,” he added.

Like the sandbox proposals, these solutions are still theoretical, not workable solutions which the industry could adopt today. But Yurkevich believes that the initiatives that aren’t controlled by Google and set fewer constraints on how digital advertising operates, will have all the privacy benefits of Google’s sandbox but without the drawbacks.

Subscribe to Our Newsletter

Follow VAN on Twitter

Go to Top