What’s Really Going on in the Privacy Sandbox?

The following column originally appeared in the mighty AdExchanger on Feb. 15, 2022

“I said ‘Hey, what’s going on?’” – 4 Non Blondes

Back in 1994, when a 23-year-old Netscape engineer single-handedly enabled third-party cookies by default, digital advertising was a $50 million business. Now it’s at $450 billion, and a lot more people are involved.

It seems they don’t agree – not just on technical issues, which can be solved, but on existential ones. Like: “Is ad targeting and measurement good for our society or not?” Or: “Is requiring a person to opt in to ‘tracking’ fair?” 

The Privacy Sandbox was launched by Google’s Chrome team in 2019 as a test bed for ideas. They chose to take their ideas to the World Wide Web Consortium (W3C). This step was not required; Apple and others regularly make changes to products on their own.

As the W3C’s hard-working counsel and strategy lead, Wendy Seltzer, admits: “We can’t force anyone to do anything. We look for places where we can help find consensus.”

And in the past month, there’s been a flurry of Sandbox-related announcements: a potential replacement for the FLoC proposal, in-market tests for measurement and attribution ideas, a new working group.

Amid all this excitement, we’d be forgiven for thinking we’re on the brink of adopting universal standards for ad targeting and measurement. Not quite. We’ve become so used to a splintered internet that the whole idea of a self-regulated World Wide Web with the same rules of engagement for everyone seems as quaint as “Do Not Track.”

Building castles in the sand

As a cooperative venture, the Web relies on the goodwill of participants to survive. The W3C and its nerdier cousin, the Internet Engineering Task Force (IETF), are certainly doing their jobs.

Despite what we think, advertising is only a small part of the W3C’s daily grind. (It almost never comes up at IETF meetings.) Sandbox ideas end up in the Improving Web Advertising Business Group (IWA-BG), the Privacy Community Group (PCG) or the Web Incubator Community Group (WICG). Only the first one is focused on ads. The IWA-BG has 386 registered participants, 62 more than the Music Notation Community Group but 14 fewer than the more-popular Interledger Payments Community Group.

The main work of the W3C members consists of responding to issues on GitHub and holding conference calls, which are fun to audit. They’re definitely overworked. Two weeks before last Halloween, a new group called the Private Advertising Technology Community Group (PAT-CG) launched with a lot of momentum. At the group’s first gathering, one participant made the obvious point: “Many of us are struggling to take active part in all the groups active in this space.”

Like most committees, these ones can inspire angst. Frustration could be felt in the Twitter screed of one of the PAT-CG’s champions: “The folks in this group are *hungry to make progress*.”

What is clear is that the pro-advertising contingent is fighting uphill. During a presentation to the IETF last year, a Google engineer describing the FLoC proposal felt the need to justify the project by citing academic studies about the economic impact of cookie loss on publishers. In the same meeting, an Apple engineer talking about Private Relay, which masks IP addresses (and can break things like time zone and fraud detection), felt no need to justify promoting “privacy.”

The trouble is – and this is the crux of the issue – there’s still no consensus here on a very important, foundational question: What is privacy?

There’s a team called the Technical Architecture Group (TAG) within the W3C drafting a set of “privacy principles.” These are still a work in progress with many stakeholders, and the W3C’s Seltzer said in a meeting last fall that “it’s a tough challenge to bring all those perspectives together.”

But it isn’t clear whether this draft, or a related privacy threat model that would herd the privacy cats, will ultimately succeed.

So, what happens now?

Given its limited objectives, the Sandbox is succeeding. The Chrome team has received a lot of feedback and is reacting. According to the latest updates, four proposals have completed or are currently in trials (Trust Tokens, FLoC, Core Attribution and First-Party Sets). At least two more will enter trials this year.

Results are mixed, but that is just how engineering works: blunt feedback and iterations. FLoC itself has flown through an initial test, a redirection and recent relaunch, and it has hatched a whole aviary of suggested improvements. Missing in all this is a promise of cross-browser, Web-wide solutions.

The impact of FLoC is instructive in another way – one that’s reminiscent of the “Do Not Track” experience. In the latter case, a member of the W3C working group, Ashkan Soltani, grew frustrated and ended up helping to draft the CCPA and CPRA regulations. (Soltani is now in charge of the California Privacy Protection Agency.)

Similarly, a vocal member of the W3C Privacy Sandbox, James Rosewell, drafted a complaint that, in part, led to Google’s agreement to cooperate with the UK’s Competition and Marketing Authority. This agreement was accepted by the CMA just before Valentine’s Day, while a coalition of European publishers filed another complaint.

Seems like, in the end, the future of the cookie may just be worked out between the parties with the power here: Alphabet and the regulators.

Follow Martin Kihn (@martykihn) and AdExchanger (@adexchanger) on Twitter.
