Google Is Protecting Their Moat, Not Your Privacy

We should all be skeptical that Google will deliver on its promise to improve consumer privacy and expand data protection, when that very act will erode Google's dominance.

A bridge over a moat, used as a metaphor for the advertising dominance that Google is protecting
Moat, JLP
Callout
The digital advertising landscape continues to rapidly evolve. Forced to balance increased consumer awareness about data privacy, developing legislation for consumer data protections, and on-going technology innovations; we are poised to see significant changes to how digital advertising works by the end of 2024. One of these changes is the end of support from web browsers for third-party cookies — a means to capture and record activity as a user navigates throughout the internet. It can't come soon enough.
A few cookies next to a laptop computer, representing the tracking mechanism built into web browsers
Browser Cookie, JLP

Advertising, in its many forms, is about awareness. Effective advertising informs an audience about a brand, product, or service. The intent is to educate, persuade, and remind consumers. The goal is to match the most relevant ad to the right audience. Matching, of course, relies on data about a consumer, the more specific and personable, or so the theory goes, the better. To collect this type of data, advertising companies exploited a capability in web browsers called the cookie.

Browser cookies were invented in 1994 by Lou Montulli, an engineer at Netscape. The web prior to 1994 had been, by default, stateless — each visit to a webpage was a single event, unrelated to previous trips. Montulli needed a solution that would allow him to detect if a user had previously visited the Netscape website. His solution was a simple mechanism that stored a short snippet of text, written by the web browser, that would persist between web sessions. When a consumer navigated to netscape.com in the future, the text snippet would be sent to the netscape server along with the browser request for the web page content. In Lou's case the presence of the returned text indicated that this user had previously visited the netscape.com site.

Cookies are stored as a key:value pairs, where the key is the name of the domain (in this case netscape.com) and the value is a simple text field. This mechanism was quickly adopted by other sites to create new functionality like persisting shopping carts across sessions or personalizing content. Cookie usage today is ubiquitous, and a critical part of the web ecosystem consumers have come to rely on.

Example Cookie

Example of two cookies, one to set a UI preference and the other acting as a session tracking ID:

Cookie: theme=light; sessionToken=abc123

Shortly after the cookie was introduced, DoubleClick, a significant player in the digital advertising ecosystem that would later be purchased by Google, leveraged this functionality to set and receive cookies for advertising it displayed across the Internet.

A shooting target, concentric rings of white and red, surrounding a bullseye
Target, JLP

Behavioral Targeting

Today, as you surf the web, sites are able to set browser cookies that correlate a user to the actions the user has taken. This mechanism allows for collecting a stream of data about a user's behavior, such as which article they read, what image they clicked on, or details about the user's location and device they are using. The data collected by the website a user entered into their browser is considered first party data. The user and the website effectively have a first party relationship with each other, one they have both willing and directly entered into. The user chose to navigate to that particular website — and the website agreed to provide the requested content.

On all future requests to this same website, any first party cookie data that the browser has recorded will be sent to the website as part of the request. Over time, the website can store and use this information to provide enhanced services to the user, for example more personalized content.

A diagram showing that a website sets a cookie value on first visit, on all subsequent visits the cookie is sent back to the web server

Many times a website's content will also include elements that are serviced by other domains. For example, a website that uses Google to display an ad. In this case, the ad itself would be served from Google's domain rather than directly from the website domain. These other services can also set cookies and obtain the same click stream of data about the user and the user's actions. These cookies are considered to be third party cookies, because the user does not have a direct relationship with the other services.

A depiction showing that 3rd party domains that have elements on the site can also set and retrieve cookie data

Third party cookies have the same behavior as first party cookies, every time the third party service is called, the cookie data is sent along with the request to the third party domain. What makes third party cookie usage so powerful is that for all other websites a user navigates to, if they also use the same third party services, the third party cookie data will be sent in response. Collectively, the returned cookie data acts as a breadcrumb across the internet. This allows third parties to effectively track users as they navigate throughout the web and build a rich history of those interactions.

The usage of third party cookies is pervasive across the internet, most websites include several third party services and their associated cookies. Users of the web today have their web history, usage patterns, and identifiable data tracked with nearly every internet interaction, and are often unaware of the identifiable breadcrumbs they are leaving in their wake.

Armed with this tracking information, advertisers can target audiences and individuals based on captured activity. Users who show a bias toward a topic or meet a demographic criteria can be matched to related advertising. This approach is called behavioral advertising.

Prolonging Google's Dominance

Advertising services parse the captured user data and apply categories to the user, creating large audience groups, or segments, which are interest and demographic based. These same categories are associated to advertising campaigns and media to allow matching. Several categories can be combined to provide finer and finer-grained advertising targeting.

While cookies have provided a way to capture powerful data that has resulted in user benefits, they have done so by intruding on consumer privacy. In 2020 Apple made a major decision to block third party cookies by default across their ecosystem. At that time, Apple’s safari web browser was the most popular web browser for mobile devices, and overall safari represented a little under 25% of the entire browser market. Under pressure from privacy advocates, Google announced their intentions to also block third party cookies in their chrome web browser. Today, Google chrome accounts for about 65% of all browser usage (per StatCounter, December 2022).

Google dominates browser market share at nearly 65%, followed by Safari at almost 19%
Browser Market Share, December 2022, StatCounter

However, Google has since pushed back their implementation timeline twice, now claiming third party cookies will be blocked by the end of 2024. This delay is a big deal and a signal that Google isn't committed to this promise. Google derives a significant portion of its $168 Billon ad revenue from the data its browser collects from third party cookies. We should all be skeptical that Google will deliver on its promise to improve consumer privacy and expand data protection, when that very act will erode Google's dominance (44% of all digital advertising spend globally) in digital advertising.

The justification for delay has been that Google needs more time to develop an alternative solution to third party cookies, something they call the privacy sandbox. While the naming is great marketing, their solution is a collection of services that ensure Google remains the dominate player in the advertising industry. Two building blocks of their solution are First Party Sets and a service called Topics.

First Party Sets is an attempt to lump multiple websites and domains into a logical group that would be treated entirely as a first party. This would fundamentally change the way the cookies work today, allowing a much broader set of domains access to any collected first party information collected by a site in the set. While it may seem that websites owned by a single company ought to share this type of data, this is often far less obvious to a consumer who may want much finer control of their data. First Party Sets may also allow shallow partnerships between companies seeking to share data cross-domains, say a consortium of sites that agree to work with each other.

Topics, the other foundational service in privacy sandbox, is an implementation of interest-based targeting. This form of targeting provides ad matching based on a finite, defined list of categories. Each web site is cataloged and mapped to topics from this category list. As users navigate throughout the web, the categories of the sites they view are tallied and the highest scoring categories can be used by an ad server.

A chart with an overview of how topics are selected and used to target ads

There are real problems with this solution. The mapping of categories to sites is crucial, whoever makes this determination also has the power to determine what is a sensitive topic, such topics are proposed to be banned from being tagged to a consumer. However, what's sensitive turns out to be very subjective and highly contextual.

Furthermore, there seems to be too little done to prevent fingerprinting by watching topics and user traffic and building a portfolio over time. The end-result could be as equally poor for protecting consumer privacy as the current implementation of third party cookies are.

The W3C Technical Architecture Group (TAG), part of the international body that helps set web standards, rejected both of these proposals recently (see here and here). The TAG details several other concerns including the concern that implementing First Party Sets and Topics will likely not be accepted by competing services and platforms, driving a wedge in the standards approach. The worst case scenario here would be that web experiences begin to be tailored to a Google implementation, potentially shutting out or diminishing the experience for non-Chrome users. It will be telling if Google decides to implement privacy sandbox anyway given it's browser dominance.