Google infamous Chrome tracking nightmare has just gotten worse. The company has confirmed critical changes to its promise to stop its browser’s 2.6 billion users being secretly tracked across the web, risking further, significant delay.
Chrome’s dominance of the browser market is well understood, with an almost 65% market share. Only Safari offers any competitive scale at around 20%, which means that when you look to non-Apple users, Chrome’s dominance is incredible.
The more serious concern, of course, is that Google is also the dominant force in digital advertising. The two facts are not unrelated. Chrome is a shop window onto the web, one that’s controlled by Google, just as it dominates online tracking and search. It’s a spider’s web built on data, your data, earning Google more than $150 billion a year.
This is why, while other browsers—notably Safari and Firefox, to say nothing of Brave and DuckDuckGo—have been enhancing user privacy and eradicating invasive user tracking, Google has been unable to do the same. Google says it wants to shift to a more “privacy focused web,” but it can’t do so without serving the needs of its customers, advertisers, and that has caught Google in something of a trap.
On the one hand, Google has been trumpeting replacements for the third-party tracking cookies that are now being happily banished elsewhere. The issue here is that Google’s measures are compromised by its need to maintain some user tracking to fuel targeted ads, so it can’t take a simple Apple- or Mozilla-like blanket approach. We saw this with FLoC, where anti-tracking measures awkwardly achieved the opposite.
On the other hand, because Google is so dominant, and because its new measures run the risk of actively blocking its competitors in the digital ad world from also tracking users, Google has been challenged by regulators. While the privacy lobby is pushing Chrome to ban tracking, the ad industry and regulators are essentially saying that it’s not so simple, not if Google will unfairly benefit from any changes.
Google had promised to banish tracking cookies from Chrome by early in the new year—they’d almost be gone by now. But its need to replace those tracking cookies with an alternative has led to a stalemate. Chrome is stuck with cookies until the year after next—at the earliest. “Chrome is the only major browser that does not offer meaningful protection against cross-site tracking,” rival Mozilla has warned.
In an ideal world, Google would just switch off this secretive tracking and shift to something less invasive. The problem is that anything Google does to enhance your privacy, also stymies targeted advertising. FLoC grouped users to avoid individual tracking, but other identifiers rendered those protections useless. The next focus will be a “privacy budget,” where trackers will be drip-fed an allowance of your data.
The problem is that as Google shifts from an openly nefarious tracking ecosystem to one in which is sets the rules others must follow, it risks exerting even more control. The U.K. Competition and Markets Authority (CMA) was one of the regulators that called Google out on this, and this week we have seen the results.
Last week, the CMA announced it had “secured improved commitments from Google on its proposals to remove third party cookies and other functionalities from its Chrome browser.” That means Google has agreed it won’t shift from tracking cookies to a more private tracking tech until it can satisfy regulators it’s not anti-competitive.
“We are determined to ensure that the Privacy Sandbox is developed in a way that works for the entire ecosystem,” Google confirmed, “and as part of this process, we have now offered revised commitments.”
Clearly, just going ahead and binning tracking cookies is in your best interests, as other major browsers have done, but that doesn’t suit Google. The company’s commitments to enhancing privacy “are all noise until Google actually agrees to collect less data and do less behavioral targeting,” DuckDuckGo warns users.
Google assured me that “there was no timeline change [for killing tracking cookies] announced as part of these revised commitments.” But it will need to launch a technical alternative that can both pass the use privacy test, which FLoC so clearly failed, and the market competition test, which has resulted in this compromise.
Anything that risks further delays to the removal of Chrome’s third-party tracking cookies is very bad news for users—it really is as simple as that.
Google has also agreed as part of this process that it will not advantage its own tracking at the expense of others, meaning it will abide by the same rules it sets for everyone else. But there’s clearly an element of scale and understanding that will ensure it remains top of the pile, and the concept of poacher and gamekeeper, where Chrome and the digital ad industry are concerned, remains clearly in place.
At last month’s Chrome Dev Summit, Google’s Barb Smith acknowledged that 80% of internet users “avoid certain online activities due to privacy or security concerns,” but also that “it’s difficult for developers to meet the growing expectations for privacy, when so many capabilities rely on third-party cookies and other cross-site tracking mechanisms, which weren’t designed with privacy in mind.”
More notably, Smith confirmed that the Privacy Sandbox is intended “to support a healthy sustainable ecosystem,” with advertising a “critical part of that ecosystem… that funds much of the web’s content,” showing a slide with “relevant ads and content” and “measurement” as the first bullets under “new privacy preserving technologies.”
Not wishing to state the obvious, but you won’t find Apple heralding Safari’s latest Intelligent Tracking Protection by emphasizing its utility for targeted advertising.
Google’s commitment to the CMA includes working with the regulator “to identify and resolve any competition concerns before the removal of third-party cookies,” and the agreement of a “standstill period” of at least 60 days before cookies are removed, with the CMA assessing Google’s proposed alternatives against industry concerns.
The CMA has secured an agreement that it can delay Google’s Privacy Budget if required—if that Privacy Budget becomes (as expected) Google’s key cookie alternative, it can’t really switch off tracking cookies until it’s good to go.
The CMA has also secured agreements to limit Google’s plans to restrict access to your IP address, a core datapoint used to identify you on Chrome, such that you can be tracked individually. Contrast this with Apple’s new Private Relay, an innovation added to iCloud with iOS 15 that does exactly this—blocks your IP address from advertisers and trackers, stopping them from fingerprinting you.
This is all complicated, but a much simpler way to view Google’s isolated approach to user privacy was provided earlier this year by Apple’s privacy labels, which show Chrome as the only major browser that tracks the identity of users against all the data it collects—and it collects a lot of data. That’s helpful context to this wider issue.
As was evident with Google’s FLoC backtrack, even well-intentioned privacy moves are compromised once out the lab and exposed to the complex tracking and fingerprinting ecosystem that drives targeted ads. Blanket blocking techniques, such as those adopted by Apple, resolve the issue, but they damage the ad industry and reduce ad revenues.
Google wants a best of both worlds—a have cake and eat it—solution, but the bad news for users is that there’s no certainty one exists. It was market regulator pressure that kicked Chrome’s cookie removal out a year or two in the first place.
Timelines may not yet have changed, but Google needs to deliver a privacy/tracking balance that has so far proven impossible, if it’s to remain on track for killing cookies in 2023. In the meantime, Chrome can choose to avoid this secretive default tracking by switching browsers to one of Chrome’s major rivals.