How Trump’s Political Appointees Overruled Tougher Settlements With Big Banks
Cloud Services Security Vendor Disclosed a 'Security Incident'

Google Claims Blocking Cookies Is Bad For Privacy. Researchers: Nope. That Is 'Privacy Gaslighting'

Google logo The announcement by Google last week included some dubious claims, which received a fair amount of attention among privacy experts. First, a Senior Product Manager of User Privacy and Trust wrote in a post:

"Ads play a major role in sustaining the free and open web. They underwrite the great content and services that people enjoy... But the ad-supported web is at risk if digital advertising practices don’t evolve to reflect people’s changing expectations around how data is collected and used. The mission is clear: we need to ensure that people all around the world can continue to access ad supported content on the web while also feeling confident that their privacy is protected. As we shared in May, we believe the path to making this happen is also clear: increase transparency into how digital advertising works, offer users additional controls, and ensure that people’s choices about the use of their data are respected."

Okay, that is a fair assessment of today's internet. And, more transparency is good. Google executives are entitled to their opinions. The post also stated:

"The web ecosystem is complex... We’ve seen that approaches that don’t account for the whole ecosystem—or that aren’t supported by the whole ecosystem—will not succeed. For example, efforts by individual browsers to block cookies used for ads personalization without suitable, broadly accepted alternatives have fallen down on two accounts. First, blocking cookies materially reduces publisher revenue... Second, broad cookie restrictions have led some industry participants to use workarounds like fingerprinting, an opaque tracking technique that bypasses user choice and doesn’t allow reasonable transparency or control. Adoption of such workarounds represents a step back for user privacy, not a step forward."

So, Google claims that blocking cookies is bad for privacy. With a statement like that, the "User Privacy and Trust" title seems like an oxymoron. Maybe, that's the best one can expect from a company that gets 87 percent of its revenues from advertising.

Also on August 22nd, the Director of Chrome Engineering repeated this claim and proposed new internet privacy standards (bold emphasis added):

... we are announcing a new initiative to develop a set of open standards to fundamentally enhance privacy on the web. We’re calling this a Privacy Sandbox. Technology that publishers and advertisers use to make advertising even more relevant to people is now being used far beyond its original design intent... some other browsers have attempted to address this problem, but without an agreed upon set of standards, attempts to improve user privacy are having unintended consequences. First, large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected... Second, blocking cookies without another way to deliver relevant ads significantly reduces publishers’ primary means of funding, which jeopardizes the future of the vibrant web..."

Yes, fingerprinting is a nasty, privacy-busting technology. No argument with that. But, blocking cookies is bad for privacy? Really? Come on, let's be honest.

This dubious claim ignores corporate responsibility... that some advertisers and website operators made choices -- conscious decisions to use more invasive technologies like fingerprinting to do an end-run around users' needs, desires, and actions to regain online privacy. Sites and advertisers made those invasive-tech choices when other options were available, such as using subscription services to pay for their content.

Plus, Google's claim also ignores the push by corporate internet service providers (ISPs) which resulted in the repeal of online privacy protections for consumers thanks to a compliant, GOP-led Federal Communications Commission (FCC), which seems happy to tilt the playing field further towards corporations and against consumers. So, users are simply trying to regain online privacy.

During the past few years, both privacy-friendly web browsers (e.g., Brave, Firefox) and search engines (e.g., DuckDuckGo) have emerged to meet consumers' online privacy needs. (Well, it's not only consumers that need online privacy. Attorneys and businesses need it, too, to protect their intellectual property and proprietary business methods.) Online users demanded choice, something advertisers need to remember and value.

Privacy experts weighed in about Google's blocking-cookies-is-bad-for-privacy claim. Jonathan Mayer and Arvind Narayanan explained:

That’s the new disingenuous argument from Google, trying to justify why Chrome is so far behind Safari and Firefox in offering privacy protections. As researchers who have spent over a decade studying web tracking and online advertising, we want to set the record straight. Our high-level points are: 1) Cookie blocking does not undermine web privacy. Google’s claim to the contrary is privacy gaslighting; 2) There is little trustworthy evidence on the comparative value of tracking-based advertising; 3) Google has not devised an innovative way to balance privacy and advertising; it is latching onto prior approaches that it previously disclaimed as impractical; and 4) Google is attempting a punt to the web standardization process, which will at best result in years of delay."

The researchers debunked Google's claim with more details:

"Google is trying to thread a needle here, implying that some level of tracking is consistent with both the original design intent for web technology and user privacy expectations. Neither is true. If the benchmark is original design intent, let’s be clear: cookies were not supposed to enable third-party tracking, and browsers were supposed to block third-party cookies. We know this because the authors of the original cookie technical specification said so (RFC 2109, Section 4.3.5). Similarly, if the benchmark is user privacy expectations, let’s be clear: study after study has demonstrated that users don’t understand and don’t want the pervasive web tracking that occurs today."

Moreover:

"... there are several things wrong with Google’s argument. First, while fingerprinting is indeed a privacy invasion, that’s an argument for taking additional steps to protect users from it, rather than throwing up our hands in the air. Indeed, Apple and Mozilla have already taken steps to mitigate fingerprinting, and they are continuing to develop anti-fingerprinting protections. Second, protecting consumer privacy is not like protecting security—just because a clever circumvention is technically possible does not mean it will be widely deployed. Firms face immense reputational and legal pressures against circumventing cookie blocking. Google’s own privacy fumble in 2012 offers a perfect illustration of our point: Google implemented a workaround for Safari’s cookie blocking; it was spotted (in part by one of us), and it had to settle enforcement actions with the Federal Trade Commission and state attorneys general."

Gaslighting, indeed. Online privacy is important. So, too, are consumers' choices and desires. Thanks to Mr. Mayer and Mr. Narayanan for the comprehensive response.

What are your opinions of cookie blocking? Of Google's claims?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

Well, the Editor has covered the field so well here that there isn’t much to say that he hasn’t reported or said. Google’s disingenuousness and duplicity on the issue of privacy is well established and well known. Alphabet (Google’s parent company) and Google, Alphabet-Google, makes nearly all of its money, and I think more than 87%, from advertising. And it is able to do that because it uses pervasive, highly sophisticated, and highly effective technology to trespasses on not only the users of its services but also the privacy of users of nearly every other service and website on the internet. So Google’s business model, its revenue model, depends on violating personal privacy to generate the vast majority of its revenues. Without pervasive trespasses on privacy, Alphabet-Google would be no larger than the privacy oriented DuckDuckGo search engine and would, therefore, lack the tremendous wealth that enriches its insiders and certain shareholders and that its uses to exercise undue, indeed, corrupt, influence on U.S. governments and democratic governments throughout the world.

And as alluded to in the article, supra, Google is not alone, because the immoral business model of expropriating users’ personal information for profit has become pervasive, if not ubiquitous, among internet firms, as nearly all, with extremely rare exception, do it. The big names are well known, Facebook, Alphabet-Google, Twitter, Microsoft, et al. and a whole raft of smaller firms so as to comprise nearly the entire internet. What of the internet remains is completely compromised as law enforcement and government intelligence agencies catchup to private enterprises in violating our privacy but for the purposes of intelligence gathering, law enforcement, and, for despotic governments, control of their subjects.

However, one player in this rouges gallery of privacy violators isn’t as well known, and that is Jeff Bezos’ Amazon and its affiliated companies, such as the Washington Post, which explains the Washington Post reciting the party’s misleading line about blocking cookies resulting in fingerprinting, without mentioning that several firms, Apple, Mozilla (makers of Firefox), the Brave Browser, et al., have the means to successfully mitigate fingerprinting and are doing so.

Fingerprinting is simply the latest technical threat to privacy in response to the surprise development of people resorting to ad blocking and to cookie and tracker blocking and to the use of reputable VPN services in surprisingly large and growing numbers, thereby frustrating both the tracking technologies of the leading internet search and social media firms and frustrating the large ISPs’ compromise of the FCC to overturn former FCC Chairman Wheeler’s privacy protections and open internet regulations. So what Google and the Washington Post don’t say is that it is a continuing battle between them and their ilk’s privacy breaching technologies and the technical response of certain firms and public interests advocates to develop the technical, practical, and convenient means to protect privacy. That battle is joined. The big social media, Alphabet-Google and Bing search, entertainment firms, news media, etc., have all the wealth and political power and the best talent in the world on their side. In the other corner, the largest player for privacy is probably Apple. After that, there are firms like DuckDuckGo, Brave, and Mozilla, whose revenues aren’t even a rounding error on Facebook, Microsoft, or Alphabet-Google’s income statement.

Yet the battle is joined, and the privacy side of that battle is doing far better than I would have expected. And the privacy side is apparently doing well enough for Alphabet-Google and the Washington Post to howl in pain and undertake technical responses to technologies that block tracking and fingerprinting. Google is the technical lead, as it has just announced changes to its dominant Chrome browser that would disable anti-tracking protections. Brave and several other browsers based on Chrome have announced that they will branch Chrome to disable Alphabet-Google’s latest attack on privacy.

I close with a word about a fantasy world with privacy effectively restored. Contrary to what Alphabet-Google and the Washington Post contend, the online commercial sky won’t fall. It would change, but it wouldn’t fall. I suspect that subscriptions for content would return. New revenue models, such as that attempted by the Brave browser, would evolve. People would lose access to so much free stuff. But in its place, the quality of news and content would improve. Internet firms expropriation of news organizations and other firms’ original content would cease. And many of the small businesses and jobs that the wild-west internet of zero privacy and weak security destroyed would return. So we would see change, which, I think, would be a significant net good, though it wouldn’t be good for Facebook, Alphabet-Google, and their ilk. But what is good for Alphabet-Google and its ilk and what is good ordinary folk and the world are two very different and often contrary and antithetical things.

George

A follow-up to Roland's comment, readers wanting to learn more can read these blog posts:

Surveillance Capitalism: A Profitable Business Google And Microsoft Agree About
https://ivebeenmugged.typepad.com/my_weblog/2016/05/surveillance-capitalism.html

How Google Tracks All Of Your Online Purchases. Its Reasons Are Unclear
https://ivebeenmugged.typepad.com/my_weblog/2019/06/google-tracks-purchases.html

George

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)