Media Review #3: Potential Direction for FLoC, New Reporting Explainer and a Look at SWAN and UID 2.0

Google considers switching FLoC to a topic-based approach, as exec acknowledges cookie replacement has fingerprinting potential – DigiDay

= On July 26, during the Internet Engineering Task Force meeting, Josh Karlin, a tech lead manager in Google’s Privacy Sandbox team, presented the current state of FLoC

= Karlin explained that a potential next step for FLoC could be moving from FLoC IDs (~30,000 different cohorts) to topic-centric IDs, like “fitness”, with a lower number of groups, like ~256

= This approach is aimed at reducing the fingerprinting surface, as it would minimize the number of bits of information about the user shared by FLoC, which could be used, for example, by identity tech providers to improve the accuracy of their systems

= Prior to Karlin’s presentation, engineers from Facebook proposed ad topic hints to the Privacy Community Group at the W3C, a proposal that operates on a similar basis

= However, both Karlin and Google’s spokesperson denied that this is a confirmed direction for FLoC and said that many ideas are still being evaluated

Introduction to Attribution Reporting (Conversion Measurement) – Google

= On August 9th, Google published a more detailed description of the Attribution Reporting API, the successor of the Conversion Measurement API, which has been under development for many months

= Google claims that while it is still under development, this API aims to eventually address multiple reporting and optimization-focused use cases

= The API operates based on two types of reports:

= Event-level reports associating individual ad clicks or views with coarse conversion data for optimization, coarse reporting, and fraud detection use cases

= Aggregate reports offering more detailed conversion data, but in an aggregated form for reporting the effects of the campaigns and other optimization use cases not satisfied by Event-level reports

= Attribution Reporting aims to also satisfy app-to-web attribution and cross-device attribution and be usable for both FLEDGE and FLoC

= However, in their most recent update of the Privacy Sandbox timeline, Google moved the start of the testing phase of ad measurement APIs, including the Attribution Reporting API, to Q1 2022 from Q4 2021

What is SWAN? – AdMonsters

= James Rosewell, one of the creators of SWAN, explains what this community-operated idea is all about

= The author claims that SWAN uses pseudo-anonymous identifiers to comply not only with European privacy laws but also with Mozilla’s data privacy principles

= James Rosewell claims that SWAN operates on the foundation of choice – users have to agree to personalized marketing when accessing ad-funded websites, while on the other hand, entities running these sites have to agree to standard contractual terms

= It is not the intention of this proposal to share identifiable personal information of users across sites; even if the user provides an email address, it will only be used to generate a pseudo-anonymous identifier

= SWAN uses cookies to store people’s consistent preferences, but they are only read and updated in a first-party setting by participating organizations who agreed to the terms

= The proposal was criticized by engineers behind Safari, Edge, and Mozilla (more below)

Privacy analysis of SWAN.community and Unified ID 2.0 – Mozilla

= After the analysis of SWAN and UID 2.0, Mozilla concludes that, from a technical standpoint, they are a regression in privacy in that they allow the tracking of users who are presently protected against it

= The company claims that SWAN uses redirect tracking (bounce tracking) and UID 2.0 uses primary identifiers (e.g. email address) to bypass browser anti-tracking mechanisms

= Mozilla has concerns that while both these proposals rely on policy controls (relying on user consent for tracking and then restricting the use of tracking data), there are insufficient ways to verify that these policies are being followed. And whether the policies are enforced or not, this would still give many companies access to the user’s browsing history

= The company emphasizes that this is a situation browsers are currently trying to fix, and repeats that its intention is to eliminate cross-site tracking from its browser entirely, which is a continuation of the work started by Enhanced Tracking Protection in 2019