Ryan says Google vague on FLoC privacy impact; an information fiduciary starts; IAB sees ad challenges

Privacy Beat

Your weekly privacy news update.




Ryan says Google’s info on “FLoC” browser-cohort plan too vague to tell impact on privacy; seeks review

Perennial ad-tech critic Johnny Ryan has unleashed a four-point assessment of Google’s “FLoC” plan to to put advertising-interest cohort technology in its Chrome browser. Overall, the Irish-based advocate says Google has released too little information to determine if the system, as revealed so far, will be a privacy improvement over third-party cookies.

“Google has not yet provided sufficient information for one to judge whether its new advertising system will end the enormous data free-for-all among thousands of companies active in the online advertising industry,” Ryan wrote in a richly footnoted email and identical blog posting on the website of the Irish Council of Civil Liberties, where he works. “It relies on privacy safeguards such as ‘trusted servers’, isolating data on the person’s device, and targeting groups of people rather than individuals.”  These are “vaguely described,” Ryan says.  He calls for regulators to investigate and get more info from Google, adding:

  • The “trusted servers” will receive information about everyone, upon as-yet undisclosed principles, and will be responsible for delivering ads, reporting to advertisers and website owners. “Google does not appear to describe how this could be done without compromising privacy,” Ryan writes.
  • It’s not clear who will control the methods of creating “interest groups” within each user’s Chrome browser — Google, publishers, advertisers or what. This raises a question, according to Ryan and others, whether interest cohorts could be formed around interests that could be used in discriminatory ways.

Ryan is not the only person concerned about Goggle’s FLoC.  “This is a massive competitive power grab by Google targeted towards other ad networks, masquerading as privacy,” wrote Johannes Ernst, of Indie Computer Corp., on an email list of ProjectVRM at the Harvard Berkman Klein Center. “Because Google still knows who you are — you are still logged into it — but nobody else does — because the cookies went away. Therefore, going through Google ad networks will continue to be perfect targetable (if you let Google do the matching), but everybody else’s will only be a ‘cohort’ and Google can make those cohorts as good or bad as they like.”

And on his personal blog, ex-Mozilla engineer and editor Don Marti, now working for CafeMedia, wrote a satirical impression on how browser “FLoC” data cohorts could be misused. “In one important way, FLoC is worse than third-party cookies,” Marti says in an email. “Any site can check the user’s cohort. If you run an evil site, and want to use third-party cookies to profile your users, you have to enter into a contractual relationship with some company that has scripts or pixels on many other sites in order to get the third-party cookie data. With FLoC, the evil site can just call one JavaScript function and know the user’s cohort, no paperwork needed.”





Does your organization need customized privacy compliance solutions? ITEGA  can help.

We bring together support you need to approach compliance with CCPA, GDPR if needed, and future privacy legislation as it emerges.

Learn More



Ex-Googler set to launch “information fiduciary” pilot called Deeper Edge; first effort at personalizing event listings

A former Google policy executive will announce next week a new “information fiduciary” initiative.  Richard Whitt’s goal:  Figure out how strongly the public wants to control how their personal data is collected and used, and whether they would pay a company to help them.

Silicon Valley-based Deeper Edge LLC will be designed to be a “web guardian” of end-user privacy, security and identity.  But Whitt has an initial idea to provide something of value besides privacy — a way to help people find events and activities of interest in their area and organize that data — but doing so anonymously.

The Deeper Edge website already has a 40-second teaser video, but will go live next week. Whitt has been guiding the work of a nonprofit since leaving Google, the Glia Foundation,  where he and others have probed the ideas that are now being put into practice.

An overarching intention in the long run is to ease the user’s daily online struggles, from managing passwords to fending off attacks by bad actors. In this early stage, the local events and venues interactive tracker will pour information into a personalized calendar with links.

“You tell the platform what you’re interested in as much as you want and we’ll go out and find it,” says Whitt. “But none of that data goes to the venue unless the user decides they want to do that.” It’s collected anonymously, using Deeper Edge as a proxy, in effect.

Beyond a reference implementation, says Whitt, Deeper Edge will move to be a comprehensive manager that safeguards your personal information and helps you figure out who to share it with, when and on what terms.  The Deeper Edge information fiduciary could be a newspaper, a retailer, an affinity group or something else he says.

Whitt is a senior strategy consultant to ITEGA, the sponsor of this newsletter. He is also a Mozilla Fellow.





IAB report acknowledges privacy challenge for advertising, releases ideas to fix it — for public comment until May 7

A sober assessment on widening privacy concerns around digital advertising, an invitation to the public to provide by May 7 ideas about what to do to fix it, and an appeal from U.S. Sen. Ron Wyden highlighted the annual leadership meeting of the Interactive Advertising Bureau (IAB) this week.

Because of privacy concerns and regulation, the traditional value exchange of ad-supported media — free content in exchange for seeing ads — is losing its value, consultant PwC US wrote in a report commissioned by the IAB and released at the virtual gathering. “To put it bluntly, the old value exchanges are just not enough,” Sue Hogan, IAB senior vice president research and analytics said in a statement accompanying the report. “The model is broken. Publishers and media companies have to reimagine reciprocity or risk the flight of consumers to competitors.”

Among other trends to watch, says the statement about the report: Expect more “walled gardens” with higher walls, as third-party identifiers go away, watch retailers such as Walmart increasingly publish content on their websites; and “for all to thrive, hate speech, fraud and misinformation must be solved for.”  The PwC report was based on lengthy interviews with 20 ad and publishing execs.

Meanwhile, the affiliated IAB Tech Lab released for public comment a portfolio of standards for responsible “addressability and predictable privacy” — ways to target advertising without violating privacy laws or norms.  Deadline for comments is May 7, and during an “Addressability Solution Road Show” on March 24. The package includes two drafts, “Best Practices for User-Enabled Identity Tokens” and “Taxonomy and Data Transparency Standards to Support Seller-defined Audience and Context Signaling.”

A keynote speaker to the IAB meeting, Sen. Wyden pushed his 2019 universal opt-out law (see BILL TEXT  and a law firm’s analysis of the Wyden bill and Wyden’s one-page description.) “There are some aspects of advertising technology that are going to have to change,” Wyden warned the IAB audience.





Like what you see? Then recommend to a friend.

Subscribe to Privacy Beat

Business, advertising interests embrace Democrat’s privacy bill; no ‘private right’; would pre-empt California, Virginia

A new and theoretically bipartisan push in Congress to seriously consider federal digital privacy regulation emerged this week with the refiling — with changes — of a bill by a former Microsoft executive who is now a Washington state congresswoman.

Two things are politically significant about U.S. Rep. Susan DelBene’s updated bill (SEE TEXT)  is that she claims at least 100 fellow centrist Democrats in the House Progressive Caucus support the bill and she said she hoped for GOP co-sponsors to join business interests backing it.  Both the U.S. Chamber of Commerce and the National Retail Federation embraced it, as did ad-tech’s Network Advertising Initiative.

On the other hand, the bill contains two provisions that in previous sessions have been flatly opposed by Democratic leaders and championed by Republicans and the ad-tech industry. First, the bill would pre-empt existing, more strict, state privacy laws such as those adopted in California and Virginia and considered elsewhere. Second, it generally prohibits citizens from filing privacy lawsuits, leaving enforcement to the U.S. Federal Trade Commission and state attorneys general only if the FTC declines to take action.

The bill’s definition of “sensitive” includes people’s web browsing history and app use unless the data is aggregated,  MediaPost’s Wendy Davis wrote in her story about the bill. She also wrote that a requirement that companies obtain opt-in consent before sharing or selling that data has some loopholes — including one that applies when companies disclose how they plan to use the information.

Other  provisions of the “Information Transparency and Personal Data Control Act”:

  • It requires companies collecting “sensitive” information from 250,000 or more people per years to submit to a privacy audit by a neutral third party every two years. Such information would include financial account numbers, health information or social-security numbers.
  • Consumers have to “opt-in” before particularly sensitive personal data on them is shared by data users.  But for the vast majority of other data, some of it potentially personal, sharing is allowed unless the user explicitly “opts-out.”  This approach is not supposed by groups such as Consumer Reports.
  • Consumers have to be informed when their personal information is shared.
  • The bill does not address artificial intelligence or facial recognition technologies.







With “FLoC’s” in the browser, is Google focused on privacy or tightening its grip on the digital ad economy?

“After spending more than a decade building up massive profits off targeted advertising, Google announced on [March3] that it’s planning to do away with any sort of individual tracking and targeting once the cookie is out of the picture . . . .

“What Google does plan on building, though, is its own slew of “privacy-preserving” tools for ad targeting, like its Federated Learning of Cohorts, or FLoC for short. Just to get people up to speed: While cookies (and some of these planned universal ID’s) track people by their individual browsing behavior as they bounce from site to site, under FLoC, a person’s browser would take any data generated by that browsing and basically plop it into a large pot of data from people with similar browsing behavior—a “flock,” if you will. Instead of being able to target ads against people based on the individual morsels of data a person generates, Google would allow advertisers to target these giant pots of aggregated data.

“We’ve written out our full thoughts on FLoC before—the short version is that, like the majority of Google’s privacy pushes that we’ve seen until now, the FLoC proposal isn’t as user-friendly as you might think. For one thing, others have already pointed out that this proposal doesn’t necessarily stop people from being tracked across the web, it just ensures that Google’s the only one doing it. This is one of the reasons that the upcoming cookiepocolypse has already drawn scrutiny from competition authorities over in the UK. Meanwhile, some American trade groups have already loudly voiced their suspicions that what Google’s doing here is less about privacy and more about tightening its obscenely tight grip on the digital ad economy.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.

Share Share

Tweet Tweet

Share Share

Forward Forward




Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

Email Marketing Powered by Mailchimp