Google appears to seek control over cross-site user logins | Expert proposes privacy “safe harbor” regime

Privacy Beat

Your weekly privacy news update.


Google’s cross-site identity ideas broached at TPAC

As third-party cookies fade, Google, using Chrome, appears to seek a controlling role over cross-site user logins 

Google Inc. moved this week to advance new standards in which web browser makers — including Google and Apple — control which websites get to share user logins and elements of identity, rather than publishers or users themselves. 

The effort was described in detail in two World Wide Web Consortium (W3C) presentations by Google Chrome senior engineer Sam Goto. The first description was in the form of a “draft community group report” dated Oct. 18 and posted to the W3C Federated Credential Management (FedCM) group. The “report” is styled as an application programming interface (API) standard for cross-site data exchange.

The second was contained in official breakout notes of an Oct. 21 Federated Credential Management discussion featuring Goto at the W3C’s annual meeting, known formally as W3C TPAC 2021.

Details, extended explanations and a Q-and-A with Goto are in the two documents. Taken as a whole, they paint a picture of Google’s effort to, at the same time, (1) address privacy concerns by blocking third-party cookies in Chrome in 2022-2023 and (2) create a method that still permits browsers to support cross-site logins that don’t opaquely support surveillance-type advertising.

But Goto implied that Google’s position is that a global ID is a form of “tracking.” The public notes quote Goto as saying: “Personally [I] believe we should make sure users are protected from tracking and passing global IDs is part of the job.” 

“Our approach is to insert the browser into this situation to enable affordances,” notes of the Oct. 21 discussion quote Goto as saying. He said the current system in which third-party cookies manage cross-site logins without judgement creates conflict with emerging browser privacy features. “We like federation and privacy and we want both,” the notes quote Goto saying, adding the Google project goal is “looking for ways to make them not conflict.” 

Google’s solution, it would appear, is to put its Chrome browser, using the OpenID Connect standard, in the position of deciding what’s surveillance and what’s user-desired, cross-site access convenience. Among alternatives for controlling cross-site identity:

  • So-called “Self Sovereign Identity,” in which software completely in control of the end user decides what information to give to which parties and when, without intervention by a “user agent” (UA) such as a browser.
  • An Identity Provider (IdP), such as an Internet Service Provider, email provider, publisher or affiliated group of web services, decides when to allow cross-site logins. This is an approach Goto said Chrome is considering supporting.
  • A government service which makes, enforces and perhaps runs identity services and requires compliance by parties within its jurisdiction, including web browser makers.

Discussion in the W3C breakout included whether the browser should make lists of acceptable and non-acceptable parties for cross-site logins. So far, Google, in its First Party Sets proposals, seems to be saying that the browser should only allow commonly owned websites with different domain names to cross-authenticate users. Would that mean, asked Achim Schlosser, of the European Net ID Federation, that Chrome would require users to log in repeatedly across non-corporate affiliated sites? Goto referred Schlosser to the FedCM document. NetID is a collaboration of German publishers and big ISPs.





NGO privacy/identity “safe harbor” rules, enforceable by FTC, advocated by a second Kerry-affiliated policy expert 

An experienced Washington internet-policy expert says advertising and technology companies need to come together on standards for privacy and identity so that government can then regulate to those standards.

Karen Kornbluh’s remarks were included as part of a broader Q-and-A interview with tech journalist Julia Angwin and published as an email newsletter and web posting at, which Angwin edits.  Kornbluh, a former diplomat and FCC staffer,  is now senior fellow and director, digital innovation and democracy initiative at the German Marshall Fund of the United States.

“Of course, the [U.S. Federal Trade Commission] is so outgunned. They don’t have enough money, they don’t have enough staff, they don’t have enough expertise, and the technology is moving really fast,” Kornbluh told Angwin.

She continued: “That’s why we come down to the need for some kind of digital code of conduct, to get the platforms to do some of this work themselves under the regulatory supervision of the FTC. The industry could get together and spell out what would be good enough steps to not be considered negligent, and then that can be used as a safe harbor. The industry would work out the details, but the regulators would decide if it’s enough and audit to make sure they’re complying.”

The idea of a regulatory “safe harbor” for companies which adhere to some industry codes of conduct around privacy and identity was advanced last year by a prominent Brookings Institute researcher, Cameron Kerry. Kerry is the brother of former U.S. Sen. John Kerry, and Kornbluh worked for Kerry on the staff of the Commerce Committee and its Telecommunications Subcommittee. [ITEGA, publisher of this blog, has offered itself as a non-profit governance service for trust, identity, privacy and information commerce.]



Un-redacted Texas suit reveals new claims that may damage Google position vs. publishers and competitors

Twitter came alive at the end of the week with reports about an Oct. 22 development in the advertising antitrust suit against Google filed by 17 U.S. states and led by Texas’ attorney general.

The news is that the court hearing the case permitted “unredaction” of thousands of words previously sealed from public view, mostly damning allegations made by the state plaintiffs. The freshly unredacted legal complaint can be found and downloaded from the nonprofit CourtListener website.

Digital Content Next’s Jason Kint, Tweeting about the new verbiage, includes an excerpt that quotes a Google executive (the name is still redacted) saying in a company document that his No. 1 priority was the “need to fight off the existential threat posed by header bidding . . . . ”

A long Twitter thread is authored by Patrick McGee, the Financial Times’ full-time correspondent based in San Francisco and covering Silicon Valley. McGee’s Tweets highlight newly unredacted sections pointing to the significant profitability of Google’s ad-serving and tracking business and allegations of how it was intended to disadvantage publishers and competitors.

Another series of Tweets on the disclosures is authored by an anonymized California-based tech games and video programmer who Tweets as “fasterthanlime” and is known as “Amos.” He claims to have just read the entire 176-page, un-redacted complaint.

In one Tweet, “Amos” screen-grabs (see image, above) a section of the un-redacted complaint which reads: “Internally, a Google employee concedes that an electronic exchange such as its own should to normally be able to extract such high fees in the market . . . an exchange shouldn’t be an immensely profitable business . . . but should instead be like a public good used to facilitate buyers and sellers.”





Ryan and EU parliamentarians push advertisers to abandon Google and Facebook “surveillance” systems

European privacy advocates issued calls for an end to so-called “surveillance” advertising,  using a letter to advertisers and a fresh research compilation to make their points. 

The first salvo came from 19 members of the 705-member European Parliament, led by  “Green” activists, asking the chief executives of Europe’s largest companies to stop advertising via platforms like Google and Facebook.  They referred to an “opaque and toxic ecosystem” which threatens “privacy, social cohesion and democracy worldwide.” 

The group’s  two-page letter, in English, called on the CEOs to “switch to less harmful and still, even more effective, alternatives which are already available.”  It cites The New York Times, the Dutch public broadcaster Ster and search engine DuckDuckGo as pioneers in alternate ad systems that rely less on personal data “and have fewer negative externalities for society.” It asks the CEOs to reply “what your reasoning is to use this personal data-driven advertising system and if you are considering changing this system.” The letter does not say how many CEOs were sent it.

In its news account of the letter, Dutch publisher Volkskrant wrote that “in so doing, the politicians explicitly place some of the responsibility for the excesses of social media with the companies that keep the whole mechanism running: advertisers who pump money into it.” 

Meanwhile, a discussion about the letter on the Harvard Project VRM listserv included this comment from Tim Walters: “Nice, but it doesn’t go to root causes. Advertisers (big or small, and remember that most of Facebook’s ad revenue does not come from the large brands), use FB and Google because they work, i.e., provide the greatest return for the ad investment.” 

The second salvo came from perennial privacy advocate and ad-tech critic Johnny Ryan, via the non-profit Irish Council for Civil Liberties, where he is now a senior fellow. In a summary of his full review document, Ryan writes that “tracking-based online advertising imperils fundamental rights and publisher sustainability by diverting data and revenue from publishers, it favours Big Tech and the bottom of the web at legitimate publishers’ expense, and enables massive fraud and micro-targeted disinformation.” Ryan previously worked in the tech, online advertising, and publishing industries. He is also affiliated with the U.S.-based Open Markets Institute.

Ryan’s document, titled “Sustainable without surveillance: ICCL review of sustainable publishing and tracking-based advertising,” covers six points and is a footnoted, fact-based compilation of data and arguments critical of ad-tech driven “programmatic” advertising. It cites cases where removing tracking has appeared to bolster publisher revenues.





Nineteen EU lawmakers explain why big corporations should stop using tracking ad ecosystem 

  • Below is an excerpt of a two-page letter, in English, delivered by 19 members of the 705-member European Parliament to an undisclosed number of corporate CEOs, asking them to abandon use of so-called “surveillance advertising” on platforms such as Google and Facebook. (See story, above)

“Among civil society there is growing consensus that the current digital advertising ecosystem is posing a burgeoning threat to privacy, societal cohesion and democracy around the world. With this letter we want to call upon you as a corporate leader to stop contributing to the highly opaque and toxic ecosystem of tracking advertising. We call upon you to switch to less harmful and still, even more effective, alternatives which are already available.”

“Tracking advertising technology is developed to accumulate enormous amounts of personal data, often without the knowledge or clear consent of the data subjects concerned, breaching their rights to data protection and privacy. This data is thereupon used to identify opportunities to influence individuals with personal data-targeted advertising, a system which is non-transparent and therefore often misused for political, commercial and even criminal interests.”

“ . . . [W]e believe it is also the responsibility of large corporations like yours to reconsider the way they make use of a system which is so blatantly harming our society. By continuing to use tracking advertising platforms, you are not only financing the growth of a harmful system, but you are a victim as well of fraud and price skimming.”



Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2021 Information Trust Exchange Governing Association, All rights reserved.
