As third-party cookies fade, Google, using Chrome, appears to seek a controlling role over cross-site user logins 

Google Inc. moved this week to advance new standards in which web browser makers — including Google and Apple — control which websites get to share user logins and elements of identity, rather than publishers or users themselves. 

The effort was described in detail in two World Wide Web Consortium (W3C) presentations by Google Chrome senior engineer Sam Gogo. The first description was in the form of a “draft community group report” dated Oct. 18 and posted to the W3C Federated Credential Management (FedCM) group. The “report” is styled as an application programming interface (API) standard for cross-site data exchange.

The second was contained in official breakout notes of an Oct. 21 Federated Credential Management discussion featuring GoTo at the W3C’s annual meeting, know formally as W3C TPAC 2021. 

Details and extension explanations and Q-and-A with Goto are in the two documents.  Taken as a whole, they paid a picture of Google’s effort to at the same time (1) address privacy concerns by blocking third-party cookies in Chrome in 2022-2023 while (2) trying to create a method to still permit browsers to support cross-site logins that don’t opaquely support surveillance-type advertising. 

But Goto implied that Google’s position is that a global ID is a form of “tracking.” The public notes quote Goto as saying: “Personally [I] believe we should make sure users are protected from tracking and passing global IDs is part of the job.” 

“Our approach is to insert the browser into this situation to enable affordances,” notes of the Oct. 21 discussion quote Goto as saying. He said the current system in which third-party cookies manage cross-site logins without judgement creates conflict with emerging browser privacy features. “We like federation and privacy and we want both,” the notes quote Goto saying, adding the Google project goal is “looking for ways to make them not conflict.” 

Google’s solution, it would appear, is to put its Chrome browser, using the Open ID Connect standard, in the position of deciding what’s surveillance and what’s user-desired, cross-site access convenience.  Among alternatives for controlling cross-site identity: 

• So called “Self Sovereign Identity” in which software completely in control of the end user decides what information to give to which parties and when, without intervention by a “user agent” (UA) such as a browser.
• An Identity Provider (IdP), such as an Internet Service Provider, email provider publisher or affiliated group of web services, decides when to allow cross-site logins. This is an approach Goto said Chrome is considering supporting this approach. 
• A government service which makes, enforces and perhaps runs identity services and requires compliance by parties within its jurisdiction, including web browser makers.

Discussion in the W3C breakout included whether the browser should make lists of acceptable and non-acceptable parties for cross-site logins. So far, Google, in its First Party Sets proposals, seems to be saying that the browser should only allow commonly owned websites with different domain names to cross-authenticate users. Would that mean, asked Achim Schlosser, of the European Net ID Federation, that Chrome would require users to log in repeatedly across non-corporate affiliated sites? GoTo referred Schlosser to the FedCM document.  NetID is a collaboration of Germany publishers and big ISPs.
 

PLATFORMS, PRIVACY AND IDENTITY

• Google met with platforms in bid to slow “privacy” regs, Texas suit alleges | Leah Nylen, Politico.com
• Federal consumer finance agency probing Google, Apple, PayPal data practices | Wendy Davis, DigitalNewsDaily/MediaPost.com
• Snap CEO says Apple’s privacy policies affecting its revenue; stock plunges | Filipe Esposito, 9to5mac.com | RELATED STORY
• Apple’s Privacy Change Is Hitting Tech and E-Commerce Companies | Patience Haggin & Suzanne Vranica, WSJ.com | RELATED STORY
• DC district attorney adds Zuckerberg as defendant in privacy suit | Cecilia Kang, NYTimes.com
• Oversight Board slams Facebook for giving special treatment to high-profile users | Bobby Allyn, NPR.org | RELATED STORY
• Pierre Omidyar’s affiliates see as backing whistleblower against Facebook | Emily Burnbaum, Politico.com
• TechMeme’s aggregation of stories about Facebook and fake news | TechMeme.com

AD TECH

• Email-based ad targeting see has having privacy, practical problems | Tim Peterson, DigiDay.com
• Nonprofit Websites Are Riddled With Ad Trackers | Alfred Ng & Maddy Varner, TheMarkup.org
• Google takes up to 42% from ads, states allege in Texas antitrust suit | Bob Van Voris, Bloomberg.com
• AirBnB cut $542M of advertising couldn’t measure any performance falloff | Rand Fishkin, SparkToro.com (ABOUT FISHKIN)
• Brave dumps Google search, adds its own to browser; will be ad supported | Laurie Sullivan, MediaPost.com
• VENDOR VIEW: Questions and perspectives about Google’s “FLoC” trial | Antoine Rouzaud, Criteo via Medium.com
• VENDOR VIEW: Identity Resolution Misses The Mark Without Systemic Measurement And Attribution | Kunal Nagpal, InMobi via AdExchanger.com

PRIVACY BUSINESS

• Consumers prefer biometrics to passwords, think less of brands with bad authentication | Chris Burt, BiometricUpdate.com
• Microsoft announces privacy management, compliance tools | News Release
• Basis, Formerly Known As Centro, Is Gearing Up For An IPO | Allison Schiff, AdExchanger.com
• Skyflow’s data privacy API business raises $45M Series B | Alex Wilhelm, TechCrunch.com

NGO privacy/identity “safe harbor” rules, enforceable by FTC, advocated by a second Kerry-affiliated policy expert 

An experienced Washington internet-policy expert says advertising and technology companies need to come together on standards for privacy and identity so that government can then regulate to those standards.

Karen Kornbluh’s remarks were included as part of a broader Q-and-A interview with tech journalist Julia Angwin and published as an email newsletter and web posting at TheMarkup.com, which Angwin edits.  Kornbluh, a former diplomat and FCC staffer,  is now senior fellow and director, digital innovation and democracy initiative at the German Marshall Fund of the United States.

“Of course, the [U.S. Federal Trade Commission]  is so outgunned. They don’t have enough money, they don’t have enough staff, they don’t have enough expertise, and the technology is moving really fast, Kornbluh told Angwin.

She continued: “That’s why we come down to the need for some kind of digital code of conduct, to get the platforms to do some of this work themselves under the regulatory supervision of the FTC. The industry could get together and spell out what would be good enough steps to not be considered negligent, and then that can be used as a safe harbor. The industry would work out the details, but the regulators would decide if it’s enough and audit to make sure they’re complying.”

The idea of a regulatory “safe harbor” for companies which adhere to some industry codes of conduct around privacy and identity was advanced last year by a prominent Brookings Institute researcher, Cameron Kerry.  Kerry is the brother of former U.S. Sen. John Kerry, and Kornbluh worked for Kerry on the staff of the Commerce Committee and its Telecommunications Subcommittee. [ITEGA, publisher of this blog, has offered itself as a non-profit governance service for trust, identity, privacy and information commerce).

WASHINGTON WATCH

• Both parties  Step Up Efforts to Adopt Tougher Tech Laws | John McKinnon, WSJ.com
• Lujon’s Senate Bill Threatens Web Companies With Lawsuits Over Recommendations |  Wendy Davis, DigitalNewsDaily/MediaPost.com
• Federal appeals court advances suit piercing Section 230 immunity | Wendy Davis, Wendy Davis, DigitalNewsDaily/MediaPost.com
• VIDEO: On Section 230, Klobuchar sees more “hallway support” for repeal | WSJ.com

STATEHOUSE WATCH

• Mass. Bill Intends to Protect Personal Biometric Data | Katya Maruri, GovTech.org
• States Are Toughening Up Privacy Laws for At-Home DNA Tests | Emily Mullin, Wired.com
• Illinois appeals court allows biometric liability to extend for five years | Margaret Dalton et al., Stoel Rives law firm
• California and Florida Introduce Two More Genetic Privacy Laws Into the Mix | Theodore Claypoole, Womble Bond Dickson law firm
• California privacy board’s chair discusses rule making plans | Jeewon Serrato, BakerHostetler law firm

Un-redacted Texas suit reveals new claims that may damage Google position vs. publishers and competitors

Twitter came alive at end of week with reports about an Oct. 22 development in the advertising antitrust suit against Google filed by 17 U.S. states and lead by Texas’ attorney general.

The news is that the court hearing the case permitted “unredaction” of thousands of words previously sealed from public view — mostly damning allegations made by the state plaintiffs.  The freshly unreacted legal complaint can be found and downloaded from the nonprofit CourtListener website.

Digital Content Next’s Jason Kint, Tweeting about the new verbiage, includes an excerpt that quotes a Google executive (the name is still redacted) in a company document, that his No. 1 priority was the “need to fight off the existential threat posed by header bidding . . . . “ 

A long Twitter thread is authored by Patric McGee, the Financial Times’ full-time correspondent baed in San Francisco and covering Silicon Valley. McGee’s Tweets highlight newly unreacted sections pointing to the significant profitability of Google’s ad-serving and tracking business and allegations of how it was intended to disadvantage publishers and competitors.

Another series of Tweets on the disclosures are authored by an anonymized California-based tech games and video programmer who Tweets as “fasterthanlime” and is known as “Amos.” He claims to have just read the entire 176-page, un-redacted complaint.

In one Tweet, “Amos” screen-grabs (see image, above) a section of the un-redacted complaint which reads: “Internally, a Google employee concedes that an electronic exchange such as its own should to normally be able to extract such high fees in the market . . . an exchange shouldn’t be an immensely profitable business . . . but should instead be like a public good used to facilitate buyers and sellers.”

ANTITRUST

• U.S. bill would stop Big Tech favoring its own products | Diane Bartz, Reuter PLC
• Antitrust Update: Developments at the FTC and DOJ | John J. Kavanagh, Steptoe law firm
• As the FTC takes aim at tech giants, the regulator just lost key tech and data privacy leaders | Kate Kaye, DigitDay.com
• Watchdogs Urge Senate To Confirm Privacy Expert Bedoya To FTC | Wendy Davis, PublishersDaily/MediaPost.com

PERSONAL PRIVACY

• VENDOR REPORT: Survey finds two-thirds avoid intrusive websites, but would share with transparency and control | Wyng platform |  SURVEY DOCUMENT
• VIDEO: How to keep yourself protected online: What to know about cookies, privacy settings | Ree Hines, NBC/Today.com
• FTC report finds concerns with internet service providers’ data collection, use | Wendy Davis, DigitalNewsDaily/MediaPost.com | FTC NEWS RELEASE
• SURVEY: Privacy Concerns Key Reason Buyers Flee Online Retailers | Jack M. Germain, ECommerceTimes.com | RELATED STORY
• Brave’s privacy-first search engine is now built in to its browser | J. Fingas, Engadget.com
• After whistleblower, poll finds public support for regulation of social media platforms | Chris Teale, MorningConsult.com
• Use this iPhone setting to keep ads from following you across the internet  | Alison DeNisco Rayome, CNet.com

JOURNALISM SUSTAINABILITY

• Big U.S. news publishers are adhering to GDPR; is that a good thing? | Patrick Maynard, via Poynter.org
• France hails victory as Facebook agrees to pay newspapers for content | Angelique Chrisafis, TheGuardian.com
• Facebook is expanding use of NewsTab; says it is one third of link-outs | Sara Fischer, Axios.com
• Gannett Snares $516 Million In Refinancing To Pay Down Existing Loan | Ray Schultz, PublishersDaily/MediaPost.com
• Gannett debt expected to be purchased by Apollo Global affiliates | Dhirendra Tripathi, Reuters PLC
• Google lowers app-store “fee” to 15% on Jan. 1 benefits subscriptions | Nick Statt, Protocol.com
• An act tucked inside the federal spending bill could deliver as much as $1 billion to subsidize local journalists’ salaries | Rick Edmonds, The Poynter Institute
• When newspapers close, bonds among locals weaken and misdeeds can thrive | Jennifer Berry Hawes & Stephen Hobbs, Charleston [S.C.] Post & Courier