Google “Topics”: Why should browser control? Is the IRS outsourcing identity authentication?

Privacy Beat

Your weekly privacy news update.



Assessing the Google “Topics” targeting pivot; why should dominant Chrome browser be in any control position at all?

Observers are trying to assess Google’s intentions with its announcement this week that it is killing off its cohort-based “FLoC” ad-targeting-in-the-browser idea after a lot of criticism — and replacing it with a new proposal with a different approach. But the new idea — “Topics” — still puts Google’s dominant browser “Chrome” at the center of ad targeting.

The Wall Street Journal’s story said “Topics” was the result of privacy-advocates pushback and would “give marketers less granular information about web users . . . .” The New York Times account called Topics “potentially a huge shift for the digital advertising industry” which, still, might be no less alarming to advertisers and regulators.

The new idea was all explained from Google’s perspective in a Jan. 25 announcement, a “Get to Know Topics” narrative by Vinay Goel, product director, Google Chrome Privacy Sandbox, and in a detailed GitHub “explainer.”  Instead of a complicated system for putting browser users into anonymized “cohorts”, Topics would have the browser software constantly review all your clicks, periodically assign you three from among at least 300 initial interests and give them to advertisers.

Apparently included is some way for the user to adjust the three submitted interests. But yet to be decided, perhaps, is whether a “default” setting on the browser would have Topics turned off unless a user specifically “opts-in” — as would probably be required in the European Union, and perhaps also in some U.S. states.

The change will produce more FUD (fear, uncertainty, doubt) in the advertising, publishing and ad-tech industries as to Google’s intentions. Possibilities include (a) Offer a somewhat more privacy-aware user tracking solution to keep ahead of FTC and California privacy scrutiny? (b) Provide a minimalist alternative to killing off the third-party cookie, which absent any other change will hurt Google’s advertising competitors? (c) Appease antitrust regulators?

“A lot of Google’s post-cookie ad system (which they brand as “Privacy Sandbox”) is being built because antitrust regulators are watching them,” wrote CafeMedia’s Don Marti in a personal-opinion post to the Harvard-Berkman ProjectVRM listserve. He says Google “would be a lot better off if they kicked Chrome out of the nest as its own open-source org with a nice trust fund and search ad deal . . . .” Otherwise, Marti speculates, Google will end up with an onerous antitrust consent decree.

So-called “relevant” and “interest-based” advertising is based on flawed theories of what motivates purchasing, ProjectVRM founder “Doc” Searls wrote to the same listserve. “The massively ironic fact remains that Google is great at contextual advertising that isn’t personal, and can do fine without trying to personalize everything through unwelcome tracking. Might even do better.”

The most obvious question, from an ITEGA perspective: Why should a piece of privately controlled software that provides near-monopoly gatekeeper access to large chunks of the web be managing privacy and identity, rather than a government or public-benefit nonprofit managing a level playing field? Especially when it controls the largest chunk of the web’s advertising ecosystem as well?

Below is a selection of other stories about “Topics”


RELATED: Put a hold on the third-party cookie crumble?

A group of German publishers and advertisers is asking European Union regulators to stop Google from deciding which third-party cookies to banish from its Chrome browser in 2023, saying that interposes Google into their relationship with their users.  The plea came in a lawsuit filed last week.   “Publishers must remain in a position where they are allowed to ask their users for consent to process data, without Google capturing this decision,” the group, including Politico Publisher Axel Springer and Germany’s federal association of digital publishers, said in a 108-page complaint to the European Commissioner for Competition Margrethe Vestager. Google’s response to the complaint is well-covered in TechCrunch’s report.





Later in 2022, you won’t be able to access your IRS data unless you sign up with a private ID company. How’d that happen?

Two news stories in the last week underscore a policy debate that’s not happening in the United States — should the government or a private company control the “authentication” and login to government services such as the Internal Revenue Service (IRS) or social security?

A relatively short news story published with video on the CBS News site reports that the IRS will begin in mid-2022 to require that, if you want to access your tax information online, you sign up using the technology of a private vendor, ID.ME, and that existing IRS logins will no longer work. “The IRS says the move is necessary to protect taxpayers from potential identity theft,” CBS reports, adding: “But privacy advocates say it’s invasive and point out that the company behind has a spotty record in verifying people’s identities.”

A much longer investigative piece ran Jan. 20 on Bloomberg News with the headline, “How Did Get Between You and Your Identity?” It details the history and funding of ID.ME, which under a different name was originally a participant in an Obama-administration effort to create a competitive private marketplace for identity management of access to federal government programs.

But now ID.ME’s relationship with the IRS is exclusive, according to the reporting by Bloomberg’s Shawn Donnan and Dina Bass.

Here’s a rather long but salient section of their story, as a fair-use excerpt:

“Which problems the government should tackle on its own, and which are best left to the private sector has long been the subject of a fierce debate in America. It’s a partisan divide seen with President Biden’s attempts to get a new social spending package through Congress. But when technology is involved, there’s often a more united belief that the marketplace is better equipped to deliver a solution—whether it’s transporting supplies to the International Space Station or developing vaccines.

“That idea was reinforced with the Obama administration, when it struggled to roll out effective insurance portals after the Affordable Care Act took effect in 2010, and then the following year with the National Institute of Standards and Technology’s digital identity plan. Jeremy Grant, who oversaw that implementation, says when Obama ceded the task of policing digital identities to the private sector, aware that anything resembling a national identity card would be a hard sell with conservatives, “the thesis was that you could have industry solve this for you.”

“A decade later, though, Grant thinks Washington relinquished too much control to companies like He now leads the Better Identity Coalition, which is composed largely of financial-services firms such as JPMorgan Chase, Wells Fargo, and Equifax. It’s pushing legislation in Congress that would require a bigger government role in verifying digital identities, for fear that for-profit contractors such as may come to dominate the function.”






Ryan asserts IAB Europe is functionally unable to achieve its intention to stop ad-tech personal-data violations of EU law

Perennial privacy crusader Johnny Ryan, of the non-profit Irish Council for Civil Liberties, has fired yet another salvo at the ad-tech industry, and particularly the Interactive Advertising Bureau’s European operation. He says there is no practical way for the IAB to audit and stop the exchange of personal information billions of times per day across the “real-time bidding” (RTB) programmatic ad system. (See Quote of the Week, below, for details.)

IAB Europe can’t audit what 1000+ companies that use its TCF system do with our personal data | Johnny Ryan, Irish Council for Civil Liberties | TWITTER STREAM

“A crawler on an end-user device cannot see what happens between companies’ servers,” Ryan asserts in his review of how he thinks IAB Europe functions. “It is impossible for IAB Europe to independently monitor the movement of RTB data behind the scenes between companies’ servers. It can not observe what is sent in the bid request, or what companies it was sent to, or who those companies then passed that data on to, and what each company did with it. This ‘server-side’ problem is insoluble, and is the consequence of RTB’s inherent insecurity.”







Industry piles on criticism of Democrat-filed “surveillance advertising” proposal; what advertising would benefit?

The latest — and toughest — Democrat-led effort to respond to privacy concerns with web advertising drew instant criticism from the advertising, ad-tech and general business sectors, all but ensuring that the “Banning Surveillance Advertising Act” will likely become merely a vessel for hearings and negotiations. In their statement filing the bill, Sen. Cory Booker, D-N.J., declared: “Surveillance advertising is a predatory and invasive practice.” Backing the bill were 13 named privacy groups, and seven academics prominent in privacy policy circles. | TEXT OF BILL | BACKGROUNDER ON BILL

Criticism focused on claims that a major change in the way advertising is handled on the web would cost jobs and revenues.  But one observer, CafeMedia’s Don Marti, wrote in a personal blog: “A surveillance ad ban won’t make people buy less stuff, but in the absence of surveillance ads, different gatekeepers will be more important.”  He said obvious winners would be purveyors of advertising based on search-engine optimization strategies, affiliate programs, search advertising and content marketing.









Ryan: The challenge of auditing personal data exchange among ad-tech services not met by IAB Europe 

  • The following is excerpted from a blog post by Johnny Ryan of the Irish Council for Civil Liberties, arguing that a vendor compliance program announced by the Interactive Advertising Bureau’s (IAB) European affiliate is unable to establish transparency and control over the sharing of personal data via programmatic advertising’s “real time bidding” (RTB) technology. TCF refers to the IAB’s Transparency and Control Framework.

“Despite IAB Europe’s claims, there is no way to audit what happens to personal data after it has been broadcast to thousands of companies, hundreds of billions of times a day. 

The [EU’s General Data Protection Regulation (GDPR)] prohibits the processing of personal data unless it is kept secure . . . There are no technical controls in place to limit what companies do with the personal data they get from RTB broadcasts. Rather than control where personal data goes, and what happens to it, the TCF is an uncontrolled honour system . . . . 

“According to IAB TechLab’s documentation, “there is no technical way to limit the way data is used after the data is received” . . .  IAB Europe now claims that it will attempt to monitor for the first time whether companies honour or ignore TCF requests about how data is used. IAB Europe calls this the “TCF Vendor Compliance Programme”. As we show below, this is technically impossible.

“IAB Europe’s TCF Vendor Compliance Programme appears to operate as follows: Technical auditing of Vendors on Publishers properties by accessing and crawling websites implementing a TCF CMP and, where the vendor is integrated, to scan tags and analyze URL, headers, postdata, and cookies of https requests”.

“This ‘crawling’ approach examines what happens on an end-user device . . . IAB Europe has not said that it will audit RTB broadcasts of personal data, despite this being the primary security concern. One reason for this absence may be that such an audit is technically impossible.

“The majority of RTB data traffic is impossible to see or audit . . . This means that data protection depends on whether hundreds or thousands of companies can be trusted to honour a TCF request, every time there is an RTB auction. The TCF has no way of verifying whether they do so . . . Nor can IAB Europe audit related server-to-server operations, such as ‘clean room’ and other sharing of tracking profiles about large numbers of people . . . .

“IAB Europe can only observe what happens on the end-user devices that its crawler controls. However, there are problems here, too. In theory, each of the items identified by IAB Europe is visible to an end-user device that loads a website, and is typically trivial to monitor. However, all, except for cookies, can be obfuscated or encrypted to frustrate auditors . . . Also moot is the otherwise troubling fact that no mobile apps appear to be included.

“The lack of transparency and control in the TCF is therefore unchanged by IAB Europe’s new “TCF Vendor Compliance Programme”. It remains impossible for a person to know what companies actually receive their data, or what they will do with their personal data, or for a person to enforce their rights under the GDPR over that data.”


Privacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to





Copyright © 2022 Information Trust Exchange Governing Association, All rights reserved.
