Google’s “First Party Sets” runs into opposition at W3C group meeting; independent privacy entity promoted

Three browser makers and at least one major publisher are suggesting that Google’s latest effort to promote privacy on the web — First Party Sets (FPS) — might be scrapped because it doesn’t necessarily promote privacy — and may not comply with a British antitrust directive.  However, the World Wide Web Consortium (W3C) “Privacy Community Group” could move to split off a related governance idea and move it forward independently.

Google has advanced FPS as a replacement — perhaps temporary — for the elimination of third-party cookies, which for two decades have allowed multiple websites to trade data and identity information — mostly for advertising targeting — without explicit end-user permission.

Engineers from competing browser makers Apple, Brave and Mozilla suggested before and during Thursday’s W3C online meeting (May 26) that it may be time for Google to shelve FPS (see MINUTES). Instead, at least two participants in the session — Don Marti of ad-tech vendor CafeMedia, and Aram Zucker- Scharff of The Washington Post — suggesting carving out a portion of the FPS idea and continuing to work on it, even if FPS itself is withdrawn by Google or shelved by the group’s co-chairs.  That portion is something advanced by Google — an “independent enforcement entity” (IEE) — which would in some way govern privacy-protecting means of data transfer between sites.  ( ITEGA, a 501(c)3 nonprofiit organization that sponsors this newsletter, has expressed interest in taking such a role. See earlier story.)

“One of what appears to me to be [the]  most constructive parts of this proposal is the independent enforcement entity, which is some kind of a future governance body that’s capable of evaluating first-party sets and approving sets that are valid — and able to reject sets that are not valid.” said Marti, of CafeMedia. Marti said he would be more comfortable with Google’s FPS idea “if we knew about how the IEE works, its level of resources, guarantee of independence and the skills that are going to be represented there.”

British ad-tech executive James Rosewell, a perennial critic of Google’s post-cookie initiatives and initiator of FPS modification called GDPR Validating Sets 2, said FPS does not align with European privacy law, the General Data Protection Regulation (GDPR).  He commented in an email sent to the Privacy CG co-chairs and placed into the minutes by Apple’s O’Connor. Rosewell himself was not present. Rosewell’s email asserts Google promised to British antitrust regulators that it it would “align its browser development globally to GDPR. FPS does not align to GDPR.”

Key Safari browser privacy engineer John Wilander of Apple first raised pre-meeting criticism of Google’s FPS initiative in an exchange on a group listserve earlier this week. “We are against cross-site cookie access by default in all of its forms, FPS or other,” said Wilander, speaking for Apple engineers, adding, “FPS has the risk of hiding relationships between websites which would otherwise have to be more explicit and potentially understood by users.”

So far, in the lifetime of this (W3C) group, I think what we’ve tried to do is focus the group’s limited time on things that seem to have more consensus than this does,” observed Theresa O’Connor, of Apple, one of three-cochairs of the Privacy Community Group that was meeting.  The other browser-maker co-chairs are Pete Snyder, of Brave Software and Erik Anderson, of Microsoft.  Microsoft was silent on Thursday, but Snyder opened the discussion of First Party Sets, saying he believed FPS would be “privacy harming” and therefore shouldn’t be under consideration by the Privacy Community Group.

• Brave joins Mozilla in declaring Google’s First-Party Sets feature harmful to privacy | Martin Brinkmann, GHacks.net
• Abstract of paper about link decoration and re-directions to track users after the “death” of the third party cookie |   One of co-authors is Pete Snyder who works at Brave Software.

Speaking for Google, Kaustubha Govind, engineering manager for Google’s Chrome privacy initiatives, said Google’s FPS proposal is intended to be a bridge between the end of third-party cookies and whatever else the web community eventually arrives at to foster digital advertising and identity. “The intention was primarily to deal with the incompatibility that most major browsers are facing with respect to third-party cookie deprecation,” she said. “Why don’t we all use the same list” (of trustworthy sites),” she asked.  FPS was designed to “break tracking, but keep non-tracking site compatibility working for the most part now.”  She added: “What we really want to break is exchange of information flows  that happens across websites that are not owned by the same organization.”

The Privacy Community Group should consider either stopping consideration of FPS entirely, focus on useful parts of it, or develop new privacy-forward proposals to deal with the end of third-party cookies, said Aram Zucker-Scharff, of The Washington Post in Thursday’s discussion. Some other good work is underway, he said.  “Can we find the pieces of it that satisfy these use cases?” he asked.  As for FPS, he said: “The idea that we might build something that essentially enables a new kind of information flow, without any user intervention is something that I’m opposed to.”

Zucker-Scharff said it might make sense to break off the IEE proposal from FPS “into its own thing.” He added: “Where this is something that might be useful, some sort of governance entity for advertising technology and privacy.”

Google’s Govind first broached the idea of an IEE in a slide deck she and a colleague prepared for an Aug. 12, 2021 meeting of the W3C Privacy Community Group. (See an earlier story in Privacy Beat, Sept. 10, 2021.) Google is also advancing an idea of for allowing login across multiple website without third-party cookies, called the Federated Credential Management API.

ROUNDUP: REPLACING THE COOKIE

• Czech news publishers are preparing for the cookieless future by introducing a single sign-on system | David Tvrdon, TheFixMedia.com
• Inside Hearst UK’s multi-pronged approach to third-party cookie replacements | Kayleigh Barber, DigiDay.com
• DRAFT: W3C Federated ID Community Group report on authentication
• SalesForce’s Kristine Chapman’s chart of current efforts to replace third-party cookies | (As of about March 23, 2022)
• A Sept. 2017 blog post by Robert Broeckelmann defining authentication, federation and SSO:
• How a person gets logged in using a URL append/query string: (Sam GoTo works for Google):
• Also see what Apple is up to

CHROME AND PRIVACY — BACKGROUND

• Google is testing its new Privacy Sandbox settings in Chrome | Steve Dent, EnGadget.com
• Google resumes shoveling stuff into its ‘Privacy Sandbox’ | Thomas Claburn, TheRegister.com
• Chrome’s “Topics” advertising system is here, whether you want it or not | Ron Amadeo, ArsTechnica.com
• Topics wants to pick up where FLoC failed | Manuel Vonau, AndroidPolice.com
• Google starts global tests of Privacy Sandbox ad targeting | Natasha Lomas, TechCrunch.com
• Google’s Privacy Sandbox ad technology testing begins | Greg Finn, SearchEngineLand.com