Read this article in Deutsch, Español, 日本語.
Google recently released a proposal for a third-party cookie replacement technology called Topics. It’s a move meant to satisfy the needs of advertisers while side-stepping many of the privacy pitfalls of their previous proposal, FLoC, the privacy nightmare we denounced earlier last year.
But with Topics, Google is just twisting user tracking and profiling in different ways.
Right from the start, the document outlining how the Topics API works, clearly shows its true purpose:
key use cases that browsers want to support […] is interest-based advertising […] a form of personalized advertising in which an ad is selected for the user based on interests derived from the sites that they’ve visited in the past
That is behavioral profiling.
How does Topics differ from FLoC?
Google limits the amount of information a site can gather to a few topics initially from a set that might be as big as a few thousands and only allows a single additional topic to be obtained every week. They also limit the topics advertisers can see to topics offered by sites on which those advertisers are present, giving topics approximately the same reach as third-party cookies. Some random topics might be offered as well and Google claims that this lessens the chance that sharing a given topic will automatically be compromising or identifying.
Google also claims that this will reduce the ability of advertisers to gather enough data themselves for building a profile, but it is clear that big advertisers that have sites covering all topics will be able to obtain a full list of topics of interest for a user quite fast. We also suspect that smaller advertisers will be able to easily build workarounds.
The only really useful part is that users are able to disable the whole system or exclude certain topics in a way that can’t be easily detected. However, we expect that most users won’t change the defaults and will just fall victim to this anyway.
In addition, the wording in the specification is loose and ambiguous in a way that leaves it open to manipulation by Google, to expose more or less information. This is especially possible for websites that cover a large range of topics, such as Google and Facebook, which will be able to observe the widest range of behaviorally profiled information.
How Topics stays true to the FLoC spirit
Topics has the same fundamental problem as FLoC: it enables third parties to build profiles, which is always problematic, no matter how many privacy mitigations you put around it. Your browser would still learn about your interests as you move around the web. So, it’s basically spyware.
As we know, revealing information about the user’s interests to various entities, even slowly, will allow them over time to identify political affiliation, sexual orientation, and other personal information about the user. This can have real-world consequences. And, as has been shown by the Cambridge Analytica scandal, this identification can be done even with very few topics. The little randomness element Google has added will unlikely do much to counter this.
Indeed, in going back to the drawing board after FLoC, the only aspects Google seems to have looked into are the ability to identify someone and to get compromising information about them. But this is addressed less by making improvements than by creating a complex system that is harder to analyze for loopholes. But the loopholes remain and can be played.
The Verdict?
Based on this, and Google’s track record, we currently have no faith in the new Topics API. Adding tweaks upon tweaks to “fix” privacy issues of a system that’s specifically engineered to leak user information only ends up obscuring the real problem and leading nowhere. Even if a compromise could be reached for now, the system would not be safe from future tweaks that could lead to leaking more information about a user.
We believe that spying on people’s behavior and profiling them is wrong. Period. It is easy to get misled by this new variation of FLoC, since it does appear to have made some positive changes. However, it still violates your privacy. And pretending that behavioral profiling can be okay as long as you hide a few bits of information, or sometimes add false information, is really missing the point that you shouldn’t be profiling in the first place.
Instead of arguing endlessly about whether profiling can be made acceptable (it can’t), we would much rather start with a return to context-based advertising and then fine-tune that, if (as Google claims) there are indeed cases where it doesn’t work.
At least this time, we can just disable it without fearing that it will cause issues in the future.
Nice try, Google, but you are still off-topics on this one.
Input from Vivaldi developers Tarquin Wilton-Jones and Julien Picalausa
