Deconstructing Google’s excuses on tracking protection

randomwalker | 918 points

>This isn’t the first time that Google has used disingenuous arguments to suggest that a privacy protection will backfire. We’re calling this move privacy gaslighting, because it’s an attempt to persuade users and policymakers that an obvious privacy protection—already adopted by Google’s competitors—isn’t actually a privacy protection.

Exactly. Firefox and Safari have both implemented and keep improving the type of fingerprint protection that Google is throwing their hands in the air about.

This summary is a thorough response, pointing out just how ridiculous and meritless the original post[1] from Google was.

[1] https://www.blog.google/products/chrome/building-a-more-priv...

gregdoesit | 5 years ago

Google's original post is super gross. It dismisses the idea that there could be alternate ways to fund content (i.e. micropayments). I get why they promote "free content" but it is not free at all when you are trading your attention and privacy.

Further, their privacy sandbox sounds like it would just monopolize the advertising space to them. If they don't allow advertisers to collect data, that takes control away from advertisers and centralizes it to their ad market platform.

The post also creates some weird false dichotomy between cookies and fingerprinting. Let's just block both, yea? That's what is best for the user, and probably best for the web in the long term.

We absolutely need a new funding model for the web (to kill ads). The biggest barrier I see are the high transaction fees of digital transactions (30 cents + 2.9%). I don't know if the solution will be Brave, Libra, or something else entirely. Whatever it is, it can't come soon enough.

TACIXAT | 5 years ago

Somewhere along the way, ad networks got incredibly greedy (I know, gasp).

I remember when I was much younger, there were banner ads on a bunch of pages (and pop-ups/pop-unders of varying levels of frustration). The banner ads were fine even when we were rocking 56k internet: not beloved by any stretch, but typically reasonably okay.

I have previously toyed with ad blockers, but at a certain point stopped, figured I'd play nice or whatever. Then there were sites that over time legitimately ate into computer resources to the point they were eating way more energy than reasonable (I can't remember which one, but there was one that if I left the site open long enough, it'd crash all open tabs). At that stage, I went back to ad blockers. I really wish it didn't come to it, but man, that whole "give somebody an inch and they'll take a mile" is in full display online now.

jsgo | 5 years ago

This new initiative seems to be about some changes to Chrome that were overlooked due to hazy justifications that seem to have distracted everyone. I'm guessing the justifications are especially unclear because Google doesn't want to upset advertisers. But how about we look at the technical changes they're announcing, rather than how they justify them?

- Forcing websites to explicitly mark cross-site cookies, or they get blocked for cross-site usage. They also seem to be hinting at adding better ways to clear cookies in Chrome. [1] [2]

- Further attempts to block fingerprinting. (Vague, seems hard?)

These seem like... good things? The SameSite initiative makes CSRF attacks harder. Maybe not big news or as strong as you'd like, but in the right direction?

[1] https://web.dev/samesite-cookies-explained/ [2] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-s...

skybrian | 5 years ago

Funny how Google paints itself as the somewhat Justice Scalia of web privacy using originalist arguments to make its point. Personally I never been impressed by these constructions and in this case to the extent that it would be rightly interpreted I would be more a living web privacy kind of person anyway. I ultimately think in the web as in the constitution it is disingenuous to think framers would have envisioned at its conception all use cases and especially all potential abuses.

doe88 | 5 years ago

I felt a dejavú while reading Google statements. It remind me a time when Microsoft published statements about how harmful was OSS for software innovation.

diegof79 | 5 years ago

Has anyone ever considered just giving 3rd party javascript less access to things? That may fix the fingerprinting problem too.

I do have some appreciation for how badly it would break a lot of the web applications though, but it seems like it might work.

schlipity | 5 years ago

How do we reconcile wanting to block fingerprinting so we can't be tracked, with the fact that almost every modern front end uses fingerprinting for things like figuring out the canvas size for responsive designs? I definitely don't want to be tracked, but I'd like responsive designs to keep working.

jedberg | 5 years ago

Switched back to firefox on Mac, Windows and Android a few weeks ago and never looked back. Only using chrome for work.

Schnitz | 5 years ago

On top of the generally absurd claims made in the official Google post, that writing was just terrible. Comma splices all over the place, sentences starting with So and But, very strange tone and wording in some things. Did anyone edit this?

Oh and I love the “thank you in advance for your help” lol what?

bgdnyxbjx | 5 years ago

This letter lost me really early on:

>> "There is little trustworthy evidence on the comparative value of tracking-based advertising."

This is flat out wrong. Google and Facebook have proven that there are BILLIONS of dollars on the table for the value of "tracking-based advertising"

As an engineer who used to work in ad-tech, making appeals to reason to these companies won't help. There's a lot of money flowing in this sector, and unless large internet companies see the value in changing their ad-based business models, the only thing that will dissuade them are shifts in public opinion, laws, and policy.

Or a rearchitecture of the web, which I'm all for :)

standyro | 5 years ago

I feel so bad for the author of this post. I would love to bump into and chat with the author 10 years from now at some conference and learn about the arguments that went into why this was written.

I wonder if the director of chrome engineering has drunk the koolaid enough to believe this? Or whether they feel really bad about carrying water to pay the bills.

prepend | 5 years ago

To be fair, most of the reasons for trackers is to fight ad fraud. Most of traffic on ads are just bots.

hartator | 5 years ago

What if Google is so entrenched in this position because they see a ton of evidence? What if Google is “right”?

I tried out Google’s non-personalized ads for a while, and wow the ads were bad, especially on YouTube. Not like irrelevant but downright obnoxious. But wait, we’ve seen this before!

A couple years ago, Google noticed that ads were starting to get downright atrocious and started fighting them. One relevant blog post: https://blog.google/technology/ads/building-better-web-every...

Why Google oh why are ads so bad? Because advertisers got more evil? Yes and no. Google got more evil advertisers as all the good ad money went to Facebook’s properties.

2012 https://www.emarketer.com/newsroom/index.php/google-edges-cl...

2019 https://www.emarketer.com/chart/217028/facebook-vs-google-sh...

Google’s recent blogpost is frustratingly “right”: given the opportunity cost of bad ads, an average user is better off opting in to higher-quality tracking-targeted ads. BUT! That is only because Google the ad company lost the good content. And sadly, Google the software company owns the browser, so they have to make do in a Google world.

This isn’t even an issue about privacy. It’s about a company overtly misrepresenting the interests of its users in bad faith. No different than Uber tacking on the $1 “safe rides” fee as a pure margin generator rather than as protection for riders.

choppaface | 5 years ago

> We find this passage from Shoshana Zuboff’s The Age of Surveillance Capitalism to be apt: “Demanding privacy from surveillance capitalists or lobbying for an end to commercial surveillance on the internet is like asking old Henry Ford to make each Model T by hand. It’s like asking a giraffe to shorten its neck, or a cow to give up chewing. These demands are existential threats that violate the basic mechanisms of the entity’s survival.”

This quote is hilarious, but if, as the article suggests, privacy-invading, tracking-based ads aren't much better than content and region-based ads, presumably advertising companies like Google could abandon it and still provide similar value to their customers.

It might even save time, resources, and money since they wouldn't need to put as much effort into tracking.

musicale | 5 years ago

> the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?

A contrast with law enforcement, is that the abusers are not punished and deterred, but instead encouraged to escalate the potency of their behaviour. Anti-tracking technology is preventing pick-pocketing by expecting people to ride in armoured cars. This should be part of the solution, but we also need deterrence.

Laws like the GDPR should in theory help, but sadly enforcement with regard to tracking consent has been lacklustre, and consequently and predictably the law is widely flaunted. This makes the mitigating technical measures all the more necessary, yet they are not a panacea.

gnode | 5 years ago

Can someone explain me if this isn't (technically speaking) and uphill battle? Let's say all browsers implement first-party isolation and anti-fingerprinting, won't tracking simply move server-side?

"Hey AdTech Network. Here is the server from Free Newspaper. Can you send me an add for Free Newspaper user X at IP Y?" "Hey Free Newspaper. Oh, that guy? I just saw him buying a flight ticket at Flight Aggregator. He is definitely Flight Aggregator user Z. Here is a targeted ad."

anticristi | 5 years ago
[deleted]
| 5 years ago
[deleted]
| 5 years ago
[deleted]
| 5 years ago

Is there someway it'd be possible to develop a browser that fingerprinted as identically as possible for everybody? Surely we have different IP Addresses, but we can make things like querying for viewport dimensions the same.

JMTQp8lwXL | 5 years ago

I find it amusing how commenters on HN are so privacy-sensitive while good share of software industry today supports, depends on or directly is involved in people tracking, this way or another.

airnomad | 5 years ago

It's almost like Google wants to track and deliver advertising.

Almost like they have some financial interest in determining user behavior so they can deliver more targeted ads. Almost like they are an adware company.

Nah, can't be that. That would be like a conspiracy or something......

einhverfr | 5 years ago

That surveillance economy strongly reminds me Tobacco industry. It was cool and trendy until everyone woke up and regulated it to death, as it should be. GDPR is just the beginning.

auslander | 5 years ago

fantastic essay. thank you

undoware | 5 years ago

Ironically, this site wants to use my browser's canvas to fingerprint me.

Umm.. no thanks!

1024core | 5 years ago

"Hide your evil"

lazyeye | 5 years ago

Get rid of cookies, get rid of fingerprints by sharing them between all browsers using a p2p network so everyone has the same fingerprints. Now get rid of Google. Thanks for all the fish, Google.

devoply | 5 years ago

https://www.blog.google/products/chrome/building-a-more-priv...:

> Some ideas include new approaches to ensure that ads continue to be relevant for users

'nuff said

jiveturkey | 5 years ago

> To appreciate the absurdity of this argument [about encouraging fingerprinting], imagine the local police saying, “We see that our town has a pickpocketing problem. But if we crack down on pickpocketing, the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?”

Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.

This sort of thing happens in real life all the time. In the debate over drug policy, one of the major arguments for legalization is that drug prohibition leads to different types of crime. On the one hand, this is a "defeatist" attitude to have about drug policy. On the other hand, the world is complicated, and sometimes we have to make compromises.

The author continues:

> Based on peer-reviewed research, including our own, we’re confident that fingerprinting continues to represent a small proportion of overall web tracking. And there’s no evidence of an increase in the use of fingerprinting in response to other browsers deploying cookie blocking.

That's an excellent, concrete point to make about the question. But it's not "absurd" for others to have less confidence in that conclusion. It sounds like a tricky open question.

oconnor663 | 5 years ago

> To appreciate the absurdity of this argument [about encouraging fingerprinting], imagine the local police saying, “We see that our town has a pickpocketing problem. But if we crack down on pickpocketing, the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?”

Actually, fingerprinting is not JUST used to track users for ads. Describing the characteristics of a device is used for lots of other purposes as well. For example canvas size etc etc useful for other reasons. Many / most web dev folks rely on fingerprints (user agent / screen size) when targeting layouts, adding / removing features etc.

The whole analogy where police are cracking down on criminals is the same as cracking down on fingerprinting is what is "absurd" and "disingenuous". A better analogy is wanting to have a 10mph speed limit to reduce pedestrian deaths. It would (and I like car free planning so would support it). But it would ALSO make commutes etc slower.

privateSFacct | 5 years ago