As Apple and Google enact privacy changes, businesses are grappling with the fallout, Madison Avenue is fighting back and Facebook has cried foul.
Get ready for more random ads online, higher prices and subscriptions galore. But your privacy concerns may still not fade.
Berlin-based Xayn, which as we reported last year is doing ad-free, personalized, privacy-safe search as an alternative to tracking and profiling adtech giants like Google, has expanded its product offering — launching a desktop version (in beta for now).
The desktop Xayn WebBeta is described as a “light web version” of the product with similar functionality to the mobile app — though of course there are differences, such as not being able to literally swipe on content to signal interest/disinterest, as you do on Xayn’s mobile apps.
Xayn isn’t a browser itself, per se, though it’s crossing the streams a bit (and can self-describe as a “browsing engine”) — since, as well as private search, it also offers an in-app browsing experience by populating a feed with snippets of content organized in the form of a discovery/news feed.
You’ll likely notice a short lag on loading the software in a desktop browser (also true on mobile) as Xayn’s AI figures out what to populate this feed with. It seems marginally longer the first time you fire the software up — when it’s starting from scratch (localizing the content to your country) vs repeat visits when the AI will have your individual browsing signals to work with.
On the desktop Xayn, you can signal a like or dislike on a particular piece of content by hovering the mouse next to the green (to like) or pink (to dislike) bar, which appear on the left and right sides of the content box respectively, and then clicking on the up (or down) thumb icon that pops up. So it’s actually a left click to like.
And if you really don’t need another feed in your online life you can switch off the discovery view — and have only a search bar on loading.
Search results are displayed by default in a similar grid of rectangular content panes to the discovery feed. Which is a little lacking in information density for this information worker…
Xayn’s learning AI can be toggled off whenever you like, by clicking on the brain icon in the top right. Say if you want to browse ‘unwatched’ — i.e. without the stuff you’re looking at being used as learning material for the AI to decide what else you’ll get shown (both for content in the feed and search results).
You can also reset the learning manually by clearing your browsing data — if you want to purge the whole thing and start again.
Another carrot to entice users is no ads: Xayn is ad-free — which of course isn’t the case with other non-tracking private search engines (like DuckDuckGo or Qwant), which tend to rely on showing contextual ads.
And in another break from the search industry ‘norm’, its AI’s search algorithms are open source.
Other features available on the desktop version of Xayn include a ‘deep search’ offering that it says lets users dive into a topic via “a simple click to be shown a personal reference library of relevant content”; and ‘collections’ — a bookmark-like offering which lets users “collect and store their favorite web content by creating, filling, and managing collections”.
Plus, as well as being ad-free itself, Xayn has baked in an ad blocker — blocking ads on third party sites for a “noise-free” browsing experience as it puts it.
Its first focus for the desktop is Chromium-based browsers and Firefox — so Safari users will need to switch to a supported browser to kick the tyres of its WebBeta.
The mobile version of Xayn’s product launched back in December and has been downloaded more than 250,000 times worldwide since then, according to the startup.
Three months after launch it says users were already conducting 100,000+ active daily searches — feeding in the browsing data and interest-based swipes that the AI uses to train and improve the personalized content discovery which is core to Xayn’s value proposition. And because it’s doing all this learning and reranking on device it’s able to tout its user-specific search results as ‘privacy safe’.
It also tries to avoid a filter bubble type effect by consciously injecting variance — so its algorithms don’t always just feed users more of the same.
Both the desktop and mobile version of Xayn use a technique called Masked Federated Learning to tailor the user’s web experience without compromising their privacy.
Google is also of course working on evolving its own ad targeting technology — currently it’s piloting a technology called FLoC (aka ‘federated learning of cohorts’) to put browser users in interest buckets for ad targeting purposes, as it works on deprecating tracking cookies. But its core business remains people profiling and selling your attention to advertisers — something Xayn definitely isn’t doing.
“We started Xayn as a direct response to the false privacy vs convenience dilemma and quickly proved that it’s possible to solve this trade-off so users are no longer losers. In fact, with each update, our fantastic team of engineers and designers demonstrates all over again how privacy, quality, and great UX go hand in hand,” said Leif-Nissen Lundbæk, co-Founder and CEO, in a statement.
“We didn’t want to copy what’s already out there but instead re-think it and create something new. With Xayn, you can find your favorite part of the Internet — either by actively searching the web or by browsing through the discovery feed that offers personalized content suggestions from the entire Internet. Either way, your privacy is always protected.”
“In creating Xayn’s web version, we have taken all the elements that made the app great and adapted them to the desktop browser window,” added Julia Hintz, its head of design, in another statement.
“The privacy-protecting algorithms, the intuitive design, and the smooth animations have found their way into the web version. Users can switch effortlessly between mobile and desktop without leaving their familiar environment. This is key for the seamless, deep interaction experience that makes Xayn special.”
In the web version of the product, Xayn says users’ personal data stays privately within the browser.
Asked about the security of the desktop product, a spokesperson told us: “Desktop computers are less safe than smartphones in general. However, Xayn protects personal data by using decentralized privacy-preserving machine learning in combination with encryption. From the pure technical point of view, Xayn is actually a browser within a browser on a desktop device. On desktop devices, Xayn runs in a sandbox in the respective browsers and this is how it protects personal data from unwanted third-party access.”
Future features Xayn plans to add include the ability for mobile and desktop users to synchronize their personalized experience across multiple devices, while keeping their privacy intact, so the AI’s learnings can go with them wherever they’re online.
To check out the WebBeta version of Xayn’s search engine on your desktop computer point your browser at www.xayn.com.
Earlier this summer, Xayn announced a $12 million Series A funding round led by the Japanese investors Global Brain and Japanese telco KDDI, along with participation from prior backers including Berlin’s Earlybird VC — bringing its total financing to $23M+. Unsurprisingly, then, Asia (starting with Japan) is now a big focus for the Berlin startup.
Weeks after Instagram rolled out increased protections for minors using its app, Google is now doing the same for its suite of services, including Google search, YouTube, YouTube Kids, Google Assistant, and others. The company this morning announced a series of product and policy changes that will allow younger people to stay more private and protected online and others that will limit ad targeting.
The changes in Google’s case are even more expansive than those Instagram announced, as they span across an array of Google’s products, instead of being limited to a single app.
Though Congress has been pressing Google and other tech companies on the negative impacts their services may have on children, not all changes being made are being required by law, Google says.
“While some of these updates directly address upcoming regulations, we’ve gone beyond what’s required by law to protect teens on Google and YouTube,” a Google spokesperson told TechCrunch. “Many of these changes also extend beyond any single current or upcoming regulation. We’re looking at ways to develop consistent product experiences and user controls for kids and teens globally,” they added.
In other words, Google is building in some changes based on where it believes the industry is going, rather than where it is right now.
On YouTube, Google says it will “gradually” start adjusting the default upload setting to the most private option for users ages 13 to 17 in the weeks ahead, which will limit the visibility of videos only to the users and those they directly share with, not the wider public. These younger teen users won’t be prevented from changing the setting back to “public,” necessarily, but they will now have to make an explicit and intentional choice when doing so. YouTube will then provide reminders indicating who can see their video, the company notes.
YouTube will also turn on its “take a break” and bedtime reminders by default for all users ages 13 to 17 and will turn off autoplay. Again, these changes are related to the default settings — users can disable the digital well-being features if they choose.
On YouTube’s platform for younger children, YouTube Kids, the company will also add an autoplay option, which is turned off by default, so parents will have to decide whether or not they want to use autoplay with their children. The change puts the choice directly in parents’ hands, after complaints from child safety advocates and some members of Congress suggested such an algorithmic feature was problematic. Later, parents will also be able to “lock” their default selection.
YouTube will also remove “overly commercial content” from YouTube Kids, in a move that also follows increased pressure from consumer advocacy groups and childhood experts, who have long since argued that YouTube encourages kids to spend money (or rather, beg their parents to do so). How YouTube will draw the line between acceptable and “overly commercial” content is less clear, but the company says it will, for example, remove videos that focus on product packaging — like the popular “unboxing” videos. This could impact some of YouTube’s larger creators of videos for kids, like multi-millionaire Ryan’s Toy Review.
Elsewhere on Google, other changes impacting minors will also begin rolling out.
In the weeks ahead, Google will introduce a new policy that will allow anyone under the age of 18, or a parent or guardian, to request the removal of their images from Google Image search results. This expands upon the existing “right to be forgotten” privacy policies already live in the E.U., but will introduce new products and controls for both kids and teenagers globally.
The company will make a number of adjustments to user accounts for people under the age of 18, as well.
In addition to the changes to YouTube, Google will restrict access to adult content by enabling its SafeSearch filtering technology by default to all users under 13 managed by its Google Family Link service. It will also enable SafeSearch for all users under 18 and make this the new default for teens who set up new accounts. Google Assistant will enable SafeSearch protections by default on shared devices, like smart screens and their web browsers. In school settings where Google Workspace for Education is used, SafeSearch will be the default and switching to Guest Mode and Incognito Mode web browsing will be turned off by default, too, as was recently announced.
Meanwhile, location history is already off by default on all Google accounts, but children with supervised accounts now won’t be able to enable it. This change will be extended to all users under 18 globally, meaning location can’t be enabled at all until the children are legal adults.
On Google Play, the company will launch a new section that will inform parents about which apps follow its Families policies, and app developers will have to disclose how their apps collect and use data. These features — which were partially inspired by Apple’s App Store Privacy Labels — had already been detailed for Android developers before today.
Google’s parental control tools are also being expanded. Parents and guardians who are Family Link users will gain new abilities to filter and block news, podcasts, and access to webpages on Assistant-enabled smart devices.
For advertisers, there are significant changes in store, too.
Google says it will expand safeguards to prevent age-sensitive ad categories from being shown to teens and it will block ad targeting based on factors like age, gender, or interests for users under 18. While somewhat similar to the advertising changes Instagram introduced, as ads will no longer leverage “interests” data for targeting young teens and kids, Instagram was still allowing targeting by age and gender. Google will not. The advertising changes will roll out globally in the “coming months,” the company says.
All the changes across Google and YouTube will roll out globally in the coming weeks and months.
Update: Google has now confirmed the delay, writing in a blog post that its engagement with UK regulators over the so-called “Privacy Sandbox” means support for tracking cookies won’t start being phased out in Chrome until the second half of 2023.
Our original report follows below…
Adtech giant Google appears to be leaning toward postponing a long planned deprecation of third party tracking cookies.
The plan dates back to 2019 when it announced the long-term initiative that will make it harder for online marketers and advertisers to track web users, including by deprecating third party cookies in Chrome.
Then in January 2020 it said it would make the switch within two years. Which would mean by 2022.
Google confirmed to TechCrunch that it has a Privacy Sandbox announcement incoming today — set for 4pm BST/5pm CET — after we contacted it to ask for confirmation of information we’d heard, via our own sources.
We’ve been told Google’s new official timeline for implementation will be 2023.
However a spokesman for the tech giant danced around providing a direct confirmation — saying that “an update” is incoming shortly.
“We do have an announcement today that will shed some light on Privacy Sandbox updates,” the spokesman also told us.
He had responded to our initial email — which had asked Google to confirm that it will postpone the implementation of Privacy Sandbox to 2023; and for any statement on the delay — with an affirmation (“yep”) so, well, a delay looks likely. But we’ll see how exactly Google will spin that in a few minutes when it publishes the incoming Privacy Sandbox announcement.
Google has previously said it would deprecate support for third party cookies by 2022 — which naturally implies that the wider Privacy Sandbox stack of related adtech would also need to be in place by then.
Earlier this year it slightly hedged the 2022 timeline, saying in January that any changes would not be made before 2022.
The issue for Google is that regulatory scrutiny of its plan has stepped up — following antitrust complaints from the adtech industry which faces huge changes to how it can track and target Internet users.
In Europe, the UK’s Competition and Markets Authority has been working with the UK’s Information Commissioner’s Office to understand the competition and privacy implications of Google’s planned move. And, earlier this month, the CMA issued a notification of intention to accept proposed commitments from Google that would enable the regulator to block any deprecation of cookies if it’s not happy it can be done in a way that’s good for competition and privacy.
At the time we asked Google how the CMA’s involvement might impact the Privacy Sandbox timeline but the company declined to comment.
Increased regulatory oversight of Big Tech will have plenty of ramifications — most obviously it means the end of any chance for giants like Google to ‘move fast and break things’.
Pro-privacy browser Brave, which has been testing its own brand search engine for several months — operating a waitlist where brave (ha!) early adopters could kick the tyres of an upstart alternative in Internet search — has now launched the tool, Brave Search, in global beta.
Users interested in checking out Brave’s non-tracking search engine, which is built on top of an independent index and touted as a privacy-safe alternative to surveillance tech products like Google search, will find it via Brave’s desktop and mobile browsers. It can also be reached from other browsers via search.brave.com — so doesn’t require switching to Brave’s browser to use.
Brave Search is being offered as one of multiple search options that users of the company’s eponymous browser can pick from (including Google’s search engine). But Brave says it will make it the default search in its browser later this year.
As we reported back in March, the company acquired technology and developers who had previously worked on Cliqz, a European anti-tracking search-browser combo which closed down in May 2020 — building on a technology they’d started to develop, called Tailcat, to form the basis of the Brave-branded search engine.
The (now beta) search engine has been tested by more than 100,000 “early access users” at this point, per Brave. It’s made a video ad to tout its “all in one” alternative to Google search + Chrome.
The company recently passed 32M monthly active users (up from 25M back in March) for its wider suite of products — which, as well as its flagship pro-privacy browser, includes a news reader (Brave News), and a Firewall+VPN service.
Brave also offers privacy-preserving Brave Ads for businesses wanting to reach its community of privacy-preferring users.
Growing public awareness of surveillance based business models has been building momentum for pro-privacy consumer tech for a number of years. And several players which started out with a strong focus on one particular pro-privacy product (such as a browser, search engine or email) have been expanding into a full suite of products — all under the same non-tracking umbrella.
As well as Brave, there’s the likes of DuckDuckGo — which offers non-tracking search but also a tracker blocker and an email inbox protector tool, among other products, and reckons it now has between 70M-100M users overall; and Proton, the maker of e2e-encrypted email service ProtonMail but also a cloud calendar and file storage as well as a VPN. The latter recently confirmed passing 50M users globally.
There is also Apple itself too, of course — a Big Tech giant that competes with Google and the adtech complex by promising users a privacy premium to drive sales of its hardware and services. (At the start of this year Apple said there are now over 1BN iOS users globally — and over 1.65BN Apple devices.)
Tl;dr: The market for privacy consumer tech is growing.
Still, even Apple doesn’t try to compete against Google search which perhaps underlines the scale of the challenge involved in trying to poach users from the search behemoth. (Albeit, Apple extracts massive payments from Google to preload the latter’s search engine onto iOS devices — which does conflict with (and complicate) its wider, pro-privacy, pro-user promises while also adding a nice revenue boost for Apple… ).
DuckDuckGo has, by contrast, been at the non-tracking search coalface for years — and turning a profit since 2014. Though clearly not in the same profit league as Apple. But, more recently, it’s also taken in rare tranches of external funding as its investors spy growing opportunity for private search.
Other signs of expanding public appetite to protect people’s information from commercial snoopers include the surge of usage for e2e encrypted alternatives to Facebook-owned WhatsApp — such as Signal — which saw a download spike earlier this year, after the advertising giant announced unilateral changes to WhatsApp’s terms of service.
Credible players that have amassed a community of engaged users around a core user privacy promise are well positioned to ride each new wave of privacy interest — and cross sell a suite of consumer products where they’ve been able to expand their utility. Hence Brave believing the time is right for it to dabble in search.
Commenting in a statement, Brendan Eich, CEO and co-founder of Brave, said: “Brave Search is the industry’s most private search engine, as well as the only independent search engine, giving users the control and confidence they seek in alternatives to big tech. Unlike older search engines that track and profile users, and newer search engines that are mostly a skin on older engines and don’t have their own indexes, Brave Search offers a new way to get relevant results with a community-powered index, while guaranteeing privacy. Brave Search fills a clear void in the market today as millions of people have lost trust in the surveillance economy and actively seek solutions to be in control of their data.”
Brave touts its eponymous search offering as having a number of differentiating features vs rivals (including smaller rivals) — such as its own index which it also says gives it independence from other search providers.
Why is having an independent index important? We put that question to Josep M. Pujol, chief of search at Brave, who told us: “There are plenty of incentives for censorship and biases, either by design, or what is even more difficult to combat, unintentional. The problem of search, and how people access the web, is that it is a mono-culture, and everybody knows that while it’s very efficient, it’s also very dangerous. A single disease can kill all the crops. The current landscape is not fail-tolerant, and this is something that even users are becoming aware of. We need more choices, not to replace Google or Bing, but to offer alternatives. More choices will entail more freedom and also get back to real competition, with checks and balances.
“Choice can only be achieved by being independent, as if we do not have our own index, then we are just a layer of paint on top of Google and Bing, unable to change much or anything in the results for users’ queries. Not having your own index, as with certain search engines, gives the impression of choice, but in reality such engine ‘skins’ are the same players as the big-two. Only by building our own index, which is a costly proposition, will we be in a position to offer true choice to the users for the benefit of all, whether they are Brave Search users or not.”
Although, for now, it’s worth noting that Brave is relying on some provision from other search providers — for specific queries and in areas like image search (where, for example, it says it’s currently fetching results from Microsoft-owned Bing) — to ensure its results achieve adequate relevancy.
Elsewhere it also says it’s relying upon anonymized contributions from the community to improve and refine results — and is seeking to live up to wider transparency claims vis-a-vis the search index (which it also claims has “no secret methods or algorithms to bias results”; and for which it will “soon” be offering “community-curated open ranking models to ensure diversity and prevent algorithmic biases and outright censorship”).
In another transparency step Brave is reporting the percentage of users’ queries that are independent by showing what it bills as “the industry’s first search independence metric” — meaning it displays the ratio of results coming exclusively from its own index.
“It is derived privately using the user’s browser as we do not build user profiles,” Brave notes in a press release. “Users can check this aggregate metric to verify the independence of their results and see how results are powered by our own index, or if third-parties are being used for long tail results while we are still in the process of building our index.”
It adds that Brave Search will “typically be answering most queries, reflected by a high independence metric”. Although if you’re performing an image search, for example, you’ll see the independence metric take a hit (but Brave confirms this will not result in any tracking of users).
“[Transparency] is a key principle at Brave, and there will also be a global independence metric for Brave Search across all searches, which we will make publicly available to show how we are progressing towards complete independence,” it adds.
On the monetization side, Brave says it will “soon” be offering both a paid ad-free version of search in the future and an ad-supported free version — while still pledging “fully anonymous” search. Though it specifies that it won’t be flipping the ad switch during the early beta phase.
“We will offer options for both ad-free paid search and ad-supported free search later,” it notes. “When we are ready, we will explore bringing private ads with BAT revenue share to search, as we’ve done for Brave user ads.”
Users of the search engine who do not also use Brave’s own browser will be served contextual ads.
“In Brave Search via the browser, strong privacy guarantees for opt-in ads are a norm and a brand value that we uphold,” adds Pujol, confirming that users of its search and browser are likely to get the same type of ad targeting.
Asked about pricing of the forthcoming ad-free version of the search engine he says: “Although we have not finalized the launch date or the price yet, our ad-free paid search will be affordable because we believe search, and access to information, should be available on fair terms for everyone.”
In an interesting recent development in Europe, Google — under pressure from antitrust regulators — has agreed to ditch a pay-to-play auction model for the choice screen it offers regional users of its Android platform, letting them pick a default search engine from a list with a number of rivals and its own brand Google search. The move should expand the number of alternative search engines Android users in Europe are exposed to — and could help chip away at some of Google’s search marketshare.
Brave previously told us it would not participate in Google’s paid auction — but Pujol says that if the new model is “truly free to participate” it will likely take part in future.
“Google and free-to-participate seem difficult to believe, given plenty of precedents but if this model is indeed truly free to participate, without contracts or non-disclosure agreements, then we would likely participate,” he says. “After all, Brave Search is open to everyone who would like to use it, and we are open and happy to put Brave Search on any platform.”
“We have localized browsers throughout the European market, so in addition to growth via the Brave browser growing, we intend to grow Brave Search’s usage by marketing our best-in-class privacy on all media that reach prospective users,” he adds.
The UK’s competition watchdog will take a deep dive look into Apple and Google’s dominance of the mobile ecosystem, it said today — announcing a market study which will examine the pair’s respective smartphone platforms (iOS and Android); their app stores (App Store and Play Store); and web browsers (Safari and Chrome).
The Competition and Markets Authority (CMA) is concerned that the mobile platform giants’ “effective duopoly” in those areas might be harming consumers, it added.
The study will be wide ranging, with the watchdog concerned about the nested gateways that are created as a result of the pair’s dominance of the mobile ecosystem — intermediating how consumers can access a variety of products, content and services (such as music, TV and video streaming; fitness tracking, shopping and banking, to cite some of the examples provided by the CMA).
“These products also include other technology and devices such as smart speakers, smart watches, home security and lighting (which mobiles can connect to and control),” it went on, adding that it’s looking into whether their dominance of these pipes is “stifling competition across a range of digital markets”, saying too that it’s “concerned this could lead to reduced innovation across the sector and consumers paying higher prices for devices and apps, or for other goods and services due to higher advertising prices”.
The CMA further confirmed the deep dive will examine “any effects” of the pair’s market power over other businesses — giving the example of app developers who rely on Apple or Google to market their products to customers via their smart devices.
The watchdog already has an open investigation into Apple’s App Store, following a number of antitrust complaints by developers.
It is investigating Google’s planned deprecation of third party tracking cookies too, after complaints by adtech companies and publishers that the move could harm competition. (And just last week the CMA said it was minded to accept a series of concessions offered by Google that would enable the regulator to stop it turning off support for cookies entirely if it believes the move will harm competition.)
The CMA said both those existing investigations are examining issues that fall within the scope of the new mobile ecosystem market study but that its work on the latter will be “much broader”.
It added that it will adopt a joined-up approach across all related cases — “to ensure the best outcomes for consumers and other businesses”.
It’s giving itself a full year to examine Gapple’s mobile ecosystems.
It is also soliciting feedback on any of the issues raised in its statement of scope — calling for responses by 26 July. The CMA added that it’s also keen to hear from app developers, via its questionnaire, by the same date.
Taking on tech giants
The watchdog has previously scrutinized the digital advertising market — and found plenty to be concerned about vis-a-vis Google’s dominance there.
That earlier market study has been feeding the UK government’s plan to reform competition rules to take account of the market-deforming power of digital giants. And the CMA suggested the new market study, examining ‘Gapple’s’ mobile muscle, could similarly help shape UK-wide competition law reforms.
Last year the UK announced its plan to set up a “pro-competition” regime for regulating Internet platforms — including by establishing a dedicated Digital Markets Unit within the CMA (which got going earlier this year).
The legislation for the reform has not yet been put before parliament but the government has said it wants the competition regulator to be able to “proactively shape platforms’ behavior” to avoid harmful behavior before it happens — saying too that it supports enabling ex ante interventions once a platform has been identified to have so-called “strategic market status”.
Germany already adopted similar reforms to its competition law (early this year), which enable proactive interventions to tackle large digital platforms with what is described as “paramount significance for competition across markets”. And its Federal Cartel Office has, in recent months, wasted no time in opening a number of proceedings to determine whether Amazon, Google and Facebook have such a status.
The CMA also sounds keen to get going to tackle Internet gatekeepers.
Commenting in a statement, CEO Andrea Coscelli said:
“Apple and Google control the major gateways through which people download apps or browse the web on their mobiles – whether they want to shop, play games, stream music or watch TV. We’re looking into whether this could be creating problems for consumers and the businesses that want to reach people through their phones.
“Our ongoing work into big tech has already uncovered some worrying trends and we know consumers and businesses could be harmed if they go unchecked. That’s why we’re pressing on with launching this study now, while we are setting up the new Digital Markets Unit, so we can hit the ground running by using the results of this work to shape future plans.”
The European Union also unveiled its own proposals for clipping the wings of big tech last year — presenting its Digital Markets Act plan in December which will apply a single set of operational rules to so-called “gatekeeper” platforms operating across the EU.
The clear trend in Europe on digital competition is toward increasing oversight and regulation of the largest platforms — in the hopes that antitrust authorities can impose measures that will help smaller players thrive.
Critics might say that’s just playing into the tech giants’ hands, though — because it’s fiddling around the edges when more radical intervention (break ups) is what’s really needed to reboot captured markets.
Apple and Google were contacted for comment on the CMA’s market study.
A Google spokesperson said: “Android provides people with more choice than any other mobile platform in deciding which apps they use, and enables thousands of developers and manufacturers to build successful businesses. We welcome the CMA’s efforts to understand the details and differences between platforms before designing new rules.”
According to Google, the Android App Economy generated £2.8BN in revenue for UK developers last year, which it claims supported 240,000 jobs across the country — citing a Public First report that it commissioned.
The tech giant also pointed to operational changes it has already made in Europe, following antitrust interventions by the European Commission — such as adding a choice screen to Android where users can pick from a list of alternative search engines.
Earlier this month it agreed to shift the format underlying that choice screen from an unpopular auction model to free participation.
European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless ‘your data choices’ pop-ups.
Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).
The approach would offer a route to circumvent the user experience nightmare flowing from all the dark pattern design that’s made cookie consent collection so cynical, confusing and tedious — by simply automating the yeses and noes, thereby keeping interruptions to a user-defined minimum.
In the European Union cookie consent banners mushroomed in the wake of a 2018 update to the bloc’s privacy rules (GDPR) — especially on websites that rely on targeted advertising to generate revenue. And in recent years it has not been unusual to find cookie pop-ups that contain a labyrinthine hell of opacity — culminating (if you don’t just click ‘agree’) in vast menus of ‘trusted partners’ all after your data. Some of which are pre-set to share information and require the user to individually toggle each and every one off.
Such stuff is a mockery of compliance, rather than the truly simple choice envisaged by the law. So noyb’s earlier campaign is focused on filing scores of complaints against sites it believes aren’t complying with requirements to provide users with a clear and free choice to say no to their data being used for ads (and it’s applying a little automation tech there too to help scale up the number of complaints it can file).
Its follow-up here — showing how an advanced control layer that signals user choices in the background could work — shares the same basic approach as the ‘Do Not Track’ proposals originally put forward for baking into web browsers all the way back in 2009 but which failed to get industry buy-in. There has also been a more recent US-based push to revive the idea of browser-level privacy control — buoyed by the California Consumer Privacy Act (CCPA), which took effect at the start of last year, and includes a requirement that businesses respect user opt-out preferences via a signal from their browser.
However noyb’s version of browser-level privacy control seeks to go further by enabling more granular controls — which it says is necessary to better mesh with the EU’s nuanced legal framework around data protection.
It points out that Article 21(5) of the GDPR already allows for automatic signals from the browser to inform websites in the background whether a user is consenting to data processing or not.
The ePrivacy Regulation proposal, a much delayed reform of the bloc’s rules around electronic privacy, has also included such a provision.
However noyb says development to establish such a signal hasn’t happened yet — suggesting that cynically manipulative consent management platforms may well have been hampering privacy-focused innovation.
But it also sees a chance for the necessary momentum to build behind the idea.
For example, it points to how Apple has recently been dialling up the notification and control it offers users of its mobile platform, iOS, to allow people to both know which third party apps want to track them and allow or deny access to their data — including giving users a super simple ‘deny all third party tracking’ option baked into iOS’ settings.
So, well, why should Internet users who happen to be browsing on a desktop device not have a set of similarly advanced privacy controls too?
EU lawmakers are also still debating the ePrivacy Regulation reform — which deals centrally with cookies — so the campaign group wants to demonstrate how automated control tech could be a key piece of the answer to so-called ‘cookie consent fatigue’; by giving users a modern toolset to shrink consent friction without compromising their ability to control what happens with their data.
In order to work as intended automated signals would need to be legally binding (to prevent adtech companies just ignoring them) — and having a clear legal basis set out in the ePrivacy Regulation is one way that could happen within fairly short order.
The chance at least is there.
There have been concerns that the ePrivacy reform — which was stalled for years — could end up weakening the EU’s data protection framework in the face of massive adtech industry lobbying. And the negotiation process to reach a final text remains ongoing. So it’s still not clear where it’s going to end up.
But, earlier this year, the European Council agreed its negotiating mandate with the other EU institutions. And, on cookies, the Council said they want companies to find ways to reduce ‘cookie consent fatigue’ among users — such as by whitelisting types of cookies/providers in their browser settings. So there is at least a potential path to legislate for an effective browser-level control layer in Europe.
For now, noyb has published a prototype and a technology specification for what it’s calling the ADPC (aka Advanced Data Protection Control). The work on the framework has been carried out by noyb working with the Sustainable Computing Lab at the Vienna University of Economics and Business.
The proposal envisages web pages sending privacy requests in a machine-readable way and the ADPC allowing the response to be transmitted using header signals or via JavaScript. noyb likens the intelligent management of queries and automatic responses such a system could support to an email spam filter.
Commenting in a statement, chairman Max Schrems said: “For Europe, we need more than just an ‘opt-out’ so that it fits into our legal framework. That’s why we call the prototype ‘Advanced’ Data Protection Control, because it’s much more flexible and specific than previous approaches.
“ADPC allows intelligent management of privacy requests. A user could say, for example, ‘please ask me only after I’ve been to the site several times’ or ‘ask me again after 3 months.’ It is also possible to answer similar requests centrally. ADPC thus allows the flood of data requests to be managed in a meaningful way.”
“With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides,” he added. “We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well.”
The Commission has been contacted for comment on noyb’s ADPC.
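The user-side rules described above (allowlisted sites, ‘ask me only after I’ve been to the site several times’, ‘ask me again after 3 months’) can be modelled as a small decision function that answers each request without showing a banner unless the user’s own rules call for one. This is an added example, not noyb’s prototype or the ADPC wire format; the class name, rule fields and the answer values `consent`/`withhold`/`prompt` are assumptions made for illustration.

```javascript
// Added illustration: a hypothetical browser-side consent policy.
// Names, rule fields and answer values are assumptions, not the ADPC specification.
const DAY_MS = 24 * 60 * 60 * 1000;

class ConsentAgent {
  constructor({ allowlist = [], allowedPurposes = [], minVisits = 3, reaskAfterDays = 90 } = {}) {
    // Rules are keyed on the origin (scheme + host + port), so a choice made for
    // https://news.example never leaks to http://news.example or to another host.
    this.allowlist = new Set(allowlist.map((u) => new URL(u).origin));
    this.allowedPurposes = new Set(allowedPurposes);
    this.minVisits = minVisits;
    this.reaskAfterMs = reaskAfterDays * DAY_MS;
    this.sites = new Map(); // origin -> { visits, answers: Map(purpose -> { granted, at }) }
  }

  site(url) {
    const origin = new URL(url).origin;
    if (!this.sites.has(origin)) this.sites.set(origin, { visits: 0, answers: new Map() });
    return this.sites.get(origin);
  }

  recordVisit(url) {
    return ++this.site(url).visits;
  }

  // Store what the user actually chose when a prompt was shown.
  recordAnswer(url, purpose, granted, now) {
    this.site(url).answers.set(purpose, { granted, at: now });
  }

  // Withdrawal is stored as an explicit refusal, so it overrides the allowlist.
  withdraw(url, purpose, now) {
    this.recordAnswer(url, purpose, false, now);
  }

  // Returns "consent", "withhold" (no consent, no prompt) or "prompt" (ask the user).
  decide(url, purpose, now) {
    const origin = new URL(url).origin;
    const site = this.site(url);
    const prior = site.answers.get(purpose);
    if (prior && prior.granted) return "consent"; // stands until withdrawn
    if (prior && now - prior.at < this.reaskAfterMs) return "withhold"; // do not nag
    // The allowlist only applies where the user has never refused this purpose.
    if (!prior && this.allowlist.has(origin) && this.allowedPurposes.has(purpose)) return "consent";
    if (site.visits < this.minVisits) return "withhold"; // not a frequently visited site yet
    return "prompt";
  }

  // Answer a batch of machine-readable requests from one page in a single pass.
  answerRequests(url, purposes, now) {
    const out = { consent: [], withhold: [], prompt: [] };
    for (const p of purposes) out[this.decide(url, p, now)].push(p);
    return out;
  }
}

// Constructed scenario: one allowlisted news site, one shop the user visits repeatedly.
function demo() {
  const t0 = Date.UTC(2021, 5, 1);
  const agent = new ConsentAgent({ allowlist: ["https://news.example/"], allowedPurposes: ["ads"] });
  const batch = agent.answerRequests("https://news.example/story", ["ads", "analytics"], t0);
  const firstVisit = (agent.recordVisit("https://shop.example/"), agent.decide("https://shop.example/", "ads", t0));
  agent.recordVisit("https://shop.example/");
  agent.recordVisit("https://shop.example/");
  const thirdVisit = agent.decide("https://shop.example/", "ads", t0);
  agent.recordAnswer("https://shop.example/", "ads", false, t0); // user said no at the prompt
  const after30d = agent.decide("https://shop.example/", "ads", t0 + 30 * DAY_MS);
  const after91d = agent.decide("https://shop.example/", "ads", t0 + 91 * DAY_MS);
  return { batch, firstVisit, thirdVisit, after30d, after91d };
}
```

Keying every rule on the origin, and letting a recorded refusal take precedence over the allowlist, keeps an automated ‘yes’ from being applied more broadly than the user configured.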
While there are wider industry shifts afoot to deprecate tracking cookies altogether — with Google proposing to replace current adtech infrastructure supported by Chrome with an alternative stack of (it claims) more privacy respecting alternatives (aka its Privacy Sandbox) — there’s still plenty of uncertainty over what will ultimately happen to third party cookies.
Google’s move to end support for tracking cookies is being closely scrutinized by regional antitrust regulators. And just last week the UK’s Competition and Markets Authority (CMA), which is investigating a number of complaints about the plan, said it’s minded to accept concessions from Google that would mean the regulator could order it not to switch off tracking cookies.
Moreover, even if tracking cookies do finally crumble there is still the question of what exactly they get replaced with — and how alternative adtech infrastructure could impact user privacy?
Google’s so-called ‘Privacy Sandbox’ proposal to target ads at cohorts of users (based on bucketed ‘interests’ its technology will assign them via on-device analysis of their browsing habits) has raised fresh concerns about the risks of exploitative and predatory advertising. So it may be no less important for users to have meaningful browser-level controls over their privacy choices in the future — even if the tracking cookie itself goes away.
A browser-level signal could offer a way for a web user to say ‘no’ to being stuck in an ‘interest bucket’ for ad targeting purposes, for example — signalling that they prefer to see only contextual ads instead, say.
tl;dr: The issue of consent does not only affect cookies — and it’s telling that Google has avoided running the first trials of its replacement tech for tracking cookies (FLoCs, or federated learning of cohorts) in Europe.
Well this is big. The UK’s competition regulator looks set to get an emergency brake that will allow it to stop Google ending support for third party cookies, a technology that’s currently used for targeting online ads, if it believes competition would be harmed by the deprecation going ahead.
The development follows an investigation opened by the Competition and Markets Authority (CMA) into Google’s self-styled ‘Privacy Sandbox’ earlier this year.
The regulator will have the power to order a standstill of at least 60 days on any move by Google to remove support for cookies from Chrome if it accepts a set of legally binding commitments the latter has offered — and which the regulator has today issued a notification of intention to accept.
The CMA could also reopen a fuller investigation if it’s not happy with how things are looking at the point it orders any standstill to stop Google crushing tracking cookies.
It follows that the watchdog could also block Google’s wider ‘Privacy Sandbox’ technology transition entirely — if it decides the shift cannot be done in a way that doesn’t harm competition. However the CMA said today it takes the “provisional” view that the set of commitments Google has offered will address competition concerns related to its proposals.
It’s now opened a consultation to see if the industry agrees — with the feedback line open until July 8.
Commenting in a statement, Andrea Coscelli, the CMA’s chief executive, said:
“The emergence of tech giants such as Google has presented competition authorities around the world with new challenges that require a new approach.
“That’s why the CMA is taking a leading role in setting out how we can work with the most powerful tech firms to shape their behaviour and protect competition to the benefit of consumers.
“If accepted, the commitments we have obtained from Google become legally binding, promoting competition in digital markets, helping to protect the ability of online publishers to raise money through advertising and safeguarding users’ privacy.”
In a blog post sketching what it’s pledged — under three broad headlines of ‘Consultation and collaboration’; ‘No data advertising advantage for Google products’; and ‘No self-preferencing’ — Google writes that if the CMA accepts its commitments it will “apply them globally”, making the UK’s intervention potentially hugely significant.
It’s perhaps one slightly unexpected twist of Brexit that it’s put the UK in a position to be taking key decisions about the rules for global digital advertising. (The European Union is also working on new rules for how platform giants can operate but the CMA’s intervention on Privacy Sandbox does not yet have a direct equivalent in Brussels.)
That Google is choosing to offer to turn a UK competition intervention into a global commitment is itself very interesting. It may be there in part as an added sweetener — nudging the CMA to accept the offer so it can feel like a global standard setter.
At the same time, businesses do love operational certainty. So if Google can hash out a set of rules that are accepted by one (fairly) major market, because they’ve been co-designed with national oversight bodies, and then scale those rules everywhere it may create a shortcut path to avoiding any more regulator-enforced bumps in the future.
So Google may see this as a smoother path toward the sought for transition for its adtech business to a post-cookie future. Of course it also wants to avoid being ordered to stop entirely.
More broadly, engaging with the fast-paced UK regulator could be a strategy for Google to try to surf over the political deadlocks and risks which can characterize discussions on digital regulation in other markets (especially its home turf of the U.S. — where there has been a growing drumbeat of calls to break up tech giants; and where Google specifically now faces a number of antitrust investigations).
The outcome it may be hoping for is being able to point to regulator-stamped ‘compliance’ — in order that it can claim it as evidence there’s no need for its ad empire to be broken up.
Google’s offering of commitments also signifies that regulators who move fastest to tackle the power of tech giants will be the ones helping to define and set the standards and conditions that apply for web users everywhere. At least unless or until any more radical interventions rain down on big tech.
What is Privacy Sandbox?
Privacy Sandbox is a complex stack of interlocking technology proposals for replacing current ad tracking methods (which are widely seen as horrible for user privacy) with alternative infrastructure that Google claims will be better for individual privacy and also still allow the adtech and publishing industries to generate (it claims much the same) revenue by targeting ads at cohorts of web users — who will be put into ‘interest buckets’ based on what they look at online.
The full details of the proposals (which include components like FLoCs, aka Google’s proposed new ad ID based on federated learning of cohorts; and Fledge/Turtledove, Google’s suggested new ad delivery technology) have not yet been set in stone.
Nonetheless, Google announced in January 2020 that it intended to end support for third party cookies within two years — so that rather nippy timeframe has likely concentrated opposition, with pushback coming from the adtech industry and (some) publishers who are concerned it will have a major impact on their ad revenues when individual-level ad targeting goes away.
The CMA began to look into Google’s planned deprecation of tracking cookies after complaints that the transition to a new infrastructure of Google’s devising will merely increase Google’s market power — by locking down third parties’ ability to track Internet users for ad targeting while leaving Google with a high dimension view of what people get up to online as a result of its expansive access to first party data (gleaned through its dominance for consumer web services).
The executive summary of today’s CMA notice lists its concerns that, without proper regulatory oversight, Privacy Sandbox might:
- distort competition in the market for the supply of ad inventory and in the market for the supply of ad tech services, by restricting the functionality associated with user tracking for third parties while retaining this functionality for Google;
- distort competition by the self-preferencing of Google’s own advertising products and services and owned and operated ad inventory; and
- allow Google to exploit its apparent dominant position by denying Chrome web users substantial choice in terms of whether and how their personal data is used for the purpose of targeting and delivering advertising to them.
At the same time, privacy concerns around the ad tracking and targeting of Internet users are undoubtedly putting pressure on Google to retool Chrome (which ofc dominates web browser marketshare) — given that other web browsers have been stepping up efforts to protect their users from online surveillance by doing stuff like blocking trackers for years.
Web users hate creepy ads — which is why they’ve been turning to ad blockers in droves. Numerous major data scandals have also increased awareness of privacy and security. And — in Europe and elsewhere — digital privacy regulations have been toughened up or introduced in recent years. So the line of ‘what’s acceptable’ for ad businesses to do online has been shifting.
But the key issue here is how privacy and competition regulation interacts — and potentially conflicts — with the very salient risk that ill-thought through and overly blunt competition interventions could essentially lock in privacy abuses of web users (as a result of a legacy of weak enforcement around online privacy, which allowed for rampant, consent-less ad tracking and targeting of Internet users to develop and thrive in the first place).
Poor privacy enforcement coupled with banhammer-wielding competition regulators does not look like a good recipe for protecting web users’ rights.
However there is cautious reason for optimism here.
Last month the CMA and the UK’s Information Commissioner’s Office (ICO) issued a joint statement in which they discussed the importance of having competition and data protection in digital markets — citing the CMA’s Google Privacy Sandbox probe as a good example of a case that requires nuanced joint working.
Or, as they put it then: “The CMA and the ICO are working collaboratively in their engagement with Google and other market participants to build a common understanding of Google’s proposals, and to ensure that both privacy and competition concerns can be addressed as the proposals are developed in more detail.”
Although the ICO’s record on enforcement against rights-trampling adtech is, well, non-existent. So its preference for regulatory inaction in the face of adtech industry lobbying should off-set any quantum of optimism derived from the bald fact of the UK’s privacy and competition regulators’ ‘joint working’.
(The CMA, by contrast, has been very active in the digital space since gaining, post-Brexit, wider powers to pursue investigations. And in recent years took a deep dive look at competition in the digital ad market, so it’s armed with plenty of knowledge. It is also in the process of configuring a new unit that will oversee a pro-competition regime which the UK explicitly wants to clip the wings of big tech.)
What has Google committed to?
The CMA writes that Google has made “substantial and wide-ranging” commitments vis-a-vis Privacy Sandbox — which it says include:
- A commitment to develop and implement the proposals in a way that avoids distortions to competition and the imposition of unfair terms on Chrome users. This includes a commitment to involve the CMA and the ICO in the development of the Proposals to ensure this objective is met.
- Increased transparency from Google on how and when the proposals will be taken forward and on what basis they will be assessed. This includes a commitment to publicly disclose the results of tests of the effectiveness of alternative technologies.
- Substantial limits on how Google will use and combine individual user data for the purposes of digital advertising after the removal of third-party cookies.
- A commitment that Google will not discriminate against its rivals in favour of its own advertising and ad-tech businesses when designing or operating the alternatives to third-party cookies.
- A standstill period of at least 60 days before Google proceeds with the removal of third party cookies giving the CMA the opportunity, if any outstanding concerns cannot be resolved with Google, to reopen its investigation and, if necessary, impose any interim measures necessary to avoid harm to competition.
Google also writes that: “Throughout this process, we will engage the CMA and the industry in an open, constructive and continuous dialogue. This includes proactively informing both the CMA and the wider ecosystem of timelines, changes and tests during the development of the Privacy Sandbox proposals, building on our transparent approach to date.”
“We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO,” it adds.
Google’s commitments cover a number of areas directly related to competition — such as self-preferencing, non-discrimination, and stipulations that it will not combine user data from specific sources that might give it an advantage vs third parties.
However privacy is also being explicitly baked into the competition consideration, here, per the CMA — which writes that the commitments will [emphasis ours]:
Establish the criteria that must be taken into account in designing, implementing and evaluating Google’s Proposals. These include the impact of the Privacy Sandbox Proposals on: privacy outcomes and compliance with data protection principles; competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants; the ability of publishers to generate revenue from ad inventory; and user experience and control over the use of their data.
An ICO spokeswoman was also keen to point out that one of the first commitments obtained from Google under the CMA’s intervention “focuses on privacy and data protection”.
In a statement, the data watchdog added:
“The commitments obtained mark a significant moment in the assessment of the Privacy Sandbox proposals. They demonstrate that consumer rights in digital markets are best protected when competition and privacy are considered together.
“As we outlined in our recent joint statement with the CMA, we believe consumers benefit when their data is used lawfully and responsibly, and digital innovation and competition are supported. We are continuing to build upon our positive and close relationship with the CMA, to ensure that consumer interests are protected as we assess the proposals.”
This development in the CMA’s investigation raises plenty of questions, large and small — most pressingly over the future of key web infrastructure and what the changes being hashed out here between Google and UK regulators might mean for Internet users everywhere.
The really big issue is whether ‘co-design’ with oversight bodies is the best way to fix the market power imbalance flowing from a single tech giant being able to combine massive dominance in consumer digital services with duopoly dominance in adtech.
Others would say that breaking up Google’s consumer tech and Google’s adtech is the only way to fix the abuse — and everything else is just fiddling while Rome burns.
Google, for instance, is still in charge of proposing the changes itself — regardless of how much pre-implementation consultation and tweaking goes on. It’s still steering the ship and there are plenty of people who believe that’s not an acceptable governance model for the open web.
But, for now at least, the CMA wants to try to fiddle.
It should be noted that, in parallel, the UK government and CMA are speccing out a wider pro-competition regime that could result in deeper interventions into how Google and other platform giants operate in the future. So more interventions are all but guaranteed.
For now, though, Google is probably feeling pretty happy for the opportunity to work with UK regulators. If it can pull oversight bodies deep down in the detail of the changes it wants to make that’s likely a far more comfortable spot for Mountain View vs being served with an order to break its business up — something the CMA has previously taken feedback on.
Google has been contacted with questions on its Privacy Sandbox commitments.
In its latest ambitious digital policy announcement, the European Union has proposed creating a framework for a “trusted and secure European e-ID” (aka digital identity) — which it said today it wants to be available to all citizens, residents and businesses to make it easier to use a national digital identity to prove who they are in order to access public sector or commercial services regardless of where they are in the bloc.
The EU does already have a regulation on electronic authentication systems (eIDAS), which entered into force in 2014, but the Commission’s intention with the e-ID proposal is to expand on that by addressing some of its limitations and inadequacies (such as poor uptake and a lack of mobile support).
It also wants the e-ID framework to incorporate digital wallets — meaning the user will be able to choose to download a wallet app to a mobile device where they can store and selectively share electronic documents which might be needed for a specific identity verification transaction, such as when opening a bank account or applying for a loan. Other functions (like e-signing) are also envisaged as being supported by these e-ID digital wallets.
Other examples the Commission gives where it sees a harmonized e-ID coming in handy include renting a car or checking into a hotel. EU lawmakers also suggest full interoperability for authentication of national digital IDs could be helpful for citizens needing to submit a local tax declaration or enrolling in a regional university.
Some Member States do already offer national electronic IDs but there’s a problem with interoperability across borders, per the Commission, which noted today that just 14% of key public service providers across all Member States allow cross-border authentication with an e-Identity system, though it also said cross-border authentications are rising.
A universally accepted ‘e-ID’ could — in theory — help grease digital activity throughout the EU’s single market by making it easier for Europeans to verify their identity and access commercial or publicly provided services when travelling or living outside their home market.
EU lawmakers also seem to believe there’s an opportunity to ‘own’ a strategic piece of the digital puzzle here, if they can create a unifying framework for all European national digital IDs — offering consumers not just a more convenient alternative to carrying around a physical version of their national ID (at least in some situations), and/or other documents they might need to show when applying to access specific services, but what commissioners billed today as a “European choice” — i.e. vs commercial digital ID systems which may not offer the same high-level pledge of a “trusted and secure” ID system that lets the user entirely control who gets to see which bits of their data.
A number of tech giants do of course already offer users the ability to sign in to third party digital services using the same credentials to access their own service. But in most cases doing so means the user is opening a fresh conduit for their personal data to flow back to the data-mining platform giant that controls the credential, letting Facebook (etc) further flesh out what it knows about that user’s Internet activity.
“The new European Digital Identity Wallets will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. With this solution they will have full control of the data they share,” is the Commission’s alternative vision for the proposed e-ID framework.
It also suggests the system could create substantial upside for European businesses — by supporting them in offering “a wide range of new services” atop the associated pledge of a “secure and trusted identification service”. And driving public trust in digital services is a key plank of how the Commission approaches digital policymaking — arguing that it’s an essential lever to grow uptake of online services.
However, ‘ambitious’ is a polite word for how viable this e-ID scheme looks.
Aside from the tricky issue of adoption (i.e. actually getting Europeans to A) know about e-ID, and B) actually use it, by also C) getting enough platforms to support it, as well as D) getting providers on board to create the necessary wallets for envisaged functionality to pan out and be as robustly secure as promised), they’ll also — presumably — need to E) convince and/or compel web browsers to integrate e-ID so it can be accessed in a streamlined way.
The alternative (not being baked into browsers’ UIs) would surely make the other adoption steps trickier.
The Commission’s press release is fairly thin on such detail, though — saying only that: “Very large platforms will be required to accept the use of European Digital Identity wallets upon request of the user.”
Nonetheless, a whole chunk of the proposal is given over to discussion of “Qualified certificates for website authentication” — a trusted services provision, also expanding on the approach taken in eIDAS, which the Commission is keen for e-ID to incorporate in order to further boost user trust by offering a certified guarantee of who’s behind a website (although the proposal says it will be voluntary for websites to get certified).
The upshot of this component of the proposal is that web browsers would need to support and display these certificates, in order for the envisaged trust to flow — which sums to a whole lot of highly nuanced web infrastructure work needed to be done by third parties to interoperate with this EU requirement. (Work that browser makers already seem to have expressed serious misgivings about.)
Another big question-mark thrown up by the Commission’s e-ID plan is how exactly the envisaged certified digital identity wallets would store — and most importantly safeguard — user data. That very much remains to be determined, at this nascent stage.
There’s discussion in the regulation’s recitals, for example, of Member States being encouraged to “set-up jointly sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements”.
And it seems that a range of approaches are being entertained, with recital 11 discussing using biometric authentication for accessing digital wallets (while also noting potential rights risks as well as the need to ensure adequate security):
European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identifications methods providing a high level of confidence, in particular when used in combination with other elements of authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679.
In short, it’s clear that underlying the Commission’s big, huge idea of a unified (and unifying) European e-ID is a complex mass of requirements needed to deliver on the vision of a secure and trusted European digital ID that doesn’t just languish ignored and unused by most web users — some highly technical requirements, others (such as achieving the sought for widespread adoption) no less challenging.
The impediments to success here certainly look daunting.
Nonetheless, lawmakers are ploughing ahead, arguing that the pandemic’s acceleration of digital service adoption has shown the pressing need to address eIDAS’ shortcomings — and deliver on the goal of “effective and user-friendly digital services across the EU”.
Alongside today’s regulatory proposal they’ve put out a Recommendation, inviting Member States to “establish a common toolbox by September 2022 and to start the necessary preparatory work immediately” — with a goal of publishing the agreed toolbox in October 2022 and starting pilot projects (based on the agreed technical framework) sometime thereafter.
“This toolbox should include the technical architecture, standards and guidelines for best practices,” the Commission adds, eliding the large cans of worms being firmly cracked open.
Still, its penciled in timeframe for mass adoption — of around a decade — does a better job of illustrating the scale of the challenge, with the Commission writing that it wants 80% of citizens to be using an e-ID solution by 2030.
The even longer game the bloc is playing is to try to achieve digital sovereignty so it’s not beholden to foreign-owned tech giants. And an ‘own brand’, autonomously operated European digital identity does certainly align with that strategic goal.
At its annual Build conference today, Microsoft announced a couple of new features for version 91 of its Edge browser that, like so much at Build this year, aren’t earth-shattering (developer velocity!) but nice quality-of-life upgrades for its users. Since Microsoft develops Edge in the open, these may also feel familiar to those who keep a close eye on the Edge roadmap – indeed, I think I’ve seen most of these in Edge 90 already…
One new feature is Startup Boost, which allows Edge to start up almost instantly. The way Microsoft does this is pretty straightforward. It simply loads some of the core Edge processes whenever you boot up your Windows machine, so when you task Edge with starting up, there isn’t all that much work left to do. This shouldn’t have too much of an effect on your Windows 10 bootup time, so it’s probably a trade-off worth making, but I also can’t recall anybody complaining about browser startup times in the last couple of years either.
The other new feature is ‘sleeping tabs,’ which does pretty much what you expect it to do. It puts your tabs to sleep so they don’t use up unnecessary memory and CPU cycles.
Microsoft first announced that it was testing this feature back in December and at the time, the Edge team said that it reduces memory usage by 32% and helps improve battery life as well, given that sleeping tabs use 37% less CPU on average compared to non-sleeping tabs.
It’s worth noting that Google’s Chrome browser, which shares much of its underlying technology with Edge, also features tools to limit resource usage, including what Google calls ‘tab freezing,’ as does virtually every other major browser today.
Pour one out for Internet Explorer, the long-enduring internet browser that’s been the butt of countless jokes about its speed, reliability, and probably most notable of all, security, which will retire next year after more than 25 years of service.
Microsoft said it will pull the plug on the browser’s life support in June 2022, giving its last remaining half a dozen or so users a solid year to transition to Chrome or Firefox — let’s be honest here — though other respectable browsers are available. There will be some exceptions to the end-of-life plan, such as industrial machines that need the browser to operate.
For years, Microsoft has nudged Internet Explorer users towards its newer Edge browser as a more reliable and secure alternative to the ailing Internet Explorer, often in the most obnoxious ways possible by splashing on-screen ads the second you flirt with using a rival browser. As the wider web’s support for Internet Explorer dwindled, enterprises have also begun phasing out support for the browser.
But in ending support for Internet Explorer, Microsoft is parting ways with one of the most problematic security headaches in its history.
Virtually no other software has been subject to more security bugs than Internet Explorer, in large part due to its longevity. Microsoft has patched Internet Explorer almost every month for the past two decades, trying to stay one step ahead of the hackers who find and exploit vulnerabilities in the browser to drop malware on their victims’ computers. Internet Explorer was hardened over the years, but it lagged behind its competitors, which sped ahead with frequent, almost invisible security updates and tougher sandboxing to prevent malware from running on the user’s computer.
As much as it’s easy to hate on Internet Explorer, it’s been with us for almost three decades since it debuted in Windows 95, and it’s served us well. For many of us who grew up on the internet in our teens and twenties, Internet Explorer was the first — and really the only — browser we used. Most of us signed up for our first Hotmail email address with Internet Explorer. We learned how to code our MySpace page using that browser, and we downloaded a lot — and I mean a lot — of suspicious-looking, malware-packed “games” that slowed the computer down to a crawl but thought nothing of it.
I remember, as a 10-(ish)-year-old child, seeing for the first time the pixelated Internet Explorer icon on that bright, teal wallpapered cathode-ray monitor in a cold attic room in our family home, because, not really knowing what the internet was, I complained to my father: “I don’t want to just explore the internet. I want to see the whole thing.”
Thanks to Internet Explorer, I got to see a large part of it.
Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic, when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.
The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Although Google has laid out a pretty generous-looking timeline of origin tests — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021”. So the changes certainly won’t ship before 2022.
The move, via development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy.
Part of this move toward a more private default for Chromium is deprecating support for third party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting of cohorts of users (aka FLoCs).
Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the wider ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.
The latter remains a massive, tanker-turning effort, though.
And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin tests of the changes to user-agent strings — a seven phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)
Indeed, back in 2019 Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. Albeit in January 2020 it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third party cookies within two years.
Still, Google can’t realistically deprecate tracking cookies without also shipping changes in browser standards that are needed to provide publishers and advertisers with alternative means to do ad targeting, measurement and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third party cookies. (And 2022 may well be the very earliest the shift could happen.)
There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.
Unsurprisingly, it has faced a lot of pushback from those sectors.
Its plan to end support for third party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to masses of first party user data (given its dominance of key Internet services). So depending on how regulators respond to ecosystem concerns Google may not be able to keep full control of the timeline, either.
Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is a welcome — if overdue — move.
Indeed Google’s blog post notes that it’s the laggard vs similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.
“As noted in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”
Commenting on the development, Dr Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.
“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”
Google’s blog post notes that its UA plan was “designed with backwards compatibility in mind”, and seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).
“If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.”
Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make the necessary updates to their code in time.
“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”
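The migration Google describes, sketched as an added example (not code from Google's post or from this article): a server-side detector that reads User-Agent Client Hints first and only falls back to parsing the legacy string. The header names are those defined by the User-Agent Client Hints specification; the function names and all sample header values are constructed for illustration.

```javascript
// Added example: prefer User-Agent Client Hints, fall back to the legacy UA string.
// Header names come from the UA Client Hints spec; every sample value is constructed.

// High-entropy hints are sent only after the server opts in with Accept-CH.
// These three carry the details the article says are leaving the UA string.
const HIGH_ENTROPY_HINTS = [
  'Sec-CH-UA-Full-Version-List', // full browser version (minor/patch)
  'Sec-CH-UA-Platform-Version',  // OS version number
  'Sec-CH-UA-Model',             // Android device model
];

// Value for the Accept-CH response header; request only what the site really needs.
function acceptCHHeader(needed = HIGH_ENTROPY_HINTS) {
  return needed.join(', ');
}

const unescapeSf = (s) => s.replace(/\\(.)/g, '$1');

// Parse a brand list such as: " Not A;Brand";v="99", "Chromium";v="91"
// Brands are quoted strings and may contain ';' or ',' (browsers add a deliberately
// odd placeholder brand), so splitting on separators would mis-parse the header.
function parseBrandList(value) {
  const brands = [];
  if (typeof value !== 'string') return brands;
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    brands.push({ brand: unescapeSf(m[1]), version: unescapeSf(m[2]) });
  }
  return brands;
}

// Single quoted-string hints, e.g. Sec-CH-UA-Platform: "Android"
function unquote(value) {
  if (typeof value !== 'string') return null;
  const m = /^\s*"((?:[^"\\]|\\.)*)"\s*$/.exec(value);
  return m ? unescapeSf(m[1]) : null;
}

// Match brands you recognise instead of trying to filter out placeholder entries.
const KNOWN_BRANDS = ['Google Chrome', 'Microsoft Edge', 'Opera', 'Chromium'];
function pickBrand(brands) {
  for (const name of KNOWN_BRANDS) {
    const hit = brands.find((b) => b.brand === name);
    if (hit) return hit;
  }
  return null;
}

// Legacy fallback. Vendor tokens are checked before the generic Chrome token,
// which cannot distinguish Chrome from other Chromium builds.
const UA_TOKENS = [['Edg', 'Microsoft Edge'], ['OPR', 'Opera'], ['Chrome', 'Google Chrome']];
const UA_PLATFORMS = [['Android', 'Android'], ['Windows NT', 'Windows'],
  ['CrOS', 'Chrome OS'], ['Mac OS X', 'macOS'], ['Linux', 'Linux']];
function parseLegacyUA(ua) {
  for (const [token, brand] of UA_TOKENS) {
    const m = new RegExp(`\\b${token}/(\\d+)((?:\\.\\d+)*)`).exec(ua);
    if (!m) continue;
    const platform = (UA_PLATFORMS.find(([needle]) => ua.includes(needle)) || [null, null])[1];
    return { brand, majorVersion: Number(m[1]), fullVersion: m[1] + m[2],
      platform, mobile: /\bMobile\b/.test(ua) };
  }
  return null;
}

// headers: object with lower-cased names, as in Node's req.headers.
function detectClient(headers) {
  const low = pickBrand(parseBrandList(headers['sec-ch-ua']));
  if (low) {
    const full = parseBrandList(headers['sec-ch-ua-full-version-list'])
      .find((b) => b.brand === low.brand);
    return {
      source: 'client-hints',
      brand: low.brand,
      majorVersion: parseInt(low.version, 10),
      fullVersion: full ? full.version : null, // null until Accept-CH is honoured
      platform: unquote(headers['sec-ch-ua-platform']),
      platformVersion: unquote(headers['sec-ch-ua-platform-version']),
      model: unquote(headers['sec-ch-ua-model']) || null,
      mobile: headers['sec-ch-ua-mobile'] === '?1',
    };
  }
  const legacy = parseLegacyUA(headers['user-agent'] || '');
  if (!legacy) return { source: 'none' };
  return { source: 'user-agent', platformVersion: null, model: null, ...legacy };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_HINTS = {
  'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="91", "Google Chrome";v="91"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-full-version-list':
    '" Not A;Brand";v="99.0.0.0", "Chromium";v="91.0.4472.77", "Google Chrome";v="91.0.4472.77"',
  'sec-ch-ua-platform-version': '"11.0.0"',
  'sec-ch-ua-model': '"Pixel 5"',
};
const SAMPLE_LEGACY = {
  'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.864.37',
};
```

Sending `Accept-CH` with only the hints a feature needs keeps the server's own data collection in line with the entropy reduction the change is meant to deliver.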
Google announced a new feature for its Chrome browser today that alerts you when one of your passwords has been compromised and then helps you automatically change your password with the help of… wait for it… Google’s Duplex technology.
This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome’s password-syncing feature.
It’s worth noting that this won’t work for every site just yet. As a Google spokesperson told us, “the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future.”
Now you may remember Duplex as the somewhat controversial service that can call businesses for you to make hairdresser appointments or check opening times. Google introduced Duplex at its 2018 I/O developer conference and launched it to a wider audience in 2019. Since then, the team has chipped away at bringing Duplex to more tasks and brought it to the web, too. Now it’s coming to Chrome to change your compromised passwords for you.
“Powered by Duplex on the Web, Assistant takes over the tedious parts of web browsing: scrolling, clicking and filling forms, and allows you to focus on what’s important to you. And now we’re expanding these capabilities even further by letting you quickly create a strong password for certain sites and apps when Chrome determines your credentials have been leaked online,” Patrick Nepper, senior product manager for Chrome, explains in today’s announcement.
In practice, once Chrome detects a compromised password, all you have to do is tap the “change password” button and Duplex will walk through the process of changing your password for you. Google says this won’t work for every site just yet, but “even if a site isn’t supported yet, Chrome’s password manager can always help you create strong and unique passwords for your various accounts.”
It’ll be interesting to see how well this works in the real world. Every site manages passwords a little bit differently, so it would be hard to write a set of basic rules that the browser could use to go through this process. And that’s likely why Google is using Duplex here. Since every site is a little bit different, it takes a system that can understand a bit more about the context of a password change page to successfully navigate it.
In addition to adding this feature, Google is also updating its password manager with a new tool for importing passwords from third-party password managers, deeper integration between Chrome and Android and automatic password alerts when a password is compromised in a breach.
A new crop of internet browsers from Brave, DuckDuckGo and others offer stronger privacy protections than what you might be used to.
FLoC is meant to be an alternative to the kind of cookies that advertising technology companies use today to track you across the web. Instead of a personally identifiable cookie, FLoC runs locally and analyzes your browsing behavior to group you into a cohort of like-minded people with similar interests (and doesn’t share your browsing history with Google). That cohort is specific enough to allow advertisers to do their thing and show you relevant ads, but without being so specific as to allow marketers to identify you personally.
This “interest-based advertising,” as Google likes to call it, allows you to hide within the crowd of users with similar interests. All the browser displays is a cohort ID, and all your browsing history and other data stay local.
The trial will start in the U.S., Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand and the Philippines. Over time, Google plans to scale it globally. As we learned earlier this month, Google is not running any tests in Europe because of concerns around GDPR and other privacy regulations (in part, because it’s unclear whether FLoC IDs should be considered personal data under these regulations).
Users will be able to opt out from this origin trial, just like they will be able to do so with all other Privacy Sandbox trials.
Unsurprisingly, given how FLoC upends many of the existing online advertising systems in place, not everybody loves this idea. Advertisers obviously love the idea of being able to target individual users, though Google’s preliminary data shows that using these cohorts leads to similar results for them and that advertisers can expect to see “at least 95% of the conversions per dollar spent when compared to cookie-based advertising.”
Google notes that its own advertising products will get the same access to FLoC IDs as its competitors in the ads ecosystem.
But it’s not just the advertising industry that is eyeing this project skeptically. Privacy advocates aren’t fully sold on the idea either. The EFF, for example, argues that FLoC will make things easier for marketing companies that want to fingerprint users based on the various FLoC IDs they expose. That’s something Google is addressing with its Privacy Budget proposal, but how well that will work remains to be seen.
Meanwhile, users would probably prefer to just browse the web without seeing ads (no matter what the advertising industry may want us to believe) and without having to worry about their privacy. But online publishers continue to rely on advertising income to fund their sites.
With all of these divergent interests, it was always clear that Google’s initiatives weren’t going to please everyone. That friction was always built into the process. And while other browser vendors can outright block ads and third-party cookies, Google’s role in the advertising ecosystem makes this a bit more complicated.
“When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact,” Marshall Vale, Google’s product manager for Privacy Sandbox, writes in today’s announcement. “Excited because we absolutely need a more private web, and we know third-party cookies aren’t the long-term answer. Worried because today many publishers rely on cookie-based advertising to support their content efforts, and we had seen that cookie blocking was already spawning privacy-invasive workarounds (such as fingerprinting) that were even worse for user privacy. Overall, we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was irresponsible, and even harmful, to the free and open web we all enjoy.”
It’s worth noting that FLoC, as well as Google’s other privacy sandbox initiatives, are still under development. The company says the idea here is to learn from these initial trials and evolve the project accordingly.
Google today announced that its Chrome browser is moving to a faster release cycle by shipping a new milestone every four weeks instead of the current six-week cycle (with a bi-weekly security patch). That’s one way to hasten the singularity, I guess, but it’s worth noting that Mozilla also moved to a four-week cycle for Firefox last year.
“As we have improved our testing and release processes for Chrome, and deployed bi-weekly security updates to improve our patch gap, it became clear that we could shorten our release cycle and deliver new features more quickly,” the Chrome team explains in today’s announcement.
Google, however, also acknowledges that not everybody wants to move this quickly — especially in the enterprise. For those users, Google is adding a new Extended Stable option with updates that come every eight weeks. This feature will be available to enterprise admins and Chromium embedders. They will still get security updates on a bi-weekly schedule, but Google notes that “those updates won’t contain new features or all security fixes that the 4 week option will receive.”
The new four-week cycle will start with Chrome 94 in Q3 2021, and at this faster rate, we’ll see Chrome 100 launch into the stable channel by March 29, 2022. I expect there will be cake.
In addition, the Edge team also announced a few under-the-hood changes that will allow the browser to start up significantly faster (up to 41% faster according to Microsoft’s preliminary tests, to be precise). Since Microsoft can’t speed up your hard drive or significantly shrink Edge, though, the way the team achieves this is by loading the browser in the background when you sign in and then it’ll continue running when you close all browser windows. If that’s not to your liking, you can always turn this feature off, too.
While vertical tabs are available for you to play with now, though, the startup improvements will roll out over the course of this month.
Vertical tabs, of course, are nothing new. Other browsers have long supported them, either as a built-in feature or through extensions. But it’s nice to see them finally becoming a reality in Edge, too.
“Most websites follow a conventional grid that leaves plenty of whitespace on either end of the page,” Microsoft’s Michele McDanel writes in today’s announcement. “As we began working with our users, we realized that this vertical real estate could be a better location for tabs, rather than the traditional horizontal list of tabs at the top. While vertical tabs may not be an entirely new concept, we saw an opportunity to improve the browser experience and tested several prototypes with our users.”
In its research, Microsoft discovered that users who like vertical tabs also like to switch between them and standard horizontal tabs, so it added an always-visible toggle to do so. And since users sometimes want to reclaim all of their screen estate, the team added the ability to collapse the sidebar, too.
For those of you who use Bing, Microsoft is also adding a few nifty new features to its search engine. There’s a new recipe view for when you’re once again out of ideas for what to make for dinner, improved visual search results, and the company has spruced up some of its rich sidebar snippets with a more infographic-like feel. But let’s face it: you’re not using Bing. If perchance you do, you can find more details about the updates here.
Requiring that app makers list the data they collect reveals a lot about what some apps do with our information (ahem, WhatsApp) but creates confusion about others.
The internet is not a private place. Ads try to learn as much about you as they can to sell your information to the highest bidder. Emails know when you open them and which links you click. And some of the biggest internet snoops, like Facebook and Amazon, follow you from site to site as you browse the web.
But it doesn’t have to be like that. We’ve tried and tested six browser extensions that will immediately improve your privacy online by blocking most of the invisible ads and trackers.
These extensions won’t block every kind of snooping, but they will vastly reduce your exposure to most of the efforts to track your internet activity. You might not care that advertisers collect your data to learn your tastes and interests to serve you targeted ads. But you might care that these ad giants can see which medical conditions you’re looking up and what private purchases you’re making.
By blocking these hidden trackers from loading, websites can’t collect as much information about you. Plus by dropping the unnecessary bulk, some websites will load faster. The tradeoff is that some websites might not load properly or refuse to let you in if you don’t let them track you. You can toggle the extensions on and off as needed, or you could ask yourself if the website was that good to begin with and could you not just find what you were looking for somewhere else?
We’re pretty much hardwired to look for that little green lock in our browser to tell us a website was loaded over an HTTPS-encrypted connection. That means the websites you open haven’t been hijacked or modified by an attacker before they loaded and that anything you submit to that website can’t be seen by anyone other than the website. HTTPS Everywhere is a browser extension made by the non-profit internet group the Electronic Frontier Foundation that automatically loads websites over HTTPS where it’s offered, and allows you to block the minority of websites that don’t support HTTPS. The extension is supported by most browsers, including Chrome, Firefox, Edge, and Opera.
Another extension developed by the EFF, Privacy Badger is one of the best all-in-one extensions for blocking invisible third-party trackers on websites. This extension looks at all the components of a web page and learns which ones track you from website to website, and then blocks them from loading in the browser. Privacy Badger also learns as you travel the web, so it gets better over time. And it requires no effort or configuration to work, just install it and leave it to it. The extension is available on most major browsers.
Ads are what keeps the internet free, but often at the expense of your personal information. Ads try to learn as much about you as they can — usually by watching your browsing activity and following you across the web — so that they can target you with ads you’re more likely to click on. Ad blockers stop them in their tracks by blocking ads from loading, but also the tracking code that comes with them.
uBlock Origin is a lightweight, simple but effective, and widely trusted ad blocker used by millions of people, but it also has a ton of granularity and customizability for the more advanced user. (Be careful with impersonators: there are plenty of ad blockers that aren’t as trusted that use a similar name.) And if you feel bad about the sites that rely on ads for revenue (including us!), consider a subscription to the site instead. After all, a free web that relies on ad tracking to make money is what got us into this privacy nightmare to begin with.
PixelBlock & ClearURLs
If you thought hidden trackers in websites were bad, wait until you learn about what’s lurking in your emails. Most emails from brand names come with tiny, often invisible pixels that alert the sender when you’ve opened them. PixelBlock is a simple extension for Chrome browsers that simply blocks these hidden email open trackers from loading and working. Every time it detects a tracker, it displays a small red eye in your inbox so you know.
Most of these same emails also come with tracking links that alert the sender to which links you click. ClearURLs, available for Chrome, Firefox and Edge, sits in your browser and silently removes the tracking junk from every link in your browser and your inbox. That means ClearURLs needs more access to your browser’s data than most of these extensions, but its makers explain why in the documentation.
Firefox Multi-Account Containers
And an honorary mention for Firefox users, who can take advantage of Multi-Account Containers, built by the browser maker itself to help you isolate your browsing activity. That means you can have one container full of your work tabs in your browser, and another container with all of your personal tabs, saving you from having to use multiple browsers. Containers also keep your private personal browsing separate from your work browsing activity. It also means you can put sites like Facebook or Google in a container, making it far more difficult for them to see which websites you visit and understand your tastes and interests. Containers are easy to use and customizable.
A group of industry heavyweights, including Google, Box, Citrix, Dell, Imprivata, Intel, Okta, RingCentral, Slack, VMware and Zoom, today announced the launch of the Modern Computing Alliance (moderncomputing.com).
The mission for this new alliance is to “drive ‘silicon-to-cloud’ innovation for the benefit of enterprise customers — fueling a differentiated modern computing platform and providing additional choice for integrated business solutions.”
Whoever wrote this mission statement was clearly trying to see how many words they could use without actually saying something.
Here is what the alliance is really about: even though the word Chrome never appears on its homepage and Google’s partners never quite get to mentioning it either, it’s all about helping enterprises adopt Chrome and Chrome OS. “The focus of the alliance is to drive innovation and interoperability in the Google Chrome ecosystem, increasing options for enterprise customers and helping to address some of the biggest tech challenges facing companies today,” a Google spokesperson told me.
I’m not sure why it’s not called the Chrome Enterprise Alliance, but Modern Computing Alliance may just have more of a ring to it. This also explains why Microsoft isn’t part of it, though this is only the initial slate of members and others may follow at some point in the future.
Led by Google, the alliance’s focus is on bringing modern web apps to the enterprise, with a focus on performance, security, identity management and productivity. And all of that, of course, is meant to run well on Chrome and Chrome OS and be interoperable.
“The technology industry is moving towards an open, heterogeneous ecosystem that allows freedom of choice while integrating across the stack. This reality presents both a challenge and an opportunity,” Google’s Chrome OS VP John Solomon writes today.
As enterprises move to the cloud, building better web applications and maybe even Progressive Web Applications that work just as well as native solutions is obviously a noble goal and it’s nice to see these companies work together. Given the pandemic, all of this has taken on a new urgency now, too. The plan is for the alliance to release products — though it’s unclear what form these will take — in the first half of 2021. Hopefully, these will play nicely with any browser. A lot of these ‘alliances’ fizzle out quite quickly, so we’ll keep an eye on what happens here.
Bonus: the industry has a long history of alliances like these. Here’s a fun 1991 story about a CPU alliance between Intel, IBM, MIPS and others.
At the Chrome Dev Summit, Google’s Chrome team today announced a number of new capabilities for developers, updated rules for extension developers, as well as new steps to improve the overall performance of the browser.
In addition, the Chrome team also announced a major change for extension developers: sometime in 2021, users will get more granular control over which sites an extension can access and starting in January, every extension will feature a ‘privacy practices’ section on the Chrome Web Store that details what kind of data the extension collects.
The Chrome team also today announced that it will launch Manifest V3 in mid-January, when Chrome 88 hits the stable channel. That’s something a lot of extension developers — especially those working on ad blockers — have been dreading. Manifest V3 introduces new limits for extension developers that are meant to prevent them from accessing too much data from their users, but it also puts relatively severe limits on how extensions can interact with a web page. Google now says it has made some changes to V3 based on the feedback it has received, but this is probably not the last we’ve heard of this.
The team also continues to work on new ways to speed up the browsing experience. It is doing this by actually changing the way it compiles Chrome, something it first talked about this summer, when these changes arrived in the Chrome beta channel.
“Based on looking at the usage patterns of Chrome, we asked ourselves — with insights of how users are actually using Chrome — are there things we could do in how we compile Chrome itself that would make it more efficient? And we found that the answer is yes,” Google’s Ben Galbraith told me. “[…] We call it profile-guided optimization and in [certain] scenarios, we found up to 10 percent faster page loads due to these task-specific compiler optimizations.” Most of the scenarios are in the 2 to 5 percent range, but given how mature most browser engines are now, even that’s a significant difference.
The team has also recently worked on improving tab throttling and how it allocates resources to foreground and background tasks. Galbraith noted that the plan is to do more work along these lines moving forward.
Developers, too, will get some new tools to improve the performance of their web apps as part of Google’s Web Vitals initiative, which aims to provide developers with the right performance metrics to help them understand how users experience their web apps. Google Search will use some of these core metrics in its rankings, starting May 2021. Google already highlights this data in the Chrome Experience Report, in its Search Console and elsewhere, but today it is also launching an open-source Web Vitals Report tool to help developers create custom visualizations based on the Web Vitals data they’ve sent to Google Analytics. Google Analytics doesn’t currently surface this data in the context of Web Vitals, so developers can now run these reports using Google’s own hosted tool or fork the code and run them on their own infrastructure.
“When you look at the different metrics, we’re focused on the things that we understand the most: loading metrics, visual stability and the like, and interaction — so when you click on something, something actually happens. The mission for these metrics is to be able to really understand the quality of the experience that you’ve got,” Google’s Dion Almaer explained.
And there is more. On the privacy front, Google continues to iterate on its Privacy Sandbox model. It’s adding two new experiments here: the Click Conversion Measurement API, which measures ad conversions without using cross-site identifiers, and the new Trust Token APIs, which allow a site to issue a cryptographic token to a user it trusts. The idea behind this token is that the browser can then use it in another context as well to evaluate that a user is who they say they are — and not a bot or an impostor with malicious intent.
In addition, there are also new features for developers who want to write PWAs, updates to how developers can accept payments in Chrome and more.