Media Review #3

Potential Direction for FLoC, a Look at SWAN, UID 2.0 explained and more

In this Media Review, we selected four articles covering a potential direction for FLoC, a detailed description of Google’s Attribution Reporting API, an analysis of SWAN, and an explanation of UID 2.0.


On July 26, during the Internet Engineering Task Force meeting, Josh Karlin, a tech lead manager in Google’s Privacy Sandbox team, presented the current state of FLoC

Karlin explained that a potential next step for FLoC could be moving from FLoC IDs (~30,000 different cohorts) to topic-centric IDs, like “fitness”, with a lower number of groups, like ~256

This approach is aimed at reducing the fingerprinting surface, as it would minimize the number of bits of information about the user shared by FLoC, which could be used, for example, by identity tech providers to improve the accuracy of their systems

Prior to Karlin’s presentation, engineers from Facebook proposed ad topic hints, which operate on a similar basis, to the Privacy Community Group at the W3C

However, both Karlin and Google’s spokesperson denied that this is a confirmed direction for FLoC, and said that many ideas are still being evaluated

Introduction to Attribution Reporting (Conversion Measurement) – Google

On August 9th, Google published a more detailed description of the Attribution Reporting API, the successor of the Conversion Measurement API, which has been under development for many months

Google claims that while it still is under development, this API aims to eventually address multiple reporting and optimization-focused use cases

The API operates based on two types of reports:

  • Event-level reports associating individual ad clicks or views with coarse conversion data for optimization, coarse reporting, and fraud detection use cases

  • Aggregate reports offering more detailed conversion data, but in an aggregated form for reporting the effects of the campaigns and other optimization use cases not satisfied by Event-level reports

Attribution Reporting aims to also satisfy app-to-web attribution and cross-device attribution and be usable for both FLEDGE and FLoC

However, in their most recent update of the Privacy Sandbox timeline, Google moved the start of the testing phase of ad measurement APIs, including the Attribution Reporting API, to Q1 2022 from Q4 2021

What is SWAN? – AdMonsters

James Rosewell, one of the creators of SWAN, explains what this community-operated idea is all about

The author claims that SWAN uses pseudo-anonymous identifiers to comply not only with European privacy laws but also with Mozilla’s data privacy principles

James Rosewell claims that SWAN operates on the foundation of choice: users have to agree to personalized marketing when accessing ad-funded websites, while the entities running these sites have to agree to standard contractual terms

It is not the intention of this proposal to share identifiable personal information of users across sites; even if the user provides an email address, it will only be used to generate a pseudo-anonymous identifier

SWAN uses cookies to store people’s consistent preferences, but they are only read and updated in a first-party setting by participating organizations who agreed to the terms

The proposal was criticized by engineers behind Safari, Edge, and Mozilla (more below)

Privacy analysis of SWAN.community and Unified ID 2.0 – Mozilla

After the analysis of SWAN and UID 2.0, Mozilla concludes that, from a technical standpoint, they are a regression in privacy in that they allow the tracking of users who are presently protected against it

The company claims that SWAN uses redirect tracking (bounce tracking) and UID 2.0 uses primary identifiers (e.g. email address) to bypass browser anti-tracking mechanisms

Mozilla has concerns that while both these proposals rely on policy controls (relying on user consent for tracking and then restricting the use of tracking data), there are insufficient ways to verify that these policies are being followed. And whether the policies are enforced or not, this would still give many companies access to the user’s browsing history

The company emphasizes that this is a situation that browsers are currently trying to fix, and repeats that its intention is to eliminate cross-site tracking from its browser entirely, which is a continuation of the work started by Enhanced Tracking Protection in 2019
