The State of Online Privacy Pt4
The Topics API Explainer
This is a series looking at the ways online privacy, particularly tracking, is changing. If you haven’t already, have a read of part 1, 2, and 3.
How Did We Get Here?
2022 was supposed to be the year Chrome deprecated third-party cookies and a new way of tracking people was introduced. However, the first offering, the Federated Learning of Cohorts (FLoC) was less than desirable to many, but particularly to privacy advocates.
In a nutshell, FLoC was supposed to group people together in interest-based cohorts to direct ads to. So, if your browser history indicated you’d visited football websites over the last few days, you’d be put into a cohort with other football-website-visitors & you’d all be served football ads.
While this addressed some of the issues presented by third-party cookies (3PC), it presented a host of new problems which largely boils down to the overarching issue: identifying specific people. Each cohort would have an ID and a capacity of a few thousand people, making it easy for interested parties (attackers, ad agencies, etc) to identify the people in the cohorts. Meaning people could still be tracked.
How Does Topics Try to Improve on FLoC?
The Topics API proposes a different way of digital advertising. Instead of 3PC or FLoC, the Topics API suggests having a master list of topics which will be maintained by humans and not include sensitive topics (e.g. race, political leanings, etc). Using browser history tracking (which is the core of behavioural advertising), the API will be able to determine what people are interested in at specific intervals (for now, it’s proposed weekly intervals) and then select topics from the list and ads that match those topics will be displayed to the person. People will be able to opt-out of this tracking if they want, as will websites.
The API will use a combination of different strategies to address the issues presented in FLoC. Mainly looking at making it harder for users to be fingerprinted (and therefore identified);
- The API designers have limited how many topics there are to a few hundred meaning the group of people per topic is significantly increased
- There are limits placed on how many topics, which topics a person is shown and limits on how many of a person’s topics a website can see.
- There is a reduced 20% chance that the a person will get the same topic across two websites.
- A person’s topics will be updated weekly to prevent a profile being built.
The Topics API does seem to have given more thought to the issues presented by FLoC and addresses them. However…
Is This a Suitable Solution?
This depends. There has been a big push for banning behavioural advertising, and the EU have since placed restrictions and laws around how cookie notices should be displayed, what data can be collected about a person and more. US senators are also proposing similar bills.
Tracking is integral to behavioural advertising but tracking is also the problem, since the goal of tracking people is to collect personal data which can then be used to (in this case) sell, but in other cases, more nefarious things. These APIs are trying to retrofit a system that is already very problematic without addressing the real issue: tracking.
Additionally, this API would be on by default so many people will not know they’re consenting to this and although there’s a mechanism for switching it off, that relies on people knowing it’s on in the first place.
Topics API needs to know your browser history in order for it to work. While there has been thought put into how to anonymise people and limit identification, this is a bandaid solution.
The exclusion of “sensitive” topics also poses the question of what is sensitive and who gets to decide? There is no current definition of what API developers mean when they say “sensitive” which further emphasises the subjectiveness of it all. Pregnancy and climate change are both topics that are advertised and could be sensitive to a subset of users, especially those who have had traumatising experiences with either.
There are other, more consent-forward ways to find out what adverts people want to see and when they want to see them, that don’t involve tracking. Contextual advertising is also an option that’s being proposed as an alternative, which basically says: “if I’m on a supermarket website, I don’t mind soap being advertised to me”.
Conclusion
We have to wait and see how the wider privacy community feels about this API but, as it stands, while it is an improvement on FLoC, it still doesn’t address the main problem of 3PC.
You can read the detailed explainer of Topics or ask your own questions and get involved in the community. This API is being discussed in the W3C Private Advertising Community Group, which you can join if you’re interested and want to learn more.
