Advertising is the basis for monetizing digital content and services on the Internet. However, in order to select more relevant ads, advertising networks are forced to collect as much information about users as possible. This comes close to the violation of privacy. Things get even more controversial when the largest representatives of the advertising business begin to promote the idea of privacy.
Advertisеment
Here's how Alphabet (Google), the owner of one of the largest advertising networks AdSense, the most popular browser Chrome with a huge influence on the mobile market, tried to challenge itself by spying on the user with one eye and making sure that no one else does with the other.
ℹ️ This material is suitable for those who work in the field of digital advertising or the web, those who want to understand how modern advertising works on the Internet, those who fight for anonymity on the network, and those who love holy wars about which browsers are safer and better. The author tried not to touch on complex technical aspects.
The Role of Third Party Cookies in Advertising
Advertising on websites is provided by advertising networks. An advertising network is a set of websites that sell space for advertising banners, and advertising servers that ensure that users are classified according to their interests and social strata. So, the system will pick corresponding advertising for them.
A cookie is a tag that a server can assign when responding to a request. Browsers store these tags and return them to the server each time the user navigates the same domain/website. Thus, by associating a tag with stored data, the server can store information about a random user.
Let's consider how contextual advertising works in its standard form. For this purpose, Figure 1 shows an illustration of the process of user marking by the advertising server for issuing an advertising banner on a specific topic of interest.
Let's say there are 2 sites that are partners of the same advertising network.
The user visits website-1.com
with some topic
- The HTML code of the site has a place for an advertising banner. The banner specifies the URL for loading the image. The browser, trying to display the image, requests it from the advertising server.
- Since the ad server and the site are nodes of the same ad network, the server knows what kind of site it is and what its subject matter is. The server sees a request from a new user, but does not yet know about preferences - it can show random or related to the subject matter of the current site ads. In this case, the server assigns an identifier to this new client via the cookie mechanism, and the browser automatically saves the cookie for further use in requests to the same domain.
- Formation and transmission by the server of an HTTP response with the Set-Cookie header to set a cookie.
The "flagged" user visits website-2.com
which is part of the same network, but with a different topic:
- According to the same scheme as in point 1), a request is made to the advertising server with the same domain, and since the domain is the same, the browser will automatically include the Cookie header with the previously issued tag in the HTTP request.
- The server reads the cookie and matches the identifier with its database, which contains a record that the tag was issued to this user during a visit to website-1.com.
- The server gives the client an advertising banner with the theme of the previous site.
The fact that the cookie is issued by the ad network server and is linked to the domain of that ad network, and not to the domain of the site itself, is why it is called a third-party cookie.
The same mechanism can be used for tracking, when some third party needs to track which sites a user visits.
Ways to combat advertising
The question of how to maintain privacy while effectively promoting products and services is extremely relevant. Irrelevant, improperly embedded, unethical or simply imposed advertising irritates users. Finally, collecting user data without their consent violates basic human rights and law in many countries.
In general, this is how things stand. "Businesses" want to flood the user with advertising, and the user either don't want to see it, or at least want to control it. Ad networks and browser developers are forced to balance, trying to please both, while preserving advertising as the most important way to earn money on the Internet. Accordingly, there are methods of counteraction to combat the negative effects of advertising.
Legislative initiatives
List of the most significant current bills:
- California Consumer Privacy Act (CCPA).
- General Data Protection Regulation (GDPR).
- ePrivacy Directive.
They are aimed specifically at combating tracking, not advertising.
The European Internet advertising law GDPR is well known to many. Every website, even outside the EU, these days shows a window asking you to consent to the use of cookies. However, it is obvious that most often these banners cause nothing but irritation.
Research data - 2021 , 2020 , 2019 - show:
- The user can still be tracked by cookies in 90% of cases.
- 75% of websites do not take user choice into account at all.
- On average, each site makes 3.51 requests that share user IDs with third parties without consent.
These laws also do not regulate fingerprinting. To sum it up, legislative initiatives are ineffective.
Privacy mechanisms in browsers
Let's see what current browsers can offer users to protect against advertising and tracking.
The main tool is ad blockers. There are built-in solutions, like in Opera and Vivaldi, and several third-party browser extensions. Different blockers work in a similar way and often offer the same basic features.
How most ad blockers work
- Blocking requests to known advertising networks. To do this, blockers store a list of domains affiliated with advertising networks.
- Removing elements similar to advertising banners from an HTML page.
- Force cookie lifetime limitation.
Advanced security features
- Neural network image analysis to find advertising banners on a page.
- Fuzzy hashing of images to match against a database of known advertising banners.
- Detecting fingerprinting scripts. We'll talk about them closer to the end.
Browser developers are also putting forward technical initiatives aimed at maintaining user privacy when accessing the Internet.
For example, Apple Safari and Mozilla Firefox have long since implemented comprehensive solutions. In Safari, this is the Intelligent Tracking Prevention (ITP) technology, and in Firefox, a whole set of mechanisms, including Anti-tracking policy (ATP) , Resist Fingerprinting (RFP) and Enhanced Tracking Protection (ETP). Both approaches are aimed at actively combating trackers and fingerprinting.
Google is proposing a different concept: Privacy Sandbox. This newer initiative involves a fundamental overhaul of the advertising mechanisms and will be discussed in detail below.
Brave is a special case. It implements an alternative, privacy-focused approach to advertising called Brave Ads Platform , which rewards users for viewing ads, so you may not need to limit ads.
Industry experts have long discussed the complete elimination of third-party cookies as the primary tracking mechanism.
Disabling third-party cookies is an extremely complex and painful process for online businesses. It affects not only advertising networks, but also all sites that have integrations with other sites or services through embedded solutions, such as external authorization services, analytics collection services, or recommendation services. Embedded solutions "out of the box" are extremely important, because not all companies have sufficient resources to reconfigure their servers and transfer integration functions from an existing site to API servers.
But there are successful examples of restricting third-party cookies. For example, Mozilla Firefox and Apple Safari browsers limit such cookies to a short lifespan depending on the settings set by the user. They also block third-party cookies if they are included in the lists of known domains of advertising networks and trackers. This is is similar to the methods used by of ad blockers. Overall, this is an example of a successful compromise between the convenience of working on the Internet, privacy, and earnings from advertising.
Privacy Sandbox
And now, Google Chrome developers have also decided to partially abandon third-party cookies, which became part of the Privacy Sandbox initiative aimed at
The Privacy Sandbox aims to create technologies that protect online privacy and give companies and developers tools to build thriving digital businesses.
Source
The process of disabling third-party cookies in the Google Chrome browser was broken down into stages. Google has also provided new browser APIs for advertising networks and trackers.
At the first stage, Privacy Sandbox was limited to 1% of all third-party cookies, and then it was planned to expand the blocking share.
The developers have implemented alternative identification methods, implemented as JS functions:
- Topics API - for transmitting topics of sites visited by the user to advertising networks.
- Private state tokens (PST) - identifiers for other integrations. It is stated that these methods of obtaining information about the user better preserve privacy.
Google has already provided a timeline of the stages. The 1% third-party cookies blocking test ran from January 4, 2024 to July 22, 2024.
The Dominance of Google Chrome Browser
See, Google Chrome is the most popular browser on the planet. And in regions where it does not dominate, browsers from other companies based on the open browser engine Google Chromium dominate, for example, Yandex Browser on the Russian market. Safari is in second place worldwide. This follows from Table 1.
It should be noted that Google, Apple and Yandex have their own advertising networks and platforms, which occupy a significant share due to the dominant position of their operating systems and products in the respective markets.
This means that browsers from these companies - Google Chrome, Yandex Browser and Apple Safari - are interested in collecting information about users in one way or another, either for use in their advertising networks or for sale to partners.
This is clearly mentioned in the license agreements. That obvious that such companies (that own dominant platforms and applications) are least affected by third-party cookie restrictions, because they can introduce advertising identifiers for users at the browser source code level.
Privacy Sandbox implementation
So, Google Chrome introduced the Privacy Sandbox initiative to the world. But after 6 months of blocking tests, due to unsatisfactory results, as well as the rejection of this measure by experts, on July 22, 2024, Google abandoned its plans to increase the share of third-party cookies blocked, announcing the introduction of a special user setting in its browser instead. Let's take a look at what went wrong.
To begin with, both cookie-replacing APIs raise concerns. First, in order for a developer to be able to issue PSTs, it is necessary to register with Google, which automatically locks (and limits) the project to company's solutions. For example, registration may be denied to companies resident in countries on the US sanctions list.
Furthermore, despite the fact that the AI model used in the Topics API is open and anyone can check its stated accuracy, in practice it turns out to be more important that the accuracy of contextual advertising depends on its work. It is also known that this Chrome browser API specifically imposes five percent noise on its own result - this measure is designed to improve privacy, sometimes replacing your interests with random ones. That is, the effectiveness of contextual advertising when using the Topics API is definitely reduced.
Finally, Google's AdSense advertising network has much more data about the user with these inputs, due to the collection of identifying information by the Chrome browser itself. This should give the company a systematic competitive advantage over independent advertising networks. All this suggests that Google's true goal is to strengthen its position in the growing advertising market, and not at all to care about users.
Financial results for fiscal year 2024, based on quarterly reports on Form 10-Q, annual reports on Form 10-K, and IFRS reports, were recently made available. These are the U.S. and international financial reporting standards for organizations whose securities are traded on stock exchanges.
Before discussing the impact of third-party cookie blocking on the online advertising market, you must keep in mind that there are several types of companies involved in digital advertising.
The first of these are advertising networks. Examples of such companies include: VK, AdNow, ExoClick, Sovrn, Ezoic, Admixer, AdRoll, AdsTerra, PropellerAds, Tradedoubler, PubMatic, and Outbrain.
The second type of companies consists of platform owners such as operating systems, popular apps, digital product ecosystems, social networks, and browsers. These companies operate on the same principle as the first group, but do not rely on web browser mechanisms such as cookies. Instead, they collect user data through the apps themselves. The list of such companies includes: Yandex, AppLovin, Microsoft, Google, Apple, and Amazon.
The third group includes television companies, mobile operators, satellite TV operators and Internet service providers. They tag users using subscriber IDs or device IMEIs and make money by replacing ads on web pages that users view with their own ads. The American company Verizon is an example of a large mobile operator that uses this strategy.
So, let's move on to the financial results of some of the above companies. The income and losses of their advertising segments are shown in Table 2.
The following table includes financial results of advertising networks and specialized divisions of large corporations engaged in advertising sales. Data from this research.
Company | Units of measurement | Q4-22 | Q1-23 | Q2-23 | Q3-23 | Q4-23 | Q1-24 | Q2-24 | Q3-24 | Q4-24 |
|---|---|---|---|---|---|---|---|---|---|---|
RUB billion | 1.6 | 1.6 | 1.8 | 1.9 | 2.6 | 2.0 | 2,2 | 2.4 | 3.0 | |
SEK million | 46.4 | 45.9 | 46.9 | 48.4 | 57.5 | 52.4 | 48.1 | 48.9 | 61.9 | |
US $ million | 7.4 | 5.5 | 6.3 | 6.4 | 8.5 | 6.7 | 6.7 | 7.2 | 8.6 | |
US $ million | 25.8 | 23.2 | 22.6 | 23.0 | 24.8 | 21.7 | 21.4 | 22.4 | 23.5 | |
US $ million | 70.2 | 71.5 | 75.0 | 86.4 | 95.3 | 105.8 | 108.0 | 119.8 | 137.3 | |
RUB billion | 7.0 | 6.8 | 7.9 | 9.1 | 10.1 | 9.4 | 10.3 | 11.4 | 12.8 | |
US$ billion | 1.7 | 1.8 | 1.8 | 2.5 | 2.6 | 2.0 | 2.0 | 2.8 | 2.9 | |
US$ billion | 5.9 | 5.6 | 5.8 | 6.0 | 6.6 | 6.2 | 6.5 | 6.6 | 7.3 |
The reported revenue data was converted into a relative change from quarter to quarter (QoQ). The resulting values, reflecting short-term revenue fluctuations, are shown in Figure 6.
Figure 6 - QoQ change in ad network revenue for 2023–2024 in percent. The orange dotted line represents the projected 15.3% annual growth rate for the digital ad market (or 3.6% QoQ) according to this research. The blue area is the time frame for the 1% 3PC block in Google Chrome. Illustration from this research.
It is clear that the overall market has seen a significant decline in the first two quarters of 2024 Q1-24–Q2-24 . It is also clear that Google's quarterly revenue decline of 5.8% in the first quarter of 2024 Q1-24 was lower compared to other companies.
It is also important to acknowledge the inaccuracy of the data reviewed on revenues from advertising network segments provided by companies. For example, annual reports may not contain a direct estimate of revenues specifically from the advertising division. In such cases, the value was estimated using other sources. This is noted in the table and in the figure for Google.
Further, some companies include the financials of their advertising products in their reporting for larger business segments. For example, Microsoft reports revenue from LinkedIn and Bing - its core advertising products - under its Productivity and Business Processes segment, which also includes non-advertising products like Office 365. Similarly, Yandex reports revenue from its Yandex Direct advertising network under its Search and Portal segment, which also includes its search engine, web browser, and YandexID (a nod to the proprietary browsers and federated authentication systems of large corporations).
Lastly, the impact of cookie restrictions on the owners of major platforms - AppLovin, Yandex, Microsoft and Google - should have been insignificant, but they also experienced a slowdown in revenue growth. This indicates either a seasonal decline in the entire digital advertising market, or that the hypothesis is incorrect, in other words, that these companies were also "affected."
Why fingerprinting will become widespread
In the conditions of limitations of the main technology for advertising networks, they will try to survive. In the current environment, market participants who do not have their own widely distributed platforms are left either to put up with the conditions imposed by Google, receiving an uncontrollable risk of dependence on the competing advertising network Google AdSense, or to implement workarounds. Such workarounds can be:
- Closer cooperation with advertising network partners:
- Installing your own servers or server applications on network partner sites.
- Create VPN tunnels from partner servers to network servers so that third-party cookies become first-party cookies.
- Transferring user IDs on the site to advertising networks via API calls for further matching on the network servers.
- Using another well-known method of tracking users - fingerprinting.
The second way looks extremely attractive and an easy way out of the situation for both advertising networks and websites, because it is possible to deliver a JS script implementing fingerprinting to a partner website page based on already established mechanisms for delivering advertising content, for example, as a fragment of HTML code along with loading the contents of an advertising banner.
Fingerprinting
It's time to finally talk about what fingerprinting is. This is an approach that involves compiling a user identifier by collecting a variety of technical browser characteristics and user settings, which may include values unique to a given person-device pair. The collected characteristics are in most cases freely available to the script through calls to the browser API.
The user identification method shown in a unique sequence diagram in Figure 7.
- Steps 1-2, 6-7, 11-12. On the page, along with the advertising banner, the browser receives a JS code that implements fingerprinting. The subject of the advertisement is random.
- Steps 3, 8. The browser executes the script, receives the characteristics of the browser and device and, based on them, forms a relatively stable fuzzy identifier.
- Steps 4-5, 9-10. The identifier is sent to the ad network server, possibly with all the collected metrics. The server saves the identifier and the website topic so that the next time the same or similar identifier is received, it can generate contextual advertising.
To speed up the entire system, the generated identifier can be saved in the user's browser via the localStorage JS API for long-term storage of data at steps 3, 8. Then, when re-requesting advertising, steps 6–10 are not required, and the identifier can be immediately included in the request (step 11).
The diagram may seem confusing, but in reality everything happens here as it would with a cookie, but the step of receiving and processing the JS code is added, and the ad server now relies on a generated fuzzy identifier rather than a deterministic cookie tag.
The danger of the trend for users
Fingerprinting is difficult to combat. While cookies can be cleared, fingerprinting is a code that does not reveal itself. Also, a fingerprinting mark cannot be distinguished from any other marks that may be important for the operation of the site.
In addition, fingerprinting is a large amount of JS code that makes many unnecessary calls to the browser API for the site to work and loads the network, which slows down the page loading, and in turn, affects the ranking of sites in search results.
If we look at the problem more globally, we can assume that the increase in the number of mechanisms that violate privacy on the Internet will cause users to become increasingly dissatisfied with the unauthorized use of their personal data. As a result, more and more people will start looking for alternative solutions: browsers with tools that provide a greater degree of privacy, browser extensions with functions for blocking ads, trackers and fingerprinting scripts.
However, websites that rely directly on advertising for their income may also begin to adapt to this trend by using technologies that discriminate against users who use ad blocking technologies. Unfortunately, this practice is already common - you have probably seen such sites that hide some information for users who use ad blockers or users who are not authorized.
Ultimately, this could result in users who have privacy tools being restricted from accessing certain features and content on sites, further exacerbating the digital divide.
Closing words
The developers of the Google Chrome browser have attempted to offer a compromise solution that would, on the one hand, stop the activity of trackers that exploit cookie technology. But, on the other hand, offer alternative mechanisms for advertising on the Internet. Unfortunately, the implementation of the Privacy Sandbox initiative in its current form has failed to create a viable concept, probably due to the fact that Google itself is not interested in the complete absence of tracking.
The experiment described in limiting third-party cookies shows that privacy initiatives can indeed be a significant threat to advertising networks. However, small and medium-sized players in the advertising technology and recommendation systems market suffered the most, while the impact of the changes on market leaders with their own platforms, such as Google itself, was comparatively limited.
It is important that experts in the advertising business reached a consensus, expressing disagreement with the changes, believing that Google should not impose such decisions given the dominant position of its advertising products in the global market.
Unfortunately, the introduction of privacy initiatives like Privacy Sandbox is unlikely to make users' online experience more private due to the lack of measures against browsers and fingerprinting scripts collecting data. At the same time, Google's initiative, on the contrary, has strengthened the position of large advertising networks. It is especially ironic to realize that Privacy Sandbox was launched after Chrome switched to Manifest V3, which limited the effectiveness of ad-blocking extensions , and somewhere along with the news about YouTube's intolerance of users with such extensions. This situation could serve as an example to the public of poor solutions to the problem of maintaining online privacy and should be taken into account in other privacy initiatives.
On the other hand, some of the solutions in the Privacy Sandbox look promising. For example, the Topics API, which analyzes user interests using a local neural network, does eliminate the need to use cookies to pass identifiers to third parties if the goal is to display ads. Potentially, the development of these ideas could lead to an alternative model for online advertising, perhaps reminiscent of what is currently implemented in the Brave browser.
It is clear that the development and promotion of privacy initiatives will not be under the control of proprietary browser developers.
Source: habr.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
