Find below Movement for an Open Web’s (MOW) in-depth analysis of Google’s First Quarterly Report, as required by their commitments with the UK Competition and Markets Authority (CMA). This document is also available as a PDF, which can be found here.
MOW has also produced an accompanying summary issue list of key issues found with the report, which can be found here.
Paragraph 321 of the Commitments imposed on Google in respect of its proposed Privacy Sandbox Proposals2, require Google to provide the CMA with quarterly reports regarding progress made on the proposals, updated timing expectations, and substantive explanations of how Google has taken into account observations made by the CMA and by third parties pursuant to paragraphs 123 and 17(c)(ii)4 of the Commitments. In essence, this means that under the Commitments, Google is required to report to the CMA on how it addressed competition concerns in respect of the proposed Privacy Sandbox Proposals and whether it acted reasonably in how it did this assessment.
However, based on the points summarised below and further expanded in the following paragraphs,
there are concerns that in the recent report produced by Google (“the Report”)5, the company has not acted reasonably regarding the way in which it performed the actions required by the Commitments. Moreover, its approach departs from the spirit of the criteria required by the Commitments (i.e. there are many examples in the Report which show that Google treated compliance with some of the Commitments in a rather dismissive manner).
Specific examples of the concerns are available in the accompanying Issues List.
The Report shows the following inconsistencies with its obligations under the Commitments:
- There is no apparent agreement with CMA on testing. However, it seems that tests are currently being carried out, which is contravention with paragraph 17(c)(ii) of the Commitments.
- There seems to be no visibility as to the timing of all the events disclosed despite the obligation to provide publication of such timeframes by Google’s (paragraphs 116-12).
- There seems to be nothing in the Report regarding why particular points were thought reasonable, and others not. The Report simply asserts outcomes without providing reasoning. Therefore, this could be argued to be a breach of paragraph 12 which requires Google to take into consideration reasonable views and suggestions expressed to it by publishers, advertisers and ad tech providers (i.e. reasoned responses, as opposed to pure statements).7
- There is nothing in the Report regarding the quantitative impacts which the Privacy Sandbox Proposals would have on publishers despite an obligation to agree the modelling of such impact with the CMA (paragraph 17(c)(ii) of the Commitments.
Section 8 of the Commitments (“Section 8”) offered by Google to address competition concerns in the relevant market in respect of its Privacy Sandbox Proposals (“the Commitments)8 contains the operative part of the Commitments. Section 8 imposes a burden of proof on Google to demonstrate that its proposed changes are offering the equivalent functionalities as the ones it is proposing to withdraw to avoid competition concerns (paragraph 219). Therefore, Section 8 imposes an obligation on Google to demonstrate that the market distortion caused by the Privacy Sandbox Proposals is objectively justified.
Article 810 sets out four guiding Commitments for the CMA’s review of possible issues under the Commitments:
8.a. Impact on privacy outcomes and compliance with data protection Commitments as set out in the Applicable Data Protection Legislation
In respect of assessing the impact of the Privacy Sandbox Proposals on privacy and compliance with relevant data protection legislation, the Report does nothing to address this issue.
First, it is striking that the Report provides no details on privacy. This leaves competitors with no guidance as to the design of compliant systems. Indeed, there are only two instances where Google mentions privacy implications in the report.
The first instance is in respect of Attribution Reporting, regarding which the Report states that: “Chrome has heard some conflicting feedback on the impact of conversion reporting delays. However, given that the Attribution Reporting API does introduce randomized delays in reporting to protect users’ privacy, Chrome expects that specific use-cases or concerns will become clearer during the testing period, and may be addressed by additional debugging support or developer guidance.” This statement only acknowledges that changes in Attribution Reporting will cause delays in reporting concerns regarding user privacy, and provides no insight as to how a system could, objectively, comply with the stated concern.
The second instance where the Report mentions privacy is in respect of the User-Agent Reduction / User-Agent Client Hints. In this respect, the Report mentions that: “Chrome is in discussions and evaluating ways to maintain privacy while providing sufficient information that will be useful for debugging.” The language of this statement is rather vague as it states that Google is only “evaluating ways to maintain privacy”. Again, there is an omission of essential benchmarking information. There is not even a framework for analysis: what is meant by “sufficient”; what does “maintain privacy” mean: Current practice? Future practice? What exactly is the specific privacy concern and how can it be addressed on an objective and non-discriminatory approach? This is unacceptably vague for rivals looking to make significant investments, and this asymmetry of information perfectly suits Google.
It is also striking that Google has continued to use first- and third-party distinctions after their deprecation by the CMA-ICO joint report.
Consequently, in respect of showing the impact of the proposals on privacy outcomes and compliance with data protection Commitments, the Report does nothing to demonstrate such effect.
8.b. impact on competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants;
The second area in respect of which Google must provide objective justifications for the distortion in the market caused by the Privacy Sandbox Proposals is in relation to the impact on competition in digital advertising and the risk of distortion of competition between Google and other market participants.
In this regard, the Report merely states that: “Google has made great efforts to explain the proposal to reduce the User Agent string, with the information affected remaining available through User Agent Client Hints. In particular, this has been done through explainers on the proposal and the corresponding origin trial, with various updates on the Chromium blog and Chrome Platform Status.
Going forward, Google plans to monitor several metrics. Google will also work with partner teams, both internal and external, to receive feedback and metrics on client hints latency from the server’s perspective and will monitor community repos through Chromium and issues reported on the Github repository. Results of tests will be shared with the CMA in accordance with paragraph 17(c)(ii) of the Commitments.”
It should be noted that this statement contains false information. “The information affected remaining available through User Agent Client Hints” is not the same information as that in the User Agent string, i.e the “affected” information does not “remain available.” That is precisely why there are concerns. It is odd, and misleading, to assert that there is no change when, quite plainly, there is a change to User Agent information.
The difference is that less information is available and that increased latency is introduced, which harms competing bidding. Indeed, Google’s admission of testing this point (p.5) is inconsistent with the statement. It is also unclear whether this testing engaged the CMA as required in para. 17(c)(ii).)
It can be seen that Google only “explained the proposal to reduce the User Agent string” and “plans to monitor several metrics”. This pre-supposes that there is a privacy issue, and “explains” based on this assertion how the proposed UA string reduction will take place. This says nothing as to the why: why was it necessary? What specific concern does a competing technology need to address? There is nothing here as to what the User Agent string is doing, and what it is useful for – and thus a flaw in the logic, which looks only to (unsubstantiated) harm, and not to the use of the User Agent string and thus how equivalence might be achieved in new technology.
What the Report should have done would have been to analyse and show the impact of the removal of the User Agent String which harms advertising competition, given the impact that latency has on advert population. By performing this analysis, the Report would have assessed the impact on competition in digital advertising, which was actually required under Article 8b. of the Commitments.
There is also no mention of training, despite an obligation to provide this in the commitments. Although the verification of this goes via the monitoring trustee for conflict of interest reasons, it is very puzzling that there is no mention of training here.
c. impact on publishers (including in particular the ability of publishers to generate revenue from advertising inventory) and advertisers (including in particular the ability of advertisers to obtain cost-effective advertising);
To the surprise of the readers of the Report, there is nothing in respect of analysing the impact of the Privacy Sandbox Proposals on publishers and advertisers.
There is nothing in the report to quantify the impact on publishers and advertisers. It is implausible that no party raised this with Google, and there is no reasoned response as to the quantification of impacts despite the two core obligations underlying this report (Paragraph 12 in relation to reasoned responses to stakeholders and para 17(b)(ii) in relation to quantitative testing) both being in play. Origin Trials themselves do not provide any information as to ecosystem impacts.
Bearing in mind the timing transparency obligations, it would be very helpful to have clarity on when such quantitative testing of ecosystem impact might take place, to allow stakeholder engagement as to metrics.
8.d. impact on user experience, including the relevance of advertising, transparency over how
Personal Data is used for advertising purposes, and user control;
In respect of the impact on user experience and transparency, the Report contains a few references as per below.
- In The Report Google stated that: “As part of its commitments to the Competition and Markets Authority, Google has agreed to publicly provide quarterly reports on the stakeholder engagement process for its Privacy Sandbox proposals (see paragraphs 12 and 17(c)(ii) of the Commitments). These Privacy Sandbox feedback summary repos are generated by aggregating feedback received by Chrome from the various sources as listed in the feedback overview, including but not limited to: GitHub Issues, the feedback form made available on privacysandbox.com, meetings with industry stakeholders, and web standards forums. Chrome welcomes the feedback received from the ecosystem and is actively exploring ways to integrate learnings into design decisions.”
- In respect of FLEDGE, the Report states that “concerns have been raised about the potential impact of computationally-intensive bidders in the FLEDGE auction”. The Report goes on to say that: “Chrome is in active discussions with developers about the potential impact on site performance. Chrome welcomes the opportunity to learn more during testing.”
- However, there are inconsistencies between the Commitments and the Report as there is nothing in the Report to say how the Commitments are being complied in such manner that concerns would not arise. This actually leads to a technical breach of the Commitments as Google has mentioned ongoing testing in the Report but it is not clear whether it agreed the quantitative testing frameworks with the CMA. According to paragraph 17 of the Commitments, Google should have involved the CMA in developing the parameters for testing of the Privacy Sandbox Proposals.
- In respect of Testing FLEDGE with other features, there have been concerns regarding when and how will testing with other features (k-anonymity server, key-value servers, etc) take place. The Report goes on to say that “Chrome is intentionally rolling out features in phases for our initial origin trials to make testing easier. Chrome recognizes that providing clarity on timeline for other features is important and will clarify when possible.”
- By stating that Google will provide clarify “when possible”, Google is not using concrete language to enable the relevant stakeholders to engage with the relevant testing process and therefore this is not in line with the transparency requirement contained in paragraph 11 of the Commitments, which requires publication of material timing issues in addition to the quarterly reports.
- In respect of User-Agent Reduction / User-Agent Client Hints, concerns were acknowledged in the Report as follows: “Having as much information as possible is important when debugging certain types of attacks, including Denial of Service. Losing some info from the UA string may pose challenges.” In response, the Report says that: “Chrome is in discussions and evaluating ways to maintain privacy while providing sufficient information that will be useful for debugging.”
- Once again, the Report is not clear on what the reasoned basis for resolution of the discussions are, and how they comply with the Commitments. Indeed, this lack of transparency itself raises concerns
Regarding User Agent Reduction, the Report states that “There are concerns about the latency of getting hints via Critical-CH (on the first page load).” In response Google stated that “Chrome is investigating ways to improve performance.”
Nevertheless, there are no details in the Report on how Google is investigating how to improve performance.
This needs urgent clarification: the quantitative testing should be agreed with the CMA (Para 17(c)(ii)) – especially as it affects bidding on adverts, a major competitive metric. Yet testing appears to have been going on regardless. There is an obvious explanation for this: test first, so that the CMA does not get visibility into any adverse test results.
Moreover, the report shows that Google accepts that there is a latency issue yet has continued to deprecate the User Agent string. This is not in line with the Commitments as it creates an anticompetitive impact (increased latency harming ad bidding) and thus harms rivals, who have no clear information on latency equivalency, while not stating an objective and nondiscriminatory standard for the asserted privacy improvement, which remains undefined. Google speaks of “fingerprints” (although using User Agent string data is hardly a crime).
If there is a concern, this needs objective and non-discriminatory definition as the reason for proceeding in this way (this being the reasoned response para 12 requires). It should not simply be asserted, to ensure that rivals can also comply with the concern.
Google clearly knows about the latency point, despite the odd and contradictory statement that there is no change to information noted above: why else is the point being tested? Google should leave the User Agent string unchanged until the latency impact point is addressed. It is not clear how the determination of this matter to the contrary is a reasonable resolution of the expressed concern, and the report simply asserts an ability to act.
As concerns User Agent Reduction, the Report acknowledges concerns “about values of specific hint”. In response, Google states that “Sec-CH-UA-Model is the same as in the UserAgent string. Chrome will try to make this more clear in future documentation.”
By saying that it will “try” to clarify matters in respect of User Agent reduction, Google does not seem to be in line with its obligations regarding transparency in the Commitments. It would be much more helpful for Google to publish clarifying information on the internet, as agreed in paragraph 12. Furthermore, by potentially maintaining the uncertainty, the process of engaging key stakeholders in the proposed changes is being made even more difficult.
As concerns the User-Agent Client Hints, the Report identifies “Concerns around prescriptive nature of UA-CH”. In response Google states that “Chrome sees the prescriptive nature of UACH headers as an important improvement over the flexibility of the UA string, both from the point of view of eventual cross-browser interoperability and user privacy protection (by preventing arbitrary additions of high-entropy identifiers). However, the issue remains open in case others also share this concern and would like to provide feedback.”
Regarding this point, it seems that instead of taking corrective action to address the concerns and further engaging with the stakeholders to eliminate the concerns, Google prefers to “leave the issue open”, without trying to solve it. Again, important metrics are not defined (e.g., how is so-called “entropy” a concern within the meaning of the Commitments, which speak instead of privacy? How is this relationship between “entropy” and privacy to be defined, so that rivals can comply on a non-discriminatory basis?).
In respect of First Pay Sets, the Report mentions that “A dynamic design (as opposed to a static list) might be more prone to false assertions of common ownership, and page load latency/failures.” As a reply to this concern, Google mentions that “Chrome is currently pursuing the static list approach; and will keep this feedback in mind if the signed assertions approach is re-evaluated in the future.”
Regarding Trust Token API, the Report identifies concerns “about long-term viability of any form of cross site data propagation, albeit a low amount of entropy (~2.5 bits)”. In response, Google mentions that “Given the robust user protections to avoid unique user identifiability Chrome believes there is a good case for ecosystem acceptance. Chrome is working closely with key stakeholders to ensure long term viability.”
Nevertheless, there is no transparency regarding who the key stakeholders are or what exactly Google is doing in this respect. The statement of the concern is also curious from the perspective of the Commitments: “a good case for ecosystem acceptance”, but why exactly? The only reason given is an (asserted) privacy concern (user identifiability) but the risk factors for this are not defined; moreover, and more significantly, there is no reference to other Commitments which the Commitments require to be weighed. It might be said that this type of technology forcing without regard to balance between the Commitments is precisely what Google has agreed not to do. This sounds like Google simply pushing a Trust Token definition onto the ecosystem; indeed, the phrase “ensure long term viability” is revealing. Is Google pushing this onto others to “ensure long term viability?” If the technology were indeed so
positive, that would be a given.
Based on the above paragraphs, it can be strongly argued that the Report addresses neither the impact on user experience nor the transparency requirement. What the Report does in respect of the obligations imposed under section 8.d. of the Commitments is to use vague language that acknowledges the existing concerns and to promise to “keep in mind” such concerns. However, the purpose of the Commitments is not to enable Google to “keep in mind” the existing competition concerns, but to prevent competition concerns from arising during the period between now and the Third Party Cookie Standstill (paragraph 2211) such that the next generation of privacy technology will not undermine competition. This needs to be shown affirmatively: how, exactly, have the Commitments been weighed up when reasonable points have been made? The Report provides only the sound of silence on this important point.
8.e. technical feasibility, complexity and cost involved in Google designing, developing and
implementing the Privacy Sandbox.
As concerns the testing of the technical feasibility of the Privacy Sandbox Proposals, the language of the Report demonstrates further inadequacy. For example, in respect of Topics, the Report states that: “Noise is an important method for protecting user-privacy, and the noise levels versus usefulness of topics will be explored through testing.” This testing should be agreed with the CMA. Moreover, the “noise” point is simply a rerun of the FLOC issue with the “95% as effective” claim.12 Google has cast the point as a static analysis of how effective a Google product, or Google architecture, running on Chrome is.
This is not the relevant issue. The issue is whether rivals get access to data inputs they currently have to allow future competition, including unforeseen innovative uses. It is unfortunate that Google has inserted the snide remark that Origin Trials are misunderstood by others, since this is precisely Google’s (now repeated) misunderstanding: an Origin Trial of a particular API cannot tell the CMA, or the market, anything about possible future uses that depend on data streams that are not in the API. There is no static analysis that can tell the industry what level of degradation or “noise” is acceptable, as this can only ever read on currently cognisable use. Therefore, any harm to innovation (perhaps the concern here above all others) cannot be addressed through a static Origin Trial, as opposed to analysis of the data flows themselves. Indeed, it would be illegal for companies to tell Google how effective their competing products are in such a Trial. It remains unclear how these Trials are supposed to provide information on competitive constraint, and in any event, the report does not provide any such information.
The same language is used in respect of FLEDGE: “Chrome is in active discussions with developers about the potential impact on site performance. Chrome welcomes the opportunity to learn more during testing.” Additionally, as regards CHIPS “Chrome is actively exploring how to facilitate testing environments that would allow for such tests to occur.” According to paragraph 17 of the Commitments, Google is required to involve the CMA in this process, but it is not clear whether it has done so.
Based on the above, it can be seen that Google has not respected its obligations contained in section 8.e of the Commitments in respect of performing the analysis and assessment of the impact of the technical feasibility of the Privacy Sandbox Proposals. What the Report merely does in respect of the testing requirements is to acknowledge that Google is simply considering what type of testing needs to be done and the testing that has been done is not finalised.
Finally, the report appears to have been signed by the wrong party: It is supposed to be signed by the CEO or a designate (Annex 2). There is no information on how a compliance manager has been designated rather than a more senior board representative as contemplated in the Commitments. There is thus no link back to someone responsible under securities law. The point of this certification being framed in that way is to be able to sue under UK and US investor protection law, to ensure robustness in the package in the eyes of the market. This only works if there is a clear paper trial to a board member. Google should be asked to provide a clear paper trail from the board to Mr DuPree with a specific board member publicly confirming that Mr DuPree’s representations are correct and made on behalf of the listed company.
Furthermore, it is puzzling that this is treated as a “compliance” concern only, when issues of legal principle (competition vs privacy) are still necessarily involved as the product designs are not yet complete; nor will they be for some time. This may suggest a tick-box approach, whereas
Commitments-based regulation was agreed.
In essence, the Report is just an update on the processes that are being considered by Google in respect of implementing the Privacy Sandbox Proposals. Furthermore, the language used in the Report is rather vague and does not provide concrete details in respect of the impact of the Privacy Sandbox Proposals on the market and on Google’s competitors. What the Report should have demonstrated was the impact on the four areas mentioned in Article 8 of the Commitments, with specific details on arguments and how they were weighed on a reasoned basis, as required in Paragraph 12. However, Google has not provided any such information. Consequently, the CMA should consider the shortfalls very seriously and take appropriate action. A set of questionnaires expanding on how exactly the reasons provided comply with the development Commitments, and addressing areas where there appears to be tension between this Report and the agreed Commitments obligations, would be a very logical next step.
Header image courtesy of Scott Graham via Unsplash (Licensed for free use under the Unsplash License)
Endnotes
132.a. Google will: a. provide the CMA with quarterly reports within three Working Days of the end of each three-calendar-month period following the Effective Date about: progress on the Privacy Sandbox proposals; updated timing expectations; substantive explanations of how Google has taken into account observations made by the CMA and by third parties pursuant to paragraphs 12 and 17(c)(ii) of these Commitments; and a summary of the interactions between the CMA and Google pursuant to paragraphs 17 and 21 of these Commitments, including in particular a record of any concerns raised or comments made by the CMA and the approach retained for addressing such concerns or comments pursuant to paragraphs 17(a)(ii) and 21. The quarterly reports will include a signed Compliance Statement in respect of paragraphs 25-27, 30-31 and, with respect to those provisions, paragraph 33 of these Commitments. The Compliance Statement will be signed by the CEO (or an individual with delegated authority) on behalf of each company giving the Commitments and will be in the form included in Annex 2 to these Commitments;
2 Case 50972 ‐ Privacy Sandbox Google Commitments Offer 4 February 2022
3 12. Google will publish on a dedicated microsite a process for stakeholder engagement in relation to the details of the design, development and implementation of the Privacy Sandbox proposals and report on that process publicly, as well as to the CMA through the quarterly reports described in paragraph 32(a) below. As part of that process, Google will take into consideration reasonable views and suggestions expressed to it by publishers, advertisers and ad tech providers, including (but not limited to) those expressed in the W3C or any other fora, in relation to the Privacy Sandbox proposals, including testing, in order to better apply the Development and Implementation Criteria in the design, development and implementation of the Privacy Sandbox proposals.
4 c. Testing. During the period from acceptance of these Commitments until the Removal of Third-Party Cookies, Google will seek to agree with the CMA parameters and other aspects2 which are material for the design of any significant tests for evaluating the effectiveness of the Alternative Technologies, and of other Privacy Sandbox proposals at Annex 1 that are amenable to Quantitative Testing, according to the Development and Implementation Criteria. Such testing will be carried out on the following basis: ii. Google will involve the CMA in the design of such tests of Alternative Technologies and of other Privacy Sandbox proposals at Annex 1 that are amenable to Quantitative Testing, and will share with the CMA the results of such tests and, to the extent necessary for the CMA to understand and evaluate the results, explanations of the data used and underlying analyses as well as, on request and where practicable, relevant analyses retained in Google’s systems for the purpose of the experiment results. Google will work with the CMA to enable the CMA to understand and have confidence in the results. Google will take into account reasonable views and suggestions expressed by stakeholders in relation to the testing of the Privacy Sandbox proposals, in accordance with paragraph 12.
5 Privacy Sandbox Progress Report Prepared for the CMA, 16 May 2022
6 Google will publicly disclose the timing of the key Privacy Sandbox proposals as set out in Annex 1. Google will also publicly update the information provided for in Annex 1 as timings change or become more certain. Such disclosures may be made in particular within the blink-dev discussion group, within the W3C, within any other fora and/or in a blog post, a dedicated microsite or equally prominently. Such disclosures will aim to enable publishers, advertisers and ad tech providers to influence the Privacy Sandbox and to adjust their business models, including by providing sufficient advance notice of the proposals and publishing key information. Google will use its best endeavours to ensure that blog posts and Privacy Sandbox microsite updates relating to origin trials for, the timing of, and any key changes to, the Privacy Sandbox proposals as set out in Annex 1 will contain an express reference to these Commitments and a brief explanation of the involvement of, and regulatory oversight provided by, the CMA in consultation with the ICO. Google will provide a single webpage from which all such disclosures can be accessed.
7 See, for example, GDPR Validated Sets where Google has continued to progress First Party Sets rather than apply a non-discriminatory definition.
9 21. During the standstill period, the CMA may notify Google that competition law concerns remain such that the Purpose of the Commitments will not be achieved. Google will work with the CMA without delay to seek to resolve concerns raised and address comments
made by the CMA with a view to achieving the Purpose of the Commitments. Google will inform the CMA of how it has responded to those comments.
10 8. Google will design, implement and evaluate the Privacy Sandbox proposals by taking into account the following factors (the “Development and Implementation Criteria”), which will inform the answer to the question of whether or not the Purpose of the Commitments has been achieved. The Development and Implementation Criteria are:
a. impact on privacy outcomes and compliance with data protection Commitments as set out in the Applicable Data Protection Legislation;
b. impact on competition in digital advertising and in particular the risk of distortion to competition between Google and other market participants;
c. impact on publishers (including in particular the ability of publishers to generate revenue from advertising inventory) and advertisers (including in particular the ability of advertisers to obtain cost-effective advertising);
d. impact on user experience, including the relevance of advertising, transparency over how Personal Data is used for advertising purposes, and user control; and e. technical feasibility, complexity and cost involved in Google designing, developing and implementing the Privacy Sandbox.
11 22. If Google and the CMA do not resolve those competition law concerns during the standstill period referred to in paragraph 19 above, the CMA may take action pursuant and subject to section 31B(4)(a) of the Act. In such circumstances the CMA will have reasonable grounds for believing that there has been a material change of circumstances since the Commitments were accepted.