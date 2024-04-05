



Analysis Inspired by Google's Privacy Sandbox advertising innovation initiative, Microsoft last month announced plans for a “privacy-preserving” mechanism to serve interest-based ads in its Edge browser.

Microsoft says the Ad Selection API is similar to Google's Protected Audience API and provides a way to serve targeted ads through an auction process without the privacy issues associated with third-party cookies. The purpose is that. The software giant's plans have not yet been implemented, but ad blocking software vendor AdGuard has already said it will block the API due to privacy concerns.

HTTP cookies are files that web applications save in your browser to maintain state (such as whether you are logged in and your preferences) and perform other functions (necessary and non-essential). The website may also allow third parties to set her cookies. Cookies have traditionally been used to track users online, help deliver targeted advertising, and analyze user behavior.

We should believe that the mere fact that user data is encrypted eliminates the possibility of unauthorized access.

Third-party cookies reduce or negate privacy by allowing us to track people online and create profiles of their interests and activities. They are becoming increasingly obsolete thanks to privacy regulations in Europe and some states such as California. Google's Chrome browser will drop support for third-party cookies later this year, and privacy-focused browsers like Brave, Firefox, and Safari already block third-party cookies by default.

Don't expect cookies to crumble like this.

To prepare for the end of third-party cookies, which marks the end of the current era of advertising technology, Google has launched Privacy Sand, a suite of ad-related technologies that aims to provide the functionality of third-party cookies without protecting your privacy. I invented a box. problem. The extent to which that is possible is still being assessed by browser tests and the UK's Competition and Markets Authority, and Google has made a series of commitments aimed at ensuring market competition.

Microsoft has already used Google's open source Chromium project as the basis for its Edge browser, and it also likes the idea of ​​privacy-preserving targeted advertising.

“The Ad Selection API is a browser platform feature that allows advertisers and publishers to serve more relevant ads to users without relying on third-party cookies or other cross-site tracking identifiers,” Redmond said last month. He explained. Microsoft said the Ad Selection API will be available for testing in late 2024.

AdGuard CTO Andrey Meshkov said in a note to The Register that Microsoft's Ad Selection API and Google's Protected Audience API are similar apart from a few minor differences.

“However, one notable difference is that Google leaves two options for where to place ad auctions: in the Trusted Execution Environment (TEE) or on the device, whereas Microsoft only runs ad auctions within the TEE. That means we want to do it,” Meshkov said.

An ad auction run on TEE should theoretically be inaccessible to the host machine. Data is processed in memory through an encrypted process, so participants do not have access to the details of the users to whom their ads are served.

Meshkov said Microsoft's decision not to turn the browser itself into an ad network is a step in the right direction. But he questions Microsoft's assumptions about the impenetrability of TEEs and the trustworthiness of the ad tech companies running these auctions.

“The mere fact that user data is encrypted eliminates the possibility of unauthorized access, and we should believe that the TEE is a secure environment that no one can penetrate,” he said, adding that such a complex system expressed skepticism as to whether it would work properly. Gate.

Meshkov said AdGuard already blocks Google's Protected Audience API for users who have anti-tracking filters enabled. And his Ad Selection API from Microsoft is similar, so once it's implemented in Edge, “we'll start blocking it as well,” he said.

“Microsoft's Ad Selection API is bad for the web for many of the same reasons as Google's Protected Audiences API. Both systems are extremely complex and difficult for users to understand,” said a principal at Brave Software. privacy researcher Peter Snyder told The Register.

“Both systems require enormous amounts of computing power to perform the simple task of display advertising (although both systems require significant amounts of computing power, whether that energy is spent on the user's device or on a central server). (different systems). Also, both systems require browsers with large installed bases to provide any functionality; they require meaningful “targeting” in the first place and focus on a few dominant browsers. will further centralize the web. ”

Snyder also expressed skepticism about the reliability of trusted execution environments.

“Despite its name, TEE does not automatically protect user data,” he explained. “First, TEE does not guarantee that the code it runs is privacy-protecting. You still have to trust , which is no small thing considering how poorly advertising companies (including Google and Microsoft) have handled user data in the past.

“Second, by the same token, TEE does not provide protection against unexpected malicious code, such as supply chain attacks (see the recent The moment it's leaked, the user's privacy is at risk. Using TEE doesn't change that fact, it obscures it.”

He argues that Microsoft's Ad Selection API and Google's Protected Audience API rely on complex systems that put users at risk.

“These systems are advertising 'to' the user, not 'for' the user,” he argues, arguing that traditional contextual advertising and new systems are simpler, safer and more secure. He added that it's great for the web.

