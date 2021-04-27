



Google Chrome recently announced that it will replace the use of third-party cookies with cohort-based advertising. This paradigm shift creates a great deal of legal uncertainty, but can be a fake blessing to facilitate the EU’s approach to data governance.

Cookies and cohorts

Last year, Google announced its vision for a privacy-first future for web advertising. By 2022, the tech giant will abandon all third-party cookies on Chrome. Instead, Google introduces the so-called Federated Learning of Cohorts (FLoC). In essence, FLoC aims to replace the current system of individual identifiers with an algorithm (associative learning) that places users into groups (cohorts) based on browsing history. For example, users may be placed in a cohort of law students and tech enthusiasts based on their behavioral similarities online. Therefore, the algorithm collects data about user browsing habits (URLs visited, content on these sites, etc.) and then clusters groups of mutually interested users into a cohort. Each cohort is assigned a so-called cohort ID and consists of thousands of individual browsers.

Therefore, Chrome will continue to track your online activity, but that data will remain on your device. Only the AI ​​used to classify someone into a particular FLoC will be disclosed to advertisers, not the individual browsing behavior itself. No specific user ID is shared, but it does reveal which cohort the browser belongs to. In addition, the cohort should guarantee a level of k-anonymity. That’s why Google has branded its FLoC data conversion program as a privacy protection. In addition, it should be recognized that FLoC is limited to identifying individual Chrome browsers as other major players (Firefox, Vivaldi, Brave, Edge, etc.) have abandoned their implementation of the cohort-based datafiction model. there is.

Privacy without design

Today, FLoC has been tested and is said to be successful among many users in countries such as India and the United States. However, due to privacy and data protection concerns, Google has not yet tested it in the European Union. A significant concern is related to Google’s decision to automatically enroll the website in the FLoC trial. The manual sign-up system may have triggered the consent flow in the EU, but the current method violates the principle of consent as a legal basis (GDPR Article 7 and Electronic Privacy Directive Article 5). .. In addition, there remains legal uncertainty as to which entities act as data processors and administrators in establishing the cohort. Therefore, Google does not seem to give enough weight to privacy by design when creating a privacy sandbox. This is a bit ironic.

Sundi black box

About this Privacy Sandbox Sandbox is a new collection of Google’s privacy-enhancing technologies, including FLoC. Replacing user IDs with an anonymous cohort is clearly expected to enhance personal privacy. Still, advertisers can only get this anonymized cohort data, but Google retains access to both the raw user data stored in the browser’s cache and the history of the cohort to which the user belongs. .. So while FLoC does seem to protect personal privacy, it’s not very protected from Google.

In addition, Google’s sandbox is currently being investigated by the UK’s Competition and Markets Authority (CMA). The CMA argues that abandoning third-party cookies could prevent the cohort system from free competition, as various advertising networks will go out of business. In addition, Google was undoubtedly able to twist the FLoC algorithm for their own financial gain. This opacity is expected to increase Google’s dominant position in digital advertising and could strengthen its role as both a referee and a player in the industry.

This mysterious ambiguity about Google’s algorithmic decision-making and its exact role in the new advertising market can (intentionally) disrupt regulation. From this perspective, Google’s privacy-protected sandbox seems to be characteristic of a sand-covered black box.

Fingerprint and discrimination

Another concern is the fingerprint issue. A method of collecting individual information from a user’s browser and generating a unique identifier for that browser. Therefore, the more different your browser activity is from other browsers, the easier it will be to fingerprint. From this perspective, Google guarantees anonymity because the cohort consists of at least thousands of users. Therefore, the cohort ID itself is not sufficient for fingerprinting. This ID correlates with thousands of individual browsers. However, on the contrary, trackers targeting a particular cohort need to distinguish their browsers from just thousands of other browsers, not millions, as in the current third-party cookie model.

Google has endeavored to resolve this particular fingerprint risk within the scope of its privacy budget plan. However, this plan is an early suggestion for not implementing a browser, while FLoC testing has already begun. In addition, observers claim that Google has promised not to create cohorts based on sensitive categories (such as sexuality or race) to prevent discriminatory advertising.

Dataization and co-operatives

EU GDPR-related concerns may postpone its implementation, but cohort-based advertising should replace third-party cookies sooner rather than later. With the creation of FLoC, Google seems to be moving from individual-based datafiction to group-oriented profiling. It remains to be seen how this paradigm shift will resonate with the GDPR’s individualistic (data-based) story. For example, it is still unclear how data subject consent is guaranteed in the post-third-party cookie era.

You may need to rely on the EU’s Data Governance Act (DGA) to resolve this discrepancy. DGA Recitals 23 and 24 emphasize that data mediators may play an important role in assisting individuals in exercising their rights under the GDPR. In this regard, data co-operatives have the potential to enable a decentralized data governance model, although it is still in its infancy. As a major stakeholder in co-operatives, data subjects can voluntarily collect data and establish a common pool for mutual benefit. By managing the rights of an individual’s data, these co-operatives can very well protect the individual from submitting to the extraction logic of digital capitalism. Therefore, in the context of FLoC, co-operatives can serve the interests of all subjects belonging to a particular cohort. It can be argued that, if sufficiently transparent and credible, these co-operatives will irrefutably enhance an individual’s position in the data market. Therefore, a cohort-based collaborative model of data governance could be the EU’s best answer to Google’s data shift.

Conclusion

Google’s cohort-based advertising system raises new legal concerns. In this blog post, I briefly touched on some concerns about fingerprint authentication, discriminatory advertising, competition law, privacy and data protection. However, this data paradigm shift could also trigger the EU to take data governance legislation seriously. Cohort-based dataization may require a new collaborative model of distributed data governance. In this sense, Google’s sand black box is very likely an opportunity for disguise.

This article represents the author's view and does not represent the position of CiTiP or the University of Leuven.

Dieter holds a Master of Laws degree from KU Ruben. In addition, he recently completed a joint program, LLM, at the University of Amsterdam (Autumn Semester) and Columbia Law School (Spring Semester). Given this professional LLM degree, he conducted interdisciplinary research primarily in the field of international (criminal) law. In addition, he holds an introductory certificate in media economics from Solvay Business School and SMIT. Dieter works as a part-time researcher at CiTiP and is currently involved in the Safe-DEED project. In addition, he is simultaneously pursuing the LLM of IT / IP law at KU Leuven (Brussels campus).

