"Web Environment Integrity": Locking Down the Web
Brave strongly opposes Google's "Web Environment Integrity" proposal, the latest in Google's efforts to prevent users from being in control of how they use the Web.
Read this article →By the Brave Web Standards Team
By Peter Snyder, Sr. Director of Privacy
Update (June 2, 2022): First Party Sets has been removed as a work item from the W3C’s Privacy Community Group (PrivacyCG). Because of privacy concerns like those described in this blog post (among other concerns), a majority of the browser vendors in PrivacyCG did not see a way First-Party Sets could be standardized and implemented in a privacy-respecting way. We’re grateful to the Chairs and members of PrivacyCG who also recognized that First-Party Sets would harm privacy on the Web. We’re excited to continue working with PrivacyCG on new, upcoming proposals that will actually improve privacy.
Begin original post:
Google is proposing a feature called “First-Party Sets,” which would have browsers reduce privacy barriers between sites. This is both alarming and harmful. The Web is slowly, after much time (and harm), converging on the “site” as the privacy boundary for the Web. First-Party Sets would undo this boundary, just as browsers, researchers, and privacy activists are delivering on this progress.
First-Party Sets would allow multiple sites to declare themselves as effectively the same site; the browser would allow these sites to communicate with each other (including tracking users) as if they were the same site. The privacy harm from this is obvious: it would allow companies to automatically track you across sites, and without proper notification or consent.
If First-Party Sets becomes widely adopted in Google Chrome, it will become harder for user-respecting browsers to protect their users’ privacy. Chrome’s market dominance means that, over time, other browsers will likely have to implement more and more of First-Party Sets to maintain compatibility with the Web. Brave urges anyone with an interest in Web privacy to oppose Google’s proposal.
First-Party Sets constitute a radical change in how privacy is handled on the Web. First-Party Sets will allow more sites to track more of your behavior on the Web, and make it more difficult for users to predict how their information will be shared.
Today, most browsers use—or plan to use—the site as the privacy boundary on the Web. This emerging consensus is the collective result of years of work from academics, engineers, and privacy activists. Effectively, a site (and trackers on that site) should not be able to learn what you do on other sites. Enforcing boundaries between sites gives users better control over who can learn about their interests and behaviors. Such predictable, easily-understood privacy boundaries are a necessary (if incomplete) piece of building a privacy-protecting Web.
First-Party Sets would break this site-as-boundary policy—it would allow companies to weaken privacy protections between the sites they operate. Companies could declare all sites they control to be in the same First-Party Set. Browsers would then read these declarations and drop privacy protections between sites in the same set, allowing a user to be reidentified and tracked from site to site.
For example, Meta might declare that facebook.com, instagram.com, and whatsapp.com are in the same First-Party Set, and thus be able to link user behaviors across all three sites. This would be in spite of the fact that many users intentionally maintain different and unlinked profiles across all three services.
Similarly, Google could enable tracking across many of its properties, both those popularly associated with its parent company, Alphabet (such as google.com, googlemail.com, and youtube.com), and less commonly known sites that users may have no idea are associated with Google (such as blogger.com, crashlytics.com, and admob.com). First-Party Sets would allow one site to track you across all of these sites, even when you haven’t logged into them or created a profile with them.
Worse still, users would have no say in this decision: the sites would decide their own privacy boundaries, in a way that’s opaque to users and ignores their needs and concerns.
In short, First-Party Sets would shift Web privacy from something users can control to something websites control. Users wouldn’t even have a chance to make decisions about their privacy until after the harm is already done.
At heart, Web users need to know with whom they’re interacting so they can make informed privacy decisions. This is already a difficult problem; First-Party Sets would make it effectively impossible to have informed consent. The individual site is the main, atomic entity we expect users to understand and make decisions around.
The importance of the trustworthiness of the site is reflected in browsers’ UI—all major browsers give the origin site special treatment in the address bar or “omnibox”. It’s also reflected in the general Web security advice that users broadly understand as best-practice (for example, users understand they should protect themselves from being phished by checking they’re really on the site they think they are).
Anything that weakens or obscures the only information users have to base privacy and security decisions on should be unacceptable. First-Party Sets intentionally and unambiguously introduces this confusion.
Cynically, Google is promoting First-Party Sets as a privacy feature. They’re proposing the feature for standardization in PrivacyCG, the W3C group focused on designing new features to improve privacy. This is despite the fact that First-Party Sets would weaken privacy protections already in many current browsers (including Brave), and the privacy protections planned by others.
Google argues that First-Party Sets will improve privacy because it would allow Google to finally block third-party cookies. This is Google measuring itself by its own yardstick. Other browsers have blocked third-party cookies for years, and they’ve done so in a way that doesn’t require the kind of user-confusion at the root of First-Party Sets.
The simple fact is that First-Party Sets isn’t a privacy feature; the main goal of “First Party Sets” is to ensure companies can continue to identify and track people across sites in exactly the way that blocking third-party cookies is intended to prevent.
First-Party Sets is yet another example of Google cynically claiming to improve user privacy, when in fact pushing proposals that serve Google first, sites second, and users a distant third (if at all). First-Party Sets is one of many such user-harming Privacy Sandbox proposals, some of which are alarmingly already shipping in Chrome: Topics API broadcasts your personal interests to websites. Web Bundles will make it more difficult to control the content you load and see. FLEDGE both further promotes centralization on the Web, and would have users do data and battery draining work on behalf of advertisers, etc.
Privacy Sandbox is full of Trojan horses, promising a “finally” private Web in Chrome, but guaranteed to limit progress on Web privacy just as privacy is gaining some long-overdue momentum. Web users, activists, and advocates should push back against Google, by choosing actually privacy-preserving browsers like Brave and by getting involved in standards discussions.
Brave strongly opposes Google's "Web Environment Integrity" proposal, the latest in Google's efforts to prevent users from being in control of how they use the Web.
Read this article →The UK CMA (along with other regulators and web activists) are largely evaluating Google’s Privacy Sandbox as an isolated, independent set of features. Evaluations that fail to consider how Privacy Sandbox will interact with other upcoming Google proposals will miss how radical and harmful Privacy Sandbox will be to the Web in practice. This piece presents how Privacy Sandbox, when considered with other upcoming Chrome features, will harm user choice, privacy, and competition on the Web.
Read this article →The Topics API does not address the core harmfulness of FLoC: that it’s arrogant and dangerous for Google to be the arbiter of what users consider “sensitive” data.
Read this article →