Not So Protected Audience Demo

Instructions

  1. Visit the chrome://flags page and enable the "Privacy Sandbox Ads APIs" flags from the UI.
  2. If you are using Chrome M118+, execute Chrome from the command line and set the flag --args --disable-features=EnforcePrivacySandboxAttestations to disable attestation.
  3. If you are using Chrome M122, execute Chrome from the command line and set the flag --args --disable-features=FledgeEnforceKAnonymity to disable the k-anonymity check.
  4. Disabling attestation and the k-anonymity check can be combined into a single command: --disable-features=EnforcePrivacySandboxAttestations,FledgeEnforceKAnonymity
  5. Visit the advertiser website which will add your browser to an interest group.
  6. Visit the publisher website to see the ad rendered in a fenced frame.

You can visit chrome://settings/adPrivacy/sites to see which sites use Protected Audience API.

Explanation

The current trend in enhancing privacy is very clear, and all browsers are adhering to it. It involves a simple thing: actions that used to be performed on the server are now being moved to users' devices. Apple and Safari with their Private Click Measurement can be considered pioneers in this area.

Unlike Apple, Google decided not to move in small steps, offering alternatives for small parts of the advertising ecosystem. Instead, they are trying to offer a "local" solution, which transfers the most important thing, the mechanism of the advertising auction, directly into their browser. This solution is called Protected Audience API.

What we had before: companies used powerful "generic" mechanisms such as cookies for behavioral targeting. Generic mechanisms allow a lot and, of course, they were easy to misuse.

Structuring this and implementing a new mechanism specifically for advertising will certainly be more private than the old approach. But it is also a very powerful mechanism, so are users sufficiently protected? If you read somewhere that the mere use of Protected Audience API solves any problems and makes behavioral targeting GDPR compliant, that's not true. This demo site shows how advertisers can continue to pursue you personally and show ads based on your personal data, not on some aggregated signals like "your interests."

How the demo works

If launching the demo is too complicated for you, then the demo looks roughly like this:

1. On the advertiser's site, you enter your name. Imagine, for example, that it's a registration page on some social network website.

2. On the publisher's site, you see an advertisement that uses your name.

Does this seem private enough for you?
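
One way to check for the data flow the demo illustrates, as an added example that is not the demo's own code: a function that scans an interest-group configuration (the object passed to navigator.joinAdInterestGroup()) for values the user typed into a form. The sample config and the fields in which the name appears are constructed assumptions; the page does not show where the demo stores the name.

```javascript
// Added example, not the demo's code: find user-entered values inside an
// interest-group config before it is passed to navigator.joinAdInterestGroup().

// Walk the config and collect every string together with its field path.
function collectStrings(value, path, out) {
  if (typeof value === "string") {
    out.push({ path, text: value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      collectStrings(v, path ? `${path}.${key}` : key, out);
    }
  }
  return out;
}

// Forms a typed value can take once it is placed in JSON or a URL.
function variants(value) {
  const lower = value.toLowerCase();
  return [lower, encodeURIComponent(value).toLowerCase(), lower.replace(/ /g, "+")];
}

// Return [{ path, value }] for each field that carries a personal value.
function findPersonalData(config, personalValues) {
  const findings = [];
  for (const { path, text } of collectStrings(config, "", [])) {
    const haystack = text.toLowerCase();
    for (const value of personalValues) {
      if (value.length < 3) continue; // very short values match too much
      if (variants(value).some((v) => haystack.includes(v))) {
        findings.push({ path, value });
      }
    }
  }
  return findings;
}

// Constructed sample. Where the real demo stores the name is an assumption.
const sampleGroup = {
  owner: "https://advertiser.example",
  name: "registered-users",
  biddingLogicURL: "https://advertiser.example/bid.js",
  userBiddingSignals: { displayName: "Alice Example" },
  ads: [{ renderURL: "https://advertiser.example/ad.html?name=Alice%20Example" }],
};

console.log(findPersonalData(sampleGroup, ["Alice Example"]));
```

A site reviewer can run the same function over the argument of each joinAdInterestGroup() call observed on a page, passing the values entered into that page's forms.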