But this rigid, self-serving “cross-site” definition allowed Google to conveniently sidestep any nuanced discussion about data collection, use or sharing that might impact its core business.
The hypocrisy was obvious in one of the earliest Sandbox proposals: “Related Website Sets,” which allows cross-site tracking for sites owned by a single company (read: Google). In other words, “it’s only a privacy violation when other people do it.”
This impoverished, binary definition of privacy led directly to the series of convoluted Sandbox proposals that were never adequate in either capability or performance. Topics and the Protected Audiences API were doomed from the start, burdened with the impossible mission of supporting usefully targeted advertising while allowing zero cross-site tracking.
Unintended consequences
Google’s absolutist stance has driven many in the industry toward potentially even less privacy-friendly alternatives, like identifiers based on nonresettable personal identifiers such as physical addresses or phone numbers. It also created a climate of hopelessness for the web that accelerated the flow of ad dollars into a monoculture of gigantic walled gardens (like YouTube) that may collect and exploit even more comprehensive user data.
Now, four years in, Google has produced little except unusable, unfixable APIs and a track record of monopolistic bullying that has made Google the target of multiple antitrust prosecutions in the U.S. and a showstopping intervention from the U.K.’s Competition and Markets Authority.
And I will personally try not to think too much about the thousands of hours wasted by those of us gullible enough to believe Google would at least eventually follow through on its stated plans.
The way forward
It is now clear that the Emperor of the Web has no clothes. Google has essentially admitted that the Privacy Sandbox’s flaws run too deep to salvage.
To be clear: The public-facing Privacy Sandbox work has been conducted by smart, well-intentioned individuals whom I like and respect. This outcome isn’t their fault—the blame lies squarely with Google’s executive leadership, who (whether cynically or naively) ordered an impossible mission. But now, because of them, everybody loses.
It should be clear to all that the Wild West era of third-party cookies (and the too often abusive data-sharing they enable) must come to an end. But now, instead, it will limp onward in undeath. Google will retreat into its castle, and nothing will improve for consumers.
Privacy is a hard problem but not an insolvable one—it boils down to treating users with care and respect. It’s time to collectively concede that self-regulation can’t and won’t succeed, and the only way forward is a true multistakeholder initiative led by regulators with binding authority over gatekeeper web platforms.