Google Chrome proceeds to deliver targeted ads based on your browser history
Google is gradually rolling out Enhanced Ad Privacy in Chrome. This is technology that, unless turned off, allows websites to target the user with advertisements tailored to their online activities and interests based on their browser history.
A popup announcing this functionality has been appearing for some people since the July release of Chrome 115, which included support for Google’s Topics API, part of the tech giant’s Privacy Sandbox project.
It seems that more and more people are now seeing this popup, as those who aren’t keen on Chrome extracting their browsing histories to support Google’s ad revenue have spoken out. We understand that a small percentage of Chrome users are pulled into the Topics API system at a time, so you may not have been shown the popup or alerted yet. How The Chocolate Factory asks you to consent to or accept ad targeting depends on where you live, or rather the laws of where you live.
Next year, Google aims to drop support for third-party cookies, which store browser data used by advertising companies for tracking and analytics — frequently at the expense of user privacy. The US giant has developed a variety of alternative technologies, such as the Topics API, that will allow ad targeting to continue without cookie-based tracking and, allegedly, without privacy consequences.
Topics basically works like this: Instead of using cookies to track people across the web and learn their interests from the sites they visit and the apps they use, websites can ask Chrome directly, via the Topics JavaScript API, what kinds of things the user is interested in, and then display ads based on that. Chrome selects these topics of interest by studying the user’s browser history.
So, if you visit a lot of financial websites, “investing” might be one of the topics Chrome selects for you. If a site you visit queries the Topics API, it may learn of this interest from Chrome and decide to serve you an advertisement for bonds or pension funds. It also means that websites can fetch your online interests right from your browser.
Some people who have been notified of the new system complain that it is a dark pattern — a term Google employees consider unfairly provocative — where Chrome users may think they are accepting or enabling “enhanced” privacy from ads when in fact the Topics API is already enabled, will remain enabled, and must be disabled in the browser settings. This means that the popup is a notification that you have been opted in, with a small link to your settings to disable the technology if you wish.
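A simplified model of the behaviour described above, as an added example that is not Chrome's code or part of the original article. It goes beyond the article by drawing on the public Topics design (weekly epochs, a top five, and the rule that a caller only receives topics it has itself observed); the classifier table, hostnames and ad-tech callers are constructed.

```javascript
// Simplified model of Topics selection for one epoch (one week of history).
// Added example, not Chrome's code: the classifier table, hostnames and
// ad-tech callers are constructed. Chrome itself returns at most one topic
// per epoch and sometimes a random one; this model returns every eligible
// topic so the filtering rule is visible.
const CLASSIFIER = {
  "bonds.example": "Investing",
  "pensions.example": "Investing",
  "brokerage.example": "Investing",
  "recipes.example": "Cooking",
  "football.example": "Soccer",
};

// Constructed history: each visit lists the third parties that called the API there.
const HISTORY = [
  { host: "bonds.example", callers: ["adtech-a.example"] },
  { host: "pensions.example", callers: ["adtech-a.example"] },
  { host: "brokerage.example", callers: [] },
  { host: "recipes.example", callers: ["adtech-b.example"] },
  { host: "football.example", callers: ["adtech-b.example"] },
  { host: "unclassified.example", callers: ["adtech-a.example"] },
];

// Rank topics by visit count and keep the top `limit` (five in the public design).
function topTopics(history, limit = 5) {
  const counts = new Map();
  for (const { host } of history) {
    const topic = CLASSIFIER[host];
    if (topic) counts.set(topic, (counts.get(topic) || 0) + 1);
  }
  return [...counts]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, limit)
    .map(([topic]) => topic);
}

// Topics a caller can receive: top topics it has itself observed on a visited
// site. Hostnames never leave the browser; disabled means an empty answer.
function topicsFor(caller, history, enabled = true) {
  if (!enabled) return [];
  const observed = new Set(
    history.filter((v) => v.callers.includes(caller)).map((v) => CLASSIFIER[v.host])
  );
  return topTopics(history).filter((t) => observed.has(t));
}

console.log(topicsFor("adtech-a.example", HISTORY)); // [ 'Investing' ]
```

In this model the visit to brokerage.example still counts toward the "Investing" ranking, but no caller learns the hostname, and a caller that was never present on an investing site does not receive that topic.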
Screenshot of the “Got It” variant of Chrome’s “Enhanced” ad privacy pop-up
Will Dormann, a software vulnerability analyst at the Carnegie Mellon Software Engineering Institute’s CERT Coordination Center, said last week that the Google popup provides a default “Got It” button that dismisses the popup and does “exactly the opposite of what the title text describes” – it leaves Chrome ad targeting based on browsing history active.
Note that this pop-up explicitly says, “You can make changes in Chrome settings,” and that you can turn off Topics API support using these associated controls. Otherwise, it does not change the status quo. Where third-party cookies were previously used to deliver targeted ads, Chrome users also had to take steps to disable them.
However, there is now more resistance against the standards favored by Google and other advertising companies.
Matthew Green, professor of cryptography at Johns Hopkins University in the United States, encountered the pop-up and expressed his dissatisfaction.
“I don’t want my browser to track my browsing history to help serve me ads, and I certainly don’t want my browser to share any functionality of my browsing history with every random website I visit,” he said via Twitter.
VC Paul Graham mocked ad targeting technology as spyware.
Google has given repeated reassurances that its Topics API does not allow companies to identify the people whose interests are determined by its advertising API. But some developers claim that Topics may be useful for browser fingerprinting, and both Apple and Mozilla have said they will not adopt Topics due to privacy concerns.
The Google popup seems to have regional variants in which the call to action and button labels are clearer and more consistent. One reported variant is titled “Turn On Advertising Privacy Feature” and has a button that says “Turn it on.”
Unlike the distinctive “Got it” button cited by Dormann and its unadorned companion “Settings”, which defers any decision until the linked menu loads, the “Turn it on” button in this variant is the same color as the alternate “No thanks” option and performs the action suggested by the title of the popup.
This difference reflects different legal systems. Unlike in America, where opt-out is acceptable and opt-in requirements are widely opposed by marketers, data privacy rules in the European Union are more demanding in the way data choices are presented.
So, if you see a pop-up with a “Got it” button, that means you’ve probably been opted in, depending on where you are, and you need to turn off Topics API support in your Chrome settings if you don’t like it; if you have the “Turn it on” option, you are being asked to opt in or out because you are in an area that requires it.
Depending on which version of Chrome you are using, and whether you have been selected to start using the Topics API, you can turn this functionality off and on by visiting chrome://settings/adPrivacy or chrome://settings/privacySandbox – cut and paste these URLs into your address bar to go directly to the controls.
Screenshot of Google Chrome’s Topics API settings, via chrome://settings/adPrivacy, although yours may be at chrome://settings/privacySandbox
“Users in the UK, EEA, and Switzerland who have not already opted-in to Chrome Experiences will be invited to participate in Topics and manage their participation in Measurement and Protected Audience (formerly FLEDGE),” Google explained to The Register.
“All users will have powerful controls, and can make individual choices, per API, at any time. Chrome will continue to develop user controls carefully and in consultation with regulators, and will have more to share once this initial rollout has been evaluated for a small percentage of users. All users will have robust controls, and can opt out of eligibility for trials at any time.” ®
Android Notes
Meanwhile, Android 14, which is due later this month, detaches CA certificates from the OS image so that they can be updated remotely without updating the OS.
As Tim Perry, creator of the open source HTTP Toolkit, points out in a blog post, while this is a worthwhile defense against untrustworthy CAs, its design will make life more difficult for developers and security researchers.
“Unfortunately, despite those reasonable goals, the reality of implementation has dire consequences: system CA certificates are no longer loaded from /system, and when root access is used to either directly modify or mount the new location on disk, all changes are ignored by all the apps on the device,” Perry wrote. “Uh-oh.”
The Register asked Perry for clarification, and he explained that this doesn’t mean much for alternative Android distributions like LineageOS and GrapheneOS because they can disable this feature if needed.
“This will seriously impact security and privacy researchers and reverse engineers, who all need to be able to examine traffic from third-party applications to fully understand the behavior of applications,” he said. “(It) will also cause day-to-day practical problems for many Android developers and testers who use HTTP debugging tools like HTTP Toolkit etc. with their own apps. In development, this adds a lot of friction, but it’s workable for your individual app with more complex setup work.”
Perry said the change would be a big problem for security researchers who would have to rely on alternative versions of Android that don’t have the change and that may not behave the same way. Many apps won’t run in these alternate Android versions due to safeguards like Google’s Play Integrity API.
Mobile devices are becoming increasingly closed, Perry said, and even on Linux, the restrictions on tools like Flatpak and Snap are moving toward a sandbox model inspired by phones.
“The reasons behind locking down in this way are not bad – both desktop computers and mobile phones are huge targets for attackers, and this and other similar restrictions will help protect everyday users from serious risks,” he added. “But the problem is that the security and privacy needs of researchers and developers are completely ignored. While it is important to protect devices by default, there must be practical and officially supported mechanisms for advanced users who know what they are doing to bypass these protections.”