Session 2: A Deep-dive into the Privacy Sandbox APIs for Publishers
[Music] hello everyone and welome again to our privacy sandbox for publisher series this is our webinar 2 I hope you thoroughly enjoyed and you found webinar one yesterday to be incredibly informative um my name is konal guha I'm the director of privacy Partnerships for Asia Pacific I'm going to start with a very brief refresher on what we discussed during webinar one what is the Privacy sandbox it is 100% open-source and collab collative initiative where we are committed to maintaining user privacy by default through a depth of collaboration with the industry in the testing and trialing of our privacy enhancing Technologies which is a series of 20 apis it is our goal to ensure that we protect user privacy as well as enable a healthy digital ecosystem and economy we're moving away from a world that has been highly dependent on identifiers as the critical infrastructure of the internet into a future privacy first world where we are able to continue to transact at the digital economy level whilst ensuring user privacy by default through privacy preserving [Music] apis all of the apis that we have shared with you are now generally available as of August of 2023 this means that you and your businesses can already start testing trialing and implementing these apis in January of 2024 we will begin to phase out 1% of the third party cookie and then in close consultation with the CMA authorities we will begin to phase out third party cookies entirely starting Q3 of 2024 on Android stay tuned for more information from us in the New Year where we'll be able to share with you a similar road map that we will build out on the mobile ecosystem with that please allow me to introduce you to my colleague Shu who will share with you the ads apis for privacy sandbox Shu over to you hi I'm Shia Saka from the Privacy partnership teams at Google I'm B in Japan today I'll cover three main ads apas of privacy sandbox and next steps for you for the Privacy enhancing Advertising Solutions we expect that privacy sandbox will be one of the building blocks and not a stand alone Solution on its own building a more private internet requires Innovation from across the industry we expect that companies will use privacy sandbox in combination with other privacy safe signals including first party data and contextual signals now let's dive into a bit deeper the three main tier Focus apis that we are developing for Chrome and Android Publishers have two key apis to focus on in terms of the upcoming test uh test modes in q1 of 2024 add relevance via topics and protected audience apis okay I'll cover topics APA first topics provides a way to deliver privacy enhancing interest based advertising essentially the users's browser converts a person's site visitation history into high level topical interest these are available from within the browser allowing Al companies to to create or Advance third party segments to expand reach and leverage the scale of literally billions of chrome users the likely testers of or integrators of this apis will be ssps who integrate on the past topics in a bit R to dsps with topics uh users browser or Android device determines a handful of categories that represent their top interest based on the websites which will be apps in in case of Android that they frequented recently for example if a user often visits cooking sites or cooking apps on Android with vegetarian recipes Fe that use the topic API that browser or the user's device would associate that website or uh that web uh the app with certain topics such as vitaran quisine a week or two later when the user visits another participating sit or app you may be able to show them and add for for your restaurant if you're Altech provider has implemented that API so it can match that user with a revant topic topics API will not the only only one way you can reach your audiences instead topics will serve as just one of many signals that your outtech providers could offer to support interest based advertising amongst others such as as contextual information so that you can continue to drive business result in in a privacy enhancing way protected audience is Chrome's proposal to support remarketing and customer audiences some of you may know the protected audience as the the API forly known as fledge they likely test us or integrat US of this apis will be dsps and ssps who coordinate on device auctions these auctions happen without revealing the user site history to any external party let's say you own a travel website or travel app and you work with an eltech eltech partner who uses that protected audience API a user visits your website or app and checks out Beach locations for example using the protected audience API the user's browser or Android device is added to an interest group with others interested in Beach vacations as well and then later when the user visits a site or app um that uses an ADD an outtech partner who has also adapted protected audience the rather uh host and on device auction where the the outte company can choose which ad will serve based on their beat the ad relevance or other criteria if it if it wins the auction the the ad for your Beach vacation is displayed and the results are reported while the users INF stays on the on on their own device and remains private today at conval measurement often relies on third party cookies browsers are restricting access to third party cookies because these can be used to track users across site and handle user history user privacy the attribution reporting API enables those measurements in a privacy preserving way without third party quickies this API measures the effectiveness of ads when an ad is clicked or viewed that leads to a conversion the likely testers or integrators of this apis will be dsps ssps and measurement providers the APA allows the measurement of two events that are linked together for example the ability to measure user actions such as interaction where an add click or a view leads to a conversion like a purchase on Advertiser site without using cross site identifiers two main types of conversion reports um the first one is event level report uh which is more granular at event level the other type uh is aggregated or summary reports that look at information at um aggregated level plus other indicators like what may be in in the shopping cart so these types of reports are designed to be used individually but they can also be used together as they complimentary and how do we do this in a private enhancing way the event level reporting has limited data but these reports also leverage what we call Pets privacy enhancing Technologies such as differentiation privacy adding uh statistical noises and other encryption techniques with the aim to reduce the risk of risk of identity being joined across sides and just to remind the audience today uh for the advertising relevance and measurement apis we expect mainly Altech providers to integrate the the current Technologies in general availability so as a publisher what actions can you take today to have better visibility of companies participating in future test of privacy sandbox Technologies it is recommended that you review the tester list within GitHub uh for the for each of the apis in this list you can verify the role that each company has in the test as well as its planned calendar publishes the results and contact information the lists were created specifically to facilitate the coordination of test between different parties of Interest so looking ahead it is advisable to follow the following Steps step number one contact your ssps to understand in more detail their testing plans and the necessary steps to be included in their testing step number two update update your pre core to version 8.9 or higher to enable topics on protected audience apis for testing step number three depending on the SSP it will also be necessary to update your corresponding bit adapter to be able to receive beads from protected audience and then finally it is necessary to add the protected audience module to configure the different ssps so with these updates Publishers enable the use of topics as well as remarketing and audience groups through protected audience uh on the pages now as a reminder we've also rolled out the new ad privacy controls in Chrome that allow people to customize what ad topics they're interested in what relevance and measurement apis they want enabled and more you can view these controls by uh in Chrome setting and by visiting settings privacy and security at privacy controls incom now I'll hand over to my colleague Crystal who we go who will go through the Privacy apis hello everyone I'm chrystelle based in Singapore and I'm from the Privacy Partnerships team at Google taking care of savis Asia I'll be walking you through three of our privacy apis for anti- covert tracking and cross-side boundaries how they work and how you can get involved our goal of the Privacy sandbox is to reduce cross-side tracking while still enabling the functionality that keeps online content and services freely accessible by everyone deprecating and removing third party cookies and capsulate the challenge as they enable critical functionality across signin prod protection advertising and generally the ability to embed Rich thirdparty content in your sites but at the same time there also the key enablers of cross-side tracking in our previous major Milestone we launched a range of apis providing a privacy focused alternative to today's data school for use cases like identity and fraud detection there are specific scenarios where we want to ensure we do not break the experience for people using those sites with Alternatives in place we can now move on to begin phasing out third party cookies now let's dive a bit deeper on the four apis that might be relevant for your organization chips is about integrating with external services this API may be relevant for use cases where you have third-party chat EDS thirdparty map embeds thirdparty payment embeds and other scenarios related website sets is about websites with multiple domains for example apps specific domains brand specific domains or country specific domains to name a few relevant use cases user agent client hints is about new technologies for capturing user data and F Federated credential management or fed CM enables Federated identity Services allowing users to sign in to sites and services I'll now explain each of them in more details let's start with chips which stands for cookies having independent partition seats chips is definitely applicable across a wide range of circumstances and is largely for embedded use cases let's look at that in more details on the current version of the web with unpartitioned thirdparty cookies SS providers can access cookies in many different contexts in this example the site retail. example may want to work with a thir party service support. chat. example to embed a support chat box on its site many embeddable chat services today rely on cookies to save interaction history in another example you'll see here embed C could be a mapping provider that sets my preferred store location on site a but then when I navigate to site B that same mapping provider embedded there may know my location and that c needs to be able to store information in cookies but doing that today would allow C to track users across sites with chips C is declaring that it's not trying to to use cookies from that shared cookie jar on the left instead as seen on the right it now has partitioned or isolated cookie jars per top level site this is done via a double key partition which creates cookie jar AC C can continue to offer its functionality without being able to track users now so that way when the user navigates to site B There is a new Partition cookie jar BC so if is a thing you need we recommend you to explore this capability for your organization if you want to give feedback please do so on the chips GitHub repository next let's talk about related website sets related website sets helps you when a user journey is spread across multiple websites that require a deep integration through Technologies like third party cookies as third party cookies go away Chrome is focused on making sure that users are not being tracked across sites however Chrome recognizes that organizations rely on thirdparty cookies to maintain critical web experiences for users obvious use cases are examples like country code top level domains whereby let's say an Indonesian user of example. ID would want to be able to make use of the International example.com site without
restrictions let's look at how that use case is enabled through related website sets at a very high level related website sets is a list of sites that browsers can use to make exceptions to privacy restrictions such as third party cookie blocking site owners can list out their related domains in sub sets of a larger first party set subsets are key they Define use cases or reasons for domains being a specific set and being able to share State the first subset which I've already mentioned is the country code top level domain or cctld the country code subset requires common ownership of domains and companies can add an unlimited number of country code cctld domains second subset is called the service subset service subset is for utility domains that serve content like example- cdn.com there will not be any user interaction on these sites for service subsets companies will be able to add an unlimited number of service domains and a third type of subset is known as the Associated subset this is for domains that are related to the primary domain but have a different root like example Des shop.com it requires clear presentation to users and there is a limit of five domains counting in the primary domain example.com this means you can have six
different domains in your set each subset has different requirements with the goal of giving more flexibility for different types of domains the process of creating a related website set is fairly straightforward it begins with the set owner compiling the set of domains they want to add and submitting it to GitHub then there's a series of automatic checks that ensure that the submission rules for the subsets are followed the most important part to note is the final stage it requires developers to use the storage access API in Chrome these calls will be automatically granted for SE set members without user prompts different subsets have different rules you can check out the full details in GitHub the lated website sets is now rolled out to 100% of chrome stable and is fully live in production sites can also test with submitting sets to begin evaluating how they may want to create their side boundaries in the meantime we'd love to hear from you about your use cases and ideas around related website sets now onto our third privacy API user agent client hints before we get into UAC let's talk about the user agent string as a background generally when a user accesses a website a request is sent from the web server site asking for information about the user and upon receiving the request the browser automatically passes a user agent string containing information about the user such as the device OS language and browser version used by the user to the web server site and based on this information the web server May customize the way the site is displayed to the user however depending on how this information is combined it is granular enough to identify individual which has been a problem from the standpoint of privacy protection to address this concern we have decided to reduce the amount of information provided in the user agent string the information highlighted in green such as OS name browser name whether mobile or desktop Etc will continue to be retrieved the information highlighted in pink such as OS version device information and minor browsing version information will be fixed to a certain value and can no longer be retrieve what we mean by fix is that we know that the OS is Android but whatever the version is it will be displayed as 10 similarly it will display k no matter whether the device is an iPhone or Google pixel the browser version will also be 0.0.0 no no matter what the minor version is although the major version can be retrieved this information reduction is completed and you should see this change reflected if you need information that has been reduced in the user agent string you can obtain it by migrating to the newly developed user agent client hints API as you can see the amount of information has been reduced in the user agent string on the left the right side uses user agent client hint API and by sending a request for each piece of information you can continue to retrieve the information that was reduced in the user agent stram user agent client hints allow developers to request the user agent information they need instead of getting all information by default to get much of that information websites and services will need to transition to the user agent client API which provides the way to request only information they need and is a good privacy practice today and the pattern we want to set for the future the fourth API I want to discuss is fed CM or Federated credentials management fed CM has a specific Focus which is Federated identity so what is Federated identity Federated identity in short means having an identity provider that shares information about the user with one or more websites called relying parties in most cases a user has an account at the identity provider and the information shared with the website for login this type of login is definitely something that helps user it avoids the proliferation of usernames and passwords and really should be part of the web however it's often built on techn techologies that enable tracking like third party cookies it will be great if browsers had a way to distinguish valid Federated identity flows and that's where fat CM comes in fat CM mediates the exchange of information between the user site and identity provider to ensure that the user is inform and has the opportunity to provide consent this is what these prompts look like for fat CM they are very similar to what users are used to seeing when they try to log in with Federated Services however with the new API identity is Federated so user identities cannot be linked while the mock shows Google as the identity provider any identity providers like Facebook Twitter or your organization's login can be used as long as they implement the relevant endpoint required by the fat CM API fat cm is live and has been available in Chrome since last year so do try it out if you have a use case for it a team is also iterating on future improvements and would love to get your feedback in the Federated identity community group of the w3c so who will test and implement the corresponding privacy apis for the Technologies I just spoke about we expect a wide array of stakeholders to implement and that includes Publishers now how should you prepare for thirdparty Cookie phas Out we've broken the process down into a few key steps starting with auditing your thirdparty cookie usage thirdparty cookies can be be identified by their same side equal nonone value you should search your code to look for instances where you set the same side attribute to this value if you've previously made changes to add same side equal none to your cookies around 2020 then those changes May provide a good starting point the Chrome def tools Network panel shows cookies set and sent on requests in the application panel you can see the cookies h under storage you can browse the cookies stored for each side exess as part of the pach load and you can sort by the same side column to group all the non cookies from chrome 118 a def tools issues tab shows the breaking change issue cookie sent in cross-side contexts will be blocked in future Chrome versions the issue lists potentially affected cookies for the current page if you identify cookies set by Third parties you should check check with those providers to see if they have plans for the third party cookie phase out next test for breakage you can launch Chrome using I think the slide was still I'll pause I'll start again one two next test for breakage can launch Chrome using the test third party cookie phase out command line flag or from Chrome 118 enable Chrome Flex test third party cookie phas out this will set Chrome to block third party cookies and ensure that new functionality and mitigations are active in order to best simulate the state after the pH out if you maintain an active test suite for your sites then you should do two side by-side runs one with Chrome on the usual settings and one with the same version of Chrome launch with the test thirdparty cookie phase out flag any test failures in the second run and not in the first are a good candidates to investigate for third-party cookie dependencies once you have identified the cookies with issues and understand the use cases for them you can work through the following options to pick the necessary solution so how do you report issues with thirdparty cookies and get help well we want to ensure we are capturing the various scenarios where sites break without third party cookies to ensure that we have provided guidance tooling and functionality to allow sites to migrate away from their third-party dependencies if your site or a service you depend on is breaking with thirdparty cookies disabled you can submited to our breakage tracker at G.G report 3pc Das broken to summarize please evaluate and take the flowing actions to prepare for thirdparty cookie phase out in Chrome one audit your thirdparty cookie usage two test for breakage three for cross-side cookies which store data on a per side basis like an ed consider part partition with chips four for cross-side cookies across a small group of meaningfully linked sites consider related website sets lastly for other thirdparty cookie use cases M great to the relevant privacy sandbox apis I hope this was useful to equip you with the next steps to ensure you are prepared for your site to run without thirdparty cookies I will now hand it back to Kunal thank you cisal and Chu with this we hope you everyone who has joined us have begun to learn more about the technical Nuance of the apis both from an ads API perspective as well as from a general privacy apis perspective I'm going to summarize this session for for of us number one what are the ads apis for privacy sandbox there series of three apis that allows for ads based transactions across the full spectrum of the funnel whether it be brand campaigns through the topic apis performance campaigns through the protected audiences apis and attribution meas uh reporting from a measurement of Effectiveness and roas standpoint continues in conjunction with the ads based apis the general privacy apis ensures that we are both protecting against anti- CCO tracking fingerprinting as well as protecting against fraud and spam and ensuring that we can allow for certain use cases where you do have relationships with a thirdparty provider such as a Maps such as chat bot to continue to thrive and it's essential that a combination of the ads apis and the general privacy apis come together to solve for your domain and ensure that you're migrating into this privacy first future in a nutshell the ads apis is for you to work closely with your adtech providers the ssps and the dsps so that they are enabling the Technologies and you're able to test it with your traffic and your user base the Privacy apis are for all of you who have domains to be able to work with your technology com uh teams to test and learn and then Implement at Large Scale all of the different use cases that are relevant to you and your domains we welcome all of you all to join in the discourse through the GitHub forums to not only test and trial but please provide feedback back to us so that we are able to capture that feedback and build it into our road maps and this is an extremely important part of the Privacy sandbox initiative in summary three key actions number one the Privacy sandbox initiative is to address address identifiers at their call with the most guilty ones being cross-site cookie usage please begin to start auditing to ensure that we are helping you migrate to a world where you're not dependent on these identifiers there are General privacy apis that allow for you to maintain the Integrity of a safe and private internet please begin to create your profile on GitHub and start testing and trialing the specific use cases that you need and then ensure that you're able to implement it across all of your domains and finally ensure that all of these use cases that you've identified through the apis that we're building address the needs make sure that you're validating that these use cases are working we want and we need your feedback we are here to help support you the forums are there so that we can capture the feedback and then we can address them at the root in summary the wealth of information is all available on the web for you to access and your teams to access go to privacy sandbox.com to learn more about the initiative and for your Tech and developer teams go to developer. chrome.com and then in the
future developer.android.com to be able to get the latest of the apis and the tests and trials that we're we're we're enabling thank you for your time your patience your attentiveness to be with us through what is going to be the most important migration of the internet in our generation I wanted to conclude by saying that we are here to help you we are your partners through this migration and we're committed to ensuring that you have the tooling and the apis available so that you can migrate and then be able to drive growth and continuity for your businesses on behalf of the entire Google team thank you for your time we hope you have enjoyed today's prevy sbox webinar we value your feedback about the session and we would be interested to hear where their future sessions would also be helpful as you can see on your screen there is a QR code we would greatly appreciate it if you could take the next 30 seconds or a minute to answer a few simple questions the recording of this presentation will be available in a few hours on the same website please note that you'll need to register to get access to the content and don't forget to check out prev sandbox.com and developer. chrome.com for for most upto-date information and in future developer.android.com as well thank you
once again for joining us see you [Music] soon [Music] [Music] so
2023-11-28 06:55
