Bennett Cyphers* says a coalition of independent advertisers is proposing to track people’s search activity through their emails as cookies are phased out.
Cookies are dying, and the tracking industry is scrambling to replace them.
Google has proposed Federated Learning of Cohorts (FLoC), TURTLEDOVE, and other bird-themed tech that would have browsers do some of the behavioural profiling that third-party trackers do today.
But a coalition of independent surveillance advertisers has a different plan.
Instead of stuffing more tracking tech into the browser (which they don’t control), they’d like to use more stable identifiers, like email addresses, to identify and track users across their devices.
There are several proposals from ad tech providers to preserve “addressable media” (read: individualised surveillance advertising) after cookies die off.
We’ll focus on just one: Unified Identifier 2.0, or UID2 for short, developed by independent ad tech company The Trade Desk. UID2 is a successor to The Trade Desk’s cookie-based “unified ID.”
Much like FLoC, UID2 is not a drop-in replacement for cookies, but aims to replace some of their functionality.
It won’t replicate all of the privacy problems of third-party cookies, but it will create new ones.
There are key differences between UID2 and Google’s proposals.
FLoC will not allow third-party trackers to identify specific people on its own.
There are still big problems with FLoC: it continues to enable auxiliary harms of targeted ads, like discrimination, and it bolsters other methods of tracking, like fingerprinting.
But FLoC’s designers intend to move towards a world with less individualised third-party tracking. FLoC is a misguided effort with some laudable goals.
In contrast, UID2 is supposed to make it easier for trackers to identify people.
It doubles down on the track-profile-target business model. If UID2 succeeds, faceless ad tech companies and data brokers will still track you around the web—and they’ll have an easier time tying your web browsing to your activity on other devices.
UID2’s proponents want advertisers to have access to long-term behavioural profiles that capture nearly everything you do on any Internet-connected device, and they want to make it easier for trackers to share your data with each other.
Despite its designers’ ill-taken claims around “privacy” and “transparency,” UID2 is a step backward for user privacy.
How does UID2 work?
In a nutshell, UID2 is a series of protocols for collecting, processing, and passing around users’ personally-identifying information (“PII”).
Unlike cookies or FLoC, UID2 doesn’t aim to change how browsers work; rather, its designers want to standardize how advertisers share information.
The UID2 authors have published a draft technical standard on GitHub. Information moves through the system like this:
- A publisher (like a website or app) asks a user for their personally-identifying information (PII), like an email address or a phone number.
- The publisher shares that PII with a UID2 “operator” (an ad tech firm).
- The operator hashes the PII to generate a “Unified Identifier” (the UID2). This is the number that identifies the user in the system.
- A centralised administrator (perhaps The Trade Desk itself) distributes encryption keys to the operator, who encrypts the UID2 to generate a “token.” The operator sends this encrypted token back to the publisher.
- The publisher shares the token with advertisers.
- Advertisers who receive the token can freely share it throughout the advertising supply chain.
- Any ad tech firm who is a “compliant member” of the ecosystem can receive decryption keys from the administrator. These firms can decrypt the token into a raw identifier (a UID2).
- The UID2 serves as the basis for a user profile, and allows trackers to link different pieces of data about a person together. Raw UID2s can be shared with data brokers and other actors within the system to facilitate the merging of user data.
The description of the system raises several questions. For example:
- Who will act as an “administrator” in the system? Will there be one or many, and how will this impact competition on the Internet?
- Who will act as an “operator?” Outside of operators, who will the “members” of the system be? What responsibilities towards user data will these actors have?
- Who will have access to raw UID2 identifiers? The draft specification implies that publishers will only see encrypted tokens, but most advertisers and data brokers will see raw, stable identifiers.
What we do know is that a new identifier, the UID2, will be generated from your email.
This UID2 will be shared among advertisers and data brokers, and it will anchor their behavioural profiles about you. And your UID2 will be the same across all your devices.
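A minimal model of the flow described above, added here as an illustration; it is not code from the UID2 draft or from The Trade Desk. The lower-case normalisation, the use of SHA-256, the toy HMAC keystream cipher and all function names are assumptions standing in for details the article does not give.

```python
import hashlib, hmac, os

def normalize(email: str) -> str:
    # Assumed normalisation: trim whitespace and lower-case the address.
    return email.strip().lower()

def operator_make_uid2(email: str) -> str:
    # Operator step: hash the PII into the raw identifier (SHA-256 assumed).
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in only,
    # not the encryption scheme of the real system.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def operator_make_token(uid2: str, key: bytes) -> bytes:
    # Operator step: encrypt the UID2 under the administrator's key.
    nonce = os.urandom(16)  # fresh nonce, so every token looks different
    raw = bytes.fromhex(uid2)
    ct = bytes(a ^ b for a, b in zip(raw, _keystream(key, nonce, len(raw))))
    return nonce + ct

def member_decrypt_token(token: bytes, key: bytes) -> str:
    # "Compliant member" step: recover the raw UID2 from a token.
    nonce, ct = token[:16], token[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).hex()

def demo() -> dict:
    # Constructed sample: one person logging in on two devices, plus a second person.
    key = os.urandom(32)  # key distributed by the administrator
    laptop = operator_make_token(operator_make_uid2("Alice@Example.com "), key)
    tv = operator_make_token(operator_make_uid2("alice@example.com"), key)
    other = operator_make_token(operator_make_uid2("bob@example.com"), key)
    return {
        "tokens_differ": laptop != tv,
        "same_person_linked": member_decrypt_token(laptop, key) == member_decrypt_token(tv, key),
        "other_person_linked": member_decrypt_token(laptop, key) == member_decrypt_token(other, key),
    }

if __name__ == "__main__":
    print(demo())
```

A publisher holding only the two tokens sees unrelated values, while any party given the key recovers one stable identifier for both devices.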
How does UID2 compare with cookies?
Cookies are associated with a single browser.
This makes it easy for trackers to gather browsing history. But they still need to link cookie IDs to other information—often by working with a third-party data broker—in order to connect that browsing history to activity on phones, TVs, or in the real world.
UID2s will be connected to people, not devices.
That means an advertiser who collects UID2 from a website can link it to the UID2s it collects through apps, connected TVs, and connected vehicles belonging to the same person.
That’s where the “unified” part of UID2 comes in: it’s supposed to make cross-device tracking as easy as cross-site tracking used to be.
UID2 is not a drop-in replacement for cookies.
One of the most dangerous features of cookies is that they allow trackers to stalk users “anonymously.”
A tracker can set a cookie in your browser the first time you open a new window; it can then use that cookie to start profiling your behaviour before it knows who you are.
This “anonymous” profile can then be used to target ads on its own (“we don’t know who this person is, but we know how they behave”) or it can be stored and joined with personally-identifying information later on.
In contrast, the UID2 system will not be able to function without some kind of input from the user.
In some ways, this is good: it means if you refuse to share your personal information on the Web, you can’t be profiled with UID2.
But this will also create new incentives for sites, apps, and connected devices to ask users for their email addresses.
The UID2 documents indicate that this is part of the plan:
“Addressable advertising enables publishers and developers to provide the content and services consumers have come to enjoy, whether through mobile apps, streaming TV, or web experiences. … [UID2] empowers content creators to have the value exchange conversations with consumers while giving them more control and transparency over their data.”
The standard authors take for granted that “addressable advertising” (and tracking and profiling) is necessary to keep publishers in business (it’s not).
They also make it clear that under the UID2 framework, publishers are expected to demand PII in exchange for content.
This creates bad new incentives for publishers. Some sites already require log-ins to view content.
If UID2 takes off, expect many more ad-driven websites to ask for your email before letting you in.
With UID2, advertisers are signalling that publishers will need to acquire, and share, users’ PII before they can serve the most lucrative ads.
Where does Google fit in?
In March, Google announced that it “will not build alternate identifiers to track individuals as they browse across the web, nor… use them in [its] products.”
Google has clarified that it won’t join the UID2 coalition, and won’t support similar efforts to enable third-party web tracking.
This is good news—it presumably means that advertisers won’t be able to target users with UID2 in Google’s ad products, the most popular in the world.
But UID2 could succeed despite Google’s opposition.
Unified ID 2.0 is designed to work without the browser’s help.
It relies on users sharing personal information, like email addresses, with the sites they visit, and then uses that information as the basis for a cross-context identifier.
Even if Chrome, Firefox, Safari, and other browsers want to rein in cross-site tracking, they will have a hard time preventing websites from asking for a user’s email address.
Google’s commitment to eschew third-party identifiers doesn’t mean said identifiers are going away. And it doesn’t justify creating new targeting tech like FLoC.
Google may try to present these technologies as alternatives, and force us to choose: see, FLoC doesn’t look so bad when compared with Unified ID 2.0.
But this is a false dichotomy. It’s more likely that, if Google chooses to deploy FLoC, it will complement—not replace—a new generation of identifiers like UID2.
UID2 focuses on identity, while FLoC and other “privacy sandbox” proposals from Google focus on revealing trends in your behaviour.
UID2 will help trackers capture detailed information about your activity on the apps and websites to which you reveal your identity.
FLoC will summarise how you interact with the rest of the sites on the web. Deployed together, they could be a potent surveillance cocktail: specific, cross-context identifiers connected to comprehensive behavioural labels.
What happens next?
UID2 is not a revolutionary technology. It’s another step in the direction that the industry has been headed for some time.
Using real-world identifiers has always been more convenient for trackers than using pseudonymous cookies.
Ever since the introduction of the smartphone, advertisers have wanted to link your activity on the Web to what you do on your other devices.
Over the years, a cottage industry has developed among data brokers, selling web-based tracking services that link cookie IDs to mobile ad identifiers and real-world info.
The UID2 proposal is the culmination of that trend. UID2 is more of a policy change than a technical one: the ad industry is moving away from the anonymous profiling that cookies enabled, and is planning to demand email addresses and other PII instead.
The demise of cookies is good. But if tracking tech based on real-world identity replaces them, it will be a step backward for users in important ways.
First, it will make it harder for users in dangerous situations—for whom web activity could be held against them—to access content safely.
Browsing the web anonymously may become more difficult or outright impossible.
UID2 and its ilk will likely make it easier for law enforcement, intelligence agencies, militaries, and private actors to buy or demand sensitive data about real people.
Second, UID2 will incentivize ad-driven websites to erect “trackerwalls,” refusing entry to users who’d prefer not to share their personal information.
Though its designers tout “consent” as a guiding principle, UID2 is more likely to force users to hand over sensitive data in exchange for content.
For many, this will not be a choice at all.
UID2 could normalise “pay-for-privacy,” widening the gap between those who are forced to give up their privacy for first-class access to the Internet, and those who can afford not to.
*Bennett Cyphers is a Staff Technologist at EFF.
This article first appeared at eff.org.