Google Taps Fastly To Make Cookie-free Adtech FLEDGE Fly

Google says it has partnered with Fastly, a content delivery platform, to support its effort to deliver targeted ads in its Chrome browser with a greater measure of privacy.

Google's FLEDGE is a Privacy Sandbox proposal to allow remarketing and custom audiences. It aims to let websites present ads that reflect visitor interests, without allowing visitors to be tracked or identified.

FLEDGE works like this: When a user visits a website associated with an interest group, like hiking, an interest group owner (a demand side platform, or DSP, enabling the purchase of ads associated with the site) can request the user's browser to join the relevant interest group, with a limited lifespan, using a JavaScript function.

If the JavaScript call succeeds – it could fail, be blocked, or be refused – the browser stores the interest group name (for example, hiking), the URL of the interest group owner, and configuration data to allow the browser to participate in an auction to place an ad.

When the user visits another website selling ads, the seller of that ad space – typically a supply side platform, or SSP – has the option to use FLEDGE to run an ad auction for an interest-relevant ad.

The SSP makes another JavaScript call to begin the auction within the browser – that is, the code fetches a list of interest group owners stored in the user's browser and invites some of them to bid to show the user a targeted ad.

Bidding is done via the bidding logic URL specified in the configuration data, which gets supplied with the interest group and information about the ad seller (the site's SSP or the site itself). The seller then receives the bids and displays the winning ad in a fenced frame – the (hopefully) secure successor to the iframe.

FLEDGE is being tested right now in Google's Chrome browser. Other browser vendors have yet to declare whether or not they will implement Google's Privacy Sandbox APIs.

Sort-of anonymity online? We'll see

To make this work while ensuring privacy, Google is running servers that implement a technique called k-anonymity. It's a way to promote privacy by hiding individuals within a crowd, the size of which is represented by the variable k.

FLEDGE applies k-anonymity to several aspects of the bid process. For example, an ad provider (DSP) could create a unique and thus trackable FLEDGE group (such as hikingUser23).

To prevent that, FLEDGE won't let a browser set an interest group unless there are at least k other browsers trying to set that same interest group. And to prevent ads targeting individuals, FLEDGE applies k-anonymity to ad rendering URLs, so a crowd of at least 50 users per ad design, within the past seven days, is required for an ad to be shown.

To make this work in a way that hides potentially identifying information – like a website visitor's IP address and the browser's User-Agent string – Google is putting its k-anonymity servers behind a third party. This is where Fastly comes in, running an Oblivious HTTP (OHTTP) relay.

• Google ready to kick the cookie habit by Q3 2024, for real this time
• Google lets a few Android devices into its Privacy Sandbox
• Shot down: Google's grand fancy plan for pro-privacy targeted ads
• Google postpones Chrome's third-party cookie bonfire yet again

As Google software engineer Philip Lee explains in a blog post, the user's Chrome browser sends an encrypted request through the OHTTP relay to Google's k-anonymity servers.

"The relay therefore doesn't see the content of the request but is aware of the user's IP address," Lee explains. "Conversely, the k-anonymity server (and gateway) are unaware of the user's identity but can see the content of the request."

There are some limitations to the privacy afforded by this approach. One is that the website publisher can still see the IP addresses of visitors. The other is that Google will have lots of identifying information about an individual if that person is signed into a Google Account through Chrome. But Google at least insists it will apply its k-anonymity protection to its own advertising services.

This approach "will offer better privacy since source address IP would be masked," said Lukasz Olejnik, independent privacy researcher and consultant, in an email to The Register.

"I know from my research that IP addresses, along with other information, [are] a strong identifier. It will certainly be a bit more difficult to do privacy research in a few years from now. That said, I'd like to think that my previous works somewhat contribute to the current evolution, which is positive!"

Olejnik expects Google's approach will lead to a more formalized web ad infrastructure platform. "The assumption here is that the platform would remain open to all competitors," he said. "If I understand correctly, this is the core premise behind the UK [Competition and Markets Authority] process."

Asked about whether Fastly might be in a position to abuse its role as a trusted intermediary, Olejnik replied, "Fastly as the management of the partial infrastructure should be trusted in this case. That said, I'm generally cautious about such centralized systems. They should always be done with care. We will only be able to review a final proposal and a design, once they will come."

As for the security of Oblivious HTTP, Olejnik allowed room for skepticism but said it's a technical standard.

"The key question is whether any other infrastructural providers would want to join in, too," he said. ®