Would you fly in a plane built from the "marketing" documents?

On  10th February 2024 shortly after the Competition and Markets Authority (CMA) published their 2023 Q4 report concerning Google’s Privacy Sandbox Commitments julien delhommeau asked me why I believe CMA’s concerns will not be satisfied in a Linked In comment.

“So I am genuinely curious, James Rosewell which specific concerns raised by the CMA in their report do you think Google will not be able to address in the coming months?”

This article provides my comprehensive response which also references the IAB Tech Lab’s assessment issued for public comment on 6th February 2024.

CMA Report

The CMA would acknowledge that the Q4 2023 report represents a “step change” from them. I broadly agree, although they are characteristically tight lipped about the specificity of criteria they will apply when making their decision should Google ask them to in July 2024. In answering the question, I consider my experience gained over nearly four years of working with the CMA, and the technical reviews of Google ’s proposals within the W3C and IAB Tech Lab , and the experience of others I engage closely with.

I also consider that Google’s Privacy Sandbox (GPS) is neither a set of web features nor a set of web standards. It is in fact proprietary technology that Google proposes should underpin a $690bn annual global industry (Source: Insider Intelligence | eMarketer, October 2023). As such the standard and quality of engineering, the roadmaps for feature development and change, and the binding legal commitments between Google and the CMA, I expect far greater industry focus during H1 2024. As examples; the CMA report does not mention industry statutory reporting requirements, and only briefly touches on the quality of the software delivery lifecycle at paragraph 124 a.

The following broad concerns were identified in the CMA’s Q4 2023 report:

In paragraphs 26 a), 27), 44 a), and 124 f), the CMA need to verify that Google haven’t developed features in GPS that discriminate against rival business-facing ad solution providers, while self-preferencing Google’s own Ad Systems such as its Google Ads or Google Ad Manager businesses. Anyone with evidence of such developments should inform the CMA before 27th February 2024. Details can be found here.

Even then Google have to convince the CMA that the expansion of “Sign in with Google” to increase matching across sites (such as using individuals’ identity via Google’s Customer Match) and other advantages Google might enjoy do not distort competition. Should such evidence come forward then the Commitments will be breached, and the CMA will reopen the CA98 case (see paragraph 11). Such a situation would result in Google having to redesign its proprietary APIs to ensure they do not distort competition by self-preferencing their own Ad Systems.

Paragraph 26 c). Google need to move the governance of GPS to an independent organisation. Obvious issues include limited taxonomy, limits on websites to 5, time delays imposed on rivals but exempted from Google’s core ad monetization across its owned and operated properties, effectiveness for media buyers or sellers, and restrictions on all data without considering the risk and appropriate safeguards. This will likely involve separation of all GPS source code and technical specifications to a separate entity like the Linux Foundation, but without a single individual Director. There is no such independent organization ready to take this on today and I estimate it will take years to set up such an organization, which can fairly represent both consumers and the businesses they interact as well as the technical standards for communication that also support businesses interactions with other businesses with open web standards.

Paragraph 26 d). Google’s pattern of behaviour over multiple decades is one of disregarding regulators. They pay the fine and keep infringing. See shopping, maps, and many privacy cases. Regulators are wise to this. The CMA will not fall into this trap. Assurances need to be legally binding and most importantly clearly defined, rather than Google’s habit of vagaries and redefinition of common terms. The Commitments took over a year to negotiate and I doubt new Commitments that aim towards remediating outstanding concerns is sufficiently advanced to pass muster could happen any faster

Paragraph 28). Google operates a policy of using its dominant position in adjacent markets to prevent alterative solutions from technically operating or gaining market share (e.g. see antitrust regulator evidence regarding AMP, removing DoubleClick support for rivals’ match keys, auction manipulation, etc.) .

Any organisation that operates what Google would consider an “alternative cross site identifier” which Google’s stated and re-iterated policy will be prevented on Google’s platforms, have a fiduciary duty to their shareholders to make submissions to regulators, to ensure their businesses can continue to serve their customers.

Given the large number of ID suppliers, which use email, IP address, or telco data to generate a match key, this means the CMA will need to consider at least 50 submissions. This also relates to the future governance questions, and assurances from Google, which have historically been hollow.

Paragraphs 35), 42), 43), 49), 61), 67). There are significant issues over user “consent” throughout the report.

What level of notice and choice over business decision making is Google required to offer for its own business-facing Ad Systems? For example, recent settlements with Germany’s antitrust authority and 41 US State Attorneys General, limit such consent requirements to when the information exchanged across businesses is linked to a Google User Account. Does this apply to Google’s Customer Match, which uses specific individuals’ identity (phone number, plaintext email, and street address) to match advertisers’ cross-organization (aka cross-site) information to improve the monetization of Google’s Owned and Operated (O&O) properties? These are not simple to resolve given the wider issues of Google gaining consent for all business-facing services and processing via its consumer-facing software. Why should Google be allowed to bundle these distinct services? That will likely become a more significant aspect of the CMAs thinking in the next quarter and will involve addressing these wider questions of what constitutes meaningfully informed consent, when individuals’ Personal Data is being collected and processed—even across Google’s owned-and-operated properties. I estimate this will take years if the CMA are committed to doing this properly.

Specific concerns:

Paragraph 35) Topics.  The CMA noted issues involving the governance of the hostname only taxonomy, number of items exposed, taxonomy itself, and the creation of the classifications for hostnames that all need to be addressed. It would not be reasonable for the CMA to accept a situation where some hostnames are classified using different approaches to others, as this has a high likelihood of distorting competition. This will take Google months to correct.

Paragraph 41) Protected Audiences (which ought to be renamed Auction Manager) Google clearly state they have no intention of supporting many use cases. The IAB Tech Lab and 65 organisations have confirmed the majority of use cases are not supported in their February 2024 report. Instead of addressing these outstanding concerns, Google responded by agreeing that many of these marketer and rival publisher use cases indeed will not be supported. Thus, the CMA must decide if they will let such a dominant firm dictate the market conditions for its rivals. They are unlikely to do this and thus Google will need to go back to the drawing board to design proposals that do not tip the market.

Latency and contract privity issues are significant and remain open. Google will need to provide those relying on its Auction Manager a contract covering liabilities, performance, accreditation, and access to auditable data, just like any other auction manager for rival publishers’ ad inventory. Google has given little to no thought on this important duty when attempting to monetize rivals’ ad inventory.

Fenced Frames, Event Reporting, and Video are supported via temporary work arounds until at least 2026. The CMA are not going to decide based on future promises and will require certainty and legally binding commitments. Again, little thought has been given to whether or how well Google’s proposals will enable rivals to compete with Google’s YouTube ad inventory. However, given video Display advertising relies on the identical open web communication standards as other forms of Display, Google cannot remove storage facilities, such as cookies, prior to addressing these use cases without distorting competition.

Google are requiring those operating Key/Value servers to use Trusted Execution Environments (TEEs). It does not seem reasonable to impose technical solutions on others, that one does not also use across Google’s owned and operated properties, especially when organisational measures (contracts and audit) could be used. The payment industry, which handles more sensitive information than most advertising, does not mandate the use of TEEs. Google’s Commitments to the CMA are unlikely to be satisfied by this direction.

Paragraph 50 a). CMA are concerned about fragmentation across the eco-system with multiple approaches to attribution reporting and require Google to work more closely with Apple, Meta, and Mozilla. This will take time to resolve given the requirement for the other parties to engage with Google’s proprietary APIs, which understandably they have not shown a willingness to do. The timing associated with this is hard to determine. Any agreement on privacy at forums like the W3C will have competition consequences which all need to be wary of (see comment on paragraph 91 below).

Paragraph 50 b). Independent Ad verification is not supported and is not possible with Google’s current policy for GPS. There is no information concerning how this will be achieved.

Paragraph 53). TEEs are to be required for others at some point after Google expect to ask the CMA to decide. It is not clear how the CMA will evaluate this. The use of cloud providers is also the subject of a separate CMA investigation which might relate to this in due course

(Incidentally those relying on GPS could place the same obligation on Google to operate monetization of its owned and operated properties and GPS in a TEE for the same risk prevention reasons stated by Google. I suspect Google would consider this unreasonable. What Google assert is good for the “Goose” is not good for the Google.)

Paragraphs 60) and 62) The CMA require Google to justify why Related Website Sets (RWS) should have limits placed on it. It is unlikely any organisation or the CMA will ever accept the premise that there is a “correct number” of brands they can operate. This places GPS policy at odds with commercial reality.

Further the CMA call out “Paragraph 27 of the Commitments includes specific provisions on Google’s use of Google First-Party Personal Data and Personal Data” in relation to RWS.

Combined Google will need to drop RWS from GPS and find another method to retain unlimited data communication among organizations using the open web navigation software, or web browser. This should be very welcome to the industry and whilst not directly related to the question asked will be required by Google to comply with the European Union’s DMA, a factor that the CMA are not considering but Google must.

Given the huge number of outstanding issues and concerns above, this will require a complete rethink, the changes to the designs and corrections to the faulty underlying principles will take years to address.

( Movement for an Open Web (MOW), and organisation I’m a Director of, carried out in depth testing of RWS. In addition to the concerns the CMA identified Google exercised excessive editorial judgement over the content of websites submitted, did not understand their own Contribution Licence Agreement (CLA), and in any case require those submitting sets to accept one-sided terms. MOW’s lawyers advised any submissions to be marked “NOT A CONTRIBUTION” to avoid Google’s default position that use of its proprietary APIs transfers additional use rights to Google, such as to inform its Bard/Gemini Answer Engine. Given debates regarding scraping to inform Google’s generative AI models, many large publishers are concerned over infringements of their intellectual property rights. The CMA are yet to comment on these significant concerns.)

Paragraph 66). Discrimination against rivals via self-preferencing is a key conceptual concern that Google cannot address given the limited user interface space available for the selection of authentication services and prior brand knowledge. The approach to Federated Credential Management (Fed CM) will need to be rethought to enable users to be able to communicate their preferences among all available Fed CM providers. This solution will need to operate in a manner where Google do not control the defaults. Thus, satisfying the CMA will require the problems associated with consent choices to be addressed. This cannot be anything less than a showstopper for the CMA given the findings in their July 2020 market report around self-preferencing.

Paragraph 76 a). CHIPS directionally will never support the requirement the CMA have placed on Google. Similarly to RWS the design will have to be rethought. This is because real-time interoperable communication is required by many business-facing processing that has nothing to do with advertising, and Google cannot offer proprietary APIs for every use case needed by every industry.

Paragraph 79). Google have stated that Video and Native support in Fenced Frames will not arrive until 2026. CMA will need full details on how Google will meet its Commitments on these large impacts to rival publishers’ ability to monetize their ad inventory and compete with Google’s owned-and-operated properties (like YouTube) before deciding. If Google had the detailed designs, I would have thought they would have published them already rather than allowing the uncertainty to continue. “Hacks” based on iFrames are not the same as full legally binding support.

Paragraph 83). CMA recognise that Google will be the primary provider of Private State Tokens (PST) in practice. The only way Google could satisfy the CMA’s concern is to agree not to be a provider of PST and thus rely on other parties themselves. While this would be very welcome for competition, this of course would not be in Google’s own commercial interest. This concern is not easily resolved and will likely play out alongside the various trials and regulatory activities that are taking place in parallel at the DoJ and EC.

There is a further concern that the CMA have not commented on the pinch point that PST provides for those engaged in fraud. IAB TL’s report under Invalid Traffic explains the issue of bad actors being able to fake and reuse PST tokens. Once the mechanism is compromised fraud will become rife because PST will be the only means of establishing trust. The current approaches provide a competitive cat and mouse game between good and bad actors unrestricted by a single set of APIs. Further Google have abandoned Web Environment Integrity (WEI) at paragraph 105 and therefore shown no intention to verify the integrity of the Chrome operating environment.

Paragraph 89). Google make extensive use of link decoration (which they call "bounce tracking” when rivals use the same mechanism in their Q3 report to the CMA) in their own search and other services. Google will need to rearchitect their own services to comply with the obligations to the CMA not to self-preference their own Ad Systems and monetization of their O&O properties relative to rivals.

Further there is a stated direction that link decoration interference will not come into effect until sometime in the future. The CMA need to obtain legal commitments concerning this to ensure Google does not reengage with discriminatory conduct as soon as the CMA takes its eyes off of Google’s conduct that without modification is likely to distort digital markets and “would be likely to amount to an abuse of a dominant position.”

Paragraph 91). The assurances to the CMA are directly opposed to the implementation of bounce tracking and stated direction when considering the likely replacement for Privacy Budget. They cannot be addressed by the current design.

Whilst the CMA continue to direct industry to W3C forums which facilitate collusion by agreeing definitions of non-price factors of competition such as privacy and in doing so breach competition laws the issue cannot be resolved. CMA need to step up to their role in addressing anti-competitive practices in technical standards forums before either the CMA or Google can advance Google’s proprietary GPS proposals. Market participants are becoming aware of the of the risks associated with engaging in W3C and IETF debates. Unlike other concerns this is an action the CMA need to take to avoid being complicit in anticompetitive practices themselves. This is a significant issue not adequately address in 124 e) of the report and which the CMA must address in the coming quarter.

Paragraph 100). The governance of IP protection needs to be established. Why should Google’s servers be the first hop or any hop in such a process. Google could just as well require all traffic from its consumer-facing Android and Chrome software to redirect through proxy servers controlled entirely by other organizations, such that Google’s O&O properties and Ad Systems are on a level playing field with all rivals. True to most of Google’s designs, Google self-preferences their own business-facing solutions by exempting them entirely or giving them first look. It will be interesting to see which if any of Google’s third-party services embedded on rival publishers’ properties are forced to have the additional latency imposed by new hops across this proxy service.

Moreover, the use of established block lists, like disconnect.me, will not meet the CMAs requirements for competition. For example, what would the right of appeal be for an organisation that operated network level “tracking” only in the view of the block list maintainer? Given the foreseeably large likelihood of placing entire businesses’ continued operations at risk due to classification or coding mistakes, such a process requires far more scrutiny and oversight than documented. A completely new governance method will need to be established which aligns to competition laws. Either Google can abandon IP proxy service in its entirety, or such a governance model needs to be established. This will take years to put in place.

Paragraph 104). The Commitments will be modified to include whatever Google propose to replace Privacy Budget. Google are changing the name but not changing the policy. As such the clock will reset and the CMA and industry will need to reassess Google’s proposals. CMA will also need to seek legally binding agreements that Privacy Budget, or proposals with like effect, are never implemented.

Paragraph 105) Whilst Google require others to operate in TEEs they have abandoned any attempt to ensure and expose the integrity of their own deployment of GPS. The CMA are thus mistaken to ignore the issue as they advise in their report. CMA will need to require Google to find another way of ensuring the integrity of the auction and reporting environment such that users of the technology can fulfil their statutory and commercial obligations. These would include as a minimum Sarbanes Oxley (SOX) reporting, Media Rating Council (MRC) accreditation, and Trustworthy Accountability Group (TAG) accreditation. Without such accreditation or fidelity GPS will be unusable. The CMA are yet to comment on this.

Paragraphs 106) to 114). It is likely that the results of testing which the CMA receive will not be sufficient to enable them to make a decision this year, should Google trigger the standstill period for the CMA judgment. As such, Google’s most likely decision will be to postpone once again the judgement of the CMA on their plans to privatize the open web. As Google are unlikely to make the request of the CMA until they have very good chances of being successful, I expect the testing and reporting to continue for years to come. There are two methods that Google can use to address this.

Google have the perfect information environment for testing. It’s called YouTube. Google could deploy GPS technologies to YouTube for six months reporting to SOX and SEC standards the results. They would also have to report results to the market via Alphabet’s quarterly market updates. They could also report these in detail to the industry and regulators like the CMA. Assuming in their controlled information environment GPS technologies do not distort the monetization of smaller content creators’ ad inventory relative to larger ones and can provider smaller marketers’ campaigns as effective results as larger ones, then the CMA would have the information they require to decide.

Another option would be for Google to commit not to make any further changes to degrade real-time interoperability and allow the market to adopt GPS or not on the merits of the proposition. Once the artificial and abusive threat of degrading interoperability is removed the CMA will learn from market effects how GPS performs within a competitive market. Once there is sufficient evidence that GPS technologies offer improved outcomes for marketers and publishers relative to rivals, the CMA will be able to agree the stand still period with Google.

Google have shown no interest in pursuing either option. As such I expect testing and the necessary modifications to Google’s proposals to continue for years to come.

Parallel events such as those being operated by DoJ and EC will likely advance during the continued testing period to the point that the CMA Commitments may become irrelevant, should the remedies imposed in a guilty verdict supersede Google’s current obligations.

Further the Digital Markets Act (DMA) which requires far greater fidelity of information being made available to publishers, advertisers, and their suppliers than that available in GPS will have come into effect. See this summary from law firm Linklaters. This will likely further alter Google’s plans.

Paragraph 124 a). IAB Tech Lab supported by at least 65 organisations published an assessment of the GPS technical specifications as published at the end of November 2023. They concluded that most industry use cases are not supported or degraded. Google responded by referencing material that would not be relied upon by any professional engineer working on a technology solution for a $690bn annual revenue industry. Whilst Google continue to make GPS up as they go along and apply a low quality of planning, change and feature control, testing, and governance the CMA’s concern will be unresolved. This will take years to address as it is systemic.

Those of us living in the UK, including all the people at the CMA, will be acutely aware of the Post Office Horizon IT scandal where despite engaging Fujitsu, a professional services organisation, significant technology deficiencies resulted in horrendous consequences for system users including jail time and bankruptcy. The CMA will not wish to oversee a similar fiasco.

Paragraph 124 b), d). The CMA will require legally binding commitments and not vague “assurances” concerning self-preferencing and penalising those that do not implement GPS.

Paragraph 124 c). Google stated policy in relation to alternative cross site identifiers would need to change significantly and be supported by legally binding agreements to address this concern. Google have shown no appetite for doing so.

Paragraph 124 f) Should evidence be presented to the CMA to support the assertion then Google will have breached the commitments. The CMA will thus likely fall back to CA98 and use interim measures to prevent Google progressing GPS whilst another remedy is sought.

Paragraph 124 h) The CMA must not distort competition between smaller market participants and larger publishers and marketers. The importance of smaller players is understated in the report.

Paragraph 124 i) It’s not at all clear how GPS will address this brand safety deficiency as to do so would require a significant policy change from Google.

Paragraph 124 j) A lot has been learnt from RWS and the submission process which is simpler than that of other GPS APIs. There is little detail concerning the final enrolment and attestation process, and in particular what the appeal process is available for an applicant that is ruled ineligible or revoked. This is related to the prior comments in relation to IP protection.

Paragraphs 128) and 129) The CMA comment on matters outside their jurisdiction. They are not a data protection authority. We are yet to learn the Information Commissioner's Office ’s (ICO) views on GPS. Given they have rejected exemptions for “first parties” which is baked into most GPS designs, or the implications for the wider data eco-system associated with the growing use of directly identifiable personal data such as email addresses or telephone numbers in place of lower risk random numbers, this is likely to be significant. Assuming the ICO do not alter their direction, I expect this to create further as yet underreported hurdles for GPS and the industry more widely.

Conclusion

It is always possible the CMA will not fulfil their role as a regulator and let Google off the hook. That might mean the timeline Google set out is achievable. However, I’m firmly of the belief there is cross party-political will in the UK to not allow this to happen. Such an outcome would be embarrassing for the CMA and dimmish the CMA among peer regulators. The CMA have bought the time needed by the EC and DoJ to press home their activities which continue to unfold in public and in private. There is a real possibility regulators are indeed co-operating and using their respective strengths.

I’m certain that Sarah Cardell (CEO of CMA) will not wish to see the CMA in a position where they decide on the acceptable number of journalists to lose their jobs, or preside over the next Post Office Horizon IT fiasco.