A Dual-Vantage Measurement of the Privacy Sandbox in the Real World

Recently, the web industry has opened the possibility to phase out third-party cookies. Following the lead of the Safari and Firefox browsers, which block them by default, in 2019 Google announced the Privacy Sandbox initiative, a set of APIs designed to replace the functionality of third-party cookies in the Chrome browser. These APIs are designed to support advertising functionality, fight fraud and strengthen cross-site privacy boundaries, improving user privacy. This thesis investigates the Privacy Sandbox, with a particular focus on the Protected Audience API, which enables interest-based advertising and ad retargeting. The research objective is to evaluate the adoption and implementation in practice. To this end, two complementary methods are applied. First, a Chromium-based web crawler analyzes the top 10,000 websites according to the Tranco list. The crawler collects JavaScript calls and Chrome DevTools protocol events related to the Privacy Sandbox APIs, both after accepting and after denying cookie consent banners. Second, a custom Chrome extension intercepts and analyzes JavaScript calls to the Privacy Sandbox APIs during real browsing sessions. This method enables the collection of authentic user data, providing insights into actual usage patterns and behaviors. The collected data highlights cases where the Privacy Sandbox APIs are not configured as intended by third parties that implement them, suggesting potential areas where privacy concerns could emerge from their usage. While the Privacy Sandbox aims to improve user privacy and provide an alternative to third-party cookies, the findings indicate that there are still challenges to be addressed for its broader and more effective adoption.