09 Jul 2023

Google Chrome ad features checklist

(Update 22 Dec 2024: add link to separate post on policy files)

(Update 21 Sep 2024: add link for turning off ad personalization for Google Accounts)

(Update 11 Jul 2024: add link for turning off ad tracking in Firefox)

(Update 2 Jan 2024: add Dark Visitors link)

For complicated reasons that you can read about in other places, Google Chrome is in the process of shipping a bunch of built-in advertising features, to enable a new variant of Real Time Bidding advertising inside the web browser. More info from noyb.eu: Google Chrome: Agree to ‘privacy feature’, but get tracking!

As a user, you’re probably better off with a browser from a company that isn’t incentivized or required to do any of this stuff. Besides the privacy and antitrust problems, in-browser ad features use your battery and bandwidth—one ad service reported a delay of 1500 milliseconds per ad. But sometimes a site is broken in other browsers, sometimes you need to test a site in multiple browsers, sometimes there is a company policy requiring a certain browser, or whatever. So, for your convenience (fine, mostly mine) here are notes and links for what to do about it.

Google’s in-browser ad features have been branded as Privacy Sandbox, but that’s a marketing name that applies to a lot of projects. So far the Privacy Sandbox options do not seem to include any actual privacy features, so you can safely turn them off. memo to self: update this blog post with details if they come out with a Privacy Sandbox feature that’s an actual privacy feature you should leave turned on.

For all Google Chrome users

  • Turn off third-party cookies, under chrome://settings/cookies. Select Block third-party cookies.

    This setting makes Google Chrome’s behavior similar to that of other browsers, so shouldn’t break anything on the normal web. (Some corporate applications will break, so if you have those applications at your company or organization, you can share the links in the desktop system administrators section with your IT department and they can configure Google Chrome to do the right thing.)

  • Below the third-party cookie setting, turn off Allow related sites to see your activity in the group (This is third-party tracking for sites that claim they’re related in some way—but the groups don’t get an independent check.)

  • Go to the in-browser ad features, at chrome://settings/adPrivacy or chrome://settings/privacySandbox and turn off at least Ad topics which is the really problematic one, and any of the others you want to. This stuff is all new, and sites don’t depend on it, so you can safely turn it off without breaking anything.

For Google Account holders

If you have a Google Account for services like YouTube or Gmail, go to https://myadcenter.google.com/home and set Personalized Ads to Off. (This should cover downstream processing of your data, not what happens in the browser.)It’s not about the cookies or specific tracking technologies. Personalized advertising is unavoidably risky, and so-called privacy-enhancing technologies just make it worse.

For Android users

Consumer Reports has an up to date set of instructions that should work across Android versions. See Workout 4 at CR Data Bootcamp

If you use an ad blocker or content blocker

If you choose to run an ad blocker or a content-blocking privacy extension, pick one that is honest and currently maintained.

Please don’t recommend an ad blocker to other people. When people search for ad blockers on search engines or browser extension directories, they’re likely to find malware, adware, scams, extensions that block visible ads but not tracking, and extensions that participate in a paid allow-listing scheme. If you recommend an extension, make sure to give a specific name and link.

The functionality available to extensions in Google Chrome is being reduced, so running Google Chrome with an ad blocker does not look like a long-term solution. But either of the above two should work for now. (If you do switch browsers, be sure to turn off advertising features in Firefox.)

For command line users and desktop system administrators

You can install a managed policies file to make these settings apply to all profiles and users. See turning off browser ad features from the command line.

Some Intranet and SaaS applications still require third-party cookies. If you are setting this up for other users, test this option thoroughly, especially if you have web applications that are known to only work on Google Chrome.

The other in-browser ad features are new and nothing depends on them, so they can safely be turned off for everyone. It’s not just a privacy thing. The performance impact of running an entire in-browser ad stack, especially on older PCs, means that these settings are likely to extend desktop system life and reduce user complaints.

For web developers

Data on your web visitors can be collected using a third-party script. Some third-party scripts are already being extended to do this. Fortunately the fix is something that looks like a good idea anyway: setting Permissions-Policy.

  • If you run a site with no third-party JavaScript or iframes, and you know you will never add them: you should technically be good, just don’t put any third-party JavaScript or iframes on it. (That includes embedded Twitter tweets, embedded YouTube videos, Imgur photo widgets, third-party fonts, all that stuff.)

  • If your site has third-party JavaScript or iframes, or someone might add one in the future: Check your Permissions-Policy HTTP header to make sure it includes browsing-topics=(). As I write this, a good header is:

Permissions-Policy "accelerometer=(),autoplay=(),browsing-topics=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"

See permissions-policy.conf in the h5bp project. If your site requires some of these permissions in order to work, you can always turn some of them back on. More info in the Permissions Policy article on MDN.

For WordPress sites

The WordPress plugin Disable Topics API by Roy Tanck will set the Permissions-Policy header for you.