09 Jul 2023
Google Chrome ad features checklist
(Update 22 Dec 2024: add link to separate post on policy files)
(Update 21 Sep 2024: add link for turning off ad personalization for Google Accounts)
(Update 11 Jul 2024: add link for turning off ad tracking in Firefox)
(Update 2 Jan 2024: add Dark Visitors link)
For complicated reasons that you can read about in other places, Google Chrome is in the process of shipping a bunch of built-in advertising features, to enable a new variant of Real Time Bidding advertising inside the web browser. More info from noyb.eu: Google Chrome: Agree to ‘privacy feature’, but get tracking!
As a user, you’re probably better off with a browser from a company that isn’t incentivized or required to do any of this stuff. Besides the privacy and antitrust problems, in-browser ad features use your battery and bandwidth—one ad service reported a delay of 1500 milliseconds per ad. But sometimes a site is broken in other browsers, sometimes you need to test a site in multiple browsers, sometimes there is a company policy requiring a certain browser, or whatever. So, for your convenience (fine, mostly mine) here are notes and links for what to do about it.
Google’s in-browser ad features have been branded as Privacy
Sandbox,
but that’s a marketing name that applies to a lot of
projects. So far the Privacy Sandbox
options do not seem to
include any actual privacy features, so you can safely turn them off.
memo to self: update this blog post with details if
they come out with a Privacy Sandbox
feature that’s an actual
privacy feature you should leave turned on.
For all Google Chrome users
Turn off third-party cookies, under chrome://settings/cookies. Select
Block third-party cookies.
This setting makes Google Chrome’s behavior similar to that of other browsers, so shouldn’t break anything on the normal web. (Some corporate applications will break, so if you have those applications at your company or organization, you can share the links in the
desktop system administrators
section with your IT department and they can configure Google Chrome to do the right thing.)Below the third-party cookie setting, turn off
Allow related sites to see your activity in the group
(This is third-party tracking for sites that claim they’re related in some way—but thegroups
don’t get an independent check.)Go to the in-browser ad features, at chrome://settings/adPrivacy or chrome://settings/privacySandbox and turn off at least
Ad topics
which is the really problematic one, and any of the others you want to. This stuff is all new, and sites don’t depend on it, so you can safely turn it off without breaking anything.
For Google Account holders
If you have a Google Account for services like YouTube or Gmail, go
to https://myadcenter.google.com/home
and set Personalized Ads
to Off
. (This should cover
downstream processing of your data, not what happens in the
browser.)It’s not about the cookies or specific
tracking technologies. Personalized
advertising is unavoidably risky, and so-called
privacy-enhancing technologies just make it worse.
For Android users
Consumer Reports has an up to date set of instructions that should work across Android versions. See Workout 4 at CR Data Bootcamp
If you use an ad blocker or content blocker
If you choose to run an ad blocker or a content-blocking privacy extension, pick one that is honest and currently maintained.
Privacy Badger - Chrome Web Store A simple, effective privacy extension that blocks most web ads as a side effect.
uBlock Origin - Chrome Web Store A full-featured extension that blocks tracking, ads, and annoyances.
Please don’t recommend an ad blocker
to other people. When
people search for ad blockers on search engines or browser extension
directories, they’re likely to find malware, adware, scams, extensions
that block visible ads but not tracking, and extensions that participate
in a paid allow-listing scheme. If you recommend an extension, make sure
to give a specific name and link.
The functionality available to extensions in Google Chrome is being reduced, so running Google Chrome with an ad blocker does not look like a long-term solution. But either of the above two should work for now. (If you do switch browsers, be sure to turn off advertising features in Firefox.)
For command line users and desktop system administrators
You can install a managed policies file to make these settings apply to all profiles and users. See turning off browser ad features from the command line.
Some Intranet and SaaS applications still require third-party cookies. If you are setting this up for other users, test this option thoroughly, especially if you have web applications that are known to only work on Google Chrome.
The other in-browser ad features are new and nothing depends on them, so they can safely be turned off for everyone. It’s not just a privacy thing. The performance impact of running an entire in-browser ad stack, especially on older PCs, means that these settings are likely to extend desktop system life and reduce user complaints.
For web developers
Data on your web visitors can be collected using a third-party script. Some third-party scripts are already being extended to do this. Fortunately the fix is something that looks like a good idea anyway: setting Permissions-Policy.
If you run a site with no third-party JavaScript or iframes, and you know you will never add them: you should technically be good, just don’t put any third-party JavaScript or iframes on it. (That includes embedded Twitter tweets, embedded YouTube videos, Imgur photo widgets, third-party fonts, all that stuff.)
If your site has third-party JavaScript or iframes, or someone might add one in the future: Check your Permissions-Policy HTTP header to make sure it includes
browsing-topics=(). As I write this, a good header is:
Permissions-Policy "accelerometer=(),autoplay=(),browsing-topics=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"See permissions-policy.conf in the h5bp project. If your site requires some of these permissions in order to work, you can always turn some of them back on. More info in the Permissions Policy article on MDN.
For WordPress sites
The WordPress plugin Disable
Topics API by Roy Tanck will set the Permissions-Policy
header for you.