
Building a more private web: A path towards making third party cookies obsolete - eh78ssxv2f
https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
======
negus
Yes this will have a great negative impact for Google's adtech competitors who
unlike Google do not have other means to spy on users such as Chrome, search
engine, Accelerated Mobile Pages, Gmail, voice assistant and so on.

But Google really has no choice here due to aggressive campaign by Mozilla,
Apple and Microsoft who boast with their Intelligent Tracking Prevention (
[https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/](https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/)
) implementation blaming Google as a company which does not
value users' privacy. Google would lose privacy-conscious users otherwise.

But it is clear for me how all this anti-thirdparty cookies situation will go
further: server side third party ad trackers -- this will bypass Same Origin
Policy and will pose a privacy and security threat for users and websites even
more than today's third party frontend ad trackers.

~~~
air7
The issue with server side 3rd party ads is that the advertiser has no way to
assure the impressions are real.

~~~
kerkeslager
From the advertiser's perspective, that's a problem.

From my perspective, good. Advertising is toxic even when it's not invading my
privacy, and maybe if we make it less effective people will do less of it.

~~~
lubujackson
Reality leans the other way. What will likely happen is that sites that used
to make 100k a year from ads see their revenue drop to 70k then 50k then 30k.
To stay afloat they plaster more and worse ads in order to survive.

This is exactly what happened during the first dot com crash when we went from
$35 CPM banner ads to $1. Suddenly, ads were slathered on every page or
websites simply disappeared. What we really need is a deal that works well for
all three parties: advertisers, consumers and content providers. Google
Adsense was this perfect solution for a while (until it got optimized to max
profitability).

Maybe online advertising is like social networks and can only enjoy brief
moments of relative balance before the cycle starts anew.

~~~
bryan_w
People easily forget the days of punch the monkey and x10 ads

~~~
stubish
Did those companies go out of business? An ad company in its death throes is
going to be annoying right up until someone puts it out of its misery.

------
zpeti
I think this is an easy move for Google, it's a "strategy credit" as Ben
Thompson would put it.

Google already knows most of what it needs about you, and it will in the
future from searches. It has no motivation to allow 3rd parties to help in
tracking visitors. This way it can build a moat around its business while
pretending to care about privacy. It's bullshit.

~~~
wtetzner
Google's reason for wanting this is bullshit, but that doesn't mean it
wouldn't be a beneficial move in general.

~~~
ocdtrekkie
The beneficial move would be for Chrome to accept the industry-standard choice
of letting users easily block all tracking and fingerprinting... including
Google's.

But that wouldn't be good for Google. This is the exact reason an ad company
should not be allowed to own a web browser.

~~~
IAmEveryone
But... they are going to not just allow users, but per default, block 3rd
party cookies?

Edit: comment was either edited, or I’m going senile. In any case: Chrome does
allow blocking all cookies as well, and has from the first release.
Fingerprinting isn’t easily avoided, but they have taken some steps to make it
harder.

~~~
ocdtrekkie
It's edited, sorry! I felt it was important to clarify that the general
Privacy Sandbox concept they are promoting is designed and built around
allowing data collection about users that can be used for ad targeting,
whether it utilizes third party cookies explicitly or not.

Note that blocking all cookies breaks the web, blocking third party cookies
breaks adtech. It's important to note that even if Chrome has supported the
former, it has resisted implementing the latter.

Meanwhile, Firefox, Edge, and Safari have chosen to implement tracking
prevention, which has the goal of preventing any ad targeting towards a given
user.

------
amluto
> By undermining the business model of many ad-supported websites, blunt
> approaches to cookies encourage the use of opaque techniques ...

This is disingenuous. Reducing tracking does _not_ undermine websites. It
undermines advertisers that depend on tracking. If tracking stopped,
advertisers would target something else (e.g. content or coarse location) and
roughly the same amount of money would go to websites. Google’s privileged
position would be a lot less inherently valuable, though.

------
hurricanetc
> By undermining the business model of many ad-supported websites, blunt
> approaches to cookies encourage the use of opaque techniques such as
> fingerprinting (an invasive workaround to replace cookies), which can actually
> reduce user privacy and control.

Sure. So how about we block fingerprinting? Oh waaaaaait I see. What you
actually want is your privacy invading business model to not be impacted.

Why are sites able to ascertain the type of browser, operating system, OS
version, webkit version, Safari version, time zone, language, platform,
vendor, screen dimensions, plugins, etc.?

This shit should be as locked down as location, web cam, and microphone. Block
all of it.

~~~
notsureifreal
You'll end up trying to read a news article in a foreign language, that looks
like a mobile website, has 1000px headline and can't be navigated because some
of the functionality is broken.

~~~
hurricanetc
Nonsense. You can write a perfectly modern and beautiful site without any JS
at all.

------
phelm
I have disabled 3rd party cookies in my browser for about a year now. My
experience has been fine, I have had very few issues with things that I care
about, no whitelist and not had to re-enable them yet.

~~~
driverdan
I've been blocking 3rd party cookies for many years. It doesn't cause any
issues for 99.9% of sites. I think I've encountered less than 10 and I
whitelisted the ones I needed.

~~~
reaperducer
Same here. Web sites that block content because of a lack of third-party
cookie support are pretty rare. I ran into one last week and was so surprised
by the message it took me a few seconds to realize what was happening.

------
Despegar
> Users are demanding greater privacy--including transparency, choice and
> control over how their data is used--and it’s clear the web ecosystem needs
> to evolve to meet these increasing demands. Some browsers have reacted to
> these concerns by blocking third-party cookies, but we believe this has
> unintended consequences that can negatively impact both users and the web
> ecosystem. By undermining the business model of many ad-supported websites,
> blunt approaches to cookies encourage the use of opaque techniques such as
> fingerprinting (an invasive workaround to replace cookies), which can
> actually reduce user privacy and control. We believe that we as a community
> can, and must, do better.

The Webkit team already proposed a privacy-preserving way to do ad click
attribution [1]. I'm guessing that was too private and Privacy Sandbox works
better for Google.

[1] [https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/](https://webkit.org/blog/8943/privacy-preserving-ad-click-attribution-for-the-web/)

------
jszymborski
In the past Chrome has played fast and loose with standards and features,
which was fine for them since Firefox and friends needed to adopt them lest
they widen the "Only works on Chrom(e/ium)" gap.

I wonder how removing a feature might go, however. The answer is "probably
well because Chrome has overwhelming market share", but I do wonder if,
between AMP and "no URLs" and no 3rd party cookies, if there's room for a
small but growing "it just works how I'd expect it to on Firefox" contingent
to spring up...

~~~
unlinked_dll
"only works in chrome" == "not going to use" for me and any company/team
where I have influence over software dependencies/tools. Same goes for "only
works on one target" software in general though, usually means something is
under tested.

------
jotto
This will break a lot of auth0 jwt/login default integrations since it depends
on 3rd party cookies.

~~~
marcosdumay
This. Mozilla got the right tactics by making them session lived by default.
Completely banning them will only break stuff.

------
jka
There's a short summary of some of the features proposed for the Privacy
Sandbox here -
[https://blog.chromium.org/2019/08/potential-uses-for-privacy-sandbox.html](https://blog.chromium.org/2019/08/potential-uses-for-privacy-sandbox.html)

------
markosaric
This will hurt the ad-tech businesses and websites/publishers who rely on
third-party ads/targeting much more than it will hurt Google (and Facebook).

Still, Google's revenue on third-party site ads was $6.4bn in Q3 of 2019 out
of the $40.5bn in total revenue so it could be felt a bit there too.

I fear that it all will move to first-party tracking though which will be so
much more difficult to block and so much more dangerous in terms of security.

------
rafaelturk
Hard to read this and extract facts. My sense is that this article is
intentionally vague.

~~~
Ajedi32
Tl;Dr:

> [...] we plan to phase out support for third-party cookies in Chrome. Our
> intention is to do this within two years [...]

As for what they're replacing them with, sounds like they don't quite know
yet. They seem to still be in the requirements gathering phase:
[https://github.com/w3c/web-advertising](https://github.com/w3c/web-advertising)

~~~
bilekas
Browser storage just to name one, cookies are really not too important.

With WebAssembly now.. And your company being one of _the_ leading browsers..
The cookie transport looks like pigeon mail.

~~~
Ajedi32
They're not getting rid of cookies; just third-party cookies.

------
apeace
If anyone from Google is reading this, the new SameSite policies coming to
Chrome 80 are breaking "Login with Google" functionality. I opened an issue
here:
[https://github.com/google/google-api-javascript-client/issues/592](https://github.com/google/google-api-javascript-client/issues/592)
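
An added illustration of the Chrome 80 SameSite behaviour mentioned in the comment above; it is not code from the thread or from Google. It models when a cookie accompanies a cross-site request, using constructed cookie values and ignoring Chrome's temporary exception for recently set cookies on top-level POSTs.

```javascript
// Added example. Cookie names/values are constructed, not from the thread.

// Parse one Set-Cookie header value into { name, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Effective policy under the Chrome 80 defaults:
//  - SameSite=None is honoured only together with Secure, else the cookie is rejected
//  - a missing attribute is treated as Lax
//  - this model also treats an unrecognised value as Lax (assumption)
function effectivePolicy(cookie) {
  if (cookie.sameSite === "none") return cookie.secure ? "none" : "rejected";
  if (cookie.sameSite === "strict") return "strict";
  return "lax";
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// request: { crossSite, topLevelNavigation, method }
// An iframe or XHR/fetch to another site is crossSite && !topLevelNavigation.
function isSent(setCookieHeader, request) {
  const policy = effectivePolicy(parseSetCookie(setCookieHeader));
  if (policy === "rejected") return false;   // never stored at all
  if (!request.crossSite) return true;       // first-party context
  if (policy === "none") return true;        // explicit third-party opt-in
  if (policy === "strict") return false;
  // Lax: only cross-site top-level navigations using a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
}

// Walk a login-widget scenario: the identity provider's session cookie is
// needed inside an iframe embedded on another site.
function demo() {
  const legacy = "idp_session=CONSTRUCTED; Path=/; HttpOnly";
  const optIn = "idp_session=CONSTRUCTED; Path=/; HttpOnly; Secure; SameSite=None";
  const iframe = { crossSite: true, topLevelNavigation: false, method: "GET" };
  const redirect = { crossSite: true, topLevelNavigation: true, method: "GET" };
  return {
    legacyInIframe: isSent(legacy, iframe),     // false: defaulted to Lax
    optInInIframe: isSent(optIn, iframe),       // true
    legacyOnRedirect: isSent(legacy, redirect), // true: full-page redirect
  };
}
```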

------
pc2g4d
The arms race moves to its next phase.

I'm not sure this will accomplish much as it's not that hard to serve things
from one's own domain. More work for the tracking company to get things set
up, I suppose, but harder to detect once established.

------
ryanmccullagh
So now ad companies will just require a CNAME entry in the website's DNS
record.

~~~
ma2rten
And how do they link these between different websites?

~~~
wizzwizz4
Server-side magic – fingerprinting, behavioural detection, referer GET stubs,
etc. It's not all that difficult, though it _is_ harder.

------
Tepix
For privacy conscious users who have blocked third party cookies for years,
this may make evading tracking ever more complicated.

My guess is we will need custom GreaseMonkey scripts that prevent parameters
from being appended to URLs so when you click on a link to another site it
will not pass tracking information. Generally whenever a tracking network
changes these parameters the Greasemonkey scripts will have to be updated
whereas in the past you could just block the third party cookies and avoid a
lot of the tracking.
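
A sketch of the kind of userscript the comment above describes, added here as an example and not written by the commenter. The parameter names are an assumed list of commonly seen tracking parameters, which is exactly the part that would need updating over time.

```javascript
// Added example. The lists below are assumptions (commonly seen names) and
// must be maintained by hand as tracking networks change their parameters.
const TRACKING_EXACT = new Set(["fbclid", "gclid", "msclkid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];

function isTrackingParam(name) {
  const n = name.toLowerCase();
  return TRACKING_EXACT.has(n) || TRACKING_PREFIXES.some((p) => n.startsWith(p));
}

// Returns { url, removed }. Relative links are resolved against `base`.
// Links that are not http(s), or that cannot be parsed, are returned untouched.
// Note: remaining parameters are re-serialised by URLSearchParams.
function stripTracking(href, base) {
  let u;
  try {
    u = new URL(href, base);
  } catch {
    return { url: href, removed: [] };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { url: href, removed: [] };
  }
  const removed = [...new Set([...u.searchParams.keys()].filter(isTrackingParam))];
  removed.forEach((name) => u.searchParams.delete(name));
  return { url: removed.length ? u.toString() : href, removed };
}

// In a browser (userscript context), rewrite links just before they are followed.
// Skipped when run outside a page, e.g. under Node.
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const a = ev.target.closest && ev.target.closest("a[href]");
    if (!a) return;
    const { url, removed } = stripTracking(a.getAttribute("href"), document.baseURI);
    if (removed.length) a.href = url;
  }, true); // capture phase, so the rewrite happens before navigation
}
```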

------
bilekas
There have been articles recently which are claiming the value of those
cookies are not as valuable as before because the majority of them are
avoided/altered to obfuscate to the requester.

So I see this as a: 'Hey we got in before everyone and stopped using cookies
first' — When in reality, they're becoming less of a valuable commodity.

I'll be very happy when companies stop storing excess info in their own
storage.

Until then, no round of applause from me.

~~~
ragebol
> _I'll nurse a semi_

What? Care to explain for a non-native speaker / non-US based reader?

~~~
bilekas
Updated, as a non native speaker, it's really not an expression you _should_
learn!

~~~
IAmEveryone
It’s sexual, and therefore probably not a good expression to _use_ unless you
know what you are doing.

But it’s a somewhat eloquent term, in a way.

(It refers to getting sexually aroused, but only mildly)

------
EGreg
What about single-sign-on stuff? What about iframe widgets where you are
logged in?? Will there be a way to choose to keep being logged in, in iOS and
Android? Or will everything become stateless and dumb?

~~~
unilynx
They can use redirect flows and POST back to the page you’re logging in to. It
will be fine for most Auth flows (but not eg SAML passive logins)

~~~
ma2rten
Why can't they do this for ads?

------
awinter-py
a large chunk of G's business is first-party ads, i.e. in their own SERP vs on
someone else's inventory

interesting to see if that's the future. certainly anyone with substantial
inventory has experimented with this (NYT for example) because they suspect
they're getting cheated by G/FB

------
driverdan
This is so two-faced. This is the key line:

> Once these approaches have addressed the needs of users, publishers, and
> advertisers, and we have developed the tools to mitigate workarounds…

A browser vendor that cared about its users would make a browser for them, not
publishers or advertisers. It would block all tracking garbage by default.

Just admit it Justin, the real Chrome customers are advertisers. You don't
actually give a shit about users if it interferes with ad dollars.

Edit: I left out this good quote

> Some ideas include new approaches to ensure that ads continue to be relevant
> for users

More user-hostile advertiser appeasement.

~~~
negus
It is not that easy.

Consider Mozilla, the privacy maniacs. Even they let proprietary and intrusive
DRM plugin inside, though it totally contradicts FOSS approach
[https://news.ycombinator.com/item?id=7746585](https://news.ycombinator.com/item?id=7746585)

This is life -- you have to take other parties' interests into account or you
will be buried.

Start blocking all tracking garbage by default and sites will ban your users,
forcing them to choose another product.

Speaking about Google: when you're (unlike Apple) making most of your revenue
from ads, any hostile action to ad industry will be considered hypocrisy and
unfair competition

~~~
CarelessExpert
Privacy and ethics around proprietary software, while obviously related (in
that open software is obviously more transparent), are largely orthogonal. You
can have closed/proprietary software that respects privacy (Apple), and you
can have open software that doesn't (Chrome).

This just smells of whataboutism.

As for your hypothesis that websites will start blocking browsers that ban
tracking and so forth, frankly, that remains to be seen, and my bet is we'd
never actually see that happen in practice. The optics are just too toxic.
Surveillance capitalism survives because people don't know it's happening.
Banning a browser like Firefox would call attention to an infrastructure and
ecosystem that those individuals don't want to talk about in public.

Edit: As an aside, if sites _did_ start banning privacy-conscious browsers
like Firefox, I'd just stop going to those sites. In that respect, I'd
actually perversely appreciate something like this: It'd finally make it
blatantly obvious who is and isn't collecting and profiting from data about me
and my actions online without my permission.

~~~
maccard
> As for your hypothesis that websites will start blocking browsers that ban
> tracking and so forth, frankly, that remains to be seen, and my bet is we'd
> never actually see that happen in practice.

The result of the GDPR regulations resulted in a moderate number of US
websites refusing access to EU residents rather than attempt to comply. I
think it's an entirely reasonable assumption that said sites would block a
browser which attempted a similar idea

~~~
CarelessExpert
As I said in my edit: I'm actually fine with that (though I stand by my
skepticism that it'd actually happen), as it's a clear and unambiguous signal
that tells me which sites respect my privacy and which ones don't.

~~~
not2b
California now has a law that is similar to the EU law in many ways, and other
states will soon, so those sites will soon have to block Americans as well,
based on where they live if they can determine it, and soon they'll have to
just give up and follow the law.

~~~
CarelessExpert
You're talking about CCPA, and I completely agree, GDPR-style privacy regimes
are clearly the way the regulatory world is moving. It's just a matter of time
at this point.

------
npx13
You care about users' privacy? Judging by how passive aggressively Google tries
to prevent us actually logging out of a Google Account, you are having a
laugh.

------
sub7
Good riddance. Unfortunately (almost) all our conversations - verbal and text
messaging - are being spied on to target us with ads right now.

Addressing anything else is like pissing in the ocean to change its colour.

------
Scarbutt
Looks like safari gave them no choice, so now they grab this as an opportunity
to say they want to do it too.

~~~
wnevets
Hasn't safari always defaulted to no 3rd party cookies?

~~~
ergothus
As I understand it:

No. Rather, Safari uses "Intelligent Tracking Prevention". This blocks SOME
(most?) 3rd Party cookies, but not all. For example, single sign on providers
will often use cookies, and they are often explicitly 3rd party. ITP tries to
let those through.

IIRC Safari can be set to block ALL 3rd party cookies, but it is not the
default setting.

SSO providers don't NEED cookies, they can do full page redirects to avoid
being 3rd party, but it does complicate matters, and the relationship between
you, a site, and a 3rd party identity provider you've presumably agreed to can
be a different beast than the tracking cookies that are the focus here, though
of course identity providers could always join the dark side as well.

------
exabrial
I believe they'll just be using the QUIC protocol and IPv6 to track users
instead.

~~~
exabrial
For the downvoters that don't believe me, go read Brave Browser's research
into this.

------
tboyd47
It's the classic regulatory capture move of pulling up the ladder behind you,
only they don't need regulators to do it.

What's more, Firefox is just an off-brand of Google to capture the "privacy
first" consumer market segment.

Doesn't mean I'm going to stop using Firefox, but it just helps to see the big
picture.

------
bilekas
Another reason why Google's concern here for our privacy is nonsense is if we
look here:

[https://webkit.org/tracking-prevention-policy/](https://webkit.org/tracking-prevention-policy/)

We can see, Google doesn't need to inform their Chrome users:

> A privileged third party is a party that has the potential to track the user
> across websites without their knowledge or consent because of special access
> built into the browser or operating system.

INOL but my understanding of this would put Google's Chrome into that bracket.
Potentially also Microsoft/Apple ?

