

Daring Fireball: Cookies and Privacy - rkudeshi
http://daringfireball.net/2012/02/cookies_and_privacy

======
bstar77
I was unaware of those optional cookie settings. When I read that second
paragraph I almost left the article to make the privacy change before I
realized that I was already using Safari.

I can almost guarantee that, if asked, most users would request that their
browsing not be tracked by some ad company you have no knowledge of. An
interesting case where Apple's policy is far more reasonable than Google's.

~~~
armandososa

> I can almost guarantee that, if asked, most users would request that their
> browsing not be tracked by some ad company you have no knowledge of.

I think that depends on how you frame the issue. "Do you want to have your
privacy invaded by evil marketing companies?" vs. "Would you help Google to
know you better, so it can serve you better ads?"

For me, ads are a necessary evil because I don't want to ever pay for every
content I consume on the internet. So, if third party cookies are used to
serve me better ads, ads that actually interest me, then I'm all for it.

Just this past week I finally decided to move my blog from Dreamhost to a
Managed WP Hosting company, and it was all because of their ads following me
all over the internet. I'm thankful to Google that it showed me those ads and
not something about beer or hip-hop music or macrame or whatever I don't care
for.

~~~
megablast
Exactly. Having spoken a lot about these issues to regular people, I would bet
most people would give up privacy for better ads. Just as most people would
give up privacy for a safer world.

~~~
batista
What are better ads? If I want something specific to buy, I can search 1000
million places on the web and find it with unprecedented ease. So why do I need
"ads" at all? (and much less "better ads").

Plus, if I searched Google or visited sites for "depression", "dildos",
"flatulence problems", "David Hasselhoff CDs", "weight loss", "quit your job"
etc, I sure as hell WOULDN'T want to see "better ads" targeting me for such
topics --especially when I'm browsing with other people around me.

~~~
robfig
Better ads are ads with higher click-through rates, which provides more
dollars for the site whose content you are freely consuming.

Higher click through rates come from a better match between the user's
interests and what the ad is offering. It is good for the advertiser (since
they get more customers), and the site (since they get more ad revenue), and
the user (since they see relevant ads instead of garbage).

~~~
batista
_Better ads are ads with higher click-through rates, which provides more
dollars for the site whose content you are freely consuming._

Well, I'd happily pay to get rid of the ads, given the chance.

_Higher click through rates come from a better match between the user's
interests and what the ad is offering. It is good for the advertiser (since
they get more customers), and the site (since they get more ad revenue), and
the user (since they see relevant ads instead of garbage)._

It sure as hell isn't good for me. I don't want to see "relevant ads".

For one, they are just there to make me spend more.

And second, as I said above, I ABHOR relevant ads shown when I browse,
especially with other people around, that can guess that all those "adult
diaper" ads I'm being shown have something to do with what I was searching for
in private.

------
rkudeshi
I realize it's an ad hominem, but I'm surprised Gruber didn't further
emphasize the fact that Battelle runs an ad network. Of course it's in his
best interest to be able to set 3rd-party cookies. Understanding that puts
Battelle's argument in a different light.

Given that Mozilla claims they "fight for the users," is there a reason
Firefox doesn't also default to only allowing first-party cookies? (Perhaps it
has something to do with the massive deal with Google that represents 90% of
their revenues?)

~~~
ootachi
There is an article on how to do it:
[http://support.mozilla.org/en-US/kb/Disabling%20third%20part...](http://support.mozilla.org/en-US/kb/Disabling%20third%20party%20cookies)

It mentions: "Some websites (e.g. Microsoft's Hotmail, MSN, and Windows Live
Mail webmail) use third-party cookies for purposes that are not necessarily
privacy concerns, and disabling third-party cookies may cause problems with
those sites."

That's probably the reason.

~~~
shhantaram
Google, who is Mozilla's 90% income, is not mentioned, but MS is the example
to make them look bad... sleazy at best

~~~
icebraining
Have you read it? They're saying that some websites use them for purposes that
are not privacy concerns. As long as Google doesn't do this - by which I mean,
as long as they _only_ use third-party cookies for tracking - they're
irrelevant, because Mozilla would shut them down anyway.

It's only sleazy if you see it as an attack and not a simple explanation.

------
toddmorey
What bothers me here is that Google broke a contract. Since there is no way to
determine between people who intentionally set that preference and those who
are just using the default settings, I guess they consider us "collateral
damage."

They could have gone public with the issue. They could have alerted users and
given them the option to change the defaults. They could have found some
interesting ways to make allowing 3rd-party cookies more advantageous to the
consumer.

Instead, they coded a hack to intentionally ignore your privacy settings.
Maybe it's not a huge action, but I can't hold that action in my head together
with the mantra of "do no evil." I just can't. And I'm truly saddened by that.

~~~
jdp23
Excellent point. I don't think they realize how much actions like this erode
people's trust.

------
ghshephard
I agree with Gruber here, in that most people, if randomly sampled, would
prefer only the sites they are explicitly visiting, track them - and not some
underlying ad-network that just happened to appear on the web page.

That is - I might visit nyt.com, and have no problem having them tracking who I
am, (I.E. that I have a subscription and can see more than 20 articles /
month) - but I would prefer that the underlying advertisers not be able to
track me from site to site just because they happen to be one of the
advertisers on nyt.com (and whatever other web pages I visit - eventually they
would start to build a pretty significant profile around me)

It may be the case that there are some legitimate (and useful) cases where
third-party cookies are useful - but, if that's the case, I'd rather
_explicitly_ allow that use, rather than have it allowed by default.

Hard to imagine very many people who would prefer the third-party tracking by
default - and I vote for inconveniencing that small group of people, in order
to protect the privacy of the much larger group who don't even know what a
"cookie" is or how it works.

------
Sander_Marechal
Good story, but there's one thing missing: Safari on iOS does not block 3rd
party cookies by default. It blocks them until you interact with a 3rd party
element on the site. Then it accepts them. And Google exploited that by faking
an interaction with a 3rd party element.

This "3rd party cookie only on interaction" is a setting that most desktop
browsers don't have. You can either accept or deny 3rd party cookies. So, in
that regard Safari on iOS _is_ different than the rest. But I'd argue that
it's a very sane default setting and I hope that normal browsers everywhere
start adding this setting too. I'd use it!

------
zeppelin_7
Gruber makes an assumption that the only thing that third party cookies are
used for is ad networks and tracking. A whole bunch of common (especially the
new social tools) you use rely on third party cookies.

It's not 3rd party cookies to blame, it's their use. There are legitimate uses
for third party cookies. If I care about blocking ad networks, I use an ad
blocker. I just don't go ahead and limit the functionality that these cookies
offer.

~~~
elithrar
> Gruber makes an assumption that the only thing that third party cookies are
> used for is ad networks and tracking.

I think it'd be more fair to say that this particular use-case is the one that
he's emphasising. And, in the context of privacy, it's the one that regular
users are going to care about the most.

> If I care about blocking ad networks, I use an ad blocker. I just don't go
> ahead and limit the functionality that these cookies offer.

That might work for you, as an individual, but Apple couldn't do it without
copping a _lot_ of flak. Imagine if they suddenly blocked ads by default—the
web would go crazy.

I would posit a guess that there are more sites out there that need ad revenue
to survive than there are sites that need third-party cookies to survive.

~~~
zeppelin_7
More people want their FB likes than you know. If you don't want, you should
not start generalizing that the mass population doesn't. Also, half your
favorite sites will disappear without those evil ad networks. A large number
of people choose ad driven products than subscribing/paying for a service.

~~~
ugh
Why do you think ad networks can’t survive without targeting? Missing third
party cookies doesn’t even mean that all targeting is impossible.

------
nivloc
I had a pretty embarrassing meeting after opening a blog in Safari plastered
with lingerie ads during a presentation. Near as I can tell, my wife opened
mail from them in GMail and that was enough association to serve the ad.

So, who is to blame? The ad service for serving something inappropriate, my
browser for having a bad default privacy setting, or myself for not changing
the privacy setting and lending my wife the laptop to check her email?

No more 3rd party cookies for me. It's rather shameful that these ad networks
have seen fit to work around a sensible default. It's worth a mention that
this isn't new - flash cookies have been a workaround for ages.

~~~
nextparadigms
Would you prefer they had absolutely no knowledge about you, and they just
randomly showed you lingerie ads? Because that's going to happen in a future
where the ad networks can't track the user at all anymore. Totally random ads.

~~~
Steko
I think what most people would prefer is that faceless ad companies not have a
list of all the porn sites they've visited along with whatever real world info
they could gather on me sitting in plaintext on some unpatched server in
Cutrateistan.

I'm pretty sure you want that too but please continue with this utopian straw
man about how this is only about better ads.

------
tintin
They don't need cookies to track you when your browser footprint is unique
enough (<http://panopticlick.eff.org/>). So you still need a tool like
Ghostery (<http://www.ghostery.com/>) to disable the snippets that can track
you.

But then again: when everybody is blocking Google and Facebook, how would they
earn their money?

~~~
AllenKids
Well by then those dinosaurs just have to abandon their outdated business
model and innovate.

Just like we keep telling the MPAA/RIAA to do.

I'm only half joking.

~~~
kemiller
It's no joke at all. They're no more entitled to their gravy train than
Hollywood is.

------
ghshephard
Can anybody name a specific situation in which they've been inconvenienced by
not allowing third-party cookies? I've always had them turned off, and I don't
think I've ever not been able to do everything I've wanted to. I realize that
this is a hassle for people like facebook/google, who want to be able to track
us as we move from site-site, but I'm wondering how often it negatively
impacts the individual user?

~~~
Steko
I don't think it's universal but I've been on sites where I've been forced to
enable it to use their commenting platform (can't recall if disqus or
intensedebate).

It's either no longer a problem or depends on a site's implementation though
because I've used both platforms without 3rd party cookies recently.

------
nl
_> In short, Apple’s mobile version of Safari broke with common web practice,
and as a result, it broke Google’s normal approach to engaging with consumers.

I’d have used “tracking” in place of “engaging with”, but that’s semantics_

Actually, it does break Google's way of engaging with consumers. +1 buttons
(as well as Facebook Like, Disqus comments etc) require 3rd party cookies.

~~~
erichocean
Actually, no it doesn't, because people only need to see those buttons _if
they already have a relationship with the service in question_.

Example: I don't have a Google+ account, so I don't need to see the +1 button.
If you have a Google+ account, you would have a cookie, and thus be able to
see the +1 button.

------
abruzzi
In need of more emphasis is the fact that while many have received these
cookie settings unaware and may prefer wide open settings, Google and others
have no way to discern the difference between those users and those that
legitimately want to opt out.

------
Nitramp
An interesting problem about 3rd party cookies is this: Google offers users to
control their privacy settings using the Ad Preferences Manager
(<http://www.google.com/ads/preferences/>). Now if a user has 3rd party
cookies disabled, Google does not know the user, and thus cannot apply her
preferences.

An alternative solution on the browser side (and I think I saw this before
somewhere) would be to only send cookies to a 3rd party site if the user has
visited that site 1st party style before; i.e. don't accept 3rd party cookies
if they are new. That's a pretty weak signal in the case of Google (who
doesn't visit that page?), but at least for many other websites it could
improve the status quo ante. If I've never visited some ad network's site,
they should probably not be able to track me. Ads could then display inline a
"Customize Ads" link that allows users to opt in to targeted advertisement.

"User has visited 3rd party host somewhen" is probably too bad a signal. We'd
need something like "User wants to use 3rd party website". That's probably not
possible to build with the tools we currently have.

~~~
Nitramp
Downvote but no reply?
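
The two browser-side policies described in this thread (third-party cookies accepted only after interaction, as Sander_Marechal describes it, and Nitramp's "only if visited first party before"), modelled next to allow-all and block-all. This is an added example, not code from any commenter or browser; the `.example` hosts, the browsing session and the two-label `site()` shortcut are assumptions.

```javascript
// Added illustration: toy model of third-party cookie policies (constructed hosts).
// Assumption: a "site" is the last two host labels. Real browsers use
// the Public Suffix List to find the registrable domain.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Each policy answers: may site `s` use cookies in a third-party context?
const POLICIES = {
  "allow-all": () => true,
  "block-third-party": () => false,
  // Blocked until the user interacts with that party's embedded content.
  "after-interaction": (b, s) => b.interacted.has(s),
  // Allowed only if the user has visited the site as a top-level page.
  "visited-first-party": (b, s) => b.visitedFirstParty.has(s),
};

class Browser {
  constructor(policy) {
    this.allows = POLICIES[policy];
    this.visitedFirstParty = new Set();
    this.interacted = new Set();
    this.jar = new Map(); // site -> identifier cookie
  }

  // Load a page; returns { site: id or null } as seen by each site's server.
  visit(topHost, embeddedHosts = []) {
    const top = site(topHost);
    this.visitedFirstParty.add(top);
    const seen = {};
    for (const host of [topHost, ...embeddedHosts]) {
      const s = site(host);
      const ok = s === top || this.allows(this, s);
      if (ok && !this.jar.has(s)) this.jar.set(s, `id-${this.jar.size + 1}`);
      seen[s] = ok ? this.jar.get(s) : null;
    }
    return seen;
  }
  // Record a genuine user interaction with embedded content from `host`.
  interact(host) { this.interacted.add(site(host)); }
}

// Constructed session: three news sites embed the same ad host.
// Returns the identifier the ad network saw on each page load.
function adNetworkView(policy, { visitAdSiteFirst = false, interact = false } = {}) {
  const b = new Browser(policy);
  if (visitAdSiteFirst) b.visit("www.ads.example");
  const ids = [b.visit("news-a.example", ["cdn.ads.example"])["ads.example"]];
  if (interact) b.interact("cdn.ads.example");
  for (const top of ["news-b.example", "news-c.example"]) {
    ids.push(b.visit(top, ["cdn.ads.example"])["ads.example"]);
  }
  return ids;
}

// True when the ad network can link two or more page loads to one id.
function linkable(ids) {
  const set = ids.filter((id) => id !== null);
  return set.length >= 2 && new Set(set).size === 1;
}
```

Under "visited-first-party" the ad network links page loads only when the session includes a top-level visit to its own site, which is the weakness Nitramp notes for a site almost everyone visits.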

------
cpeterso
What might Google do if Mozilla bundled the Ghostery privacy extension with
Firefox? Or even AdBlock Plus? Google would still receive search referrals
from Firefox, but tracking Firefox users across the web would be more
difficult.

"Don't want to be tracked by advertisers? Use Firefox, not that browser built
by the web's largest advertising network."

------
stuntmouse
Is there a clear guide to only allowing "first party" cookies using Chrome?

~~~
sjs
1\. Open your Chrome preferences

2\. Select Under the hood on the left

3\. Hit the Content Settings button at the top under Privacy

<http://i.imgur.com/KMynO.png>

4\. Check the box labeled Block third-party cookies and site data.

<http://i.imgur.com/s6tG6.png>

~~~
hcmeier
Edit:

The reason for the cookies is this plugin:
[https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecamp...](https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe)

\---

Maybe you can help me: I have the same preferences but there are some strange
cookies I can't delete.

My Preferences: <http://cl.ly/EW0B>

My current cookies: <http://cl.ly/EWuU>

After I clicked on "Remove All": <http://cl.ly/EX96>

When I now restart Chrome (without visiting any sites and about:blank as start
page) all cookies are back: <http://cl.ly/EWBr>

Any idea what could be causing this?

------
tatsuke95
Gruber on Google's cookies:

_"I’d have used “tracking” in place of “engaging with”, but that’s
semantics."_

_"Sounds wrong, or is wrong?"_

Gruber on Apple's storage of GPS data:

_"[It's] either due to a bug or, more likely, an oversight."_

I don't mean to rip on the guy directly. Gruber's a competent writer, and in
the technology world, that's rare. But I don't understand why his opinion on
Google's cookie debacle is "news" when his agenda is so obvious; what Apple
does is good, what Google does is bad.

~~~
ghshephard
I think in this situation, it's a question of intent. I don't think anyone has
suggested that Apple was trying to do anything other than make it easy for you
to acquire GPS lock by saving your location information, and the long backup
history was an oversight. In the case of Google bypassing your browser
security - it was clearly not a case of oversight - they went to a lot of
effort to deliberately override the browser intent.

One was an error of incompetence, the other was willful.

------
numair
We have a major problem in this industry with bloggers and journalists
collecting an indirect paycheck from large corporations. Here we have Gruber,
who collects an indirect paycheck from Apple (Apple's provision of indirect
access to inside knowledge drives traffic and authority to Gruber's blog),
squaring off against Battelle, who collects an indirect paycheck from Google
(Gruber wrote a book that was an overly-positive history of the company -- for
which he collected both an advance and ongoing royalties, and he relies upon
its executives as guests for his expensive conference).

We can see the practical problems with this situation in that Gruber cannot
come out and say the plain truth -- that Battelle's opinion is absurd, and
only furthers the case to look at him as a Google shill. Apple's default
privacy settings on Safari are to be commended; they are part of why I always
suggest Safari as the best option for a WebKit-based browser, regardless of
Chrome's bells and whistles. Google's actions in this area cannot be defended
by any sane person -- they are clearly subversive, and the notion that Google
"knows what's best for consumers who simply didn't know better" is utterly
Microsoft-Circa-1990s Evil (with a capital E! This was the whole argument for
bundling Internet Explorer, among other things).

~~~
ghshephard
By "Inside Knowledge" I presume you mean the 1-week advance review of OS X
Mountain Lion. Providing Journalists with advance information under embargo is
common in pretty much every industry (Automobile Industry, Camera Industry) -
it lets them write their articles so they are ready for release at the same
time. The WSJ, NYT, and other outlets all got the same treatment.

I don't believe Gruber has ever written a book.

99% of Gruber's articles are just him providing a (somewhat snarky) view on
the industry - it's pretty rare for him to write an article that has any
inside knowledge - My guess is that it's less than 1 in 100.

He's been pretty enthusiastic regarding Metro/WP7 recently - as those products
appeal to his design aesthetic. I suspect that if Microsoft continues to
execute well, that Gruber will be seen as a Microsoft/Apple Design elitist in
years to come.

~~~
numair
I agree with you -- just presenting a balanced view of the motivations driving
both bloggers' posts. Gruber has far less to gain, as Apple isn't going to
provide employees for Gruber to interview for a book/conference.

