
Google Warns Against Blocking Cookies Entirely, Triggering Criticism - dominik
https://www.wsj.com/articles/google-warns-against-blocking-cookies-entirely-triggering-criticism-11566862905?mod=rsswn
======
lidHanteyk
I recall PHK's humble proposal for replacing cookies. Instead of the server
sending cookies to the browser, the browser sends an ED25519 key, a "Browser
Identity", to the server. Anything that the server wishes to personalize for
that identity can be encrypted with the identity's key. At the same time, the
browser user is free to choose whichever identity they like, including a
fresh/nonce identity.

~~~
SamReidHughes
Oh, the intent is to share the key across devices, right?

~~~
lidHanteyk
Right. The server knows a user by their identity key, not necessarily by the
device that the key is on. Since keys are lightweight, synchronizing them
across devices is akin to managing metadata.

Further, servers are free to keep private information on identities, with the
understanding that identities are so flimsy that any single identity profile
is not worth data-mining. This won't prevent tracking from truly big players,
like Google, AWS, or Cloudflare, but it greatly cuts down on their ability.

This reminds me of moot's concept of prismatic identity.

------
kbos87
Google wants to get out ahead of the shift in consumer sentiment on data
privacy and ad targeting. No doubt they only have their own best interests in
mind. They shouldn’t have a seat at the table when the legislation is being
written.

------
mark_l_watson
Does it really matter what Google wants?

I use laptops for coding and ML (one of my laptops has a 1070 GPU). I use
Firefox with containers, one for each major site (Twitter, Google properties,
HN, etc.). I only delete all cookies in Firefox about once a month - probably
not nearly often enough, even using containers.

I do most of my web browsing on an iPad Pro and I delete all cookies on Safari
very frequently.

I pay Google for Play Music, buy books and movies, and use GCP - that is
enough revenue for them, so I feel like they still make money from me. Twitter
makes money by showing me ads. Anyway, I feel just fine about frequently
nuking cookies.

~~~
papaf
_I only delete all cookies in Firefox about once a month - probably not nearly
often enough, even using containers._

I recommend Cookie auto delete if you haven't considered it before:
[https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

------
JMTQp8lwXL
List of installed plugins, screen size, IP, and User-Agent are probably far
more effective than cookies anyways.

------
gerash
The propaganda machine that is WSJ. I'm glad that I don't pay $300 / year for
that. Here is a quote from the article:

> Cookies are small text files stored in internet browsers that let companies
> follow users around the internet, gathering information such as which sites
> they visit and what ads they view or click.

Compare that to the definition from Wikipedia:

> An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or
> simply cookie) is a small piece of data sent from a website and stored on
> the user's computer by the user's web browser while the user is browsing.
> Cookies were designed to be a reliable mechanism for websites to remember
> stateful information (such as items added in the shopping cart in an online
> store) or to record the user's browsing activity (including clicking
> particular buttons, logging in, or ...

~~~
dimator
I don't see how the wsj quote is misleading or wrong.

It's a close enough approximation for laypersons reading a non-technical
newspaper. It's also a definition that's more closely aligned with the
article's subject.

~~~
gerash
I don't know about you but if I didn't know what Gluten was and an article
simply defined it as "Gluten is a protein that causes diseases such as celiac
disease" for its audience to further its argument I'd consider that misleading
and wouldn't trust the author anymore.

------
QuercusMax
Ah, what fantastic reporting. They don't bother to mention that cookies can be
used for things other than ad-tracking....

~~~
inetknght
A cookie (or any fingerprinting) shouldn't be necessary for a search query.
Yes, the results might be "less relevant". That's fine, acceptable, and even
_desired_.

~~~
QuercusMax
That's irrelevant. Cookies are used for tons of things besides search
personalization and "user tracking" (in the nefarious sense). Blocking all
cookies is throwing the baby out with the bathwater.

~~~
berbec
Blocking all third-party cookies would suit me just fine.

~~~
QuercusMax
Well that's a very different case from blocking _all_ cookies!

~~~
badrabbit
If you blocked all cookies, you can't establish a session on any sites at all.
If you can accept that, what's the problem with blocking them?

~~~
thekyle
If you can accept that you won't be able to login, buy stuff, or save settings
on websites, then I guess there is nothing wrong with blocking cookies.

~~~
yumraj
Why? Why can't I have the browser maintain an in-memory session that is reset
if the browser instance dies? When I login, the browser creates an in-memory
session that is used just as today for session identification purposes. The
only issue would be that if the browser crashes, or I close that window/tab,
I'll have to relogin, which I'm totally fine with.

Conceptually similar to using a private/incognito mode all the time?

Every problem has a solution.

~~~
danShumway
> Why can't I have the browser maintain an in-memory session that is reset if
> the browser instance dies?

But... you're describing 1st party cookies. You can already set Firefox to
delete all cookies whenever the browser is closed. It's not just that this
problem has a solution, the solution is already implemented and live today in
every major browser.

It's also not 'conceptually' similar to private/incognito mode, it literally
is private/incognito mode. Private mode is just Firefox storing all of your
session/cookie data in RAM so that it will get deleted when the browser
closes. The main difference is that private mode is more aggressive, because
it includes downloads/history in the deleted session, and takes extra steps to
make sure the data won't accidentally get cached even in temporary files.

The big reason browsers are getting more aggressive about 3rd-party cookies is
that they can be used to track you across domains even during browsing
sessions, so there's often a good reason to block known tracking cookies
outright. Additionally, most ordinary users want cookies to persist between
browser sessions, so to enable that behavior we have to be more creative about
figuring out which cookies are harmful -- then we can remove them even for
ordinary users. It turns out that blocking 3rd-party cookies can sometimes be
a useful way to filter "good" and "bad" session data.

But if you don't fall into that category of user, and you're OK with needing
to re-log into sites when you open the browser, then go wild. Switching to
temporary cookies will definitely help with your privacy, and Firefox even
includes ways for you to whitelist any sites where you do want cookies and
localstorage to be persistent.
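
How the session/persistent and first-/third-party distinctions discussed above show up in a Set-Cookie header, as an added example (not part of the thread and not any browser's code). The function names, hostnames and header values are constructed, and comparing the last two DNS labels is a simplification of the Public Suffix List check browsers use.

```javascript
// Added example; every hostname and header value here is constructed sample data.
// Assumption: "site" = last two DNS labels. Browsers use the Public Suffix List,
// so this shortcut is wrong for suffixes such as co.uk.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// lifetime: no Max-Age/Expires means a session cookie (kept only until the browser closes).
// party: compares the site that sent the header with the site in the address bar.
function classify(header, responseHost, pageHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  let expiresAt = null;
  if (/^-?\d+$/.test(String(attrs['max-age']))) {
    expiresAt = now + Number(attrs['max-age']) * 1000; // Max-Age takes precedence over Expires
  } else if (typeof attrs.expires === 'string' && !Number.isNaN(Date.parse(attrs.expires))) {
    expiresAt = Date.parse(attrs.expires);
  }
  const lifetime = expiresAt === null ? 'session' : expiresAt <= now ? 'expired' : 'persistent';
  const party = siteOf(responseHost) === siteOf(pageHost) ? 'first' : 'third';
  return { name, lifetime, party };
}

// Is the cookie still present after the browser is closed and reopened?
function survivesRestart(info, { blockThirdParty = false, clearOnClose = false } = {}) {
  if (info.lifetime !== 'persistent') return false;            // session or already expired
  if (blockThirdParty && info.party === 'third') return false; // never stored
  return !clearOnClose;                                        // "delete cookies on close" setting
}

const NOW = Date.UTC(2030, 0, 1); // fixed clock so the sample results are reproducible
const SAMPLES = [
  ['sid=abc123; Path=/; HttpOnly; Secure', 'shop.example', 'shop.example'],
  ['prefs=dark; Max-Age=31536000; Path=/', 'www.shop.example', 'shop.example'],
  ['uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure', 'ads.tracker.test', 'shop.example'],
  ['old=1; Max-Age=0', 'shop.example', 'shop.example'],
];
const classifyAll = () => SAMPLES.map(([h, from, page]) => classify(h, from, page, NOW));
console.log(classifyAll());
```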

~~~
yumraj
Fair enough.

