But Google really has no choice here due to aggressive campaign by Mozilla, Apple and Microsoft who boast with their Intelligent Tracking Prevention ( https://webkit.org/blog/8828/intelligent-tracking-prevention... ) implementation blaming Google as a company which does not value users privacy.
Google would lose privacy-conscious users otherwise.
But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.
It implies that other browser vendors (Mozilla, Safari/WebKit, new Edge) are in fact making the Web a more dangerous place.
I believe it's dangerous because it creates a harmful, unproductive PR narrative—people might just assume this is a true statement, without learning about both sides of the problem. I'm not trying to strip anyone of agency, I just don't think most of my friends would have time to research this topic and might decide to follow the main opinion instead.
The answer I'd like to hear: Yes, it does push some actors towards fingerprinting, but preventing fingerprinting should be dealt with regardless. Changes should happen both on legislative and browser-vendor level.
> But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.
Server-side as well as white-labelled (subdomain) integrations already exist. Lotame (DMP) has at least one product of this kind, afaik.
That said, Apple/Mozilla/etc know this and so they are simultaneously trying to make fingerprinting more difficult. If they were not, I would agree with Google's stance. But since they are, it is really more of a footnote.
You forgot to mention them abusing children and planing terror attacks.
No terror stuff, but plenty of anti-Semitic material.
This might very well be true for what I know, but the general idea that optional privacy leads to more hostile environments seems to have been conclusively destroyed by HN and certain other forums, especially when compared to Facebook.
FB is interesting in that you would think that it would inhibit all bad behavior since you are using a real name. But really, people don’t care quite so much. Much improved though! Well, except for the bots, hacked accounts, and bad actors.
From the standpoint of dealing with crap messages, there are no silver bullets. But there are tools. Not everyone knows how to snowshoe, so you can have a decent win with even simple blocks.
Same Origin Policy does not seem to provide any protection against DNS-based tracking.
For example, putting a series of links to resources in a page and making conclusions from the series of DNS requests made automatically by "modern" browsers like Chrome, Safari, Firefox, Edge, Opera, etc.^1,2
To be fair, this sort of tracking is arguably brittle, e.g., if user has auto-loading of images disabled or is not using a cache that randomises the ordering of IP addresses within a response packet like BIND.
It can also be easily avoided by user control over her client automatically making DNS requests for any resource^3 and user control over her own source of authoritative DNS data. For example, using a client that does not automatically load resources and using a local source of DNS data like a HOSTS file or a zone file served from a logging authoritative server on localhost like tinydns.
3. Not just images or third party scripts
Not very reliable when user disables it or uses client that does not support it.
HTTP headers are malleable yet I still see the big tech companies appearing to treat them as reliably identifying a program/device. A new user-agent string or set of HTTP headers is not necessarily a new program/device.
Arguably gun owners, strip clubs and porn magazines have fought for free speech more than facebook and google combined.
I am happy to willingly share my personal data with your advertisers if that helps you keep profitable (NYT, Reason, Cato, Vice, Pornhub etc.) you need to figure out how to achieve that without acting like jerks.
But these discussions will soon go into "how easy it should be to opt in?". Should it be a pop up like "allow location" or something more complex as enabling CORS.
From my perspective, good. Advertising is toxic even when it's not invading my privacy, and maybe if we make it less effective people will do less of it.
This is exactly what happened during the first dot com crash when we went from $35 CPM banner ads to $1. Suddenly, ads were slathered on every page or websites simply disappeared. What we really need is a deal that works well for all three parties: advertisers, consumers and content providers. Google Adsense was this perfect solution for a while (until it got optimized to max profitability).
Maybe online advertising is like social networks and can only enjoy brief moments of relative balance before the cycle starts anew.
I don't think such a thing actually exists. I mean, there is a way to do advertising that doesn't require spying on everybody -- contextual ads -- but advertisers seem to consider that a bad outcome, and instead are spending a lot of time and energy trying to figure out how to continue to spy on everybody.
The problem right now is that it's all mingled together.
Sure you can. "Use check-out code 'newspaper1' to get 5% off any purcahse!" or something.
1. Find out about content I want. Decide to pay for it. Pay for it. Receive content. A simple, fair transaction where everyone gets what they want with no bullshit.
2. Find out about content I want. Receive content, along with ads that spy on me, distract me from the content I actually cared about, and tell me my girlfriend isn't hot enough, my car isn't fast or luxurious enough, my house isn't big enough, my family isn't safe enough, etc. Under the barrage of this constant psychological attack, I'll occasionally fall for it and end up spending much more money on things that I don't need than I would have spent on the content. And yet the content that I actually cared about and wanted to pay for only receives a fraction of those profits.
As I understand it today, I can view an ad on a random site and have a cookie with my unique ID in it saved. If I view other network ads, they know it's me and update my profile. Then when I check out, the site I'm buying from reads this cookie and reports back that it worked based on impressions.
AFAIK this won't be easy to replace if a random eCommerce store is blocked from reading Facebook et al cookies, it won't be able to report back reliably. You could do something like submit their email address or other data to Facebook and see if you get a hit, but that's probably illegal in many places without permission. And in most cases, the cookie from the ads will be blocked as it's third party (but would be able to be written for ads shown on-platform, which doesn't really matter since they can track server side anyway).
But clicks are very easy, you just tie a unique ID to the ad URL and have the landing page and checkout page track that. No cookies needed. It can report back in real time or later to update stats.
The browser will not make cookies from other sites available to the e-commerce site. There is no chance for the e-commerce site to take a look at what is in the Facebook cookie
I meant the 'page' (including the FB pixel JS on it) could read the pixel but the problem is of course the page is composed of resources from multiple domains and parties.
I'm pretty sure these days the default is just a JS ping to an endpoint, but the eponymous pixel exists under noscript tags for legacy support.
Which is of course the intent.
AFAIK, all that matters is how many conversions you get from $ spent. Both of those are perfectly visible, no tracking needed.
Maybe it helps society to go back to such models over destroying privacy.
(And as answer to the question: Statistical methods by comparing areas/times with no ads vs. with ads etc.)
As much as many HN readers would love to see ads and even the most benign forms of tracking to disappear, if you're aiming for something realistic (e.g that would still allow ads to exist and be a minimum profitable for all involved) you cannot just go back to the dark ages, and show the same ads to everyone.
You can - without detailed tracking - identify rough location of the user. (IP etc.)
You can pick ads based on the content, not based on the user. (A site with beauty tips probably has different readers from a site on woodworking; a site with celebrity news has different readers than deep political analysis)
And yes, Google and Facebook would make less money (disclaimer: I have a handful Alphabet shares in my portfolio and probably funds containing those) and yes spread would be higher, but this could still pay a lot of bills and interestingly could lead to revert from clickbait to proper content, as readers of proper content are more likely the target audience for high-paid ads.
Not willingly, but perhaps they can be forced through legislation. In any case, as long as the industry insists on spying on me, I will continue to fight them tooth and nail.
Ads are pollution, and need to be treated as such. Information providers need to develop business models which do not depend upon advertising revenue. (foundations, Patreon, whatever).
Short term: Less tracking is good. (Not only for privacy, but also since I don't want to see "optimized" content – I want to be surprised, contradicting opinions etc. like in a good newspaper)
The one thing that you can't reliably do, browser privacy or not, is gathering the useless number ad-companies currently rely on.
Would these users be using Chrome in the first place?
The Google search engine could be run for some small number of billions per year (or less) but Google extracts tens of billions per year from our pockets. It's a leech on society in the same way that Wall Street is.
They successfully propagandized the idea that "relevant ads are good" when it's patently obvious that relevant search results are what you want from a search engine. There's no need for ads at all.
This caught my attention, as I haven't heard anything about this before. Do you have a source with more details on it specifically? All I see is that Google pays Mozilla to make Google Search the default search engine and pays Adblock Plus to whitelist their ads. I'm not seeing any sources indicating that Google paid Mozilla any money to keep ad blocking out of their standard feature set.
Google already knows most of what it needs about you, and it will in the future from searches. It has no motivation to allow 3rd parties help in tracking visitors. This way it can build a moat around its business while pretending to care about privacy. It's bullshit.
But that wouldn't be good for Google. This is the exact reason an ad company should not be allowed to own a web browser.
Edit: comment was either edited, or I’m going senile. In any case: Chrome does allow blocking all cookies as well, and has from the first release. Fingerprinting isn’t easily avoided, but they have taken some steps to make it harder.
Note that blocking all cookies breaks the web, blocking third party cookies breaks adtech. It's important to note that even if Chrome has supported the former, it has resisted implementing the latter.
Meanwhile, Firefox, Edge, and Safari have chosen to implement tracking prevention, which has the goal of preventing any ad targeting towards a given user.
But I’d recommend not using it at all, I don’t.
This is disingenuous. Reducing tracking does not undermine websites. It undermines advertisers that depend on tracking. If tracking stopped, advertisers would target something else (e.g. content or coarse location) and roughly the same amount of money would go to websites. Google’s privileged position would be a lot less inherently valuable, though.
Sure. So how about we block fingerprinting? Oh waaaaaait I see. What you actually want is your privacy invading business model to not be impacted.
Why are sites able to ascertain the type of browser, operating system, OS version, webkit version, Safari version, time zone, language, platform, vendor, screen dimensions, plugins, etc.
This shit should be as locked down as location, web cam, and microphone. Block all of it.
Go there and enable "Block third-party cookies".
The internet still works without them.
The Webkit team already proposed a privacy-preserving way to do ad click attribution . I'm guessing that was too private and Privacy Sandbox works better for Google.
I wonder how removing a feature might go, however. The answer is "probably well because Chrome has overwhelming market share", but I do wonder if, between AMP and "no URLs" and no 3rd party cookies, if there's room for a small but growing "it just works how I'd expect it to on Firefox" contingent to spring up...
Still, Google's revenue on third-party site ads was $6.4bn in Q3 of 2019 out of the $40.5bn in total revenue so it could be felt a bit there too.
I fear that it all will move to first-party tracking though which will be so much more difficult to block and so much more dangerous in terms of security.
> [...] we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years [...]
As for what they're replacing them with, sounds like they don't quite know yet. They seem to still be in the requirements gathering phase: https://github.com/w3c/web-advertising
With WebAssembly now.. And your company being one of the leading browsers.. The cookie transport looks like pigeon mail.
This is news to me.
I'm not sure this will accomplish much as it's not that hard to serve things from one's own domain. More work for the tracking company to get things set up, I suppose, but harder to detect once established.
My guess is we will need custom GreaseMonkey scripts that prevent parameters from being appended to URLs so when you click on a link to another site it will not pass tracking information. Generally whenever a tracking network changes these parameters the Greasemonkey scripts will have to be updated whereas in the past you could just block the third party cookies and avoid a lot of the tracking.
So I see this as a : 'Hey we got in before everyone and stopped using cookies first' — When in reality, they're becomming less of a valuable commoddity.
I'll be very happy when companies stop storing excess info in their own storage.
Until then, no round of applause from me .
What? Care to explain for a non-native speaker / non-US based reader?
But it’s a somewhat eloquent term, in a way.
(It refers to getting sexually aroused, but only mildly)
Between Chrome, GA, AdSense, DoubleClick, Gmail, etc, they don't need 3rd party cookies to gather user data. Even if killing 3rd party cookies drops them back a little, it drops the #2 panopticon back more...extending Google's lead.
Analytics uses first-party cookies for its core functionality. There are optional features where it connects to a third-party cookie from another Google service, e.g. connecting to the DV360 cookie to pull in demographic information.
interesting to see if that's the future. certainly anyone with substantial inventory has experimented with this (NYT for example) because they suspect they're getting cheating by G/FB
> Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds…
A browser vendor that cared about its users would make a browser for them, not publishers or advertisers. It would block all tracking garbage by default.
Just admit it Justin, the real Chrome customers are advertisers. You don't actually give a shit about users if it interferes with ad dollars.
Edit: I left out this good quote
> Some ideas include new approaches to ensure that ads continue to be relevant for users
More user-hostile advertiser appeasement.
Google is just acknowledging that for-profit, advertising-supported websites are a three-sided market; consumers, website authors, and advertisers all have interests. Figuring out how to satisfy everyone is tricky.
It may be that these competing interests can't all be satisfied and an advertising-supported Internet isn't going to make it in the long term, but they are going to try.
Of course they can't all be satisfied. The needs of advertisers are diametrically opposed to the privacy needs of users. There is no way to square this problem so that both groups are happy and Google certainly understands this. They aren't "trying" things out as experiments, they are executing on strategies to ensure their dominance over the business of digital advertising.
Many (most?) are happy to provide their personal information "by default" in exchange for better ad targeting, lower prices, etc.
"Everybody is just ignorant" is not a good way of evaluating markets.
Past results are that the advertising-supported Internet is enormously lucrative. Things are changing though. We will find out what happens when it happens.
Not even monopoly markets are dictatorships.
(yeah, I know they have to care about website designers, otherwise every website will just break, but when you have substantially a huge share of the browser share, you can tell website designers to get stuffed and they will have to deal with it)
I'm being intentionally simplistic- sometimes, complicating things with markets and so on feels like it obscures more than it illuminates.
Compatibility is important, even for the market leader, because if they break too many websites too quickly, that will push people to switch browsers like nothing else. Especially if it's a big website people use every day.
Chrome does have a somewhat easier time taking the lead on deprecating things but it often requires multi-year campaigns and gradual steps. (Consider the campaigns to kill NSAPI and Flash.) This is needed even for Google to maintain compatibility with its own websites.
The analogy to markets still works. Ebay can change the rules to be more buyer-friendly but not so much that too many sellers leave, because buyer-friendly rules don't matter if you can't find the thing you want to buy.
An example of the market breaking down is major news sites blocking Chrome's Incognito mode, despite Chrome's gradual attempts to make fingerprinting harder.
Have you ever dealt with Google as a customer :) ?
Consider Mozilla, the privacy maniacs.
Even they let proprietary and intrusive DRM plugin inside, though it is totally contradicts FOSS approach
This is life -- you have to take other parties interests into account or you will be buried.
Start block all tracking garbage by default and sites will ban your users, forcing them to choose another product.
Speaking about Google:
when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition
DRM is an entirely different problem to that of privacy. While DRM is disgusting, a threat to open source as we know it and overall harmful to humanity as a whole, it does not inherently violate privacy.
Thus, saying "Even [the privacy maniacs] let proprietary and intrusive DRM plugin inside" doesn't make any sense.
Even if this question sounds naive, I feel like we should from time to time take a step back and review our situation.
> Speaking about Google: when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition
I can agree with that (esp. given their monopoly), but the truth is not black and white here: there's a difference between applying the same measures equally to everyone and leaving a bunch of escape hatches for yourself, e.g. that time when Chrome decided to exclude certain Google cookies from the "Clear all cookies" screen.
I think this misses a larger point: advertising on its own requires absolutely no tracking at all. Consider print publications. They still virtually all advertise. And their ads generally relate, in some way, to the demographics who read the publications. There's no reason that approach can't also work on the web.
The problem we're facing today is the notion that advertisers should be able to uniquely target individuals with specific ads. That's a new idea that I think we, as a society, need to reject.
That's how it USED to work on the web and still does in some parts. Until Google (and others) started selling increasingly accurate demographic and behavioural targeting. Now advertisers are addicted to targeting 50+ females who like baking, cats, have at least one grandchild and who have recently shown an interest in Easy Bake Ovens.
I mean, logically it should be worth it because they pay for it, but part of me is wondering if the ad companies are conning their customers on this.
I dislike ads for two reasons:
- highly targeted ads can impact my behaviour in ways I’m not aware of (existing vs. created needs, emotions vs. rational decisions)
- it’s an invasion on our personal (internet) and public (your street, your neighbourhood) spaces.
The points above allow for manipulation at a unprecedented scale.
Again, this is more of a mental exercise, a problem I like to revisit from time to time, but if we take the points above into account, removing targeting doesn’t solve the issue completely.
I do think that contextual targeting is a more viable alternative, unless it becomes a rebranded version of behavioural (which is already happening).
This just smells of whataboutism.
As for your hypothesis that websites will start blocking browsers that ban tracking and so forth, frankly, that remains to be seen, and my bet is we'd never actually see that happen in practice. The optics are just too toxic. Surveillance capitalism survives because people don't know it's happening. Banning a browser like Firefox would call attention to an infrastructure and ecosystem that those individuals don't want to talk about in public.
Edit: As an aside, if sites did start banning privacy-conscious browsers like Firefox, I'd just stop going to those sites. In that respect, I'd actually perversely appreciate something like this: It'd finally make it blatantly obvious who is and isn't collecting and profiting from data about me and my actions online without my permission.
I already do this -- if a site doesn't work with my defenses against the ad industry up, then I don't go back to that site.
The result of the GDPR regulAtions resulted in a moderate number of us websites refusing access to EU residents rather than attempt to comply. I think it's an entirely reasonably assumption that said sites would block a browser which attempted a similar idea
Some sites would go behind paywalls, some would cease to exist, and some will just run nontargeted ads, but some would do none of those things.
These sites that can't be used without DRM plugin do not provide you a way around DRM because you're ruining their business model (at least they think so, or their content providers).
The same goes with ads.
If your browser start for example blocking ads at sites that live from it (like New York Times website), website administration will eventually ban your browser at all.
This is how it should work, users come first.
Just as all this tracking protection stuff is optional but ships out of the box in a configuration that's deemed the most beneficial to the user, DRM, while enabled by default, can be disabled by simply uninstalling the plugin.
As I say: it just smells of whataboutism.
Users need publishers to be able to make enough money to survive, or there won't be any content for them to use. You can't totally screw over either side, or the other will no longer exist.
> In particular, Google:
> has required manufacturers to pre-install the Google Search app and browser app (Chrome), as a condition for licensing Google's app store (the Play Store);
I almost miss Slashdot style "Micro$$$oft" discussions, at least people had some baseline hostility toward browser hegemony.
No, absolutely not. User-targeted advertising does not need to exist, a priori. Plenty of empires were built on privacy-friendly content-targeted advertising in the past and there's no reason that can't be done now. Except that Google would make far less money.
I strongly doubt the internet would stop working.
I fear that we would see a huge wave of advertising in disguise and other not necessarily more transparent forms of indirect funding and influencing.
For instance, there would suddenly be a very big incentive for product companies to become media companies themselves to make the distinction between reporting, advertising and simply describing their own product go away.
I believe an advertising ban would have a very large number of unintended and undesirable consequences.
Nonsense. I'm not going to stop buying food or soap because I don't see ads for it.
$300B is no way negligible by any mean and businesses are tightly coupled so the impact will propagate across everywhere. For instance, almost every functional search engines are powered by advertisement in some way (even DDG); how would you use the internet without a search engine?
Although I think your point is correct, I don't think that this program's failure is evidence for it. I give cash money to numerous small creators, but there's absolutely no way that I would have used the Google Contributer program to do it. That requires more trust in Google than I can muster.
A tremendous amount of resources are wasted on adtech - bandwidth, latency, which ultimately are accounted for in non-renewable time. Just compare using hacker news on mobile to reddit. I have a newish iPhone and reddit is basically unusable. Plausibly it’s a net-neutral situation, the downsides balancing out the upsides.
Similar evaluations can be made in the gaming space, comparing paid, freemium, and advertising driven. It wasn’t until fairly recently that advertising was even a viable revenue source for game developers.
The larger question perhaps is who loses their audience when they can no longer buy targeted advertising? Hint: it’s not the giant brands who blast billions of dollar blindly on mass advertising campaigns and can purchase Super Bowl commercials.
Disclaimer, a significant proration of the money I’ve made in the past decade + was from digital advertising.
Not to mention cognitive resources. How much brain power has the world wasted on trying to get people to look at or click on things?
Just a tip, if I want to use reddit on an iPhone, I usually go to i.reddit.com or reddit.com/.compact
There are also third party apps (I like Slide for Reddit) which are pretty good.
I think a probable scenario is that Google’s search ads and display ads business will have to be segmented from the rest of Google’s businesses. The other alternative may be to remove search bundled with search advertising, YouTube with its accompanying video advertising, and so on.
I would be more optimistic about Google’s ability to keep itself together, but they seem to have turned themselves in to a case study of corporate mismanagement and disfunction. Who knows what sorts of insane criminal things and accumulating at this point. Those future moments of weakness and going to make them incredibly vulnerable to regulators on both sides of the Atlantic, from both the right and the left. That is not a survivable position.
I fixed it for you.
So, this monster is "too big to fail"? All the more reason to kill it now before it gets even worse.
When users can't be tracked, ads will be less targeted which means Google will not be as valuable to advertisers.
i don't understand how this helps the conversation.
Credit to Apple for being aggressive taking on the ad companies. Yes this is totally a business decision that benefits them, but it also benefits consumers. So in that sense, the incentives are aligned.
Hope they keep going.
IIRC Safari can be set to block ALL 3rd party cookies, but it is not the default setting.
SSO providers don't NEED cookies, they can do full page redirects to avoid being 3rd party, but it does complicate matters, and the relationship between you, a site, and a 3rd party identity provider you've presumably agreed to can be a different beast than the tracking cookies that are the focus here, though of course identity providers could always join the dark side as well.
What's more, Firefox is just an off-brand of Google to capture the "privacy first" consumer market segment.
Doesn't mean I'm going to stop using Firefox, but it just helps to see the big picture.
We can see, google doesn't need to inform their chrome users :
> A privileged third party is a party that has the potential to track the user across websites without their knowledge or consent because of special access built into the browser or operating system.
INOL but my understanding of this would put Google's Chrome into that bracket. Potentially also Microsoft/Apple ?