Google to kill third-party Chrome cookies in two years

Google doesn’t want to block third-party cookies in Chrome right now. It has promised to make them obsolete later, though. Wait – what?

The search engine giant gave us the latest update this week in the journey towards what it says will be a more private, equitable web. It announced this initiative, known as the Privacy Sandbox, in August 2019. It wants to make the web more private for users, it said.

The discussion about online ads and privacy revolves around cookies because they’re what support many predatory advertising models today. It works like this: you visit a website and it puts a small file on your hard drive. This cookie contains information about the session – when you visited, what you looked at, what IP address you came from, and so on.

Some companies use these purely to remember you when you go back so that you don’t have to sign in again. Those are first-party cookies, and they’re a great way to make the web more convenient.

Other publishers let adtech companies put their own cookies on your site that they then use to track you across different publishers. So suddenly a life insurance company knows that you’ve been searching for ways to give up smoking. Maybe you don’t care if one site knows you’ve looked at products on another.

What might creep you out is that data brokers can also gather this data, along with thousands of other data points, and end up knowing more about you than your spouse does. They can then sell that data to anyone willing to pay for it. Ewww.

Google’s messaging this week took some parsing. On the one hand, it says:

Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem.

On the other hand, it says:

Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.

So it’ll slowly squish third-party cookies, but only after it’s found alternatives. What does that squishing look like, and what are those alternatives?

The company already announced that it would limit third-party cookies to HTTPS connections, which will make them more secure. It plans to start doing that next month.

It will also treat cookies that don’t use the SameSite label as first-party only. SameSite is a tag that developers can include with cookies. It sets the rules for exchanging the cookie with other sites. A bank could use it to avoid sending session cookies to another site that links to a customer’s transaction page, for example, so that a third party couldn’t harvest session information. So in future, developers have to be upfront about how third-party cookies will work, or Chrome won’t send them between sites at all.

Google’s fear is that choking off third-party cookies immediately will move tracking companies (which, remember, it owns) to use more subversive tracking methods like fingerprinting. The Electronic Frontier Foundation (EFF) scoffed at this notion back in August when Google first unveiled the Privacy Sandbox calling it “frankly, a mess,” and reminding us that Google tracks two-thirds of the web as it is. It also pointed out that Mozilla already blocks trackers, that the company tackled fingerprinting in its browser, and that Google announced plans to do the same (it reiterated those plans this week).

What else is Google doing that would help make third-party cookies obsolete? It lists a set of explainers here that outline plans including aggregated reporting (producing summary reports of cross-site activity that don’t ID individual users), measuring conversions on websites without tracking users, and Federated Learning of Cohorts (FLoC), which lets you monitor the behaviour of a group of similar people rather than individuals.

It’s also mulling the idea of holding data about browsing habits in the browser rather than with the advertiser (PIGIN), and for applications to effectively cover their eyes so they can’t see your IP address.

It also wants to ‘shard’ identities, so that the identity that your life insurance company sees is different from the one your high-risk motorcycle hang gliding club sees.

The problem is that Google wants all this to happen while still supporting the ability for people to advertise online, on the basis that if they can’t advertise, then most of them will lose over half their revenue. What it doesn’t do is mull alternatives to advertising such as paid content or patron-based schemes because these go against its business model. However it goes about it, persuading advertisers to gather less data about people will be a tall order.

Meanwhile, the founder of the Mozilla Foundation went on to create Brave, a browser that already keeps browsing activity private while letting users opt into viewing ads in return for attention tokens. It wants to make that a currency that you can use to pay for premium content over time, and it lets people tip content creators with the token.