Google gives up: third-party cookies won't go away after all in Chrome
Google announced "a new path" for its Privacy Sandbox initiative for the Web. The company's plan was to eliminate third-party cookies on the Internet and replace them with new technology that it built into its Chrome web browser.
Third-party cookies are saved by resources that a website loads from other sites. If you visit Site A, which loads elements from Sites B and C, then B and C may save cookies on your device; from the point of view of Site A, those are third-party cookies.
The main idea behind third-party cookies is not a bad one, but it has been used and abused in the past. One specific problem is user tracking.
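The Site A, B and C situation above can be made concrete with a small audit script. This is an added example, not code from Google or Chrome: it classifies the cookies set by resources a page loads and applies Chrome's SameSite rules as they work while third-party cookies are enabled. The hosts, cookie values and function names are constructed for illustration.

```javascript
// Added example. "Site" here is the last two host labels (an assumption);
// real browsers use the Public Suffix List, so this breaks for e.g. co.uk hosts.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Pull out the Set-Cookie attributes that decide cross-site behaviour.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim());
  const name = pair.slice(0, pair.indexOf("="));
  // Chrome treats a cookie without a SameSite attribute as SameSite=Lax.
  const cookie = { name, sameSite: "lax", secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "secure") cookie.secure = true;
    if (k.toLowerCase() === "samesite") cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Classify every cookie set by a resource that the top-level page loaded.
function classify(pageUrl, responses) {
  const pageSite = siteOf(pageUrl);
  return responses.flatMap(({ url, setCookie }) =>
    setCookie.map((header) => {
      const c = parseSetCookie(header);
      let verdict = "first-party";
      if (siteOf(url) !== pageSite) {
        // Only SameSite=None together with Secure survives a cross-site context.
        verdict = c.sameSite === "none" && c.secure
          ? "third-party, usable for cross-site tracking"
          : "third-party, rejected in a cross-site context";
      }
      return { name: c.name, setBy: siteOf(url), verdict };
    })
  );
}

// Constructed sample: Site A loads one own resource and one each from B and C.
const PAGE = "https://site-a.example/news";
const RESPONSES = [
  { url: "https://static.site-a.example/app.js",
    setCookie: ["session=abc; Path=/; Secure; HttpOnly"] },
  { url: "https://ads.site-b.example/pixel.gif",
    setCookie: ["uid=constructed-123; Secure; SameSite=None; Max-Age=31536000"] },
  { url: "https://widgets.site-c.example/embed.js",
    setCookie: ["pref=1; Path=/"] },
];

for (const row of classify(PAGE, RESPONSES)) {
  console.log(`${row.name} (${row.setBy}): ${row.verdict}`);
}
```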
Google's euphemistically named Privacy Sandbox set out to kill third-party cookies on the Web. Since Google's main business is advertising, and tracking is a core part of advertising, it was no surprise that Privacy Sandbox still allowed tracking.
Put simply: it moved tracking inside the web browser and switched from tracking individual users to user groups. Users would be put into groups based on their browsing.
While that is objectively better than the tracking of individual users, it is still tracking. For Google and other advertising companies, tracking is essential. For many users, it is a nuisance and privacy invasion.
The use of the euphemistic term and others, including IP Protection and Tracking Protection, has been at the forefront of Google's initiative. Privacy rights organizations call this Privacy Washing; the main purpose was to get the majority of Chrome users to agree to the new system. Who does not want more privacy in their browser, right?
Third-party cookies are here to stay
Now, Google is saying that the company has changed its plans significantly. The first half of the blog post by Anthony Chavez, VP, Privacy Sandbox at Google, sounds like everything is in order.
Google says that it sees a lot of potential in Privacy Sandbox, but it admits that the overall performance could be better and that it "requires significant work".
Because of this, Google has made the decision to keep third-party cookies. Instead of dropping support, Google proposes a system that "lets people make an informed choice that applies across their web browsing, and they'd be able to adjust".
Additional details about the new approach are not available at the time of writing.
Closing Words
It sounds as if Google is about to give up on Privacy Sandbox. To save face, it is not dropping the feature entirely, but keeping it around for the time being.
While Google says that it will "continue to make the Privacy Sandbox APIs available and invest them", it sounds like the technology already has a grave reserved on Google's Graveyard.
Reading between the lines, it sounds as if Privacy Sandbox is not delivering the same results as third-party cookies when it comes to advertising and tracking.
This could have the potential to damage Google's core business going forward and it would explain why Google is rowing back.
It will be interesting to see how Google is going to introduce the "new experience in Chrome that lets people make an informed choice" and that is applied "across their web browsing".
It will probably come up with yet another euphemistic term to persuade users to pick the choice that is best for Google's advertising business. In any event, we will keep you posted on the development, as usual.
What is your take on this? Google making a U-Turn and keeping third-party cookies alive in browsers?
Similar debates about use of cookies took place around 2002-2004. And … cookies stay. They’ll stay now too.
They have their use and function.
What bothers me are the law legislation. As a web designer I should break my website design look just to add a popping Cookie policy!? Neah, I will put it in the footer of my site instead (even if it doesn’t use cookies). At least I didn’t put any there by myself.
Honestly what should be gone is User-Agent, currently it’s misused to cockblock web browsers or throttling non-Chromium like Google services.
I understand I am being tracked.
From the beginning, I’ve used gm
for convenience; over the years yt
for boundless discovery, learning,
if–being a frontline healthcare
worker–I stumble on a day or
(rarely) two off-duty in a row.
Whereupon I spend long hours,
since I never turn my mainstream
TV on.
I don’t encounter ads in whatsoever
form anywhere, though. I mean Ø,
zilch, nix, nada.
I’ve never paid them a single cent.
[Otoh, in spite of work requiring us
some ways, I have by all means
dodged, pushed off all social “media”
platforms known to man or
woman… even “zoom”, “crew”…
whatnot. Where you’re the product.]
Oh, well.
You’re also being tracked by the way you’re using line breaks :)
The words ‘Google’ and ‘Privacy’ do not go well together.
—
They’re a despicable corp: https://en.wikipedia.org/wiki/Criticism_of_Google
This might qualify as “least surprising news ever”. Google is a privacy-reduction company, it’s literally the essence of what they do.
Doesn’t affect me much. I have long avoided their products and services. I use privacy-configured Firefox-based and ungoogled-Chromium browsers, a VPN with DNS-level blocking, and reasonably-hardened Windoze. YMMV.
The only way to be private on a windows system is to not connect it to a network, which makes browsing somewhat problematic. You can’t be private and secure on windows as long as it is regularly connected to a network, no matter what you do.
VPNs do have some legit use (eg circumvent geo-fencing), but only aid privacy under very specific circumstances (eg, if you KNOW that your ISP is tracking you, which is quite likely if you are in the US (to sell it to make money) or in an authoritarian country like China, Russia etc).
What a VPN does is transferring trust from your current ISP/network provider to another party. In both cases one party knows exactly what you are doing, in case I) the ISP (or the guy whose network you are using) in case II) the VPN provider. In principle that is exactly the same thing: one party always knows what you have done last summer.
If VPNs can be trusted is debatable. The vast majority are flimsy companies located in some backward countries with non-existing privacy laws, while some others are likely indeed more trustworthy than your average VPN (eg Proton, Mullvad). But in the end it’s about TRUST.
So VPNs in general do NOT increase your privacy at all, but just transfer Trust to a different party, which may or may not be more trustworthy. This means that VPNs do NOT (at least in general) provide privacy, they do so only under specific circumstances (this is when your ISP is less trustworthy, than your VPN provider, in which case changing the ISP would be the 1st logical choice).
VPNs are of course not a bad thing in general, quite the contrary, I just write this, to make people understand that the simple “I use a VPN = I am private and secure” is NOT a valid equation.
If you do want privacy (or at least to the level which is actually possible before going fully paranoid and only communicating via mail pigeons), use Tor on tails, which of course comes with other problems and also only shifts trust (eg in this case you have to trust the tails, tor and firefox developers).
@Anonymous, indeed someone always knows and at the end it’s a matter of trust.
There is, however, a scheme where, in principle, no one knows, but this is available only for DNS resolution.
The concept is that of anonymized DNS resolution via so-called ‘relays’, available with DNSCrypt-proxy as described at [https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS] :
“How does it work?
Instead of directly reaching a server, that is one of the public resolvers, an Anonymized DNS client encrypts the query for the final server, but sends it to a relay.
The relay doesn’t know the secret key, and cannot learn anything about the content of the query. It can only blindly forward the query to the DNS recursive resolver, the only server that can decrypt it.
The DNS resolver itself receives a connection from the relay, not from the actual client. So the only IP address it knows about is the IP of the relay, making it impossible to map queries to clients.”
If this concept could be applied for connections as well as for DNS resolution, wouldn’t that be THE solution?
No one ought to be surprised. Organized crime companies always backtrack any plans if they involve risking profits. Consumers don’t matter – profits do.
The good news is that while I work at it, it is obviously impossible to block all tracking, although one can in fact at least block much of it. But what you can still do quite effectively is to block ads. I don’t use Google products except when absolutely necessary (e.g., I have never used Chrome except at work where for a time Chrome was required), I use Brave search as a default, I don’t use gmail, and I almost never use Youtube. And, oh yes, virtually never use social media, a practice which is without question a quality of life enhancer), but to the extent they can still track me, it obviously is not helping them much as I don’t see the ads they (and their customers) are so anxious to annoy me with. And if they won’t show me content without ads running (despite the various ways one can effectively get around that if one is motivated to do so), that is fine by me.
If a tree falls in the forest and there is no one to hear it…
@Herman Cost, don’t be worried too much!
I have spent several years trying to explain that if everybody is tracked, nobody is tracked. If 99.99% of the people walking down the street wear hats, only the remaining 0.01% are worthy of supervision. The problem is not being monitored, the problem is the statistics that you constitute within that surveillance. If you do what everyone else does, the value of what you do is zero.
The real problem with all this is that more and more people do common things, which by default increases the level of tracking carried out. The primary problem here is ridiculous in its extent, because it is the secondary consequence that is really the problem. In short, the problem is not the tracking, the problem is the excessive amount of tracking because we have already been tracked so much that each time the useful information obtained is less and less. By the way, it is possible to use Chrome safely: Ungoogled Chromium. Smile, it’s a little weekday joke.
@John G. … to develop my first reply concerning specific user parameters,
– Cop : tell us about what you’ve seen, can you describe the fugitive?
– Witness : well, I remember he wore a dress …
– Cop : “he” with a dress?
– Witness : yes officer, because he had a beard and that puzzled me
– Cop’s assistant to Cop : millions wear a dress, millions have a beard …
– Cop to Cop’s assistant (nice guy but understands slowly) : much less wear both.
=> Narrowing the investigation field :)
P.S. : trying to laugh rationally.
@John G., I have to disagree with your assumption, assumption which would be true if there was only 1 tracking parameter, i.e. wearing a hat.
Tracking means following a user’s activity on the Web and includes fingerprinting which is all about combining several, many characteristics : wearing a hat, skirt or pants, flat or high-heel shoes, long or short hair, glasses, clothes etc etc etc … and many many more when it comes to digital fingerprinting. More parameters are monitored, more specific you become.
I agree that zero-tracking is impossible. A user’s IP to start with, otherwise even with a VPN fingerprinting data remains a source of information regarding the user’s digital environment.
Struggling against tracking only means that you make it tougher for analysis to follow you within automatic algorithms (site which you come from, surfing history etc.), in other words, real-time tracking, the one that fills the sites’ logs. But you never are anonymous, for sure, unless to be a talented techie surfing via Tor, maybe …
Anyway, the main thing I guess from a nervous-breakdown point of view, is to be free of advertisement.
@Tom Hawack,
There is no physical way to track 7.000.000.000 human beings. Anyway tracking is barely useless compared to the free disposal of personal info around TikTok, Facebook, Instagram, WhatsApp, Google Mail, Yahoo Mail, Bing, Google Search, LinkedIn and dozens more of the worst apps and platforms ever created to measure our stupidity. In fact, tracking methods are just like children’s games compared to the free and eternal kingdom of our idiotcracy society that has shown us how to sell our personal life is a better business itself for all companies. In short again, I still don’t know why companies are so interested in cookies when they have millions of entire dumb profiles of dumb people showing their lives daily online with no shame at all. They can track me whatever the time, I have an amazing normal life, watching 80% of my time trees and flowers, mountains and cows. :D
@Herman Cost, I understand your differentiator between advertisement and tracking.
Advertisement may be arguable as such, or as its excess whilst not considering it illegitimate. I’d consider the latter and criticize it only for its excess. Far too many ads, everywhere, now even built-in Windows 11. The trend is : higher.
Tracking is, I believe, arguable in terms of its very legitimacy. We all know countries where state tracking has been or is a deliberate policy, why would tracking for the sake of business be different, on what ground? I see none.
From there on, a practical, pragmatic state of mind could very well be : “Well, as long as I avoid ads why should I care about trackers which then fail to be efficient?”. I guess this is a valid approach, yet not mine. I may see the world as a poor man when we know that wealthy people don’t give a damn of what their domestic staff may think of their behavior given it will never feel free to express it in their face. Poor or not, I’d care about my domestic staff’s thoughts regarding myself. In the same way I dislike being tracked even if it leads to nowhere. By the way, does it ever lead to nowhere ? It may lead to data being held and made available whenever required for who knows what. There’s just NO reason for aspects of my life being recorded without my expressed consent. No reason.
Tom, I actually agree with you completely. As I said, I make every effort to avoid being tracked and believe that : 1) I am somewhat successful in doing so; but 2) Despite my best efforts, it is impossible to totally avoid tracking. However, I am at least somewhat comforted by the fact that in my case, at least, the tracking is not helping the Googles of the world to deliver me targeted advertising that I resent very much and never want to see.
Still, I would hope that some day we actually have right to fully opt out of all forms of personal data collection, and that violators of that right will be open to both civil and criminal prosecution for the theft of valuable intellectual property. But I’m not holding my breath.
@Herman Cost , that’s how I understand/understood it and fully agree. I just added my grain of salt in a general perspective of ads compared to tracking, as a continuation of your post, not as a critic.
Pathetic. What else to expect from a company whose core business is indeed advertisement and its servant: tracking?
Despite all this, Google’s fame remains. Conclusion: a wide majority of users don’t give a damn about their privacy. In fact one may wonder if the very idea of privacy is not vanishing, slowly but surely, if privacy together with dignity and other principles of life as we’ve known them since perhaps always are deeply anchored in our souls or a simple matter of culture… or opportunity : maybe wonder as well if principles vanish when the reward of betraying them is sufficiently attractive, and pseudo-free products and services blind many when the blind as we say are the product.
As for myself with many others, be we all a minority, I will continue to avoid all of Google. All.
Concerning 3rd-party cookies, generally speaking, whatever browser : blocked. Interesting to notice that the main services bothered by blocking 3rd-party cookies are the ones which aim to centralize users’ data provided by their various domains, Google in particular. Personally I don’t encounter issues with 3rd-party cookies being blocked except on one site, French by the way, which requires user consent of YouTube cookies (and a YouTube cookie to register user consent) to display YouTube embedded videos, which is totally inappropriate to put it mildly. The crook’s name is [france24.com]. So we avoid the crook’s YouTube videos, that’s all there is to it. Boycott, my friends, boycott those who treat you and your rights as less than nothing ; chin up, never surrender, whatever the brightness of the gem.
Third party cookies are the salt and the pepper of the magnificent and obscure highway of the best browsing horror history ever. They will never die. For sure. Thanks for the article! :]
Addendum:
My link broke [https://i.imgur.com/ir2aiDn.png]
Cookies are child’s play. Look what the TechBros are storing in LocalStorage these days.
[https://addons.mozilla.org/en-US/firefox/addon/localstorage-editor/]
High entropy IDs and other nice trackers live there. Just surf to major US and DE newspapers and have a look. You can also see this in the browser dev console without an add-on, but it’s much more inconvenient. I’m sure some people here know this, but it should be mentioned explicitly. Websites today can also hide trackers from us elsewhere.
>It’s only local
JS has full read/write access, so it can also query the local value and send it back via requests.
Edit:
[https://i.imgur.com/ir2aiDn.png]
Large German newspaper for the upper middle class. None of this is a cookie. Everything LS.
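The check described in the comment above (looking through LocalStorage for high-entropy IDs) can be scripted. This is an added example, not code from the commenter or from the LocalStorage Editor extension: a heuristic audit that flags stored values shaped like persistent identifiers. The sample entries, the thresholds and the function names are constructed for illustration.

```javascript
// Added example: heuristic scan of localStorage-style entries for likely tracking IDs.

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Sites often store JSON, so walk parsed values and collect every string inside.
function candidateStrings(value) {
  try {
    const out = [];
    (function walk(v) {
      if (typeof v === "string") out.push(v);
      else if (v && typeof v === "object") Object.values(v).forEach(walk);
    })(JSON.parse(value));
    return out;
  } catch {
    return [value]; // not JSON: treat the raw value as one string
  }
}

// Entropy alone also matches readable slugs, so additionally require a long
// token without spaces that mixes letters and digits (thresholds are assumptions).
function looksLikeIdentifier(s) {
  return /^[A-Za-z0-9_.-]{16,}$/.test(s) &&
    /[0-9]/.test(s) && /[A-Za-z]/.test(s) &&
    shannonEntropy(s) >= 3.5;
}

function auditStorage(entries) {
  const findings = [];
  for (const [key, value] of Object.entries(entries)) {
    for (const s of candidateStrings(value)) {
      if (looksLikeIdentifier(s)) {
        findings.push({ key, value: s, entropy: Number(shannonEntropy(s).toFixed(2)) });
      }
    }
  }
  return findings;
}

// Constructed sample; in a browser console, pass { ...localStorage } instead.
const SAMPLE = {
  theme: "dark",
  consent: '{"analytics":false,"ts":1721650000}',
  _uid: "3f9c2a7e-5b1d-4e86-a0c4-9d27f6b8e135",
  abTest: '{"bucket":"B","visitor":"k8Qz2LmX9vRt4WpY7sNa"}',
  lastArticle: "google-keeps-third-party-cookies",
};

console.table(auditStorage(SAMPLE));
```

A hit is a lead, not proof: the heuristic says a value could serve as a stable identifier, and the network panel shows whether scripts actually send it anywhere.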
@SapereAude, got your corrected screenshot. I use the ‘LocalStorage Editor’ extension as well. Good opportunity to remind that sites use LocalStorage as well as cookies, and that what is uploaded to a user’s LocalStorage is sometimes absolutely fascinating by the amount of information it includes and which is absolutely not required, or at least not required to be kept once the site has been exited. Use an extension such as ‘Cookie Autodelete’ or, better even, ‘Temporary Containers’ (the latter, if set in ‘Automatic mode’ greatly diminishes the need of the former, even if I use both for/in precise reasons/circumstances).
The number of sites which stick a tracker on the user’s back is unimaginable. We should call whatever storage uploaded by a site as a ‘Sticker’. They want to know everything, where you come from directly, your surfing history, your movements on the site itself. Storage keeps the information but sites know more than they store on your device, and an extension such as ‘Clean Links’ will fascinate by what it proposes to circumvent and succeeds to achieve.
The WWW is definitely the World Wild Web.
Next up: Having second thoughts about Manifest v3 as well…
Upcoming Manifest V4:
– Delete uBlockOrigin
– Delete alternative frontends
“rowing back” isn’t really a term? Backpedaling is.
In Australia, UK and Germany it is well understood:
[https://en.wiktionary.org/wiki/row_back]
Never heard it in the UK, maybe that’s on me!
Interesting information, to say the least. However, one thing stays the same. Google calls embedding tracking into browsers “IP Protection” and “Tracking Protection”, thinking that everybody is stupid.
Is that accurately summed as “Google’s privacy sandbox is not about individual’s privacy, but Google’s control over advertising revenue”?