That's exactly what it is, and Google indicated as much already, they originally announced this was dependent on replacing their tracking methods with a new tracking method.
I think the assertion is one of the tyranny of the default. If they are not blocked by default, then for the majority of users, the option effectively does not exist, since they will not proactively look for such a setting.
We've seen this over and over in tech. The spotlight is focused on it, so they hide away and bring it back at a later date, likely with a rebranding and hope no one notices or causes a scene.
I don't use Safari or any AppleWare but I disable 3rd party cookies in Chrome and I can't download files from Google Drive unless I temporarily enable it.
I poked around in dev tools, and it looks like what's happening is in serving to Safari it gives a download link that includes authentication information, but when serving to Chrome it doesn't. Perhaps because it's expecting to get third party cookies?
My guess is that they rolled out special handling for Safari when it started blocking third-party cookies by default, which will eventually make its way to all browsers?
(Disclosure: I work on ads at Google, speaking only for myself)
I think many people will agree that this is just terrible engineering and there are many ways to authenticate users who download files without the use of 3rd-party cookies. Literally every other cloud storage provider was able to figure that one out.
> We believe the web community needs to come together to develop a set of open standards to fundamentally enhance privacy on the web, giving people more transparency and greater control over how their data is used.
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
> By ensuring that the ecosystem can support their businesses without tracking individuals across the web, we can all ensure that free access to content continues.
This proves Google's consumer privacy strategy is all smoke and show. It should come to no ones surprise they choose to follow the money (ads). Apple continues to improve privacy on Safari with every major update and Google is still sitting on the sidelines.
news in the past two weeks has been of eu antitrust actions over issues including this 3rd party cookies change, and uk demanding their regulators get veto power over changing 3rd party cookies.
google is trying to escape a colossal regulatory hellfire that has sprung up in the last two weeks over this attempt to do the right thing, that other browsers already do. shit has just gone defcon4 & they are adding time to the doomsday clock that various national & supranational powers have just set ticking. set ticking for doing the right thing. scratch that, for having said they would be doing the right thing, hereby rescinded.
Regulators aren’t concerned with Google blocking third party cookies, they’re concerned about it in conjunction with FLoC providing Google an anti-competitive moat in the adtech space where it also holds a dominant position.
If Google blocked third party cookies absent FLoC, regulators wouldn’t care.
Why don't you think the browsers can agree on replacements? Most of the major browsers have proposals for replacing some piece of advertising-related third party cookies [1][2][3].
(Disclosure: I work on ads at Google, speaking only for myself)
I see this as a natural evolution of the web. The existing web standards and protocols no longer meet security or privacy user needs. Ideally, we do create better open standards. Apple’s Private Relay is great, but its gated off to paying customers.
I'd like to comment about this part from the Google blog:
> By ensuring that the ecosystem can support their businesses […] we can all ensure that free access to content continues.
Internally, Google believes that with Ads they are doing good to the world: the mission of Google Ads literally starts with "power the open and free internet…" (you can find it online). The idea is that for every site online that carries ads on it ("publishers"), it's the website that has chosen to put ads there, to make money. So the assumption is that if websites couldn't make money from ads (or if they made significantly less money, because of worse ads) they'd either stop hosting the website or put it behind a paywall, and users wouldn't get "free access to content".
Of course this applies only to those sites on the internet that have ads at all (doesn't apply to HN, Wikipedia, government/academic websites etc), but then again, ad-tech third-party cookies are also only present on such sites anyway.
-----
(I work at Google in Ads but not on anything related to any of this; this is all my own opinion posted from an alternate account. I find ads annoying and use an adblocker personally, so I was surprised to encounter this point of view.)
-----
Rather than "Google's consumer privacy strategy is all smoke and show", the sense I get internally is that Google is serious about "as much privacy as possible without seriously affecting our revenue". A couple of examples:
- [Edit: Added this point later.] In 2019 most (all I think? It's hard to tell) of "what Google knows about you" was consolidated into a single "My Activity" page (https://myactivity.google.com/), with user controls for turning things off or individual items. This was a lot of effort (Sundar at TGIF spoke proudly of it; see also the blog post https://blog.google/technology/safety-security/putting-you-i...), and personally as a user I feel better having control and visibility over what exactly what Google knows about me, but I don't remember much media coverage or discussion of this; maybe not everyone finds this exciting. :-)
- In 2020, they changed the default for new users to auto-delete this "Web and App Activity" after 18 months. Probably, this doesn't hurt Google's revenue much because data older than this is not very useful for Ads anyway, but it is still an increase in privacy compared to Google remembering everything about you forever (just not as good for privacy as defaulting to Off).
- FLOC is their answer to "how can we have the same level of user-targeting in ads, with more privacy?" The idea is that to decide whether to show me ads about shoes it doesn't need to know every site I've ever visited; it just needs to know roughly what kind of person I am. The old model is that every site carrying ads by Google would have a third-party Google cookie that would record your visit; the new FLOC model is that your browser privately builds up a profile about you and just reveals which bucket you fall into. Obviously your browser tracking you isn't as much privacy as no tracking at all, but if you start with the assumption that well-targeted ads ought to exist and try to maximize privacy under that constraint, then FLOC is a reasonably good answer to that question. (I know some smart privacy/crypto engineers—not from the Ads org—who've worked hard on developing/analyzing it…)
- [Edit: Added this point later.] You can see this Chrome blog post https://...
Sounds like a great reason for everyone to stop using Chrome. This is a capability that's been in Firefox and Safari for awhile now.
We're getting back to a point where the dominant browser is focused on rent-extraction over user-focused design and features, and alternatives are superior in pretty much every way other than bug-compat with the dominant browser (e.g. same thing we had in the IE6 days).
There's no reason anyone who's technically inclined should be using Chrome as a daily-driver at this point. Their interference in ad-blocker extensions should have been enough, this should be the nail in the coffin.
Requiring opt-out (hidden at that!) is statistically the same as not supporting it. Most users will not know about this or be technically inclined enough to change it.
Google knows this. Some analyst or PM modeled it.
edit: Hello Google employees downvoting me. I'm confident nobody else on the planet wants this the way you do. You can censor me, an individual voice. But the world doesn't like or need this, and they're waking up. As are our legislators. Change your behavior and innovate in other areas that benefit society. (There are so many - nearly limitless!) The clock is ticking. They're building the antitrust cases as we speak, and this is the road you're actively choosing to go down. Not a good look, not the best step forward. I really do want the Google of 2005 to succeed; all of this has just been a misstep. Microsoft in 2021 is so much better than Microsoft of years past. Google could do the same. Don't be evil.
Is there a use case for third party cookies outside of ad tracking? I’ve had it disabled for years and don’t recall it breaking any website I actually care to use.
Once case is iframing a site where people will get logged-in behavior without requiring them to log in to each site individually. For example, an embedded video player that wants to disable ads for subscribers or a micropayments service that needs to recognize which account to charge.
(Disclosure: I work on ads at Google, speaking only for myself)
I had to enable third party cookies to log into Pearson’s online learning garbage. It appears the use case here is standing up poorly designed websites.
Google should be barred from making a web browser. The DOJ should come down hard on this behavior.
Not only is this monopolistic, but it's destroying the web and turning our privacy situation into a trash fire.
They're making this 3rd party cookie decision at the behest of their adsense unit, and it's decisions like these that are infectious across product boundaries. AMP, no URL, increasingly unilateral and opaque HTML standards that serve to push ads, ...
Google has been so lazy at innovation in other areas that they can't afford to lose Chrome. It's a key part of their fragile moat. They'll defend it to the death.
Nevertheless, these two products should not be the same company.
You could argue that there are more jobs on the line if they remove support than leaving it as is. AdTech is huge. Now go and tell any government entity about coming down "hard on this behavior".
The role of government isn't to support whichever industry is currently employing a lot of people and ignore everything else. I know it sounds a little insane, but I think the rule of law and our moral center is more on the ticket.
So when a major regulatory authority forbids Chrome from proceeding with the third party cookie deprecation plan, what should Google do? Apparently the vast majority of HN commenters think that they should ignore the regulators, and just plow ahead.
For some reason I imagine that if they actually were to ignore the regulators, the feedback from exactly the same commenters would not be positive.
I think they should deprecate Chrome or spin it off into another company. The issue here is monopoly.
Also, regulators aren't upset about them blocking third party cookies, every other browser already does that. They're upset about Google's attempts to inject new Google-controlled tracking methods that grant them a further advantage at the cost of all their competitors.
The answer is simple: Block third party cookies and don't replace them with anything.
> Also, regulators aren't upset about them blocking third party cookies, every other browser already does that
As far as I can tell, that is untrue. CMA has explicitly stated concerns with any removal of third party cookies by default from Chrome, since they believe ad tech companies are dependent on them but Google isn't. Any new mechanisms introduced for privacy preserving ad targeting are irrelevant, except insofar that they could be used to satisfy the needs of said ad tech companies. That other browsers have been allowed to remove third party cookies by default is also irrelevant: the fact is still that Chrome is not being allowed to do so.
> CMA has explicitly stated concerns with any removal of third party cookies by default from Chrome, since they believe ad tech companies are dependent on them but Google isn't
This is because Google owns Chrome, and hence, doesn't need the cookies to collect web activity. The solution, as I said, is to force them to spin off Chrome.
> Oh, come on.
It's actively harmful to consumers. Chrome is like asbestos, we're better off just... not using it. There are safer alternatives out there.
Many (I suspect a large majority) of users simply don't care about web browser privacy. And I don't mean lack of concern due to ignorance of the scope of the issue. I mean if you describe to them what a third party cookie does, they just don't see a material harm, or risk, or disadvantage.
They may prefer not to see ads at all (who wouldn't?), but in terms of surveillance marketing, it's just not something that is perceived as adversely impacting their day-to-day experience.
Consumer awareness is shifting and fueled by Apple's privacy marketing campaigns. If Apple continues to invest here, I could see Chrome's desktop marketshare start to diminish. Safari has 50% of total mobile marketshare while only 16% in desktop. I see both platforms as low hanging fruit for Safari or Firefox.
Not defending cookies - but I just don't think most of the rest of the world cares. Outside of the tech bubble that really cares, I'm not sure I know a single non-tech person that, other than 'the popup', even knows what a cookie is (let alone gives a damn). 99% of my non-tech friends/relatives are just bored of 'the box thing that comes up every time you visit a website'. No one it them and everyone just clicks the quickest button ('Accept All') to just get on with whatever they were trying to look at.
Turns out, when you follow the GDPR and make it as easy to give as it is to remove/reject consent, people will generally reject consent to be tracker and personally identified unnecessarily.
When you get prompted with a mandatory dialog that you must answer where one of the two choices offers no clear benefits, of course no one is going to pick that one.
This is a meaningless statistic.
That’s why phrasing questions and choices in any kind of poll or survey is a complex subject if the goal is to ensure minimal bias.
What would then be a way to phrase the question with minimal bias in your opinion? What are these benefits I'm missing out on when I deactivate tracking?
Also, judging by the screenshot in the article, Apps can show text to justify the tracking, so they have all chances to phrase that with bias in their favor! Still people don't want it.
Isn't it our jobs as the people who understand these things and are implementing the technologies to not take advantage of the fact that most people using them are ignorant to how this stuff works?
I wouldn't expect the people who built bridges to install technology that secretly tracked you every time you crossed over them.
This is true... but it's also why we, as the informed parties, must actively push change. The 99% of folks who don't understand are going to be taken advantage of, and actively harmed, by privacy issues they don't understand. It's why the default needs to be the right one for consumers.
Eh, we'll see if they can actually hold to that position.
Every time Google delays on a change like this, it becomes a bit more obvious that both Firefox and Safari are more private browsers by default out of the box. Add to this that Firefox already has better uBlock Origin performance than Chrome. Add to this that whenever Manifest V2 is finally deprecated from Chrome their adblocking will get considerably worse.
Firefox and Safari also aren't going to stand still on privacy. I expect them to continue to widen the gap over time if Google keeps delaying on this stuff; regardless of whether they're delaying because of fear of regulators or just because they don't like the idea of a web ecosystem that is less ad-friendly.
----
It is a little bit ironic to hear sentences like this coming from the Chrome PR team though:
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
It's funny, given that a primary complaint of Chrome from web developers has been that they constantly move at a breakneck pace with new standards and regularly push out new policies without sufficient developer discussion or thought about the possible issues their changes will introduce. See the entire web audio debacle.
It's almost like Google is a lot more scared of breaking ads than they are of breaking other parts of the web. :)
In today's news, we have Google refusing to do something that would damage their ad business, and we have Apple refusing to do something that would damage their app store business.
We know:
* FLoC is less useful than third-party cookies for tracking visitors.
* Google won't stop supporting third-party cookies until a replacement (like FloC) is available
Yet, in these threads I see both statements:
* Google is pushing FLoC to help its ad business.
* Google won't kill 3rd-party cookies because it would hurt their ad business.
68 comments
[ 4.2 ms ] story [ 135 ms ] threadNobody should still be using it by 2023.
* On Safari it works correctly with default settings.
* On Chrome with third party cookies disabled it doesn't work and takes you to https://support.google.com/drive/answer/2423534
I poked around in dev tools, and it looks like what's happening is in serving to Safari it gives a download link that includes authentication information, but when serving to Chrome it doesn't. Perhaps because it's expecting to get third party cookies?
My guess is that they rolled out special handling for Safari when it started blocking third-party cookies by default, which will eventually make its way to all browsers?
(Disclosure: I work on ads at Google, speaking only for myself)
Kind of ironic that I need to spoof as non-Google device to use a Google product with a Google browser.
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
> By ensuring that the ecosystem can support their businesses without tracking individuals across the web, we can all ensure that free access to content continues.
This proves Google's consumer privacy strategy is all smoke and show. It should come to no ones surprise they choose to follow the money (ads). Apple continues to improve privacy on Safari with every major update and Google is still sitting on the sidelines.
https://blog.google/products/chrome/updated-timeline-privacy...
google is trying to escape a colossal regulatory hellfire that has sprung up in the last two weeks over this attempt to do the right thing, that other browsers already do. shit has just gone defcon4 & they are adding time to the doomsday clock that various national & supranational powers have just set ticking. set ticking for doing the right thing. scratch that, for having said they would be doing the right thing, hereby rescinded.
mark Nottingham wrote up some of these new regulatory regimes being imposed on Google on Monday: https://www.mnot.net/blog/2021/06/21/standards-competition-g... https://news.ycombinator.com/item?id=27578618
If Google blocked third party cookies absent FLoC, regulators wouldn’t care.
They're solidifying control over the web.
If Google wasn't having anti-trust worries, maybe they could force it to happen, but it's too blatant now.
My assumption is 3rd party cookies die to regulation, and nothing gets enough consensus to replace them.
(Disclosure: I work on ads at Google, speaking only for myself)
[1] Safari: https://github.com/privacycg/private-click-measurement
[2] Edge: https://github.com/WICG/privacy-preserving-ads/blob/main/Par...
[3] Chrome: https://www.chromium.org/Home/chromium-privacy/privacy-sandb...
> By ensuring that the ecosystem can support their businesses […] we can all ensure that free access to content continues.
Internally, Google believes that with Ads they are doing good to the world: the mission of Google Ads literally starts with "power the open and free internet…" (you can find it online). The idea is that for every site online that carries ads on it ("publishers"), it's the website that has chosen to put ads there, to make money. So the assumption is that if websites couldn't make money from ads (or if they made significantly less money, because of worse ads) they'd either stop hosting the website or put it behind a paywall, and users wouldn't get "free access to content".
Of course this applies only to those sites on the internet that have ads at all (doesn't apply to HN, Wikipedia, government/academic websites etc), but then again, ad-tech third-party cookies are also only present on such sites anyway.
-----
(I work at Google in Ads but not on anything related to any of this; this is all my own opinion posted from an alternate account. I find ads annoying and use an adblocker personally, so I was surprised to encounter this point of view.)
-----
Rather than "Google's consumer privacy strategy is all smoke and show", the sense I get internally is that Google is serious about "as much privacy as possible without seriously affecting our revenue". A couple of examples:
- [Edit: Added this point later.] In 2019 most (all I think? It's hard to tell) of "what Google knows about you" was consolidated into a single "My Activity" page (https://myactivity.google.com/), with user controls for turning things off or individual items. This was a lot of effort (Sundar at TGIF spoke proudly of it; see also the blog post https://blog.google/technology/safety-security/putting-you-i...), and personally as a user I feel better having control and visibility over what exactly what Google knows about me, but I don't remember much media coverage or discussion of this; maybe not everyone finds this exciting. :-)
- In 2020, they changed the default for new users to auto-delete this "Web and App Activity" after 18 months. Probably, this doesn't hurt Google's revenue much because data older than this is not very useful for Ads anyway, but it is still an increase in privacy compared to Google remembering everything about you forever (just not as good for privacy as defaulting to Off).
- FLOC is their answer to "how can we have the same level of user-targeting in ads, with more privacy?" The idea is that to decide whether to show me ads about shoes it doesn't need to know every site I've ever visited; it just needs to know roughly what kind of person I am. The old model is that every site carrying ads by Google would have a third-party Google cookie that would record your visit; the new FLOC model is that your browser privately builds up a profile about you and just reveals which bucket you fall into. Obviously your browser tracking you isn't as much privacy as no tracking at all, but if you start with the assumption that well-targeted ads ought to exist and try to maximize privacy under that constraint, then FLOC is a reasonably good answer to that question. (I know some smart privacy/crypto engineers—not from the Ads org—who've worked hard on developing/analyzing it…)
- [Edit: Added this point later.] You can see this Chrome blog post https://...
> Select Settings > Site Settings > Cookies and site data.
> Select Block third-party cookies.
chrome://settings/cookies
Just turned it on myself. Thank you, OP!
We're getting back to a point where the dominant browser is focused on rent-extraction over user-focused design and features, and alternatives are superior in pretty much every way other than bug-compat with the dominant browser (e.g. same thing we had in the IE6 days).
There's no reason anyone who's technically inclined should be using Chrome as a daily-driver at this point. Their interference in ad-blocker extensions should have been enough, this should be the nail in the coffin.
Requiring opt-out (hidden at that!) is statistically the same as not supporting it. Most users will not know about this or be technically inclined enough to change it.
Google knows this. Some analyst or PM modeled it.
edit: Hello Google employees downvoting me. I'm confident nobody else on the planet wants this the way you do. You can censor me, an individual voice. But the world doesn't like or need this, and they're waking up. As are our legislators. Change your behavior and innovate in other areas that benefit society. (There are so many - nearly limitless!) The clock is ticking. They're building the antitrust cases as we speak, and this is the road you're actively choosing to go down. Not a good look, not the best step forward. I really do want the Google of 2005 to succeed; all of this has just been a misstep. Microsoft in 2021 is so much better than Microsoft of years past. Google could do the same. Don't be evil.
https://support.okta.com/help/s/article/FAQ-How-Blocking-Thi...
(Disclosure: I work on ads at Google, speaking only for myself)
Not only is this monopolistic, but it's destroying the web and turning our privacy situation into a trash fire.
They're making this 3rd party cookie decision at the behest of their adsense unit, and it's decisions like these that are infectious across product boundaries. AMP, no URL, increasingly unilateral and opaque HTML standards that serve to push ads, ...
Google has been so lazy at innovation in other areas that they can't afford to lose Chrome. It's a key part of their fragile moat. They'll defend it to the death.
Nevertheless, these two products should not be the same company.
I want Google to succeed, but not like this.
Should a company with the world's largest advertising and tracking business be in charge of 65% of the web?
Should they be able to unilaterally set standards?
Should they be allowed to delay rollout of consumer protections to defend their ad unit?
This alone poses an enormous problem.
For some reason I imagine that if they actually were to ignore the regulators, the feedback from exactly the same commenters would not be positive.
Also, regulators aren't upset about them blocking third party cookies, every other browser already does that. They're upset about Google's attempts to inject new Google-controlled tracking methods that grant them a further advantage at the cost of all their competitors.
The answer is simple: Block third party cookies and don't replace them with anything.
As far as I can tell, that is untrue. CMA has explicitly stated concerns with any removal of third party cookies by default from Chrome, since they believe ad tech companies are dependent on them but Google isn't. Any new mechanisms introduced for privacy preserving ad targeting are irrelevant, except insofar that they could be used to satisfy the needs of said ad tech companies. That other browsers have been allowed to remove third party cookies by default is also irrelevant: the fact is still that Chrome is not being allowed to do so.
> I think they should deprecate Chrome
Oh, come on.
This is because Google owns Chrome, and hence, doesn't need the cookies to collect web activity. The solution, as I said, is to force them to spin off Chrome.
> Oh, come on.
It's actively harmful to consumers. Chrome is like asbestos, we're better off just... not using it. There are safer alternatives out there.
They may prefer not to see ads at all (who wouldn't?), but in terms of surveillance marketing, it's just not something that is perceived as adversely impacting their day-to-day experience.
https://blog.google/products/chrome/updated-timeline-privacy...
Like how 96% of iOS users asked apps not to track them.
https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...
That’s why phrasing questions and choices in any kind of poll or survey is a complex subject if the goal is to ensure minimal bias.
Also, judging by the screenshot in the article, Apps can show text to justify the tracking, so they have all chances to phrase that with bias in their favor! Still people don't want it.
I’m just saying Apple clearly built this modal to encourage everyone to press no.
I wouldn't expect the people who built bridges to install technology that secretly tracked you every time you crossed over them.
Every time Google delays on a change like this, it becomes a bit more obvious that both Firefox and Safari are more private browsers by default out of the box. Add to this that Firefox already has better uBlock Origin performance than Chrome. Add to this that whenever Manifest V2 is finally deprecated from Chrome their adblocking will get considerably worse.
Firefox and Safari also aren't going to stand still on privacy. I expect them to continue to widen the gap over time if Google keeps delaying on this stuff; regardless of whether they're delaying because of fear of regulators or just because they don't like the idea of a web ecosystem that is less ad-friendly.
----
It is a little bit ironic to hear sentences like this coming from the Chrome PR team though:
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
It's funny, given that a primary complaint of Chrome from web developers has been that they constantly move at a breakneck pace with new standards and regularly push out new policies without sufficient developer discussion or thought about the possible issues their changes will introduce. See the entire web audio debacle.
It's almost like Google is a lot more scared of breaking ads than they are of breaking other parts of the web. :)
Yet, in these threads I see both statements: * Google is pushing FLoC to help its ad business. * Google won't kill 3rd-party cookies because it would hurt their ad business.