570 comments

[ 3100 ms ] story [ 2788 ms ] thread
I wonder how Brave and Microsoft Edge will handle this change. Are they also going to ship this "feature"?
Right now third-party cookies are blocked in Brave, so they'll probably also block this as well, but it remains to be seen. (I avoid Edge)
Everything I'm seeing is that it is Chrome doing this, not Chromium. If the Googs decides to add features on top of Chromium in its Chrome release, that does not mean that other Chromium based browsers will have those changes automatically as well. It totally makes sense to me that Googs would not want these in the base Chromium as it's the secret sauce just for the Googs
(comment deleted)
I would think Google would want this in Brave and Edge also. Google will want to advertise to the users of these browsers even though they aren't using Chrome.
Then why are the articles not saying Chromium and specifying Chrome? Has Chrome become the new Kleenex/Xerox/Rollerblade?
Most people reading articles have no idea what Chromium is and how it differs from Chrome.
Microsoft has much more data about you, that just what can be gleamed from the browser.

It doesn't matter if edge does not have this "feature".

Microsoft can simply scan documents on your PC.

Jokes on you, I don’t use Windows
Microsoft will probably redirect it to their own servers. Brave will probably disable it. It's not hard.
It's nefarious how they ask you if you want to turn on "ad privacy", indicating that this feature increases your privacy when in reality it does the opposite.
Technically they’re correct: the privacy offered by this new system is superior to that which is offered by the web with no tracking protection.

Thinking about it in a very abstract way I find the whole thing fascinating. Google is clearly terrified that the tracking protection offered by other browsers is going to become the norm and they’re trying to head that off at the pass by implementing this compromise. But I’m not sure why they’re all that worried about it, they still have the lions share or the browser market. Maybe they’re worried about incoming legislation?

If I'm understanding correctly, they're not turning on some other tracking prevention when you enable this "feature". It's strictly a privacy downgrade.
Not yet but they can't just turn off third party cookies arbitrarily in their browser without giving time for sites and advertisers to update their systems to account for the removal. They're already facing anticompetitive/monopoly scrutiny on many other fronts, they don't need to shoot themselves in the foot in the advertising space as well. Thus the first step is to implement a replacement technology first and then make the change.
> Not yet but they can't just turn off third party cookies arbitrarily in their browser without giving time for sites and advertisers to update their systems to account for the removal.

Of course they can. They just don’t want to.

No, they literally can't. The UK Competition and Markets Authority made Google promise they won't remove 3rd-party cookies from Chrome before adding alternatives.
Sure they can. They just have to do it in a way that doesn't create a disadvantage for other advertising providers.

Google isn't allowed to stop others tracking you without also removing their own ability to track you because that's anti-competitive.

You are assuming reasonableness on behalf of the regulators in question. In an ideal world, they hopefully said "you cannot give information to your own advertising/analytics division that you don't give to others". However, they could just as easily have said "you must provide either third-party cookies or a replacement for them", without offering the much more reasonable alternative of turning both off and not giving Google advertising/analytics any information either.

So, what did the regulators actually say, and does it in fact allow Google to turn off third-party cookies without any replacement? If it does, then this is Google's fault for adding this feature in Chrome. If it doesn't, then this is the fault of bad regulation.

Google has a habit of limiting changes it does not like to specific countries.

So if they are rolling out a UK mandated feature globally there is no question that Google is all for it.

> Not yet but they can't just turn off third party cookies arbitrarily in their browser without giving time for sites and advertisers to update their systems to account for the removal.

This is a good example of anticompetitive/anti-monopoly regulation not only not protecting consumers, but in fact making things actively worse.

A better regulatory response would have been "having an advertising/analytics product and a browser product in one company is anticompetitive, split one of them into a separate business from the other, and then the browser product must not privilege the advertising/analytics product". Then the browser could, in fact, just disable third-party cookies without giving advertisers and analytics companies another alternative.

They could also not run a global surveillance panopticon so that there wouldn't be an unfair competitive advantage. Or telling the UK to get bent and that they won't offer Chrome there is apparently a viable strategy given recent developments with encrypted communication there.

In any case, this is still strictly a privacy downgrade to turn on. It's still deceptive to imply turning it on improves privacy.

After the launch of this feature they plan to disable third party cookies. It's not happening simultaneously because they would get hit with antitrust suits by adtech companies if they gave no time to transition.
That sounds then like a class action lawsuit waiting to be filed.
We're in a transition period to turning off third-party cookies. When that happens, this is objectively more privacy-secure.
> Technically they’re correct: the privacy offered by this new system is superior to that which is offered by the web with no tracking protection.

That’s not true, this new system is a tracker, not tracking protection. Simply turning it off improves privacy.

There’s literally no point in implementing this system if you aren’t going to pair it with tracking prevention, as Google plans to do.
They’re planning on turning off one tracking system they use on us and turning on another, that’s not “tracking prevention”. Every other browser just turned off the old and didn’t replace it, and users are better off for it.
I’m aware. The OP said:

> this feature increases your privacy when in reality it does the opposite

My clarification is that their new tracking system does increase your privacy compared to the old. It just doesn’t increase it as much as other browsers. We’re not in disagreement about what is better for users.

We’re in agreement on the relative privacy, too. My point was just to challenge this “protection” / “prevention” framing. If somebody regularly mugs you then announces they’re going to start taking half as much when they mug you, and that only in response to people increasingly fighting back, framing that as “mugging protection” or “mugging prevention” is not just inaccurate, but pushes an assumption that this person is actually helping us and that demands of no mugging at all are unreasonable.
As of right now they don't turn off 3rd party cookies when you enable this, so no. This objectively decreases your privacy.
It’s beautiful, from a sociopath’s perspective, if you think about it.

“If you let me punch your teeth out, the stabbings will stop (sometime in the future, terms and conditions may apply)”

All while refusing to acknowledge that there is an option that requires neither punching nor stabbing.

To an uninformed user that takes Google’s words at face value it sounds like an upgrade.

>in reality it does the opposite.

Third party cookies can do everything the topics API can do and more. Third party cookies lets sites collect granular data about what exact site you on and any data they want from it. This API just gives them some topics which may even be a random chosen one and not a real one.

Can you give me a source that enabling the topics API disables third-party cookies? And once Chrome has phased out third-party cookies the topics API will strictly decrease my privacy, not increase it.
>Can you give me a source that enabling the topics API disables third-party cookies?

I never claimed that. The current estimated timeline for phasing out 3rd party cookies as of last month is:

23Q4 Opt in testing for sites

24Q1 1% disabled

24Q2 fully disabled

https://privacysandbox.com/open-web/

> And once Chrome has phased out third-party cookies the topics API will strictly decrease my privacy, not increase it.

You are free to disable topics, sites, or even the entire system altogether. While it does decrease your privacy in return you can get more relevant ads. With 3rd party cookies if you disable them all you will break things even if those things are unrelated to ads.

Then bringing up third party cookies seems like a red herring. They're worse, but for example I have a pi-hole at home. This prompt will probably mislead my wife into accepting it as an improvement, while it will presumably undermine the tracking mitigations I've set up for her until I go fix it.

This is unambiguously a privacy downgrade, regardless of what third party cookies may also be able to do.

I brought it up because this API aims to replace a use case of third party cookies.

If you are blocking 3rd party cookies by DNS you will also block topics too.

Precisely. The article (and seemingly everyone else) fails to realize that topics is reducible to TPC. If you have TPC then topics provides no additional tracking capability.

Topics is a mess (see a great analysis from a colleague of mine[1]), but it’s a hard sell to call this current step nefarious.

[1] https://arxiv.org/abs/2306.03825

Time to uninstall chrome! I keep it around just incase but nah.
Out of curiousity, what do you use instead?
Not the OP, but I use Safari on my personal devices, or Firefox if I have to use Windows. The efficiency of Safari is unbeatable, and I prefer its UX.

I also use Kagi instead of Google search.

Firefox -- faster, better feature like container tabs, more secure and more private
For almost all the times when you really need Chrome because Firefox doesn't work, Chromium will work just fine. You probably don't need Chrome.
And how is Chrome not the new Internet Explorer?
Because the new Internet Explorer is Chrome-wannabe
Because Firefox exists. And anyone can use Chromium to compete with Chrome fairly rapidly.

It’s not the new IE. In my mind it’s worse than the new IE because it achieves similar goals as the IE abuse but without necessarily doing anything illegal.

Mozilla and Opera existed at the time, as well as a bountiful amount of IE shells which essentially acted as the Chromium derivative equivalents. Outside of Chrome (technically) shipping the same binaries across all the platforms it supports, and using scope creep in a more subtle way compared to 90s-era IE, I don't see how the situation is materially different between now and then.
This is not exactly right. Netscape Navigator was the original browser. Microsoft invested a lot of money to bring IE up to par and exceed Netscape’s capabilities. And once they wiped out Netscape they coasted and used IE as a Trojan horse to control the web. It was after IE6’s stagnation that Firefox was spun out of Netscape and took some time to compete. Firefox was first released in 2004 and IE6 in 2001. Opera which had been around was proprietary. To the extent they were interested in making the internet a better place it was only to serve their company interests.

Thars very different from the situation we have now where Firefox is well known and open source, and even Chromium’s open source so it can be leveraged by better stewards of the internet.

Don’t get me wrong. My argument is not that Google is better than Microsoft. My argument is simply that the situation we’re facing right now is very different from the IE era. If anything, I’m arguing that the Chrome era is worse because of how much more insidious Google’s actions are.

It was easy for the EU to essentially eliminate the IE threat by forcing MS to unbundle IE and for Firefox (and later chrome) to replace IE purely on the basis of providing a better software. Replacing Chrome on the other hand is a very different kind of problem that is possibly much harder.

Firefox is barely surviving. Skinning Chromium hardly counts as competing with Chrome.

I agree with you that Chrome is even worse than IE ever was. Mostly because Google is much smarter than MS was when it comes to ensuring market dominance. It will be much harder to dethrone Google, simply because Chrome is a much better product.

Chrome is not baked into the operating system.
Maybe not yours, but it's baked into the operating systems used by billions of phones (Android) and millions of kids/others with generally lower tech literacy who may not have great context on the privacy implications of these changes (ChromeOS)?
Because it's been less than 6 years since the last Chrome update. Probably less than 6 weeks even.

I'm not a fan of Chrome though. But the problems with Chrome are not identical to the problems of IE.

My friend Jake runs an analytics company.

He's faced enormous challenges due to Google's "privacy" policies... Google is removing nearly all access to user data, they don't even like you looking at the user agent string (which issues a warning)... not to mention its impossible to know about search traffic and even referring urls.

Meanwhile Google has access to all this data, so he tells me all this is just gaslighting so they can illicitly protect their monopoly on web data.

> Meanwhile Google has access to all this data

I’m loathe the defend Google but I don’t think this is the case. The replacement for user agent sniffing (client hints? I forget) is a universal thing and I don’t think Google has a secret back door tracking mechanism their ad network is able to use. It would certainly be a big story if they did.

Google’s ad network might not have access. But does Google have access?

Because there are many ways Google can leverage this data without giving their ad network access.

Privacy isn’t just about privacy from ads. There are all sorts of non ad related privacy abuses that can exist.

A while ago now I booked a room on Expedia, which ended in me getting a confirmation email with an itinerary to my Gmail backed address. Lo and behold, few minutes later a CTA pops up on my Android phone offering to create a matching trip in Google's trip planning product. I'm sure it's all above board once you got into the fine print but it was not a pleasant experience.
> I don’t think Google has a secret back door tracking mechanism their ad network is able to use. It would certainly be a big story if they did.

Like Chrome??

> I don’t think Google has a secret back door tracking mechanism their ad network is able to use.

they have 80% population using search, youtube, storing browsing history etc while logged into google account, so they have lots of data about most of the people.

Right but that’s not a secret back door tracking mechanism. It’s a pretty blatant one!

My point is that even this blatant logged in user tracking won’t be able to use user agent strings to track either.

yeah, no need some secret backdoor..
you're the one who introduced the concept of it being secret, your quote just said they have access
You only need a backdoor if you do not also have a 6 lane highway to your users premises.
yes, client hints.

google "has access to all this data" in exactly the same way any other website does. you request the information you need from the client, and the client can choose to provide it or not. clients provide it by default.

hate on google all you want, but UA reduction is objectively a good thing. "my friend jacob wants to slurp up everything from the user-agent string on the first request" is not a good argument.

This doesn't make sense. The browser provides the user agent as a header in HTTP requests. They can't detect if or how the server is using that information.

Or do you mean your friend's product is a browser plugin? In which case, um, yes, I don't want it having access to any more information than it it needs to do it's job (and honestly, probably not even that.)

> The browser provides the user agent as a header in HTTP requests.

They (Chrome) are taking it away [0].

[0]: https://developer.chrome.com/en/docs/privacy-sandbox/user-ag...

I'm all on board calling Google out for slowly implementing a user data protection racket, where Google owns all the data and everyone else is squeezed out and has to go through Google as The central data broker. At the same time this user agent reduction thing seems like a decent idea at first blush and good for users privacy.
If that were really their motive, a better strategy would be making user agent string customization a first-class feature.
No, because approximately nobody would customize it.
Then generalize it by default. I just can't buy that Google really has this motive when they simultaneously are introducing WEI.
I think it’s a mistake to assume consistent intentions from a company as big as Google and a product as big as Chrome
Yes, you shouldn't assume consistent intentions from a behemoth like Google. However, in large and fragmented companies, leadership's moral compass often faces numerous pressures, and on average will trend downward in an economic system with perverse incentives such as the one we have today.
They could also use the user agent: "", or omit the http header entirely.
You can already do that with extension, can't you?
An extension isn't first-class support, first-class means supported directly in the browser and easily discoverable.
TBH I'm surprised the User-Agent header has survived as long as it has. Referer, too.
That header and Referer were always a mistake. I don't think The Google's motivation is pure, but I agree in principle.

A lot of sites will break for people as a result, though. Maybe that's what The Google wants, though.

> Referer were always a mistake

Yeah, it's even spelled wrong!

I agree that user agent is not the best idea but it helps endlessly when you need to find out what browser a non techy person is using - just ask them to go to one of the endless sites that tells you what browser you're using based on the user agent string.
My web development knowledge is very limited. But isn't this the main method where simple websites (most static generators) used to decide if the user is browsing from a mobile or not and serve a version based on that?

I would appreciate it if someone explain what other things people do to tackle this, or if I'm completely wrong?

(comment deleted)
Most responsive design is based on screen dimensions with CSS media queries these days, not on the actual class of device.
Though I can see justifications for giving people a different UI depending on whether they use a touch screen or a mouse.
Although really they should be using a pointer media query. Lots of sites I see randomly turn into mobile versions on desktop as soon as you resize the window narrow.
I think media queries have been the way to do that for awhile. Or I think there's some javascript trick to do it.
That's mostly done client-side these days; having the server treat clients differently doesn't happen as much anymore.
The server now needs to respond with the Accept-CH header specifying it wants the client to send the mobile client header by including the "UA-Mobile" value. A compliant client will then send the Sec-CH-UA-Mobile header in its next request with either the value "?0" or "?1".
Not supported on iOS, which is a good chunk of the mobile traffic you’re trying to identify.
You have to do a split approach. Last I knew only Chrome-based browsers support the new UA headers. Firefox and Safari only support the User-Agent header which you have to check for the presence of "Mobi".
The modern solution is to use CSS with media queries. You tell the client how the site is supposed to look on various screen sizes. The client applies the rules without leaking any information about which rules it chose to apply.
Without Referer how will jwz dot org troll HN users?!
Referer is not quite the same as how it was. In recent years, the default behavior in most cases is for the browser to either send just the origin, or no referer at all.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

"Origin" means no path, so the referer might tell me which search engine the user used, but not what search query was done. It's much better than in the old days, where I might even see someone's session ID in the referer.

YouTube got around this in the earlier days since the referer header didn’t sent query strings. Maybe if referer hadn’t existed, YouTube urls would look like /watch/ViDeOID
Will that finally bring an end to having to use user-agent-switcher to get some sites to work on Firefox?
Excellent. Sites shouldn't know what user agent we're using anyway. Pretty much the only thing they use this for is to lock us out when we use "unsupported" browsers. The less information they get, the better. Hopefully they'll get rid of referrer too and weaken fingerprinting methods.

I have no doubt Google has self-serving motivations here but the result is still a win for us. I wish Firefox had enough leverage to force decisions like this down people's throats whether they like it or not but it just ain't so. Reality is imperfect so I'll take what I can get.

There are plugins for Firefox that can make the user agent string anything you want.
It doesn't matter. Actually those plugins are straight up counterproductive.

The best user agent is the one that offers them the fewest identifying bits. In other words, the user agent of the most popular version of Chrome. The ability to set it to "anything we want" is actually a trap. What we really want is for everyone to use the exact same user agent so they can't tell us apart.

If everyone has the same user agent, it's nothing but a waste of bandwidth and it should be removed. Google is actually achieving our objective here.

Firefox has plugins to set your user agent to Chrome.
Pointless. Firefox should just pretend to be Chrome by default without the user having to install plugins or even do literally anything. As should all the other browsers. Anything that leaks out the fact it's not Chrome should be considered a bug and fixed.
Well yeah, they have a pre-configured set of choices, e.g. "Chrome on Windows" but you can do something custom too, if you want.
Yeah I tend to agree here... It really seems like none of the server's business what agent I'm using.
Yup. It's none of their business. They can't discriminate against us if they don't know anything about us.
Can't trust you either. Are you a bot? Well it's good to assume you are by default, since it's the majority of internet traffic anyway. And for your privacy, you're not exactly forthcoming with data to now prove otherwise.

So sorry, until you pay with a unique individual bank account to prove identity, you can't post on future social media sites. You are a bot after all.

Even if I was a bot, what of it? Your site should serve bots just as well as it serves humans. Only people who care about that are those who want to monetize our eyeballs by selling our attention to the highest bidder.

If it's costing you money, have your HTTP server return 402 Payment Required instead of the free page. That's how it should be.

There are vast reasons to prevent brigading, false information, information manipulation and any other number of malicious inputs that otherwise in a forum for people require trust to maintain community quality. Even for free reasons, especially say nice interest groups like one I used to be on for small satellites that got destroyed by uncontrolled bot spam.

I do not agree that every piece of the internet "should be" behind a paywall because bad actors exist. That world is the literal death of the "open" internet, putting everything behind a paywall.

> prevent brigading

Not something that should be prevented.

> false information, information manipulation

Not something any one person should be the arbiter of.

> and any other number of malicious inputs that otherwise in a forum for people require trust to maintain community quality

Trust is how you solve this. Forums shouldn't be letting randoms sign up and post. Just like we developers don't let randoms commit to our git repositories.

But they want that mass market appeal, don't they? They want everyone to have input access, to be able to comment and participate. Usually because they're pushing ads and the more eyeballs the better. They're hopelessly dependent on "engagement".

> That world is the literal death of the "open" internet.

Not really. It might mean the death of the "free" internet but not the "open" one. The open internet is the one where we get to use whatever software we want to interoperate without restriction. It's the one where we get to use a Python script to scrape your site if we wish to do so. It's the one where we get to download videos with yt-dlp.

The project I'm currently working on is a community data aggregator for an upcoming election to improve election transparency. I will not be requesting user sign up or registration because the average age of the users will be over 45 and for a single day without getting into GDPR issues.

But I do intend to arbitrate if the election information being input from multiple geographical locations is valid data or not. Otherwise I'm not doing the project and the existing system of it only being owned by the largest political parties who have their own organization doing the tabulation. Others who have attempted this work have seen active manipulation campaigns over the course of their validation and speak to the only way to counteract the manipulation was bot control.

I do not want mass market appeal. I want the thing to get adoption for a day by people that would otherwise be casual at best internet users.

> The open internet is the one where we get to use whatever software we want to interoperate without restriction. It's the one where we get to use a Python script to scrape your site if we wish to do so

Sorry, Error 402, please provide payment. You're a bot until proven otherwise.

> But I do intend to arbitrate if the election information being input from multiple geographical locations is valid data or not.

How are you going to do that?

I live in a country whose supreme court routinely orders censorship of "fake news" and other kinds of "harmful" information, something not seen since the days of our military dictatorship. This year our government essentially created a ministry of truth. They censored "fake news" which literally turned out to be true after our current president was elected, it's comical.

How do you plan on being any different?

> Sorry, Error 402, please provide payment. You're a bot until proven otherwise.

OK. Do you accept credit cards?

> How are you going to do that?

The same way it's organized among the political parties. Word of mouth, social media and good will among interested parties who trust each other for a common goal of maintaining democratic principles. I don't come from a country that censors such work. Their main problem is it's all pen and paper by people that are usually schoolteachers and farmers on a normal day and they need the tech help.

> OK. Do you accept credit cards?

No I do not accept credit cards. I'm neither a business nor a payment processor. Please contact the administrator. Don't expect a reply. If you have to cold call, you're not in the existing trusted network where others vouch for additions to the network and will be two-factor geo-IP verified. Good luck with your python scraping in your world.

If you don't want my money, then I suppose I just won't get access. That's OK.
Disagree that that is OK.

A good democracy will have access for whoever requests it to validate and learn about their peers more, not forced behind a paywall. Hopefully by enabling my ethos, it marginally feeds towards culturally maintaining that my country doesn't have a Ministry of Truth and other forms of democratic deficits.

An open, democratic web doesn't discriminate against me just because I want to use a Python script instead of a browser.
One person, one vote. [0] https://en.wikipedia.org/wiki/One_man,_one_vote

A core of Democracy is indeed preventing ballot stuffing when people go to upload the vote results they see. We're just not talking about electronic means than paper ones. You say "me", why is your script different from a Russian-style nation state trying to put weight on the scales? Or trying to DDOS the site? And if you are indeed different, to make the distinction in any way, some form of meta information must be monitored and acted upon. You may be innocent, I can not know that in the technological future you propose. Without information, as per security best practices, the wire defaults to closed, not open. The cost is the loss of ease of use and access, but the data integrity is more important than your scripting convenience. The data can at least represent the historical record. Without that historical record, scripting of false data is worse than useless and actively dangerous and not worth putting into the world.

> A core of Democracy is indeed preventing ballot stuffing when people go to upload the vote results they see

> You say "me", why is your script different from a Russian-style nation state trying to put weight on the scales?

Don't accept votes from unknown, untrusted randoms. Even in my country where the election is fully digital, they check my ID before letting me vote. There are ways it could go wrong but that isn't one of them.

> Or trying to DDOS the site?

They can't DDoS you if you have them pay for the resources required to serve them.

> The cost is the loss of ease of use and access

That's fine.

> Don't accept votes from unknown, untrusted randoms.

Trust can be built from metadata. You stop it from being unknown, by shock, building up knowledge through recording it.

> They can't DDoS you if you have them pay for the resources required to serve them.

Not a payment processor. Not a business. Nobody is going to pay for membership. This is not on the table.

> That's fine.

I deeply disagree and you're not changing my position on that nor am I likely to change yours. But I'm the implementer, so guess which way it's going. See: Not accepting your money.

What I have though gotten out of this conversation is that I'm now aware of how much more complex feature set I need to put into the first party tracking to get it right in a shifting tech environment. So food for thought.

> But I'm the implementer, so guess which way it's going.

You're an implementer operating in a deeply adversarial environment where everyone is your enemy. Everything you do can and will be circumvented, especially by the Russia-style attackers you mentioned. See the copyright industry's fruitless attempts to curb copyright infringement. If it actually looks like you succeeded, it's only because people didn't care enough.

Unless the free computing we enjoy today is completely destroyed to the point we can only run government signed software, there's little you can do to defend against these things. To stop this, you will need tyranny the likes of which will destroy everything the word "hacker" stands for. I presumed you cared at least a little about that since you're posting on Hacker News.

Everything can be circumvented. I but this isn't some SaaS service, I don't need to survive forever, just about twelve hours. I can achieve that.

Yeah, I grew up and realized that there's more to the world than mere developer convenience above all else. If Hacking means siding with the developer over everyone else in humanity and societal benefit, let it burn. Luckily, that's not my definition.

You're gonna insult me now? I'm a kid in fantasy land and you're the grown up dealing with the harsh world? Lol. You just admitted that irrelevance is your only leverage.
I'm talking about me. I changed, I matured and took on wider problems. If you read my self improvement as an direcy insult or anything about you, that speaks more about your mindset than anything. And if thats the case I now see why you care so much about your scripts, if you don't have other audiences in mind it has to be the only scope you have to care for.

I'm fine with what my side project is and it's scope. It's secondarily a tech demonstration for the bigger thing that comes later. If that means the early stage is only viewed by 2000 people and improved the lives of some election nerds for no monetary gain plus a news article after submissions close, good, the plan is on track. I'm not trying to be big in this project.

I've always advocated for feature detection. If you test for typeof Object.assign !== 'function' you can be sure you have a reasonably recent browser. If you want fetch, test for window.fetch.

This sort of thing always feels like it's going against the grain, with someone always asking "why wouldn't you do this properly. You know, build an allow list of user agents and match against them". I fully support people being forced into detecting the features they want and doing away with this nonsense,

I don't think web developers should be able to detect stuff like that either. Their ability to detect stuff provides identifying bits for fingerprinting. As far as I'm concerned, all the browsers should normalize the return values of those typeofs and all related functions so that Javascript can figure out exactly zero bits of information about the environment it's running on. Just like browsers will lie to Javascript when it tries to figure out your browsing history by checking the color of links.

The web platform gave web developers way too much freedom and they're abusing it. God giveth and god taketh away.

There's simply no way that can ever be built though. "Browser v2 provides X which will call argument 1 in 2 seconds" -> how would browser v1 possibly hide that it is not v2? Anyone can build a thing that checks for that behavior, and now you have a piece of information.

Or for more useful stuff, "X gets you data from URL Y". Either you get that data or you don't. Voila, data about the browser.

The only alternative is that you never ever release any new features or fix any bugs.

How does cryptography software avoid such side channels? Normalize the performance somehow.

If I remember correctly, Firefox's fingerprinting resistance will actually slow down functionality to achieve that. Reduces the precision of performance timers or something. Makes CAPTCHAs exponentially more obnoxious.

It hides that by being incredibly restricted in what you can do with it, lest you leak side channel information. To the point that you can't do much of anything useful, much less general computation. They're finely crafted Faberge eggs that break if you sneeze near them now or discover a new way of sneezing in the next few decades, not broad tools.

So... yes, you could build a "browser" like that. It would effectively have no scripting at all though, nor could it ever introduce new semantics that send data to another site, directly or transitively. You can do some stuff with that kind of system, but it's limited enough that most people don't choose it.

Gopher exists I guess? Lynx too, though lynx supports css, and that largely can't be allowed either.

Sounds good to me. Javascript is too powerful and should be limited. I shouldn't have to worry that my browser is executing remotely downloaded code that could exfiltrate an unbounded amount of information about me. They should either they get it right by doing it in a way that doesn't harm us, or they shouldn't get to do it at all.

The web should be fully declarative and permissions/capabilities based. If they can't do something that way, they shouldn't get to do it at all.

> Feature detection is too much power for developers

- People on HN.

Yes, it is too much power for them. Power which they abuse by fingerprinting us. Browser vendors agree with me: they reduced the power of developers by lying to Javascript when they tried to check link styles.

Do you think otherwise?

A. Test for window.fetch.

B. Check if a link is visited.

Whether these two even remotely fall into the same category is left as an exercise for readers.

A. Provides bits of identifying information.

B. Provides bits of identifying information.

To me it seems they're in the exact same category.

Knowing which key the user pressed? Provides bits of identifying information.

Knowing the user's mouse position? Provides bits of identifying information.

Knowing which subdomain the user is visiting? Provides bits of identifying information.

Reading URL query string? Provides bits of identifying information.

If this is a category, it's a quite big one!

Huh. Now I'm not sure Javascript should be able to do any of those things either. Now that you mentioned it, I remember reading about how sites fingerprint users by timing keystrokes and mouse movements and numberless other things.

Maybe the ultimate conclusion is Javascript should not actually exist at all. The web should be declarative, not executable. Developers tell the browser what they want and the browser does it. If it can't be done that way, it isn't done.

Just like Chrome's Manifest V3 making extensions more declarative and limited. My only problem with it is the fact it cripples uBlock Origin. I actually do want those restrictions applied to 100% of all the other extensions, it's just that uBlock Origin is too important and trusted and should be an exception. Honestly, uBlock Origin should be literally built into the browsers at this point. The only reason we can't have that is the massive conflicts of interest involved: can't trust an advertising company to maintain an adblocker.

Using an Abortcontroller with fetch for example is only recently supported. I like to use it where I can, but I don't want to crash on a slightly older browser. Feature detection is absolutely practically useful.
I have no doubt that it's useful. My point is it enables abuse towards us and that the potential for abuse overrides the utility.

Road to hell is paved with good intentions. When you propose a law, you must also think about the numberless ways it could be abused and misused to cause harm. Same principle applies here. The code shouldn't just fail, it should fail in ways that prevent the developer from even knowing it failed much less why. Simply because that would leak information.

(comment deleted)
Are we suppose to feel bad for your friend’s analytic company?
I took it more as an anecdote to show how Google is intentionally using its size and influence to engage in anticompetitive practices by forcing the adtech industry to standardize on technologies that only Google can use effectively.

More of a "be upset with Google" than a "feel bad for my friend" kind of thing

The privacy preserving ads tech has been around a while and a lot developed outside of Google and Meta. I made a stab at it while an intern at Mozilla, and we basically succeeded at the very easy part of accounting. Training the bandit is a lot harder.

Also the adtech industry in it's current form is harmful to users. First of it exploits tracking vectors. Secondly it's a malware distribution technique second to none.

We all suffer when competition is stifled.
So it's bad when there's less competition for organized crime?
That just means a more powerful mafia boss in town so probably yeah
We’ve seen time again that’s it’s better to have one strongman than a power vacuum with a lot of local warlords.

If Google wipes out all of the other analytics companies, I can just not use Chrome.

Until everything important in your life requires Chrome.
No company targeting a U.S. population is going to ignore the 60% of the market that uses iOS.
We need legally enforced browser ballots (again). Depending on the benevolence of a few giant gatekeepers is tenuous.
We don’t need browser ballots. No desktop operating system comes with Chrome installed. Every desktop user who uses Chrome, willingly goes and downloads it. They explicitly made a choice.

If you do have browser ballots , you’re going to be able to “choose” which Chromium skin you want to use.

Most people know about Firefox and they still choose Chrome.

And if they choose Firefox - they are still downloading a browser where most of its revenue comes from…Google.

No one is going to pay for a browser. Any browser you choose is going to end up supporting itself via ads

> No desktop operating system comes with Chrome installed

ChromeOS isn't a thing?

It is is in schools. But how many people willingly go out and buy a Chromebook?

ChromeOS is only slightly above Linux in marketshare.

https://gs.statcounter.com/os-market-share/desktop/worldwide...

You’re going to have a hard time convincing regulators that Google is acting monopolistic because it’s forcing less than 4% of the population to use Chrome

Regulators are asleep at the wheel in the US. Companies with a overwhelming market share of search and email can and do leverage that to push users to their browser, then their browser to track users.

It's becoming about control of eyeballs and defaults in several dimensions. Lazy and captured regulators are easily convinced to scope the definition of any given 'market' in whatever way their former or soon-to-be employers demand.

OEMs bundle Chrome and for years so did other common apps like Adobe Reader. Android defaults to Chrome on mobile, which is increasingly important for non-technical users who may not even own a laptop or desktop.

These days sites often instruct users to install Chrome, especially Google properties that billions are already accustomed to.

Have we learned nothing from the IE era and the Microsoft anti-trust case?

Yes, exactly. It's a no brainer.
The market for private user data should not even exist. So the call for more competition in that area is absurd.
I don't think folks are arguing for such a market. Rather that Google owning the market is also bad, maybe even worse.
Surveillance capitalism corporations should not even exist at all. They should be illegal.
it's not stifling any competition. the data that used to be in the user-agent header is now in the sec-ch-ua header. servers can set response headers to request more information if they want it, assuming the website makes more than one http request, which every website does.
You're supposed to feel bad for people who use Chrome.

That is about the entire desktop user base btw.

Seeing this all go down, it feels like this is exactly Google’s master plan.

1. Roll out stuff they brand as “privacy respecting” that actually collects data for their own use.

2. Brand anything that would give competitors access to that data (third party cookies, user agent strings, etc) as a threat to user privacy.

3. Lock all of that stuff down so that nobody can access it (“we’re protecting you!”)

4. I don’t think we need the ???, it’s just straight to profit, via monopoly over the data.

The brilliant/terrible thing about this is that third party cookie tracking is not great so it’s hard to set up a defensible argument where leaving things as they are is the better alternative. Apple and others have been waging a war on third party tracking for years now, and pushing public opinion in that direction, and it seems to me that Google is playing 4D chess here and using it against them (and frankly, the entire internet).

Same playbook with apple vs Facebook
This is why the worlds largest advertising company should not be fielding a search engine, a massive email platform and a browser as well.
They sure have done a job at positioning themselves at the intersection of maximum control over the web.
At least it anti-trust laws are hard at work! Glad it's not like the dark ages, when your operating shipped with a default browser that could be used to install any other browser you wanted.
The solution is very easy for consumers looking for a real privacy solution:

Use a browser that is not made by an advertising company.

In other words, just drop chrome. It has never been easier to do, with Edge and Safari readily available on all major platforms and Firefox for those who prefer it, and of course the many other chromium forks that are around.

There is no reason to be dependent on chrome today. There was a few years where it was overly dominant and very hard to avoid for compatibility and performance reasons, but that is just not true today.

Personally I use Firefox on android and desktop and I don't miss chrome at all. I uninstalled (technically, disabled) it on mobile as Google widgets like to open links in it otherwise.

I have chrome on the desktop as I work in software so I need to test compatibility with it, but that's it.

I agree in principle, but wouldn't wish the coupon catalog emulator that Edge has become onto anyone. It's beyond bizarre.

My personal picks are Firefox on Windows and Linux, and Firefox or Safari on macOS.

I use Safari on Mac OS with Brave on Windows, with iCloud keychain passwords sync between the two.
Isn't Brave basically what Google is trying to turn Chrome into? I use Brave on my mobile phone, but honestly I'm kinda turned off by the weird advertising it shoves on me despite theoretically protecting my privacy.

I just go with Firefox on any actual computer since I can lock it down with whatever extension/config I want.

On Brave many of their ads can be permanently disabled in various settings menus. I use Brave on my phone and laptop and can't recall the last Brave ad I've seen.
Ahh ok - I think what I kept seeing were "Sponsored Images" on the new tab page. Finally found a setting that can be toggled to "Default Images" - hopefully that removes the ads. Some of them have been close to the line of appropriateness for me (i.e. weird anime mobile game ads with suggestive visuals - not something I want a full screen image for).
Yep, definitely configurable. My new tab background is just a plain, purple-y gradient.
believe it or not, these features are liked by edge users.
> Use a browser that is not made by an advertising company.

Personal opinion we need to tweak business incorporation rules to firewall ad business from all other types of businesses. Meaning General Motors can't sell ads. And ad companies can't sell cars.

And as someone on this site suggested extend antitrust dumping laws to services.

and/or make it illegal to gather consumer information without explicit, periodic consent. Make it doubly-illegal to sell data or rent it. (If "rent" doesn't cover it, also outlaw whatever thing google claims it does when it monetizes user profiles for ads.)
Yeah as in if data broker is your business it's your only business with very specific rules about what the data can be used for.
On Apple OS also two alternative browsers rising: Arc https://arc.net and Orion https://browser.kagi.com Both making nice progress with their own strong points.
I really really love Arc. But I don't understand how they will make enough money to support the amount of work they've done. Their website seems to say nothing about this, and everything I've found about it so far is hand waving and speculation.
Arc is fantastic. Their product team is really well focused - the PIP view for google meet that dropped out of nowhere has been a game changer for getting through my day.

Going back to the alternatives from Arc for browsing and Hey for email management is always jarring. They aren't massive UX changes, but they sure are well thought out and impactful.

I’m so hurt by how Edge has turned out. I was ready for a tier-1 browser experience on Windows comparable to Safari on Mac. Microsoft has utterly wasted its leadership opportunity here, cramming in scammy garbage.

Firefox, god love it, is a rough and clunky browser by comparison. Sure you can make it what you want, but it’s an investment. As the only viable noncommercial cross-platform option though, what else are we gonna do

What’s so ‘rough and clunky’ about Firefox? To me it just works everywhere I have installed it!

Genuinely curious!

You know, I shouldn’t malign it. It’s really not bad at all in and of itself. I just wish it was as well integrated and as polished as some of the others can be.
Do you have any examples of that? I really don’t get what’s unpolished about it. That may be because I’m a Linux user though!
Yeah it works amazingly well. And offers some great features like offline translation and container tabs.

I have absolutely no issues with it. Websites all show perfectly, if I ever have an issue it's down to my many adblocking plugins blocking a little too much.

I have F13 bound to open KeePassXC on Mac. It works in every application except Firefox. Firefox blocks it somehow. It’s the reason I don’t use it.
Microsoft is also a web display ads company, what exactly do you think the business model for Bing is?

There’s zero point in switching from Chrome to Edge.

Firefox to my knowledge has no ads revenue, apples limited ads revenue doesn’t come from the web.

Brave I think is a low-key crypto grift run by a homophobe, but still better than Chrome.

> Use a browser that is not made by an advertising company.

> In other words, just drop chrome. It has never been easier to do, with Edge and Safari readily available

Considering Windows 11 has ads in the operating system, how is Edge not made by an advertising company these days?

I don't think there's any 4D chess going on here. Nobody is buying Google's "privacy" argument. This is a simple case of other browser vendors improving actual web privacy and Google undermining that effort.
I hope the regulators are not and wish Google would be hit with huge antitrust fees in the EU due to this. We shall see.
It’s the AI thing. Everybody is building walls around their data.
That is Apple's plan, too, except for the collecting data or profiting part. They still have a monopoly on your data, it's just locked on your devices.
> except for the collecting data or profiting part

Isn’t that pretty much the issue here?

Anyway, what’s really locked? Text messages?

Because I can export pretty much everything else. Images, videos, documents, passwords, bookmarks.

Maybe Apple Music’s playlists?

Data collection isn’t really central to Apple business model though. I’m not too worried about them.
In what sense is this Apple having a monopoly on your data? If it's "locked on your device" then they don't have it. This is literally what we're asking for, or at least half of it. I agree it'd be nice if we could retrieve everything from the device ourselves, but I'll settle for this (and ensure I never give my iPhone the last copy of anything I care about) over carrying a hostile observer everywhere I go.
> stuff they brand as “privacy respecting” that actually collects data for their own use

The kool-aid is in their definition of the word "privacy." You and I might think "privacy" means "other entities aren't observing you" but Google in their benevolence knows that it really means "Google will keep your data safe from third parties." Their newspeak doesn't even allow the concept of "data that Google does not collect."

(A friend of mine was involved in the launch of Google Allo. I asked them if it would be possible to use the virtual assistant features offline without sending everything to Google. They never spoke to me again.)

That's exactly what it is. Google spends a fortune on lobbying Brussels to let the natives know that they have their best interests at heart. That's proof of the opposite as far as I'm concerned. Check out the ads on Zaventem airport (right next to Brussels) if you're ever passing through there, it's comical.

Or check this video if you can't make it in person:

https://www.youtube.com/watch?v=f0UevGxfXXY

Such is the issue with any business connected to a single large and private infrastructure provider. Of course this is, in part, why we have anti-trust laws.
Sounds great. Now we just need to figure out a way to stop Google instead of Google and numerous other surveillance capitalism corporations.
Years ago I remember having a very similar reaction to many online platforms switch to https. It was pitched as protecting people from isp packet based ads but it always felt more motivated by locking the competition out of the data stream
Is there a write up examining the replacement (cohorts I guess) and showing how it is worse for user privacy?
It's arguably not, depending on how you slice "worse."

Google's philosophy on this sort of thing has been pretty consistent for over a decade: they trust themselves with user data. It goes in a vault, it's very hard to access inappropriately, and they have some of the best security possible on the modern web. Practically speaking, yes, it's still a risk; if the data collections get breached, that's all the data. But they don't see themselves as more of a risk than anything else out there, so for them it's not philosophically inconsistent to claim other companies doing what they are doing should be considered a privacy threat.

... And honestly, I think there's a good case to be made that if you don't trust Google to respect your privacy and secure your data, You shouldn't be using Chrome period, because the organization you don't trust controls the source code of that browser.

I guess my question is: how is Google getting that data now? Is FLoC or Topics beamed to Google ad preferences? Is it included in chrome sync?
> Meanwhile Google has access to all this data, so he tells me all this is just gaslighting so they can illicitly protect their monopoly on web data.

To throw them in the same pit, they're taking a page from Apple's playbook: the privacy benefits for the user will justify any market effect from closing the platform and keeping all user data internals. Platform owner gets to protect the user from some of the abuse, while gaining a critical edge on the competition.

In the current climate, I'm not sure there is any good angle to solve this, short of strong regulation limiting the advantage they get from doing these "privacy first" moves (basically find a way to forbid the platform owners from using their own users' data...I'm not holding my breath)

> In the current climate, I'm not sure there is any good angle to solve this, short of strong regulation limiting the advantage they get from doing these "privacy first" moves (basically find a way to forbid the platform owners from using their own users' data...I'm not holding my breath)

Well, you could also look into removing some rules, in addition or instead of piling on new ones. Eg you could weaken intellectual property rights, to make it easier for upstart competitors to take on the established giants.

Or you could make it easier for foreign competitors to enter local markets. (As an example, the US has become more protectionist of their tech markets. And the EU has a lot of red tape that's even harder to follow, if you are from outside the area.)

> make it easier for upstart competitors to take on the established giants

No specific regulation is stopping this. If anything, all the regulation that are getting added have as a goal to reduce the red tape around smaller players and limit the extent of the giant players' monopoly.

If you were thinking about the rules forbidding dark patterns to suck client infos and accelerate growth, it would be a tough sell to be honest.

> If anything, all the regulation that are getting added have as a goal to reduce the red tape around smaller players and limit the extent of the giant players' monopoly.

No?

Lots of regulation just adds red tape in general, and there are clear economics of scale in compliance: larger companies have proportionally an easier time affording the legal experts they need to make sure they are compliant.

I just don't want Google adding extra tracking, I don't mind if they stop your friend Jake from tracking me.
> not to mention its impossible to know about search traffic and even referring urls.

I think it was the migration to https everywhere that killed that. Not sure why it went down that way, or if Google was responsible.

But yeah, when I ran a blog, I would look through the referrer URLs to see what people were actually searching for and write articles about that because it was obviously an untapped void in the market.

No offence, but your friend Jake can go fuck himself.

I have very little trust for Google and other megacorps like it, but I have even less trust for parasitic entities like Jake that just piggyback on top of Google's already horrid practices to extract wealth from, so you'll find no sympathy for Jake from me.

I heard about this the other day and didn’t think much of it.

I got the actual update today on my work laptop and… just wow. How did the folks at Google ship this with a straight face? The changeboarding modal basically lies to your face.

I’ve always felt a little weird about Google’s tracking, but this takes it to another level. Creepy as heck.

Because they don't get to kill third party cookies without shipping it.
Context? That whole project was kind of a cluster when I was involved with it, how does this help? Or is it more, without a replacement for 3p cookie tracking they couldn't break it (useful uses of 3p cookies be damned)?
Regulators in the US, EU and UK have made it clear that Chrome can't remove support for 3p cookies without building a replacement feature that works for non-Google ad networks.
I’m still not sold on your take here. All of that stuff was from no later than mid-2021, back when Google was close to leading the way with this stuff, whereas now they’re just aligning with what everyone else is doing, and if Google isn’t using their privileged position with Chrome to give themselves (google.com or similar) more info than anyone else gets, there can be no credible antitrust argument any more (I say this with a straight face as a technologist). And the fact that other browsers refuse this Topics API would call it into question as a replacement for third-party tracker cookies anyway.

(Related, comments by both of us within https://news.ycombinator.com/item?id=36713737 two months ago.)

https://assets.publishing.service.gov.uk/media/62052c52e90e0...

Whether you're convinced or not, this is the reality. Antitrust regulatories have done their homeworks and made it clear that Google alone cannot deprecate 3p cookie.

Which is weird since apple did that like three years ago? Just no one cared much since it was Safari.

The linked document is about _replacing_ 3pc,not simply eliminating them, which seems a crucial distinction.

Even if Google did not have the privacy sandbox features, they would still have first-party cookies and enough data from the services they run (Search, YouTube, etc). This puts Google in a different position than what Apple did and means they can't just do the same thing (for competition reasons):

3.34 The Privacy Sandbox Proposals aim to replace TPCs with alternative solutions, while leaving first-party cookies unaffected. TPCs are currently the principal means of achieving common identification of web users on web pages and are therefore a fundamental building block of the open display advertising used by publishers and ad tech providers. While publishers and ad tech providers depend on TPCs to collect information about web users and provide it to advertisers to target advertising and carry out related functionalities such as measuring conversions, the CMA is concerned that Google could use first-party cookies to perform these functionalities in competition with publishers and ad tech providers.

3.35 Although rivals can also use first-party data to provide digital advertising services (as the CMA found in the Market Study), their reach and the quality of their data is in many cases much more limited compared to that of Google. The extensive reach of Google’s user-facing services and its ability to connect data with greater precision (because of its large base of users logged into their Google account) provides Google with a significant data advantage over others.

> Which is weird since apple did that like three years ago? Just no one cared much since it was Safari.

Because Apple is not running competing ad network. Their only ad network is running on their own app store. Apple does not get any competitive benefits from 3p cookie deprecation for its ad networks.

> The linked document is about _replacing_ 3pc,not simply eliminating them, which seems a crucial distinction.

I don't know why you're getting the impression that the doc is only about replacing 3pc, but Google which tried to remove 3p cookies drew significant attentions from competing ad network and eventually antitrust regulatories. I know this since some of my work closely depends on this timeline.

It's a government mandated bullshit as a replacement for third party cookies.

When all other browsers disable third party cookies, everything is fine. Apple for example has disabled it for years. When Google does it, antitrust regulators fear that this could benefit Google ads more than non-Google ads. Hence this bullshit to "restore competitiveness" between Google and non-Google ad networks.

My recommendation is to both disable third party cookies and this new thing. You don't need either of them.

> It's a government mandated bullshit

This is definitely what Google would like you to believe. Considering indeed all other browsers have killed third party cookies, Google legally very well could as well. But they'd love you to believe they must provide a way to invade your privacy.

The issue regulators had was Google retaining special access to user tracking, they have no problem with Google removing their own ability to track as well. Of course, that doesn't buy Larry and Sergey's next yacht or private island remodel.

> The issue regulators had was Google retaining special access to user tracking, they have no problem with Google removing their own ability to track as well.

I don't think you understand the issue. Without third party cookies Google still has search ads while adtech competitors without a search engine are decimated. That's the antitrust concern.

(comment deleted)
> My recommendation is to both disable third party cookies and this new thing. You don't need either of them.

then you will see random low quality ads instead of something you may be interested in

But if I block ads in my browsers, at the router level through Ad Guard, route all my personal devices through Tailscale, and use Firefox then I won't see those either.
I think eventually Ads industry will catch up on those like you if it will threaten Ads revenue in significant volumes.

There were news already that they block people from playing youtube videos if they blocked ads.

That's a fine choice by me. In the rare scenarios I turn off my ad blocker, I want to see generic badly targeted ads, not ads precisely engineered to cause me to make a purchase or change my worldview.
Exactly! Ad companies literally pay psychologists to convince people to buy stuff they don't need. Everyone loves to say "those tricks don't work on me!", but the reality is that they absolutely do. You see an ad for Coke a thousand times, and you're at the store and thirsty, hey, there's a refrigerator full of Coke and I haven't had one in a while...

I'm certain a company could convince me to buy a new mechanical keyboard or nice mouse or some app I don't need but that looks pretty cool. That kind of targeting might just separate me from my money. On the other hand, no one's ever going to convince me to buy any brand of tampons.

Oh my god, how will I live my life knowing the parts of the web pages I tune out give pennies to certain companies instead of others. It's FOMO for ads!

Oh wait, I use uBlock Origin, so this doesn't affect me at all! I'm stealing all that data from servers that give it to me when doing an unathenticated GET.

google likely tracks you anyway through your search, youtube, browser history synced to your account, so yes, you take pennies from little competition google still have to actual google.
Not everyone has a google account, nor any of those services.
its probably close to statistical error in terms of revenue.
Just use Ad Nauseum, then everyone gets the pennies, and you don't lose time off of your life looking at things you don't want to see.
I use Firefox, DuckDuckGo, NewPipe/invidious, CookieAutoDelete to logout of Google as soon as the tab is closed.

I'm sure they track me nonetheless, but it's a bit less.

<cough> google container for firefox
You're perfectly free to use an ad blocker as you always have. But for the people who don't block ads, it's obviously preferable to see ads relevant to them than totally arbitrary stuff.
That isn't obvious at all. There are various reasons why someone would not be blocking ads but not all of them include actually wanting to see the ads or caring about the content.
I'd rather not see ads for things I may be interested in. Do you see why?
We could have privacy protection as the default, and then you can opt-in to sharing your personal life with hundreds of companies so they can show you more relevant ads. Since everyone loves relevant ads, they'd be sure to opt-in, right?
there are such browsers and search engines, but looks like majority prefers to use services with quality backed by revenue from relevant ads.
Some government regulators used to primarily focus on natural persons (i.e. citizens/consumers) and prioritize them above all else.

Then neo-liberalism took over and they took a page out of the US’ playbook, and started prioritizing businesses.

But unlike in the US they aren’t comfortable outright stating that they’re prioritizing business interests over consumer interests, so instead they do this weird thing in their communications where they act like they’re standing up for small businesses. Problem however is that their definition of “small” business is everything below a trillion euro market cap.

It’s kind of jarring really, to hear them talk about having to protect those poor advertisers, like it’s some UNICEF donation ad.

> How did the folks at Google ship this with a straight face?

You have been doing 60-70 hours a week for a few years at startups that never took off. You tried to go into some big companies but got rejected several times. You managed to pass the first screening to the process at being hired at Google. You go through all the process. It’s long and tiring. Somehow you went through it after several weeks and so many steps. After several years in your career of not so successful job/startups this is like a huge thing. You can say to all your family and friends and girlfriend that you work at Google. The pay is great but the work is bad. They ask you to code more stuff to track people into Chrome. You evaluate what quitting would be like and what other opportunities like this you could have. And then I guess they are like hmm no. Let’s code this things from now on.

> The pay is great but the work is bad.

In just about any other context this is called a bribe. But you're right. If that person doesn't do it, someone else will.

I’m convinced at least 75% of devs consider working at a FAANG to be the absolute apex of a career, regardless of what’s worked on. Which, to me, says it’s purely about prestige.

It’s impossible to say for sure, but there’s a certain pervasive collective worship of these employers that will just not quit.

Is there? I'm happy to not be making hiring decisions these days but if I was I'd definitely think twice about hiring somebody who was ok spending their days making the web worse.
(comment deleted)
In fairness, if they're applying to work elsewhere, it wouldn't be safe to assume they were ok with what their current or former employers are doing. That might be why they're leaving. I don't give points or demerits for working at Google, personally.
If by “prestige” you mean “enough money to work for 4 years and retire anywhere that’s not the Bay Area and never work another day” then yea, it’s prestige.
> enough money to work for 4 years and retire anywhere that’s not the Bay Area

Four years is probably optimistic, unless you got lucky with stock growth.

I searched for "average cost of living map" and found a site[1] that says cost of living at Santa Clara County is $138K. I then did a search for "average salary at Google" and one website[2] says it's $124K, which suggests saving enough money in 4 years on salary alone would be difficult.

You might think that working for Google while living somewhere outside of Bay Area would be a good way to save, but because compensation is dependent on where you live, this doesn't always work out.

[1] https://www.epi.org/resources/budget/budget-map/

[2] https://www.payscale.com/research/US/Employer=Google%2C_Inc....

Thank you for bringing data to the discussion. I’m not sure that average salary is the right metric, however. The people inventing new adtech projects are being paid 4-5x that number based on my experience. Although anecdotes can only be trusted so far I guess…
That's cost of living for 4 people, mind you:

> The cost of living for a two-parent, two-child family

The typical case is more likely single or DINK.

Manage the money well, throw in a couple of bonuses and a favorable liquidity event around y4 and it's plausible enough to become a motivator or rationalization, I assume.

The people building this ad tech nonsense make well over $124k. I'd wager that number comes from nation/worldwide salaries, and the folks that the original comment described aren't data center janitors or whatever. These folks get paid very well to insure Google dominance – in salary and in stock.
That average salary must include non-engineers.

The average salary for a mid-career engineer at google is north of $300k if you assume no stock movement.

https://levels.fyi

Oh, crap. You put an actual number in your comment, and now there's going to be a whole subthread debating the accuracy of it, completely ignoring the relevant point of the comment.
> there’s a certain pervasive collective worship of these employers that will just not quit

That's my observation as well. And I think this applies especially to Google: for some reason it still has the reputation of this cool tech company here on HN, even though it's an advertising and user tracking/profiling company at this point, and there is really nothing "cool" about it anymore. But criticize Google on HN and you'll get downvoted really quickly.

The collective worship is the set of people who (1a) have worked there previously and (1b) didn’t hate it, or (2) want to work there in the future.

It’s a pretty large absolute number of people, although thanks to section 1 clause b, it’s growing smaller.

YMMV, but “people who worship recent FAANG employment” can be a filter that’s positive to apply when seeking employment.

I think this would actually be bad for their careers. I believe this is all open source and in public and you would get really bad rep for building this. If it was me I would ask for a transfer to a different team.
Nah. You do this kind of dirty work at Google for a few years. Then you say that "after working at Google, you have decided to fight for users" or some other noble goal.

Now you have it both ways. You have the resume prestige of working at Google and the faux prestige of being a "virtuous person" who is willing to forgo the comfy Google life to "do what is right."

devs should definitely have their names on the products they build. same for PMs
There are also a lot of Googlers who got in on their first or second try and genuinely do not understand end-users, do not WANT to understand end-users, and thus are very happy to implement this stuff. Also PMs who are extraordinarily metrics-focused and will buy the koolaid 100%
Maybe they are talking a leaf out of Zuck's playbook. Two steps forward and one step back conditional on backlash. Reddit did this recently. Outrage can be managed until things cool down.
The fix sounds easy to me.

Switch to a better browser.

When I saw that dialog, I didn't know which button to click. I knew I didn't want to share the topics I am interested in or have personalized / more relevant ads of any kind, but the text was so confusion and mixing so many things (like activate the privacy feature when in fact you are activating the tracking feature).

In the end, I reverted to clicking the non-primary button (which you are not supposed to click) and checked in the settings everything was in order.

I’m thoroughly impressed how HN also buried this story so quickly; usually something so dramatic would stick on the front page for days. Speaks a lot about Google-biases in the content moderation of HN.
I use Chrome in development on a Windows box. Here is my experience with this upgrade:

   1. Upgraded manually from 116.0.5845.179 to 116.0.5845.180 through About dialog.
   2. Restart. No notification that anything has changed.
   3. Go to settings, privacy and security, privacy guide, and on the 4th page (only 3 pips!)
   Or go to settings, privacy and security, Ad privacy (the new element)

   4. The privacy guide blurb: Privacy Sandbox trial
      Chrome is exploring new features that allow sites 
      to deliver the same browsing experience using less of your data

   Under Ad privacy:
   5. Ad topics: Site-suggested ads. 
     Based on your activity on a site. This setting is on.
   6. Site-suggested ads. 
     Based on your activity on a site. This setting is on.
   7. Ad measurement. 
     Sites and advertisers can understand how ads perform. 
     This setting is on.
This roll out is filled with dark patterns. At (2) there is no notification that anything has changed. If not for this article, I would not have known about this at all. At (3) the feature seems intentionally hidden. At (4) the description of these features misleads the user that the purpose is to "use less of their data". This is false, or at least badly misleading. At (5,6,7) they've defaulted all new "features" to "on".

This is all so shady, and very un-Google like. I have such high regard for the Chrome team: was there push back on this? Do they realize what a bad look this is?

> Do they realize what a bad look this is?

Let's say that they do realize it. The 0.x% of users that are aware of, understand, and will do anything other than just blindly continuing to use the software is an acceptable number of lost users. In other words, everyone reading HN could stop using Chrome right now, and Googs would not notice the blip

> This is all so shady, and very un-Google like

Where have you been the last several years?

I was expecting this response, and let me say: it fills me with distaste. You cut off any possibility of improvement, on their part, because no matter what they do, you won't accept it. It is the opposite of constructive criticism: it is an ideological stance.
New privacy features that ship less finger printing data? Part of some nefarious plot to harm their competitors ability to harvest data. Won't anybody think of the poor third party tracking/finger printing providers?
> because no matter what they do, you won't accept it.

It's not about acceptance. It's about trust. Trust has two key components:

1) It's earned. Full stop.

2) Regardless of how much trust equity you've built, it can be lost instantly.

Like it or not, this is how trust works. Accepting what Google does is one thing, but at this point there's no reasonable reason to trust it.

I'm having a difficult time trying to remember the last time Google benevolently made a change to improve user privacy without trying to further entrench their status.

This doesn't seem fair to wholly categorize skepticism of Google's motives as an "ideological stance" if Google hasn't demonstrated any willingness to change.

Trust is like a mirror - you can break it and you can fix it, but you'll always see the cracks and wonder what the future holds.
I got a notification in browser of this change.
Really? Where? What did it look like?
On the first launch of a given profile I'm getting a modal pop-up window that says this:

> Enhanced ad privacy in Chrome [this is bold, centered, and larger font]

> We’re launching new privacy features that give you more choice over the ads you see.

> Chrome notes topics of interest based on your recent browsing history. Also, sites you visit can determine what you like. Later, sites can ask for this information to show you personalized ads. You can choose which topics and sites are used to show you ads.

> [a graphic]

> To measure the performance of an ad, limited types of data are shared between sites, such as the time of day an ad was shown to you.

> More about ads in Chrome [V]

> You can make changes in Chrome settings

> ["Settings" and "Got it" buttons]

Clicking the V-looking thingy next to "More about ads in Chrome" expands that to add this:

> More useful ads [that is in bold]

> Sites can ask Chrome for information to help personalize the ads you see.

> • Chrome notes topics of interest based on your recent browsing history.

> • Sites you visit can also determine what you like based on your activity on the site. For example, if you visit a site that sells long-distance running shoes, the site might decide that you’re interested in running marathons.

> Later, a site you visit can ask for this information — either your ad topics or ads suggested by sites you’ve visited.

> Chrome auto-deletes topics and sites that suggest ads within 30 days. Or you can block specific topics and sites you don’t like.

> Measuring how well an ad performs [that is in bold]

> Sites you visit can ask Chrome for information to help them measure the performance of their ads. Chrome lets sites collect limited types of data, such as the time of day an ad was shown to you.

> Learn more about how Google protects your data in our Privacy Policy.

It was a popup explaining it and a button that took you to the ad privacy settings.
"This is all so shady, and very un-Google like"

Since when has shady been un-google like? they ditched "Don't do evil" decades ago.

They are definitely acting in far more ethically concerning ways than they used to, but as for literally ditching the phrase “don’t be evil”, most of the internet conventional wisdom on that is incorrect.

When they reorganized to have Alphabet as a new parent company, Alphabet’s code of conduct said “do the right thing”, but the subsidiary Google that still makes everything we usually discuss as Google kept “don’t be evil” in its code of conduct. At a later point Google did move that sentence out of of the most prominent position in the preamble, but it’s now in the second-most prominent place, right at the end.

But, yes, as I said at the start of this comment, they do a lot more awful or potentially evil things than they used to.

Disclosure: I worked for Google years ago, but I left before all the changes I discuss in this comment and had nothing to do with any of them. I am sad to see Google decline to roughly the level of being at least as ethically good as most of their major competitors, instead of far better as they used to be.

>this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask

This is factually incorrect. It works like third party cookies, but with privacy. A web page can only retrieve a topic if that site has already observe you visit pages of that topic. In order for you to observe a site that site must send a fetch request to you or embed you in an iframe.

If a random site calls document.browsingTopics() they get no topics as not enough data has been observed by them.

(comment deleted)
People hate on Google yet...continue to use their services and want to work there. Therefore, people do not disapprove.
Perhaps those are mutually-exclusive groups of people.
“I want real Chrome on iOS. Safari sucks! It’s the new IE 6! Chrome is moving the web forward!”

Yeah. Things are going great in Chrome world. Totally should give them dominance over the one sliver they don’t control.

(I have no problem with letting people have FF/etc. but let’s face it, it will be 90%+ Chrome within days)

> Chrome's invasive new ad platform, ridiculously branded the "Privacy Sandbox,"

Ars seems to be confusing the topics API with the privacy sandbox as a whole. Most features are early, like client hints, while others like privacy budget haven't even been released yet.

https://privacysandbox.com/open-web/#proposals-for-the-web

The whole article is a mess of confusion. FLoC and Topics have nothing in common functionally, aside from being useful for ad targeting.
IIRC the failure of the first lead to the second.

And if Steve Gibson is to be believed Topics is not only an improvement, it's an unqualified good. (I'm not yet convinced though if Google didn't have so many other harvesting avenues I'd see it as better for privacy too.)

> Topics is not only an improvement, it's an unqualified good.

It's still sending interest information to advertisers, so it's an unqualified negative. Stop sending information to advertisers. Kill third-party cookies, and anything purporting to replace them.

As much as I hate what Google has done with Chrome and I choose not to use it, the comparisons to the IE6-8 dominance are even more acute when you consider that Chrome is also successful in the enterprise due to its support for both typical group policy/Mobile Device Management configuration as well as its integration into Google Workspace.

Edit: I had initially said “dominant” in the enterprise, but I imagine that title still goes to Edge?

It would be impressive if it wasn’t so depressing and gross.

In what sense did google 'get its way'? Was there some legal attempt to stop them that they somehow defeated?
Our research group does work in this space[1], so I’ll claim some familiarity.

This article has multiple problems:

1. Privacy Sandbox is a project, consisting of many proposals. To pitch it as some cohesive product is misleading.

2. Related: FLoC and Topics are completely separate things, aside from existing under the same project.

3. Topics is reducible to (implementable using) third-party cookies. While the proposal has issues and doesn’t resist tracking as well as Google claims (see below article), Ars’ implication that this is somehow making Chrome less privacy-preserving is patently false.

[1] https://arxiv.org/abs/2306.03825

I didn't read the Ars article as saying FLoC or Topics make Chrome less privacy-preserving than it was before, but rather that, once Chrome disables third-party cookies, they make Chrome less privacy-preserving than other browsers with third-party cookies disabled. What the author would prefer is that Google also disable third-party cookies and also not ship FLoC or Topics.
> What the author would prefer is that Google also disable third-party cookies and also not ship FLoC or Topics.

That's not an option now thanks to multiple antitrust regulatories. Google actually tried to get rid of 3p cookies to use it as an advantage against competitors as well as privacy friendly PR but this has been blocked. One example from CMA (but not limited to): https://assets.publishing.service.gov.uk/media/62052c52e90e0...

Sorry for responding 12 hours later, but I felt I should actually read the ruling here before I replied.

It's certainly interesting. The CMA seems to be attempting to balance interests of multiple parties, including both user privacy, healthy competition in the ads space, and the ability for digital publishers to generate revenue from displaying ads.

However, most of it appears to focus on the way Google's superior access to information could distort competition. It's not just about cookies. For example. Google could mine synced history data from Chrome.

Now, I'm not so naive as to think this would actually happen, but again, the Ars author's solution here could solve that particular problem: If Google ceased all behavior-based advertising in favor of, for example, subject-based advertising, there would be no distortions to competition. Google can't track you, and neither can other advertisers. Everyone has a level playing field.

Of course, that would drop revenues for digital publishers and advertising networks, including Google, but it would solve the problems of user privacy and distorted competition.

The one thing this ruling makes very clear though, is that it's very difficult to balance these concerns while Google makes a browser. There's a conflict between Google running a behavior-based advertising network and shipping a browser, and these regulatory bodies seem to be bending over backwards to try to find a solution where both of these things can exist. They could most certainly have taken the much easier road of forcing Google to discontinue Chrome.

Regarding the option of Google ceasing all behavior-based tracking to avoid competition issues: I doubt they could do that to the ad industry unilaterally. Even if they would then be following the same rules themselves, I don't think they'd be able to get away with choosing how all other advertisers must operate by doing that.

Regarding the "easier road" of having Google discontinue Chrome: WTF That would not be easier and would affect so much more.

By "easier", I mean it would be easier for the regulators to say, "you can have a dominant ad network or a dominant web browser, but not both."

But I was a bit imprecise with my language there. There are other regulatory remedies to a ruling like that besides discontinuing Chrome. For example, it could be spun off into a separate company, one which does not share any data with Google.

As for the fantasy scenario where Google stops behavior-based tracking, reading that ruling, I think they could get away with it, but there would be some grumbling. Let's say Google stopped tracking on its end, and then six months later, decided to block third-party cookies by default. Regulators could insist that Google keep third-party cookies on, but what leg would they have to stand on? Yes, it would affect their competitors in a big way, but it wouldn't give Google a distorting advantage over them.

And with every other browser blocking third-party cookies, if regulators tried to force Google to keep them, Google could just stop developing Chrome. Without behavior-based tracking, they have no business reason to develop it anymore, and how could regulators possibly say, "You have to keep making a browser, even though your competitors don't"?

> If Google ceased all behavior-based advertising in favor of, for example, subject-based advertising, there would be no distortions to competition.

That still doesn't work. Google already has built dominant ad network/serving infrastructure as well as exclusive access to billions of its first party user data which gives asymmetric power to Google against any other competitors. Probably the only advantage that those competitors have is their own "secret sauce" on user data and removing 3p cookie effectively eliminates this edge and gives Google unilateral power.

The core problem is that privacy and antitrust regulations usually don't work very well together unless it's carefully designed. EU tried it for GDPR (which took 4 years to design) and it only has strengthened big-tech's position.

> They could most certainly have taken the much easier road of forcing Google to discontinue Chrome.

It's much easier said than done. What's the legal basis of doing this? The only applicable law is too general and requires intervention from the Judiciary. And this level of landmark antitrust cases usually takes several years with extremely high level of uncertainties. And it's worth noting that the US congress has failed to introduce a basic level of digital antitrust laws such as AICOA or OAMA, so good luck with any new direct regulations.

And even if assuming that everything works in your favor, the result is almost guaranteed to be other big guys (likely MS) taking the share and doing something worse since the market is already strongly incentivizing this behavior. To apply the same "correction", it will take another multiple years of trial against more well prepared defendant. Regulators and legislators are not that dumb and they actually care about all those unintended consequences.

> What's the legal basis of doing this?

I mentioned this in another reply, but I was imprecise with my language here. I meant that regulators could decide it's not OK for Google to have both a dominant ad network and a dominant browser. Discontinuing Chrome would be one remedy here, but there are also other remedies, such as spinning off Chrome development to a separate company.

As for the legal basis for doing that, I'm not as familiar with UK or EU law as I am with US law, but this was in response to the linked UK ruling by the CMA, where I was expressing my awe at how much effort they were going to in order to try to balance competing interests. I don't think regulators are dumb or lazy, but the report very clearly identifies that the core of the problem is that Google has both a dominant ad network and a dominant browser, but they still went through a lot of trouble to try to find a workable solution.

As for US law, Judge Jackson did rule that Microsoft should be split into two separate companies, one for the OS, and the other for apps, but was overruled on appeal. However, that appeal was muddied by other issues as well, and the case never came before the Supreme Court.

You're right about the US congress, but Europe does seem more eager to go after big tech companies.

It's less privacy preserving in that it is anti-competitive, so now google gets a monopoly on this form of tracking. I assume they'll eventually combine all the data from their other monopolies, and continue to use lobbyists to block improved laws or even enforcement of the existing laws they break.
Ron Amadeo has such a consistently snarky anti Google stance that I no longer read his articles. I haven't seen any other tech company get such dismissive treatment on Ars.
Agreed. I think he crossed the line way beyond being skeptical about Google, and into partisan politics level biased reporting against Google. E.g. his coverage of passkey was so bad - misleading half truths and outright incorrect claims - that made a subsequent article on the passkey by another Ars reporter look completely opposite from what he wrote.
Isn't that much like how reporting of Microsoft during the 90s wasn't "sceptical", but just calling the pot black? At a certain point — i.e. given enough history — it's a given that a company acts against your best interests. I don't see judging a company on their actions as bias.

Google is a corporation that does terrible things. That's not bias, it's observation.

Having said all that, what were his half truths and incorrect claims on passkey? genuinely interested to educate myself.

https://arstechnica.com/gadgets/2023/05/passwordless-google-...

is the article. The title is already misleading - Google doesn't support passwordless account, and there is no way to get a passkey only account. So factually incorrect title. Anyway, read that and contrast that with:

https://arstechnica.com/information-technology/2023/05/passw...

Thanks.

As an aside, I think this is the source of his confusion about password-less accounts. From Google's help page:

> When you create a passkey, you opt in to a passkey-first, password-less sign-in experience

That comma right there reads; "you opt in to a passkey-first _and_ password-less sign-in experience". I understand what they mean, but that kind of marketing speak is often misunderstood by more technically focussed people.

Sure, Google botched some of their communication on their end for sure. But the job of a journalist is to give clarity and pass along as accurate information and valid pros and cons by doing some basic research, so that the readers end up more informed after reading an article. His article did the opposite - see the comment section of the second article for how a lot of people were more confused / misinformed by Ron's article. Of course, not all of that was due to his article, but it's very clear his article made the confusion meaningfully worse.
Oh yeah, I'm not defending the journalism on that piece, just pointing out where he probably got confused. I think I only read it correctly because of all the context in this thread.
Ars Technica has been a political hack rag for a while now
What are you upset about, that he's reflexively anti-big tech which includes Google, or that he's anti-Google out of all the big tech? Because personally I don't give any of the FANG+ the benefit of the doubt on anything now.
Although the source article here is clearly opinionated in one direction, I’m not impressed with your claims about actual problems in it. (For reference, I agree with the direction it takes and would make only minor adjustments to it if I were writing it—the only of any substance would be not calling the Privacy Sandbox an “ad platform” just because in a way it’s a little more like a shop that sells picks to ad platforms.)

> 1. Privacy Sandbox is a project, consisting of many proposals. To pitch it as some cohesive product is misleading.

Look, that’s how Google are branding it. It’s an initiative which has turned into a cohesive brand. Just look at how https://privacysandbox.com/news/privacy-sandbox-for-the-web-... speaks of it all. That’s pretty much how it’s being presented in the browser, too.

> 2. Related: FLoC and Topics are completely separate things, aside from existing under the same project.

They’re about as completely separate as Chrome 17 and Chrome 117, or StarOffice and OpenOffice.org. OK, these are both very imperfect comparisons, but although FLoC and Topics work in somewhat different ways, Topics is for all practical purposes just a fork that continues FLoC. They even treated it that way in the browser (at the time at least, no idea if it’s still so). https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts#... seems overall a fair enough portrayal. They simply rebranded the basic concept.

> 3. Topics is reducible to (implementable using) third-party cookies. While the proposal has issues and doesn’t resist tracking as well as Google claims (see below article), Ars’ implication that this is somehow making Chrome less privacy-preserving is patently false.

The first and last claims here are obvious nonsense. Third-party cookies only let you track stuff where your code runs, whereas the Topics API uses the entire browser history, so it’s not reducible to third-party cookies unless you mean something very different from me by that word. Ars’ implication is by no means patently false; as far as the current status is concerned, where they’ve added this and not removed third-party cookies, it’s patently true. In the longer term, it’s less clear, better in some ways and worse in others, but “patently false” is still an unreasonable characterisation.

>whereas the Topics API uses the entire browser history

It doesn't use the full history. If a site is using the Topics API it will only get back topics that it has observed from sites in the last 3 epochs. For site X to observe a topic from site Y. Site Y must either:

* Be site X

* Embed site X in an iframe on the page with a special attribute on the iframe element

* Send a fetch request to site X with a special header and site X must respond with a special header

Your description claims that Google sends topics to site X only from history related to site X.

Which makes this useless from advertising point of view. Which also means that Google is using the whole history to come up with "rough tooics".

Let's see:

--- start quote ---

With Topics, your browser determines a handful of topics, like “Fitness” or “Travel & Transportation,” that represent your top interests for that week based on your browsing history.

https://blog.google/products/chrome/get-know-new-topics-api-...

The browser observes and records topics that appear to be of interest to the user, based on their browsing activity.

https://developer.chrome.com/blog/new-in-chrome-115/

With the Topics API, the browser observes and records topics that appear to be of interest to the user, based on their browsing activity. This information is recorded on the user's device.

https://developer.chrome.com/docs/privacy-sandbox/topics/ove...

--- end quote ---

From your last link:

> API callers only receive topics they've observed

> A design goal of the Topics API is to enable interest-based advertising without sharing information with more entities than is currently possible with third-party cookies. The Topics API is designed so topics can only be returned for API callers that have already observed them, within a limited timeframe. An API caller is said to have observed a topic for a user if it has called the document.browsingTopics() method in code included on a site that the Topics API has mapped to that topic.

This doesn't say that topics only come from the same website. It only says that if a website has "observed" any of the thousand or so topics, one will be provided to that site based on user activity.

Edit. Literally last link:

> Map browser activity to topics of interest. With the current design of the Topics API, topics are inferred from the hostnames of pages the user visits.

That sentence is about how the Topics API finds topics, not about who the topics are shared with.
The original claim was that Topics API doesn't use the whole browser history, and that sites inly get topics for that site.

Whereas the description clearly states that topics are derived from the entire browsing history, and they will get topics derived from the test of the history because while coarse, there are still a bunch of them.

A site with a narrow site like a site on fresh-water aquatic plants will probably only get a handful of topics. What will Amazon get? Or Google for that matter? Or a news site? Given that they are likely to "observe" every single topic?

The original discussion was comparing the Topics API to third party cookies.

The way that the Topics API works is that a website that could have set a third party cookie will instead be able to observe a topic, and will then be able to get that topic in the future.

The comment I responded to claimed that Topics API doesn't use the full history and that a site X won't get topics derived for site Y: https://news.ycombinator.com/item?id=37429447
> Topics API doesn't use the full history

That's true, or rather no site gets access to the full history, or to topics that are derrived from the full history, but only to that part of the history that it "observed".

> a site X won't get topics derived for site Y

Unless site Y allowed them to, which of course site Y can also do by allowing them to set a third party cookie.

The top 5 topics for an epoch is calculated using all of your browsing history in that epoch.

A site observing a topic in the last 3 epochs unlocks the ability for document.browsingTopics() to return that topic from your top 5.

Every epoch each site has a 95% chance to be assigned 1 topic out of your top 5 topics and a 5% chance that it is assigned a random topic. When browsingTopics is called it gets the topics it was assigned for the last 3 epochs. Real topics are not returned if the site did not observe that topic in the last 3 epochs as mentioned in the previous paragraph.

It's on a per-tracker basis. For an ad provider to see a given topic it must have been embedded in a site with that topic. In GP's comment "site X" is referring the site being embedded, not the top-level site. Again, this is reducible to third-party cookies.
> Third-party cookies only let you track stuff where your code runs, whereas the Topics API uses the entire browser history

This is false. Topics only allows ad trackers to see topics associated with sites they were embedded in. In this way, topics is reducible to TPC.

Huh. I did not detect such an implication. The gist of the article for me was Google is using a new system. Perhaps there is an implication that based on the deceptive use of the term "privacy" some users might believe that Chrome is now more privacy preserving. That would of course be patently false.

But it seems this comparison to third party cookies ignores the fact that now one company, Google, gets a maximum amount of tracking data without having to cooperate with any other entity. That potentially could be a loss for privacy because the concentration of personal data at one entity, i.e., Google, requires less cooperation, e.g., data sharing. It's easier.

> Topics is reducible to (implementable using) third-party cookies.

Yes, but aren't 3rd party cookies going to get banned? That seems to be the common assumption in the adtech space. If that's true isn't topics just google's mechanism to continue the kind of tracking that lawmakers are trying to ban by banning 3rd party cookies?

This is the first I've heard of such a law. Do you have a reference? Which country?
Going by GDPR any tracking that isn't necessary for your service to work has to be optional and the site operator has to list and explain every bit of data he tracks.

Moving that tracking directly into the browser seems like a cheap attempt at trying to bypass the GDPR.

Search for "death of third party cookies" and you will find a huge amount of material about it. It's basically a trend that everyone in marketing expects. Here's a tiny sample but I've tried to draw on a wide swath of different sources.

[1] https://www.mckinsey.com/capabilities/growth-marketing-and-s...

[2] https://www.forbes.com/sites/theyec/2022/09/12/the-slow-deat...

[3] https://blog.hubspot.com/marketing/third-party-cookie-phase-...

[4] https://www.marketingweek.com/death-third-party-cookies-goog...

[5] https://www.techtarget.com/whatis/feature/The-death-of-third...

As far I can tell, none of those links are talking about "lawmakers banning 3rd party cookies". They're mostly about Google wanting to remove 3p cookies from Chrome. A couple of them reference laws, but it's just talking about general privacy law trends by giving examples of laws that are already passed like GDPR and did not in fact lead to a ban of 3p cookies.

Since none of your links provided any evidence for this, I'm going to guess that the waste swathe of material doesn't actually exist.

I didn't say anything about lawmakers. I said 3rd party cookies are expectetd to be banned (by google and other browser makers only other browser makers have already done that).
No, you very specifically wrote about "lawmakers" being the ones who are "trying to ban 3rd party cookies", not about Chrome.

"If that's true isn't topics just google's mechanism to continue the kind of tracking that *lawmakers* are trying to ban by banning 3rd party cookies?"

If you really didn't think you were talking about lawmakers but about big tech (seems like an odd mistake), you could at least have replied right away that you had no idea of why I was bringing laws up. Would have saved us both some time.

Disclaimer: you work for Google?
If you go to his bio he doesn't say that on his CV, so seems kinda unlikely

Disclaimer: I work for Google but my opinions and web crawling abilities are mine and mine alone.

> 3. Topics is reducible to (implementable using) third-party cookies.

Even with 1st-party cookie jar isolation?

My friend who was the biggest Google evangelist 10yrs ago who went through a round of interviews there (stellar Kotlin programmer) has completely written off the company after this announcement some months ago.

He's committed to deGoogling his life now and is even migrating off Gmail this weekend - I think I'll be joining him.

(comment deleted)
As someone who has left, let me try to help.

Nextcloud

Syncthing

Firefox

Bitwarden

Aegis

GrapheneOS

F-Droid

ntfy

NewPipe

Signal

Matrix

Stop using email or do custom domain + some service. Sync locally with Thunderbird or whatever you like.

Switched to Firefox years ago. Hopefully now more people will.
"Part III. Put Users First; the Rest Will Follow

Like most companies, Google has a mission statement or "philosophy." Google's philosophy is divided into 10 points; each point is one sentence long. The first and most interesting is quoted in the title of this part of the book. Unlike most corporate mission statements, this phrase did not come about through long committee discussions: This statement is Larry Page's mantra. Early on, when people asked him about financing his projects, he always replied with something like, "Don't worry about it. If our users are satisfied, if we give them all they want and more, we'll be able to find some money.""

https://www.oreilly.com/library/view/the-google-way/97815932...

Honestly I never quite understood why most folks switched so easily and unquestioningly to Chrome.

Maybe I'm just an open source purist. However, I will say that in almost all tests with websites I am actually using Firefox is faster.

(Maybe not that much of a purist: I do use Chrome at work as we're using various Google products... docs, meet, etc, and those work better on Chrome. Go figure.)

WebRTC support in FireFox and Safari had been abysmal for years. This has now gotten much better.
When it first came out, Chrome was much, much more performant than Firefox, and had better standards compliance than Safari. It was just a better browsing experience. V8 was a big deal performance-wise.

Firefox has since largely caught-up from a performance perspective, although there is still some functionality inconvenience.

Of course the stated attitude toward the user is night and day - I switched back to Firefox about the same time they started integrating Gmail / Google accounts into Chrome.

(comment deleted)
> When it first came out, Chrome was much, much more performant than Firefox, and had better standards compliance than Safari

When it first came out, it was almost literally Safari (well, WebKit).

Another key differentiator for Chrome, when it came out, was its process isolation model. Firefox has that too now.
I wouldn't underestimate the impact the Chrome TV ads had on regular computer users. The banners atop Google search results encouraging people to switch also played a big role. by the time Chrome launched, I think there were a ton of people who were sick to death of hearing one extended family member or another who was into tech cajole them to drop Internet Explorer. Switching to Chrome was easy. Just click the link that Google gave them, and plus, they were familiar with it from TV.
Chrome also stealth installed itself with Adobe flash and reader updates with a default check. I remember it in antivirus software and who knows what else.

I'll admit this traditional installer dark pattern seems quaint compared to what OSes regularly attack users with these days but this was the behavior of most pay-to-pack-in crapware at the time.

Everyone who was there when it came out knows/remembers why. It was unbelievably fast and lightweight compared to Firefox and IE.
When it first came out, it really was so much faster than every other option that even ordinary users would immediately notice a difference. 2008 Google also had an incredibly positive reputation. If you tried to tell someone in 2008 that Google was an advertising company, you might convince them to agree that it was technically true, but they'd tell you that it was a stupid and reductive view of the company. Everyone was on board with the idea that Google's goal in creating Chrome was to help grow the web because obviously google search was reliant on the open web doing well.
Let’s not forget the bubble we’re in here. Google are aiming for Jane and Joe Muggle who click on that icon to get the internet. Google have done a really effective marketing job there, Chrome in that sense is almost like a virus in the way it has propagated for no other good reason.
Firefox also can display images correctly if the site happens to not include a web optimized version in the correct resolution. I don't know the web you visit, but that is pretty common in a lot of places.

Chrome users looked at worse versions of images on the web for years. It is a completely bonkers performance optimization.

Chrome did kick Firefox off in web development tools though, so I can understand some people. But today I don't think there is much difference anymore. I am not web dev though. On the other hand webdevs should know about image quality on websites.

Following this launch I've been test-driving both Firefox and Vivaldi. I'm surprised how few issues I've encountered browsing with Firefox, despite it not being part of the Chromium borg.

I dare say it's actually a nicer experience overall than Chrome, with the caveat that I haven't looked into battery life impact yet.

When Chrome came out, it was and FELT waaaay faster than Firefox or any other browser. By miles. And back then, Google had a great reputation.
Google sites and services where constantly nagging users to "upgrade to Chrome" and some even broke on Firefox (unless you changed the user agent string to chrome). It was also bundled on nearly every software download site, so you got it even if you never explicitly asked for it.
There are a few replies on performance here: I didn't notice at the time, I just did it because Google was still a 'cool' company.

In the intervening years I bounced between the two depending on which made the most asinine UI decisions but settled on Firefox when my FOSS sensibilities and distaste for Google hardened.

Any thoughts on pros and cons of usung Brave browser on iOS?
I think the Ars writer here is very uninformed. Floc is completely different from Topics, and if you actually read the Topics spec, it seems to be significantly better than 3rd party cookies? At least to me. Maybe I’m missing something.
Topics is a refinement of FloC… no third-party cookies and no Topics would be significantly better but Google is an adtech company and there’s anti-competitive concerns from other ad tech providers
I’ve been waiting for years for Safari to support multiple profiles so I can have a work and personal profile, instead of using Chrome for work. Finally this year we’re getting that, goodbye chrome, it’s been a fun 10 years. Unfortunately Chrome turned into a bloated mess over time, even before this news I was waiting to switch.
So stop using chrome. Tell your CTO that your engineer department no longer wants to develop for chrome as the primary web app target.