People keep forgetting that the vast majority of Google's revenue comes from ads. They're literally an ad company, that dabbles in cool tech as their 20% project.
If Google is phasing out 3rd party cookies, they're not doing it for privacy, they're doing it because they've figured out how to track people without them. And they don't want their competitors to do the same.
Thus: Remove 3rd party cookie support from their market-leading browser to hobble competition.
Looks like they figured out a way to track you without 3rd party cookies and are looking to use their dominant position as a browser vendor to undercut competing ad vendors who haven't figured it out yet. I wonder if those obnoxious Login with Google popups have anything to do with it.
The spec for the targeting replacement is public, I believe it's called FLEDGE. Third party cookies uniquely identify one browser allowing direct targeting, whereas FLEDGE only allows general targeting of larger groups by topic as far as I understand it. I believe it's entirely distinct from Google accounts.
Disclaimer, I work at Google on related things on the Android side, but I only have a layman's understanding of the Chrome side.
The browser, which doesn't need to be Chrome although that's the only implementation I've heard of, does local tracking. It then exposes APIs to ad networks to allow them to target based on that tracking. As far as I understand the "tracking" never leaves the device, and the "targeting" is fairly wide based on topics like "cars" or "holidays".
This is specifically for attribution, and seems to roughly mirror the native SKAdNetwork framework on iOS. Attribution is a distinct problem to targeting – also important, but as far as I can tell PCM/SKAdNetwork would not solve the same problem.
Why would it be okay to let advertisers know you have an interest in cars? Seeing personally targeted ads affects your autonomy.
I don't want to be influenced by ads on every website that are targeted by my socioeconomic status, such as the potential ability to afford a holiday outing or purchase a car inferred through interest in holidays and cars.
Being able to differentiate on interests such as 'holidays' and 'cars' as compared to 'fast food' enables advertisers to sell the same product at different prices to different socioeconomic groups. This is bad for society.
How many people have you met in your life that have told you that they want to help advertisers serve them better personally targeted ads?
If the answer is a very low number, then why is Privacy Sandbox on by default?
In Chrome, none of the Privacy Sandbox APIs even respect the browser's built-in Do-Not-Track setting.
Contextual ads are enough. Advertisers don't have an intrinsic right to optimally profit off my device hardware, and they should be thankful for whatever profit they do end up getting.
Google's tech lead on Privacy Sandbox, Michael Kleber, says that "[…] limiting the web to contextual advertising solutions dramatically decreases the ability of web sites to fund themselves — for example, 52% less revenue for sites on average, and 62% less for news sites, according to https://services.google.com/fh/files/misc/disabling_third-pa..., […]"
48% of current revenue is plenty. Privacy Sandbox is adtech greed forced onto users.
So you're sticking to third party tracking cookies? Sadly this is unlikely to be a false dichotomy, as we've already seen paywalls put up around adblockers, I expect to see the same for browsers without third party cookie support – I already have to mess with Safari on a regular basis to get websites to work because it doesn't accept them.
You just ignored all of my questions and are now insinuating that I said something implying that I am "sticking to third party tracking cookies".
In case you didn't get the drift from "Advertisers don't have an intrinsic right to optimally profit off my device hardware": I block third party cookies in Chrome and use other browsers that have third-party cookies blocked by default.
If you're asking about how I use third party cookies myself in my own software: I maintain a popular consent manager used all across the internet. It doesn't use third-party cookies. We're actually planning to implement Privacy Sandbox regulation capabilities so that our customers can properly gate your APIs based on tracking consent and user privacy rights (since you don't respect your own browser privacy signals).
If you're asking how I will react to a web with more paywalled ad-free content: Emotions ranging from indifferent to pleased, depending on the content source.
Are you aware that your coworkers have frequently claimed that Privacy Sandbox by itself somehow "enhances" ad privacy, conflating the removal of third party cookies with the introduction of Privacy Sandbox? The notice has since been removed, but I'm still waiting (likely forever) for an issue to be addressed about these fraudulent claims[1].
No no, this is a Googler defending the superiority of Google’s new cookie design. You’re supposed to assume your questions were too dumb and Google has everything figured out.
No I think the notion is that users don’t like ads, so there no need for Google to re-design cookies for the web. But it’s very Google-y to assume that users actually like Google ads. Even if they’re very low-quality ads for like mail-order brides and crypto scams which are even on youtube now.
> So you're sticking to third party tracking cookies?
? The correct amount is zero tracking, on the basis that it's enough to know what ad goes to what page, without needing to follow the user around the web and track them individually.
Competition regulators in the UK, US, and EU all made it clear that Chrome could not remove on-by-default third party cookie support without a replacement that worked well enough for other ad networks.
The UK CMA did it with a formal consent decree, EU, the US states, and DOJ each "just" threatened anti-trust action if it happened.
It isn't a false dichotomy; the choice really is between 3p tracking cookies vd. something like the Topics API.
Yes, you've repeated your opinion on that often enough that nobody doubts that it indeed is your opinion.
But the fact is that the regulators covering basically all of the West don't share that opinion. In fact, they're not merely neutral on it. They have expressly forbidden Google from doing what you want.
And while your opinion is as valid as anyone else's, as a practical matter what the regulators decide will trump that opinion.
I would expect that if Google also stopped tracking users it would pass muster; the thing that's illegal is using the browser monopoly to unfairly benefit the ads side of the house.
Regardless, "Google is legally obligated to not protect your privacy" is the weirdest pro-Firefox argument I've read lately, but I guess it's an acceptable conclusion.
The spec and impl might be public, but the actual market analysis that drove the change and how it will make non-Google ad targeting less competitive is not, and your employer will go scorched-earth to hide whatever they can from public inquiry just as they’ve done in current trials e.g. https://arstechnica.com/tech-policy/2023/09/google-fights-to...
It feels like there's a bunch more pieces to the puzzle too. There's Topic API, which by itself only tells a site more about users, but does so in a supposedly privacy preserving way. There's dozens of efforts listed on https://developers.google.com/privacy-sandbox/relevance/prot... , mostly slated for 2023 & seemingly not updated in a while (with abundant broken links too). It's a bit wild that third party cookies are deprecated even though it seems like then promised fair privacy preserving replacement for ads is maybe still being built?
The obnoxious Google Login popups are designed to create lift for Google auth over e.g. Facebook, Microsoft, or even per-site accounts. While logged-in helps them track you, Google already has you through your phone or Google Analytics. Google Plus was where they launched the TOS and formally started cookie-joining across all their platforms.
This has nothing to do with the Google Login pop-up. Incidentally, it used to be that you could turn them off in your Google account settings, and the option is still there, but it seems to be broken since a while now. At least for me.
Just as a reminder to folk, safari never allowed third party cookies by default, and when google made chrome they made the choice to enable third party cookies as the primary purpose of chrome is to support google's ad business. Anything that they do needs to be considered in context, including "different" browsers that just re-ship chromium, as they simply solidify the chromium monopoly of what defines the web - i haven't seen "you must use safari" or "you must use Firefox", only "you must use chrome". I've seen enough people (incl. on HN) claiming that if chrome and the spec or chrome and other browsers diverge chrome is inherently right to recall the days of "IE is always the correct one" (also try to remember that while MS did a bunch of clearly BS reasons to beat netscape, IE was also a more capable, faster, and more responsive browser than netscape at the time, it was only once it rendered netscape irrelevant that the great stagnation happened).
Literally from the first beta release of safari more than a decade ago 3rd party cookies were not allowed by default.
ITP is not about 3rd party cookies, ITP is first and second party cookies where people use indirect load mechanisms to circumvent 3rd party cookie blocking. e.g when people load Facebook buttons and such like directly into a page the 3rd party cookie isn't available in JS but the resource load for the Facebook button allows Facebook (or whoever) to return the tracking identifier directly to the host page so that it can update its own tracking information. ITP (and similar in Firefox) prevents that by saying some variation of "if I see requests to domain X from lots of different domains, we should assume that's being used for tracking purposes, and so not every request to domain X from a domain Y should be completely isolated from queries to domain X from any other domain" so now once you decide the domain X is used for tracking purposes you don't have a "cookies for X" database you have "cookies for X when loaded from Y", "cookies for X when loaded from Z", etc.
What google is talking about is not anything approaching ITP, they're literally talking about something even more basic: JS on domain A can't directly interact with cookie information on domain B, which is the 3rd party blocking that is what Safari and WebKit have always done by default.
Isolated cookies is not 3rd party cookie blocking.
Based on commentary I think google has done a good job of misleading people.
ITP and isolated cookies are a response to companies like Google and Facebook developing mechanisms to defeat/undermine 3rd party cookie blocking.
Google's "tracking protection" is something Safari did from the very first beta two decades ago, Firefox adopted 3rd party cookie blocking more recently, but that's all google is doing right now, and (presumably because) it's a tracking mechanism that they have already defeated.
They're calling it "tracking protection" to try and launder the "tracking protection" terminology of actual privacy mechanisms and terminology of other browsers, rather than actually acknowledging that what they're doing now was insufficient years ago (when safari and firefox had to introduce a bunch of very complex logic to continue to actually protect user privacy).
I literally worked on the webkit for most of a decade. I also worked on and developed a lot of ITP.
ITP is not 3rd party cookie blocking.
3rd party cookie blocking has been the default in safari and webkit since literally the first beta.
ITP is a response to companies like google and Facebook developing techniques to circumvent 3rd party cookie blocking as it became more popular (due to Firefox, Safari, and mostly iOS safari). Google is not developing an equivalent to ITP, it's literally flipping a single flag that they decided to turn off when they launched chrome because they're an advertising company that was dependent on them.
You need to understand here: Google is not working on releasing anything equivalent to ITP or whatever Firefox calls their version, they're working on something much more basic, and it's something they have already circumvented (which is why Safari and Firefox have their complex ITP or whatever mechanisms).
I suggest they do so. It gives a good look at the conflict between the different departments in Google re: revenue vs. value. If there are any questions about the motivations behind changes such as these, this may provide a bit of insight.
Rolling this out to 1% is a big deal and is the culmination of a lot of engineering work. Shout out to all the Googlers and other contributers who have contributed to this goal of phasing out third party cookies.
Google is in the business of surveiling users and selling them to advertisers. Hell, if it weren't for Google, other business models that don't require user surveillance might have taken off. The only solution to surveillance is software that users are in full control of. Chrome isn't that.
Targetting people to arrest and deport them, to use violence against them. That would be a practical example of government privacy violation.
I work at a telco, and they also do this for debt enforcement, locating not-up-to-date-on-payments cars, tracking down kids who ran to their parents from youth services is also done, ...
THAT is a real problem.
Suggesting it's time to buy a present for your wife because of upcoming wedding anniversary is targeted advertising.
There's no difference. Targeted advertising demands information that I (and others) may not want Google (or other scumbag advertisers) to have. That's a privacy violation.
> If a site doesn’t work without third-party cookies and Chrome notices you’re having issues — like if you refresh a page multiple times — we’ll prompt you with an option to temporarily re-enable third-party cookies for that website from the eye icon on the right side of your address bar.
Oh god, we are going to see something more annoying than cookie banners soon. (And this time we are not even sure whether Google is at least trying to do things in users' favor...)
Finally users, who don't care about online privacy will have a similarly bad experience as users who do care, but for some reason have to use a website that uses many third party scripts and cookies. For example some online shop, where they want to buy something but need to allow third party scripts to complete the purchase, enabling those in ublock and reloading the page, only to find out that even more are required.
1: User visits domain A which includes a script from domain T. The script sets a cookie with a unique ID on domain T.
2: User visits domain B which also includes the script from domain T. With the request for the script, the browser also sends the cookie with the unique ID.
3: T now knows "Someone visited domain A and B".
4: If T figures out something private about the user on site A (say their Twitter handle), they now know that Twitter handle X visited domain A and domain B.
Is this a correct summary of what this is about?
I guess this means that Meta knows a lot of domains which handle xyz visits. Because they set the cookie when the owner of handle xyz logs into their account and then sees them on every domain which includes a script from Meta.
They can still accomplish this by loading some resource from meta servers. They don't need the cookie at all. They could do it with a .png icon if they wanted to.
Google loves doing this as they have all the info from everyone anyway and have first hand access to fingerprinting users, so they just cut out the competition who do it in this outdated fashion.
69 comments
[ 4.9 ms ] story [ 138 ms ] thread"chrome://flags/#test-third-party-cookie-phaseout is available from Chrome 118" if you want to test it.
If Google is phasing out 3rd party cookies, they're not doing it for privacy, they're doing it because they've figured out how to track people without them. And they don't want their competitors to do the same.
Thus: Remove 3rd party cookie support from their market-leading browser to hobble competition.
Disclaimer, I work at Google on related things on the Android side, but I only have a layman's understanding of the Chrome side.
https://webkit.org/blog/11529/introducing-private-click-meas...
I don't want to be influenced by ads on every website that are targeted by my socioeconomic status, such as the potential ability to afford a holiday outing or purchase a car inferred through interest in holidays and cars.
Being able to differentiate on interests such as 'holidays' and 'cars' as compared to 'fast food' enables advertisers to sell the same product at different prices to different socioeconomic groups. This is bad for society.
If the answer is a very low number, then why is Privacy Sandbox on by default?
In Chrome, none of the Privacy Sandbox APIs even respect the browser's built-in Do-Not-Track setting.
Contextual ads are enough. Advertisers don't have an intrinsic right to optimally profit off my device hardware, and they should be thankful for whatever profit they do end up getting.
Google's tech lead on Privacy Sandbox, Michael Kleber, says that "[…] limiting the web to contextual advertising solutions dramatically decreases the ability of web sites to fund themselves — for example, 52% less revenue for sites on average, and 62% less for news sites, according to https://services.google.com/fh/files/misc/disabling_third-pa..., […]"
48% of current revenue is plenty. Privacy Sandbox is adtech greed forced onto users.
So you're sticking to third party tracking cookies? Sadly this is unlikely to be a false dichotomy, as we've already seen paywalls put up around adblockers, I expect to see the same for browsers without third party cookie support – I already have to mess with Safari on a regular basis to get websites to work because it doesn't accept them.
In case you didn't get the drift from "Advertisers don't have an intrinsic right to optimally profit off my device hardware": I block third party cookies in Chrome and use other browsers that have third-party cookies blocked by default.
If you're asking about how I use third party cookies myself in my own software: I maintain a popular consent manager used all across the internet. It doesn't use third-party cookies. We're actually planning to implement Privacy Sandbox regulation capabilities so that our customers can properly gate your APIs based on tracking consent and user privacy rights (since you don't respect your own browser privacy signals).
If you're asking how I will react to a web with more paywalled ad-free content: Emotions ranging from indifferent to pleased, depending on the content source.
Are you aware that your coworkers have frequently claimed that Privacy Sandbox by itself somehow "enhances" ad privacy, conflating the removal of third party cookies with the introduction of Privacy Sandbox? The notice has since been removed, but I'm still waiting (likely forever) for an issue to be addressed about these fraudulent claims[1].
Nobody wants Privacy Sandbox except advertisers.
1. https://bugs.chromium.org/p/chromium/issues/detail?id=143154...
>> Contextual ads are enough.
to
> So you're sticking to third party tracking cookies?
? The correct amount is zero tracking, on the basis that it's enough to know what ad goes to what page, without needing to follow the user around the web and track them individually.
Competition regulators in the UK, US, and EU all made it clear that Chrome could not remove on-by-default third party cookie support without a replacement that worked well enough for other ad networks.
The UK CMA did it with a formal consent decree, EU, the US states, and DOJ each "just" threatened anti-trust action if it happened.
It isn't a false dichotomy; the choice really is between 3p tracking cookies vd. something like the Topics API.
That is plenty. Users don't need to assist ad networks.
But the fact is that the regulators covering basically all of the West don't share that opinion. In fact, they're not merely neutral on it. They have expressly forbidden Google from doing what you want.
And while your opinion is as valid as anyone else's, as a practical matter what the regulators decide will trump that opinion.
Regardless, "Google is legally obligated to not protect your privacy" is the weirdest pro-Firefox argument I've read lately, but I guess it's an acceptable conclusion.
If you work on Android maybe you can do a 20% project where you let users completely opt out of motion-based user fingerprinting even when airplane mode is on https://www.thesun.co.uk/tech/7811918/google-is-tracking-you...
Or even a change to let Android users get a percentage of the profits garnered from Google’s fingerprinting of them.
Docs for Protected Audience API: https://developers.google.com/privacy-sandbox/relevance/prot...
It feels like there's a bunch more pieces to the puzzle too. There's Topic API, which by itself only tells a site more about users, but does so in a supposedly privacy preserving way. There's dozens of efforts listed on https://developers.google.com/privacy-sandbox/relevance/prot... , mostly slated for 2023 & seemingly not updated in a while (with abundant broken links too). It's a bit wild that third party cookies are deprecated even though it seems like then promised fair privacy preserving replacement for ads is maybe still being built?
ITP is not about 3rd party cookies, ITP is first and second party cookies where people use indirect load mechanisms to circumvent 3rd party cookie blocking. e.g when people load Facebook buttons and such like directly into a page the 3rd party cookie isn't available in JS but the resource load for the Facebook button allows Facebook (or whoever) to return the tracking identifier directly to the host page so that it can update its own tracking information. ITP (and similar in Firefox) prevents that by saying some variation of "if I see requests to domain X from lots of different domains, we should assume that's being used for tracking purposes, and so not every request to domain X from a domain Y should be completely isolated from queries to domain X from any other domain" so now once you decide the domain X is used for tracking purposes you don't have a "cookies for X" database you have "cookies for X when loaded from Y", "cookies for X when loaded from Z", etc.
What google is talking about is not anything approaching ITP, they're literally talking about something even more basic: JS on domain A can't directly interact with cookie information on domain B, which is the 3rd party blocking that is what Safari and WebKit have always done by default.
Based on commentary I think google has done a good job of misleading people.
ITP and isolated cookies are a response to companies like Google and Facebook developing mechanisms to defeat/undermine 3rd party cookie blocking.
Google's "tracking protection" is something Safari did from the very first beta two decades ago, Firefox adopted 3rd party cookie blocking more recently, but that's all google is doing right now, and (presumably because) it's a tracking mechanism that they have already defeated.
They're calling it "tracking protection" to try and launder the "tracking protection" terminology of actual privacy mechanisms and terminology of other browsers, rather than actually acknowledging that what they're doing now was insufficient years ago (when safari and firefox had to introduce a bunch of very complex logic to continue to actually protect user privacy).
https://www.theverge.com/2020/3/24/21192830/apple-safari-int...
ITP is not 3rd party cookie blocking.
3rd party cookie blocking has been the default in safari and webkit since literally the first beta.
ITP is a response to companies like google and Facebook developing techniques to circumvent 3rd party cookie blocking as it became more popular (due to Firefox, Safari, and mostly iOS safari). Google is not developing an equivalent to ITP, it's literally flipping a single flag that they decided to turn off when they launched chrome because they're an advertising company that was dependent on them.
You need to understand here: Google is not working on releasing anything equivalent to ITP or whatever Firefox calls their version, they're working on something much more basic, and it's something they have already circumvented (which is why Safari and Firefox have their complex ITP or whatever mechanisms).
* https://www.justice.gov/d9/2023-11/417581.pdf
I suggest they do so. It gives a good look at the conflict between the different departments in Google re: revenue vs. value. If there are any questions about the motivations behind changes such as these, this may provide a bit of insight.
https://www.aclu.org/news/immigrants-rights/the-u-s-governme...
Targetting people to arrest and deport them, to use violence against them. That would be a practical example of government privacy violation.
I work at a telco, and they also do this for debt enforcement, locating not-up-to-date-on-payments cars, tracking down kids who ran to their parents from youth services is also done, ...
THAT is a real problem.
Suggesting it's time to buy a present for your wife because of upcoming wedding anniversary is targeted advertising.
Is it what you want - often "no"
Is it better than what we have - often "I suppose so :("
More recent discussion over last few days instead of this old post that's been submitted a bunch.
https://news.ycombinator.com/item?id=38880690
https://news.ycombinator.com/item?id=38866109
Preparing for the end of third-party cookies
https://news.ycombinator.com/item?id=38413263
Oh god, we are going to see something more annoying than cookie banners soon. (And this time we are not even sure whether Google is at least trying to do things in users' favor...)
1: User visits domain A which includes a script from domain T. The script sets a cookie with a unique ID on domain T.
2: User visits domain B which also includes the script from domain T. With the request for the script, the browser also sends the cookie with the unique ID.
3: T now knows "Someone visited domain A and B".
4: If T figures out something private about the user on site A (say their Twitter handle), they now know that Twitter handle X visited domain A and domain B.
Is this a correct summary of what this is about?
I guess this means that Meta knows a lot of domains which handle xyz visits. Because they set the cookie when the owner of handle xyz logs into their account and then sees them on every domain which includes a script from Meta.
So is this an attack on Meta by Google?