What can we rid the world of, thinks Google... Poverty? Disease? Yeah, yeah, but first: Third-party cookies – and classic user-agent strings
Ad giant chides rivals for encouraging invasive tracking techniques
Analysis On Tuesday, Google published an update on its Privacy Sandbox proposal, a plan thoroughly panned last summer as a desperate attempt to redefine privacy in a way that's compatible with the ad slinger's business.
In a blog post, Justin Schuh, director of Chrome engineering, asked the web community for help to increase the privacy of web browsing, something browser makers like Apple and Mozilla have already been doing on their own.
"After initial dialogue with the web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete," wrote Schuh.
"Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome."
That's a significant shift for a company that relies heavily on cookie data for its ad business. Google Display Network uses third-party cookies to serve behavior-based ads. And Google partners, like publishers that use Google Ad Manager to sell ads, will also be affected.
Cookies are files that get created and stored on internet users' devices when they browse the web. A visited website can set a first-party cookie linked to its domain and may include code allowing other domains, typically associated with ad tracking, ad targeting, or analytics, to add third-party cookies.
Those third-party cookies can be read when the internet user visits other websites, which may allow identification, tracking, or the delivery of interest-based ads at other websites coded to accommodate related ad tech.
Google fights the tide
Over the past few years, as Apple, Brave, and Mozilla have taken steps to block third-party cookies by default and legislators have passed privacy legislation. Meanwhile, ad tech companies have tried to preserve their ability to track people online. Google has resisted third-party cookie blocking and last year began working on a way to preserve its data gathering while also accommodating certain privacy concerns.
Schuh said Google aims to drop third-party cookie support within two years, but added that Google "[needs] the ecosystem to engage on [its] proposals," a plea that makes it sound like the company's initial salvo of would-be web tech specs has been largely ignored.
In a phone interview with The Register, Electronic Frontier Foundation staff technologist Bennett Cyphers said there doesn't appear to have been much community interest in Google's proposals. "When they announced Privacy Sandbox last fall, they threw a bunch of code on GitHub. Those repos don't show much sign of engagement."
Cyphers said he couldn't speak to discussions at the W3C, but said people haven't shown much interest in Google's specs.
Lee Tien, senior staff attorney at the EFF, said in an email that Google is influential with standards bodies like the W3C but that doesn't mean the company will get what it wants by throwing its weight around.
"A big issue, though, is that companies like Google do not necessarily provide solid technical evidence for their technically plausible claims," he said. "They might say that it’s proprietary for business reasons, or that telling the world might help Bad Guys do Bad Things. Those who are on the outside of the company are often unable to evaluate this evidence as a result."
Even so, Cyphers welcomed Google's commitment to move away from third-party cookies.
"That's positive," he said, "but it looks like two steps forward and one, or maybe two, steps back. In the process of getting rid of third-party cookies, it seems like they're setting out to build new protocols into Chrome that will be bad for privacy."
When first floated, Cyphers savaged the Privacy Sandbox proposals as "privacy gaslighting" because they attempt to preserve Google's ad business by trading cookies-based identifiers with other identifiers. This was made possible through proposals like Federated Learning of Cohorts (FLoC) and Private Interest Groups, Including Noise (PIGIN).
"Google not only doubled down on its commitment to targeted advertising, but also made the laughable claim that blocking third-party cookies – by far the most common tracking technology on the Web, and Google’s tracking method of choice – will hurt user privacy," wrote Cyphers at the time.
It's nice Google or nasty advertisers
Schuh in his post repeats that claim, arguing that steps taken by rival browser makers to improve privacy by blocking third-party cookies encourage data-deprived marketers to resort to desperate, nefarious measures to get the information they crave.
"Some browsers have reacted to these [privacy] concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem," wrote Schuh.
"By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better."
In other words, by blocking third-party cookies, you're encouraging advertisers to invade your privacy through browser fingerprinting.
As it happens, Google appears to be trying to limit one data point used for browser fingerprinting via its plan to freeze the User-Agent string that browsers send to servers. Its proposed replacement is a mechanism called User-Agent Client Hints, which is designed to reduce the availability of user device characteristics for passive fingerprinting, while allowing servers to negotiate for data they really need.
For all Schuh's talk of community engagement and dialogue, some people don't see any common ground. Twitter user ocdtrekkie, a self-declared "privacy enthusiast" who asked to be identified only as Jacob, rejected Schuh's vision of "a healthy ad-supported web," writing, "That's not what we want. We actually want to kill the ad-supported web and the adtech nightmares built on it."
As browser rivals block third-party tracking, Google pitches 'Privacy Sandbox' peace planREAD MORE
In a Twitter direct message, Jacob said, "Firefox, Edge, and Safari have all chosen to implement tracking protection features that by default make it difficult for advertisers to track users on the web. Google has stubbornly refused to follow suit, because they are an ad company, and Chrome exists to protect their ad business first and foremost."
Jacob also questioned Google's claim last year that the absence of cookies results in 52 per cent less publisher revenue, noting that academic researchers said the figure is more like 4 per cent [PDF].
Via Twitter, Alex Stamos, who served as Facebook's chief security officer before shifting to academia, greeted Schuh's update by offering both face-value take – "This is a huge privacy win!" – and a cynical take – "Google is weaponizing the anti-tech coalition’s confusion on privacy/competition trade-offs to lock in their 1st party ad oligopoly (alongside Facebook)."
"It’s probably both." ®