Google delays phasing out ad cookies on Chrome until 2024 (bloomberg.com)
174 points by cpeterso on July 27, 2022 | 241 comments


It is called "third party cookies" not "ad cookies". You can have ads without third party cookies and third party cookies have other purposes than ads.

I know that ads currently are the main use for third party cookies, but I think that everyone who has any interest in this news knows what a third party cookie is, so why not use the proper term? I actually thought it was some ad specific Chrome feature, like the Advertising ID in Android, but no, it turns out these are just third party cookies.


The official blog post just talks about third party cookies: https://blog.google/products/chrome/update-testing-privacy-s...

I think the main reason Bloomberg is calling them ad cookies is because it is the impact on advertising that's causing this delay. Google promised regulators that they wouldn't get rid of cookies without a replacement for advertising, and those replacements aren't ready yet. On the other hand, this is really hard and I don't know if Google is actually going to be able to do this ever.

(I used to work on this)


This is the actual link that should have been posted to HackerNews: https://developer.chrome.com/blog/expanding-privacy-sandbox-...


I'd missed that post, and it's an excellent summary of where this work is!


> Google promised regulators that they wouldn't get rid of cookies without a replacement for advertising

This is an excellent example of theoretically good intentions (promoting competition) leading to terrible results (preventing the removal of something largely unwanted that's abused by advertisers).


It might be that Bloomberg genuinely doesn't understand what these are since you can get past their soft paywall by removing their cookies.


But those are first party cookies, not third party.


This is technically correct. But from the perspective of a non-technical audience, calling it an "ad cookie" makes a lot of sense. It conveys a lot more information about why people should care, and why Google and others might be reticent to end their usage.

Maybe an "ad-enablement cookie" or a "tracking-enablement cookie" would be better. But the technical term of art, "third party cookie," is French to most people. As long as they make a note of the technical term (it's in the first line!) I think they're well within the limits of journalistic license.


It's also important to point out that phasing out third party cookies while still maintaining tracking in Chrome for themselves seems like a clear antitrust issue. They are effectively making it harder for any competing ad service to track users without making it any harder for themselves.


They're proposing an alternative ad-targeting system which any other provider would be able to use too.

Obviously they still get the benefit of designing such a system, and can tailor it to the needs of their products.


> It is called "third party cookies" not "ad cookies". You can have ads without third party cookies and third party cookies have other purposes than ads.

As one of the few people who is affected by a legitimate use case of third party cookies that are not ads... this is bullshit, 99% of use cases are for ads, it's an ad cookie.


Enterprise internal sites/SSO tend to rely on third party cookies, because it's enterprise and they can completely control what browser should be used.


Sounds like a great data feed for industrial espionage.


Yep. I've been browsing the Internet with third-party cookies blocked by default for several years, and only have three exceptions in my list: Google Drive (to be able to play videos), Mega (the file hosting site), and the official Xbox site (because it wouldn't show the list of games on Xbox Cloud Gaming).


Out of interest, what's that legitimate use case?


Embedding paid content from one domain into another (i.e. authz is needed to prove rights to access), it's common to store the session data in a cookie for the embedded site, at which point it's a third party cookie.

More concretely my particular case is to do with learning management systems which commonly use LTI to embed external content (outside of the US at least). That external content is hosted by some other system (can be another LMS) which usually store their session information in a cookie just because that's how it's always been done - The solution is to not use cookies, it's not needed, each resource can re-auth over the launch protocol (LTI) anyway, and for individual frames to be able to continue navigation/access - the session info can live anywhere else, in the URL for old fashioned navigation, or as part of the initial request body if subsequent requests are done over AJAX.
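An added example, not part of the comment above or of any LTI implementation: a small Python model of an embedded tool that keeps its session in a signed, expiring token sent in each request body instead of in a cookie, next to the cookie variant that breaks once third-party cookies are blocked. The site names, key, claim names and the `EmbeddedFrame` model are constructed for illustration, and the launch authentication itself is assumed to have already succeeded.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; none come from the thread.
SECRET = b"constructed-demo-key"   # a real tool loads this from a secret store
TTL_SECONDS = 900
LMS_SITE = "lms.example"           # top-level page (the embedding LMS)
TOOL_SITE = "content.example"      # embedded paid-content tool


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64e(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(user: str, resource: str, now: int) -> str:
    """Mint a signed, expiring session token once the launch is authenticated."""
    claims = {"u": user, "r": resource, "exp": now + TTL_SECONDS}
    payload = _b64e(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


def verify_token(token, resource: str, now: int):
    """Return the claims, or None if forged, expired or for another resource."""
    if not isinstance(token, str):
        return None
    try:
        payload, sig = token.split(".")
        # Constant-time comparison of the presented and expected signatures.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, TypeError):
        return None
    if claims["exp"] <= now or claims["r"] != resource:
        return None
    return claims


class EmbeddedFrame:
    """Browser-side state of the tool's iframe inside an LMS page."""

    def __init__(self, top_site: str, frame_site: str, block_third_party: bool):
        # Sites are passed in directly; a real browser derives them from the
        # registrable domain (eTLD+1) of each URL.
        self.cookie_allowed = not (block_third_party and top_site != frame_site)
        self.cookies = {}
        self.memory = {}  # stands in for a JavaScript variable in the frame

    def set_cookie(self, name: str, value: str) -> None:
        if self.cookie_allowed:  # a blocked third-party cookie is silently dropped
            self.cookies[name] = value


def simulate(strategy: str, block_third_party: bool, now: int = 1_000) -> bool:
    """Launch the tool in a frame; report whether a follow-up request is authorised."""
    frame = EmbeddedFrame(LMS_SITE, TOOL_SITE, block_third_party)
    server_sessions = {}
    # Launch response: either a session cookie or a token in the response body.
    if strategy == "cookie":
        server_sessions["sid-1"] = "student-42"
        frame.set_cookie("session", "sid-1")
    else:
        frame.memory["token"] = issue_token("student-42", "course-7", now)
    # Follow-up request from inside the frame, 60 seconds later.
    if strategy == "cookie":
        return frame.cookies.get("session") in server_sessions
    return verify_token(frame.memory.get("token"), "course-7", now + 60) is not None
```

The token travels in the request body rather than the URL, which keeps it out of access logs and `Referer` headers; binding it to one resource and a short expiry limits what a leaked token can be used for.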


> third party cookies have other purposes than ads

Do they? Like what?

Third-party cookies can be convenient, sure, but in almost all cases you don't need to use them and you can still get done what you need to get done. Except when you want to track users for ads.

(You can obviously track users without third-party cookies, too, by various fingerprinting methods, but at that point it's a lot clearer that what you're doing is nefarious and doesn't have the user's consent.)


Most of Google's enterprise offerings (like G Suite, Data Studio, etc.) simply refuse to work properly if you don't allow third party cookies. Heck, you can't even download anything or preview a video from Drive without it.


Only because they don’t care to put in the work necessary to fix it.


> and third party cookies have other purposes than ads.

For some reason MS Teams won't work without third party cookies... not sure why... I hope I never have to use it again


It's extremely annoying and I'm forced to use it with my current client. MS Teams is worse in everything they do compared to their competitors. I miss notifications all the time.


You made me think of this cool video: https://www.youtube.com/watch?v=bKgf5PaBzyg


MS Teams should be classified as malware / spyware.


I know it's been the case for a while, but as time goes on I actually feel more like the product when I need to use Chrome. They aren't building it for me, they're building it to sell me.


Firefox has done a wonderful job of building first class privacy features into their browser. It's fast, and responsive. They have some leadership issues, but the technical side of things seems to be doing well.

I switched to it as my main browser a few years back and it's been fine and hiccup-free.


I’ve had Mozilla developers tell me they have no interest in getting rid of all the phoning home Firefox does, not even as an advanced or hidden config.

I wish they cared as much about privacy at the technical level as they do in their marketing.


Ah, you'd better use Chrome, then. They hardly even claim to care about privacy!


I use Firefox, but I'm disappointed.


If only there were more than 2 options for browsers...


You have Firefox and everything Chromium based, which is still Chrome as I understand it.


Not quite true, there are also the WebKit-based browsers: Safari, and some obscure ones such as GNOME Web.


Safari requires MacOS and thus isn't a replacement unless you exclusively use Macs. Also, for all its supposed support of privacy features it doesn't allow you to use good ad blocking plugins like uBlock Origin. I only use the thing because it's the best for battery life, otherwise I think it's significantly inferior to both Chromium and Firefox.


Aside from the other alternative listed below, even within the Chromium universe you have options like Brave and LibreWolf which are very privacy oriented - https://privacytests.org/


Uhh, you absolutely can disable telemetry, it's in the Privacy and Security section of about:preferences, see here: https://support.mozilla.org/en-US/kb/telemetry-clientid . Disabling telemetry is also interpreted as a deletion request, so anything collected so far will be deleted.


Here's all telemetry and extensions disabled upon start and exit https://i.imgur.com/VFb1maZ.png


Do you have any reason to believe it is anything beyond a developer wanting to record usage and runtime issues?


No matter what it’s for, there should be a way for concerned users to disable it. I say this as someone who is pro telemetry in general.


There is a way and it's officially documented: https://support.mozilla.org/en-US/kb/telemetry-clientid just go into about:preferences


Again here’s their traffic upon start and exit after doing that https://i.imgur.com/VFb1maZ.png This is no extensions and all telemetry disabled.


I have a reason to believe that it is a company wanting something beyond what many or most of the users would prefer.


> I have a reason to believe that it is a company wanting something beyond what many or most of the users would prefer.

As an exmozillian I have to wonder about your reasons for this. From why you think crash reporting, render time, and privacy preserving analytics aren't giving benefits that users prefer, all the way to characterizing MoCo as "a company".


>> crash reporting, render time, and privacy preserving analytics

Those aren't the only times FF wants to "phone home". Personally, what made me jump from FF to a fork of the same, is Firefox Suggest. To me, this is a disgusting feature. Firefox with this feature says to me, we, Mozilla, want to become more like Chrome/Google.

It makes me not want to share even the tiniest bit of information with Mozilla.


I find Firefox Suggest pretty good.

But if you want to turn it off you can here: https://support.mozilla.org/en-US/kb/firefox-suggest


That doesn't even come close to addressing the point I was trying to make.

All of these anti privacy features, default enabled as they are, tells me something about Mozilla. Something you might not even want to think about.

If you're fine with sending to Mozilla everything you type into the address bar, then you probably don't care that much at all about privacy, which would be a shame, because privacy, online and offline, is nothing more and nothing less than a god damn human right.

>> but you can turn it off, doh

99% won't, because they don't know what's the point. Perhaps they're right.


> If you're fine with sending to Mozilla everything you type into the address bar...

That ability is opt-in only. By default, Mozilla does not see anything typed in the address bar. One has to manually turn on "Improve the Firefox Suggest experience" in about:preferences. https://support.mozilla.org/en-US/kb/firefox-suggest?as=u&ut...


>> 99% won't

Which is why corporations should not really be able to decide for the 99%. I won't blame Mozilla for trying this in the environment where it's possibly their only way to survive. It's really quite telling Firefox Suggest is only available in the USA.


Is there a way to fund Firefox development directly (rather than Mozilla at large)?


This same thread has people complaining how Firefox is funded by Google (https://news.ycombinator.com/item?id=32258663).

But when they try to develop alternative funding mechanisms like this they also get attacked.

> All of these anti privacy features, default enabled as they are, tells me something about Mozilla. Something you might not even want to think about.

Their goal isn't anti-privacy, it's that they need alternate revenue sources. I'm fine with that.

>>> but you can turn it off, doh

Please don't misquote me. My parent post was polite and informative and to mischaracterise it ("doh") is unnecessary.


>> But when they try to develop alternative funding mechanisms like this they also get attacked.

That's entirely beside the point.

>> Their goal isn't anti-privacy

That's sad.

>> Please don't misquote me.

Did not mean to but yes, I did and I apologize. Because that was rude of me to do so.


I have a pet theory for this: it pisses off the Open Source Tea Party.

So, one of the problems with power users is that they not only demand weirdly specific features, but that they all want different features from one another. And they will be very loud about how that particular feature is critical to their workflow. So the net effect is that they overcomplicate software.

Let's say you're a developer and you want to uncomplicate your software. How do you do that? Well, yeah, you could cut features, hide them in a junk-drawer menu, or redesign your UI to guide people to the most common options. But here's the problem: how do you know what the common options even are?

Telemetry.

You put in something in your software that counts up how many times users actually use each feature, and then it pings your server with the counts. You count how many active installations there are and bam, you get the data you need.

Then you release your fancy new redesign only to get assaulted with all sorts of abuse that could only be charitably described as "negative criticism". Oh my god, how could they have removed the "heat CPU when spacebar is pressed" feature!? They have telemetry, don't they know how many times I hit the spacebar?! Everyone else is just happy the app no longer flattens their battery, but the power users shout over them.

If you're a power user, telemetry has zero upside for you. Why the hell would you want the 7zip developers to know that you're the only person who has ever used the "Compress directory and e-mail" shell extension? You don't want the software to be easier to use! You already know how to use it, and screw anyone else who doesn't!

"Professional" software runs the risk of accumulating garbage in their designs and interfaces for exactly this reason. This goes for everything from Photoshop to git to MySQL.

(And yes, there's totally an inverse of this where the developer rounds off all the edges to the point where the software is more useful as a practical demonstration of gaslighting than an actual app.)


>how do you know what the common options even are?

This might sound crazy, but bear with me: how about simply using the software you write?


> why you think crash reporting, render time, and privacy preserving analytics aren't giving benefits that users prefer,

I think that preferences are things that people express clearly, and you can either agree to honor them, or refuse to honor them. Or you can change the subject to render time, or to whether a corporation is a company.


To double reply

You said, "I have a reason to believe that it is a company wanting something beyond what many or most of the users would prefer."

You have not articulated any reason. Just an unsupported conclusion, and then quickly switched to saying that preferences could be ignored. (which clearly your preference is ignored), while then trying to throw a bomb saying that the very real (and documented!) benefits that telemetry provides to all users, aren't actually some distraction.

State the nefarious secret reason you believe Mozilla has rather bland anonymous data, and what threat that identifying a CPU and operating system provides.

And for the record, my quip about Mozilla not being a company, was a facetious remark about how poorly managed Mozilla is, and the fact that it was originally a nonprofit, but now has this very unusual architecture of being a for-profit corporation that is wholly owned by a nonprofit foundation, due to US tax laws dictating that a minimum percentage of the revenue must come from donation, and the search deals were way outstripping that, and B-corps didn't exist when it was founded.


You do realize that the noisy users complaining about this aren't even a sizable minority of Firefox users. It's a cost-benefit analysis.


Your attitude and reply makes me wary of Mozilla as a whole.

No matter the benefit to the user or the company, telemetry should be opt-in. If the user doesn't opt-in, then all the potential upsides don't matter.


We both know no one opts in to stuff. More importantly, when dealing with self-selection bias, you don't know if the data you're collecting is representative of the entire population of users, or just the volunteers. So if you don't have a large enough data sample, there are no benefits to anyone. (e.g. "Everything must be fine. No crashes." Little do they know, it immediately crashes when visiting any of the top-100 domains by requests, but the volunteers never visit any of them.)

I would take your claims more seriously, if you could speak to something concrete about deficiencies of what is collected, and how, and what steps were taken to anonymize the data, how it's retained. (Fun fact: You can! It's all documented.), and articulate something beyond, "I just don't wanna, and I think my minority opinion should be imposed on everyone."


> We both know no one opts in to stuff.

That should tell you something, then.

> (Fun fact: You can! It's all documented.), or articulate something beyond, "I just don't wanna, and I think my minority opinion should be imposed on everyone."

It's actually that I want Mozilla and the developers there to respect my fundamental human rights as a data subject. The idea that you think I should have to justify my rights to you is absurd.

I honestly don't think you understand the damage that your attitude and your comments are doing to Firefox. Why would anyone ever trust software written by someone with your attitude. It's abhorrent.

If the information at https://support.mozilla.org/en-US/kb/telemetry-clientid is correct, then it seems that this data collection may be unlawful for EU residents.

Even IP address, even if never stored, is too much telemetry to be collected without consent or other lawful basis, which doesn't seem to be present.

It's sad to see Mozilla throw away their reputation because of telemetry.


>> We both know no one opts in to stuff.

> That should tell you something, then.

Yeah. People are lazy. Humanity has known that for thousands of years.

> Even IP address, even if never stored, is too much telemetry to be collected without consent or other lawful basis, which doesn't seem to be present.

Go home dude. You clearly have no idea how the internet works.


> Yeah. People are lazy. Humanity has known that for thousands of years.

What a disgusting attitude to hold. It should tell you that users don't want to share telemetry and that decision should be respected. I'm very thankful I live in a jurisdiction that protects me and the public from people like you.

> Go home dude. You clearly have no idea how the internet works.

It's clear you don't understand the regulatory environment that browsers operate in. Hopefully you are not representative of the developers in Mozilla. Otherwise, it's time to jump ship to Librewolf or another privacy-conscious fork.


> I'm very thankful I live in a jurisdiction that protects me and the public from people like you.

If you think your local regulatory environment prevents anything you're upset about, you need to learn about your regulations, because everything I've said is completely GDPR compliant, which as far as I know, is the strictest law about data collection out there.

All the GDPR says is that you set up a data retention controller (a person responsible for data retention) and limit access of personally identifiable information. If you can articulate a "legitimate interest", and take steps to mitigate access (which can include access control lists, data anonymization, data aggregation, and/or data retention policies), then you're fine. If the data does not have PII, it literally doesn't matter. I say this as someone that has conducted multiple GDPR compliance audits, at multiple companies.

So to use your telemetry example. While your IP address is PII, and it would be recorded in an access log (along with all requests) up to n days, before being purged, your software information and stack trace information could be stored indefinitely because there is no way to link a stack trace to literally anyone.

> It's clear you don't understand the regulatory environment that browsers operate in.

I already addressed that, but more importantly, I know that you can't get a response from any machine using Internet Protocol without sending your IP address, because it must be provided so the response can be sent back to you. This means that your IP address will always be, as you put it, "collected" even if it is "not stored" -- even in an http access log (which, by the way, is a legitimate interest for security and debugging reasons).

You can't articulate a hypothetical threat to an individual from nonPII information, nor explain how anonymization is insufficient protection, nor do you understand the legal or technical requirements involved.

And to cap it off, if you've actually looked at Librewolf, you'd know it makes requests to Mozilla all the time (with your IP address! Without your explicit approval! By default!) to download tracking protection data. In fact, Librewolf strongly recommends leaving this on as it increases security and privacy.

That is why I dismiss you.


I don't think moving the goalposts for Mozilla makes for a compelling argument.


Firefox is funded by Google and not by users, I bet they use statistics on web searches via the browser to negotiate those deals.

Just like everything else, if you don't pay for it then you are the product. It would be different if Firefox was funded by donations, but it is a for profit company that gets basically all its money from selling users to Google.


I hate to break it to you, but Google also has that data, because that's the way client-server architectures work.

I really find it hard to believe that

SELECT country, COUNT(*) FROM search_log GROUP BY country

is an invasion of privacy, or that somehow getting a commission off of the data you're already providing to a third party, is somehow making a user more of a product, than they already are.


Google don't know how those users interact with firefox search settings though, and without that they don't know how much it is worth to pay for being the default search.

Also, since they are funded by ads it means that they can't make ad blocking as a default feature, since then those users wouldn't be worth anything to sell. Whether you like it or not Firefox isn't free from any of this control.


> Google don't know how those users interact with firefox search settings though, and without that they don't know how much it is worth to pay for being the default search.

Where are you getting your information, because I don't believe this is true from my conversations with Firefox developers and data scientists. I think Firefox sends a ping to Google along with a telemetry ping to Mozilla, and then both Mozilla and Google correlate / fight over data as part of the contractual negotiations.


> Google don't know how those users interact with firefox search settings though, and without that they don't know how much it is worth to pay for being the default search.

Why not pay roughly in proportion to the revenue you get from Firefox users searching?


Assuming eternal altruism from a third party is absurd. This data is being soaked up, processed, transformed, stored, and at some level shared via a peering agreement.


I have no real reason to believe Firefox telemetry is used nefariously.

But I also don't believe that personal data Google collect will be used nefariously. I have yet to find a story that proves Google untrustworthy of my data. I consider personalized ads an annoyance (and I block them), but not a significant threat to my privacy, after all, they are shown to no one but me.

Same thing for Windows 10 telemetry.

As you can see, I am rather trusting of big tech, but because I am trusting, I am not going to choose Firefox for privacy reasons. I actually use half Firefox, half Chrome, but privacy has nothing to do with it.

Now, if I was less trusting, enough not to want to share my data with Google and Microsoft, then why would I trust Firefox? I wouldn't want any data to leave my computer unless I explicitly allowed it. Firefox has questionable management and has Google as its biggest partner, enough for the paranoid me to raise concerns. And one thing for sure, with telemetry, if I really had "something to hide" (ex: criminal activity), I wouldn't use Firefox as is.


What about when arrests begin to happen as Google reports people's browsing data (or more) to authorities as women look for ways to get abortions? Or are you of the opinion that “criminals should know better than to use tools like chrome”? Pardon the strong phrasing, it’s just a sentiment I see on here a lot, it’s not directed at you personally.


- AFAIK it didn't happen yet

- Who tells you that Mozilla won't do it?

- Criminals should know better than to use Chrome and Firefox, at least not without additional protection, and it includes disabling telemetry in both products.

I am not saying that Google can't do anything bad to me, I just trust that they won't. Answering the other comment about Nest camera, I didn't see any example of Google actually handing out data to police without a warrant, they are just saying that they can. I already know that they can, what I want to know is what they did. I also have no real reason to fear Mozilla, and I left telemetry enabled.

But I think that if you really want people to take your commitment to privacy seriously, "I collect data but trust me, I won't do anything bad" is not enough, I want that of course, but I also want technical commitment, and telemetry that is not strictly opt-in is a big no.

For me, vanilla Firefox is not a privacy-focused browser (and neither are Chrome and Edge). For me the criteria is: would I use it to commit a serious crime? If the answer is "no", it is not private. It is not that I want to commit a crime, or that privacy=crime, but that's like a litmus test. In fact I didn't even look into it but TOR browser comes to mind, it is based on Firefox, but of course, telemetry has been removed.


How about this story about Google providing Nest data to police without a warrant:

https://petapixel.com/2022/07/27/googles-nest-will-provide-d... https://news.ycombinator.com/item?id=32250470


Google isn't the core problem. It's all the other bottom feeders using the same technologies as Google to engage in mass surveillance. Google's inertia enables the bad actors to persist. Even with Google, the data they have on you isn't safe against an overly broad warrant.


I disabled the web portal ping in the settings (about:config - network.captive-portal-service.enabled - set to false)... I don't think it phones home anymore... But I sure don't like the direction Firefox is going. I've been using it since the beginning and I'm finally thinking of switching.

The funny thing is that I started using Firefox because of extensions.... and they basically blocked extensions on Firefox mobile... I know that you can make collections, but they made it as painful as possible.


What phoning home can't you disable in about:config?


I suspect the core issue isn't that you can't disable new privacy violations in Firefox, but that they're regularly added and default to being enabled, such that keeping them disabled is a regular full-time job. It'd be ideal if there was a single "don't phone home" switch that Firefox obeyed for all new telemetry features, but they don't.

That being said, being upset Mozilla has a trash telemetry policy isn't a good excuse to use Chrome, a willfully compromised browser which has refused to implement industry-standard protections.


It is problematic that phoning home is opt-out to begin with. A browser can not call itself privacy respecting if it is not zero telemetry by default.



You can also disable phoning home in Chromium.


Interesting, do want more information on this. Can someone who works for Mozilla care to comment on this? If this is true, then I would rather be using Brave or an ungoogled Chrome build than Firefox.


The big advantage of using Firefox that you don't get with Brave or UnGoogled Chromium is that you are supporting browser engine diversity.


To what end and through what means, though? Do you really think Mozilla would never do anything nefarious with the data that they collect? They would never, ever, swear on their mother's grave, sell that data to a third party, is that what you believe?


You're replying to a comment about browser engine diversity, which is largely decoupled from privacy.


No, it's not true, anyone can opt out of telemetry at any time via about:preferences, you don't even need to go to about:config https://support.mozilla.org/en-US/kb/telemetry-clientid


It is unfortunate that it's enabled by default, but I just have NextDNS block any calls to and from `*.telemetry.mozilla.org`. 0 complaints from me after doing that


General populace has no idea what privacy is. Firefox is a burning house. Zero innovation is the word that best describes them. They did nothing to compete with Chrome. They just exist, try to survive, because for the past 10 years they did nothing to innovate. Total management change needed.


Been my daily driver for quite some time. Great dev tools for working with CSS Grids too for those front end folks out there. Download, install, disable everything related to pocket, install my password manager, and then I've got my ideal browser.


As a Firefox user for the past 8 years or so, the only thing that I switch to chrome for these days is searching in foreign languages. Translation is second class in Firefox compared to Chrome.



You don't have to periodically pop into chrome or chromium in order to get a website to work right?

Just a few weeks back I couldn't place an order on a major airline with Firefox on Linux, Chromium on Linux, or Firefox on Windows. I had to do it with Edge on Windows.

I feel like it's not that common, but it is definitely increasingly common as web designers build sites to the Chrome spec in order to get that "blink" tag to work. It's so weird to me that large companies charging thousands of dollars are okay with the situation, seems like a "needs a shakeup" situation.


> You don't have to periodically pop into chrome or chromium in order to get a website to work right?

It's just anecdotal, but except for some very specialized web apps (think like 3D graphics demos), no, I've never had that happen.


Yes, it happens for me. Rarely, perhaps once every three months or so. For example, recently I bought train tickets to Machu Picchu in Peru and I was only able to do so in Safari. It’s mostly aged government websites that don’t support Firefox.


Probably an unpopular opinion here but Edge is surprisingly good. Feels like they are the only browser actually innovating.


My problem with Edge is that the ultimate intentions are still the same (data collection) since the product is free. Microsoft's recent behavior with Windows 10 also confirms the business model has shifted from "selling software" to data collection and "growth & engagement".


What areas do you find Edge different/better than Chrome?


Others have mentioned vertical tabs and dev tools, but they also have some nice built-in features that I would get from extensions on Chrome. Things like their collections, tab groups, shopping extension to find coupon codes, web capture, and immersive reader.

What's more I get the sense that they're innovating. I don't always prefer the changes they make but I like knowing there's a dev team actively working on new features to try and make the product better.


A completely subjective take:

Edge's dev tools have smoothed over some of the more rough edges of the standard Chromium dev tools.

Also, I find Edge's browser settings to be slightly more navigable.


Native vertical tabs in Edge is great.


I like using edge, because it allows me to keep my computer totally free of Chrome.


So instead of having the inconvenience of opting out of a few privacy settings, you'd rather have to opt out of a bunch and still get spied on by Microsoft. I hate to break the news but Edge has turned into the worst browser of all when it comes to privacy.


Option 1: Have only Edge installed.

Option 2: Install Chrome. Edge will still be present because I cannot remove it.

I choose 1 every time. At least Google is not getting my data in addition to Microsoft.


You can use local group policies to configure whatever privacy settings you need.


Basically Edge is Chrome with all the privacy features other browsers have but Google refuses to implement.


> privacy features other browsers have but Google refuses to implement

I am willing to bet MS is collecting all that data instead.


Is it possible to change the search bar in the new tab page from Bing to another search engine yet? It seemed like it was set to Bing, couldn't be disabled, and only the address bar could be changed to another search engine.


Not quite, but there is a setting called "Search on new tabs uses search box or address bar". When set to "address bar", typing anything in that giant search textbox on the new tab page automatically switches focus to the address bar (which uses the default search engine you've configured), so you can just do Ctrl+T and type.


Sure, the rewards, shopping assistant, multiple preloading pages and sending results to Microsoft is so much more privacy friendly.. if you ignore reality


Edge's default handling of third party cookies is the same as Chrome's.


with the added benefit of sending telemetry & usage data to Microsoft and Google


As is Safari.


Over the last decade, Safari has been innovating in areas that people aren't calling for, and is trailing years behind in areas that people want to use.

Thank god for the collective effort of the Epic v Apple lawsuit, the recently approved EU regulations designed to allow other browsers on iOS devices while allowing users to uninstall Safari, and Jen Simmons' user and developer advocacy, giving the kick in the pants to force Apple to start catching up with the other browsers.


> Over the last decade, Safari has been innovating in areas that people aren't calling for, and is trailing years behind in areas that people want to use.

Ok. Given the downvotes it sounds like those people are pretty mad about it. Specifics?

I'm talking about a browser here, like the parent was talking about a browser and not talking about an operating system or a company. We all get that distinction, right?


> recently approved EU regulations designed to allow other browsers on iOS devices while allowing users to uninstall Safari

Unfortunately all this will do is speed up Chrome's already out of control market share growth. It'll kill the web, because companies will be able to deploy Chrome-only features, and force iOS users to install Chrome to proceed.


Really? I use Chromium and feel nothing of the sort. I don't get any notifications asking me to "Try the new Chrome!" when I upgrade my OS, and I don't get my links hijacked when I try opening arbitrary files. It doesn't have a weird crypto scheme funding it, there's no weird virtue-signally marketing team ruining things with every update... Chrome is one of the few browsers that isn't pushing that stuff on you, at least when you remove the Google bits.


OP said Chrome. You said Chromium.


Imagine if you could sell an attractively priced laptop form factor that people could buy!

Then you could get the data all the time, not just when users browse the internet. Or you could make browsing the internet almost synonymous with using the computer. Whichever works for you semantically.


This! Weirdly I think this anti-cookie movement is actually really bad for smaller Web properties. They will no longer be able to track you much if at all. The likes of Google, Facebook, Tiktok or Snapchat will still be able to just fine though..


We never agreed to be tracked in every part of our online life. The fact they are the little guys isn’t a compelling argument. Facebook is being hurt as much if not more anyway.


I think the internet is moving in this general direction more broadly because those huge companies you mentioned have an outsized influence in determining the future of the web.


even worse, you aren't the product, the rich data and access to users (via targeted ads) is the product. You are merely a mine-able resource. Another analogy would be we are cattle, but the product is the milk/meat, not the cow.


Why would you think that anything is freely distributed by a company for your benefit? This is almost never the case and has been on longer than the internet.


Building and maintaining a browser has a cost, and if it is not you, the user, paying for it, it has to mean that a third party is paying it for you.



At this point I cannot read with any sympathy words like “give marketers more time”. Same goes for real estate professionals. I imagine this as a sign of things to come, and that in some 10 years people will detest those professions.


Does anyone like marketers in the present? Most people I talk to - technical or otherwise - seem to detest them


Can you expand on the allusion to real estate?


Marketers/ Admen as facilitators of Internet culture collapse.

Real estate investors/professionals as facilitators of housing crisis.


To make things clear: Getting rid of 3rd party cookies will benefit Google.

Google is building alternative mechanisms that they can use to do similar advertising (the Privacy Sandbox[1]). This may or may not be better than 3rd party cookies (it's nuanced). It's undoubtedly better for Google - they are the ones who are doing most of the work on this, and so their tech will work the best when the transition occurs. Many (most?) AdTech networks will fall even further behind Google's network, giving Google a competitive advantage.

We saw the same thing with GDPR - Facebook and Google were the most involved in the design process and had the biggest budget and were the best prepared when it rolled out. They already had transitioned to GDPR-compliant storage etc, so didn't lose any targeting ability, whereas other companies did, and newcomers had bigger barriers to entry.

[1] https://privacysandbox.com/intl/en_us/open-web/#proposals-fo...


Might as well read "Google delays making less money". Not surprising at all.


Not exactly. Google wants to replace cookies with something else. But Mozilla and Apple, unsurprisingly, haven't liked their proposals so far.


I don't think lack of participation from other browsers has been a big component. Firefox actually gave some excellent feedback on the FLoC API. [1] Instead, it's just been really hard to get these new privacy preserving APIs working well. Turtledove/Fledge, for remarketing, in particular, is extremely complicated and not done. Making something fully privacy preserving that recovers no revenue isn't especially difficult, and making something that recovers revenue but has fatal privacy issues is not that bad, but solving both of these at once, while building a system that has good performance on real devices, is somewhere between really hard and not possible.

(I used to work on this, on the Google Ads side)

[1] https://mozilla.github.io/ppa-docs/floc_report.pdf


Did you consider letting people add topics they're interested in to things like the topics proposal? Context-based ads, some random ads, and just serving me ads on topics I opt-in to would be enough for me to turn off any ad-blockers, save for fingerprinting, but I believe some standards-based progress is being made there as well.


If targeting precision plummets, then CPA will probably increase globally because the only effective strategy will be broader targets, or targets with signed-in properties. That means higher relative value for signed-in search, mobile ads, and generally any owned properties. The smaller brokers are the ones who will be damaged the most. If Google did this tomorrow, you could probably make a case that it's anti-competitive.


Seems simplistic to draw that conclusion. Especially if you assume they are as hyper focused on profit above all else. If you think that way then there must be some selfish motive to them phasing out ad cookies and so the delay may be about profit but could also indicate something else.


Google would probably face legal issues if they did this too fast; other ad networks depend a lot more on these tracking cookies than Google does, so they would sue Google for using their browser dominance to hurt their advertising competitors.


> Seems simplistic to draw that conclusion.

Simplistic? Maybe, but it is also realistic.

> Especially if you assume they are as hyper focused on profit above all else.

Google is not "they", as in a group of people. Google has been a public company for 18 years, since 2004. The main purpose of a public company has always been to maximize shareholder value by generating as much profit as possible. Google is no different in that regard.


Aren't companies forced to try and make themselves as valuable as possible? My gut says they wanted to get a publicity boost so they decided to cut cookies but then had to backtrack as they realized they'd lose a lot more money than expected. I think the delay is to buy more time to think of some way of minimizing damage (profits).


> I think the delay is to buy more time to think of some way of minimizing damage

That's not a cynical take, that's what they're saying publicly. "That's why we started the Privacy Sandbox initiative to collaborate with the ecosystem on developing privacy-preserving alternatives to third-party cookies and other forms of cross-site tracking. ... The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. This deliberate approach to transitioning from third-party cookies ensures that the web can continue to thrive, without relying on cross-site tracking identifiers or covert techniques like fingerprinting." -- https://blog.google/products/chrome/update-testing-privacy-s...


Fiduciary duty to shareholders often is misinterpreted that way, but no, companies are not forced to maximize shareholder value above all else.


They benefitted from all of the good PR they got for pretending to phase out ad cookies in the past. Now they can kick the can down the road and do it again.


They could have chosen not to do it at all unless we believe people were switching to alternatives that pushed them to. That argument is poorly supported, so I'm not as cynical about their intentions here.


We are well past the point where nobody has any reasonable excuse to use Chrome, and the choice to do so is to actively compromise their own safety and security.

Every other browser has already done this. Every. Single. One. But Google won't until they have added a new way to violate user privacy instead. Privacy is a fundamental part of security, you are not reasonably secure if using Chrome. Full stop.

If you absolutely need the Chromium engine, there's Edge or Brave. Both are pretty much 100% compatible, but don't think security is a joke.

If you work on "security" at Google, and you actually mean it, walk out until third party cookies are disabled by default. Tell managers you won't gaslight people into believing they're safe when Google has placed ad revenue so squarely above security and plans to not solve it for at least another two years.


Just a point of fact, security and privacy are not the same thing.


They absolutely are, you cannot have one without the other. The fact that these concepts are inescapably linked together is something many in tech have failed to recognize. Behavior that compromises your privacy will compromise your security (ex. ads are the primary source of malware), and behavior that compromises your security will compromise your privacy (ex. malware generally likes to exfiltrate your private data, and sometimes also track you and display ads). If a company chooses to violate your privacy, they are willfully compromising your security by default.


> ex. ads are the primary source of malware

This doesn’t make logical sense. Ads are a source of malware because it’s a convenient way to distribute content to many people. Email is also a significant source of malware for the same reason.

A better example might be that excessive and unnecessary data collection by a system that gives you limited visibility over use and limited control, exposes you to a higher possibility of security incident. But that isn’t intrinsically true if the data is properly secured.

I tend to agree with the inverse; bad security is probably not good for your privacy.


So, ads are a source of malware because they allow someone to pay to take a trusted position: People trust Google not to send them to the wrong place, but Google sells the top result slot to the highest bidder (users can't tell they're ads anymore). This is ultimately why search ads are the king of malware, and email is kinda secondary.

There are other more clear links between bad privacy and your security. Consider the concept of opsec. Generally celebrities avoid people knowing where they're going day to day.


>They absolutely are, you cannot have one without the other

You cannot have privacy without security, but you can have security without privacy. I think DNSSEC is a good example.


The EU won't let Google remove 3rd party cookies lol


This is false. The problem is that Google is trying to replace an open method of tracking users (third party cookies), with one which places them in the sole source of authority (FLoC, Topics, etc.).

If they did what every other browser has already done, and just blocked third party cookies entirely, because it's a security issue, they would not face a legal issue. In fact, they would be able to entirely defend the move behind "we're just doing what every other browser did first".

The choice to monopolize tracking instead of removing tracking is the issue at hand there.


https://www.ft.com/content/eccf5514-8b83-4d85-8305-f882adf5d...

Fake news. There is a legal issue and publishers are suing and the EU is launching an antitrust investigation targeted at the removal of 3rd party cookies.

https://ec.europa.eu/commission/presscorner/detail/en/IP_21_...


> nobody has any reasonable excuse to use Chrome

Maybe they work at Google


Do 3rd party cookies include 1st party cookies that were created by a server that CNAMEs to a 3rd party service?


As far as I understand, no; but, ITP has already taken care of this so it’s effectively a 7-day cap anyway.

Most vendors are moving to server-side technologies and workarounds (especially FB) so a lot of this will be nullified, if it ever even happens.


ITP only has an effect on Safari, and we're talking about how Chrome handles cookies.


ITP has been mirrored in FF and Brave and potentially others. Their marketshare may be smaller than iOS Safari, but the tech is still there, regardless.


None of the other browsers have implemented anything like ITP's 7-day window, though.


Could you or someone else say how some of the server-side technology replacements work or what they entail?



They must be out of budget for paying fines for the fiscal year and expect to pay fines in '23 for other things?


What will replace cookies?


IMO the best replacement for third-party cookies is nothing. It should not be technically possible to track a user across sites.


> It should not be technically possible to track a user across sites.

Chrome agrees with you on that: https://github.com/michaelkleber/privacy-model

The replacements they are talking about attempt to maintain the economic benefits without cross-site tracking.


Can you expand on what those economic benefits are, and how do they benefit the user of the browser?



I read your article and you miss the third option for the user

c) do not consume the content

It is actually the best option for the user in most cases when ad-supported content is in question. The way it evolved over the years, the purpose of the content became not to inform the user, but to monetize their visit. As such it transformed from being intelligence amplifying to intelligence insulting (in general).

Why? Because ad supported content tends to be of lower quality, produced en masse, with inherent conflict of interest, clickbaity and poorly written (ads significantly contributed to deterioration of journalism globally), littered with ads to the point of being impossible to read and finally infested with tracking in the worst privacy-invasive ways.

In the event you still want to access it, the best your browser can do is indeed to try to block all ads/tracking on the page. What this converges to is either the sites producing low quality content disappearing or them actually making it worthwhile for people to pay for. Both outcomes are good for humanity, where preserving the current state is bad.


>As such it transformed from being intelligence amplifying to intelligence insulting

The same thing happens with content supported through direct payments. Think video game streamers producing mindless content all day long, and asking for donations that allow viewers to get a flair next to their name or an in-stream callout of some chosen sentence.

>ads significantly contributed to deterioration of journalism globally

Ads have been in journalism for a long time. When would you say the deterioration happened?


> Think video game streamers producing mindless content all day long, and asking for donations that allow viewers to get a flair next to their name or an in-stream callout of some chosen sentence.

You get what you pay for. If the product is mindless to begin with, I do not think this proves any point. It would be different if stream was paid to begin with.

> Ads have been in journalism for a long time.

You still paid for the newspaper, meaning an economic transaction happened where you valued the content at some price point and were ready to pay. That meant content had to pass at least some quality threshold.

Replacing this with fully free, ad-supported content totally changed incentives.

Now the content can be of zero value (which it in most cases is) and will still be consumed because it is free.


The user of the browser is able to use free websites without paywalls that are supported by ads. The user also sees relevant ads rather than irrelevant ones, and thus has a higher likelihood of seeing a useful ad.

Disclosure: I work at Google but not on ads or Chrome.


If the user is seeing an ad, the browser is not doing as good a job of being an agent for the user as it could and should be.


Do you also feel this way about paywall circumvention logic?

To me, this is an example of where a browser trying to be a good agent for users overall separates from a browser trying to be a good agent for any particular user. Yes, selfishly, I would rather skip paywalls and not see ads, but an internet where the browsers did that by default for everyone would be a much worse internet.


Browser should behave in the best interest of the user. The best interest of the user in 99.99% of cases is not to see ads (which also come with associated tracking, invasion of privacy, using your bandwidth - all things that the user did not ask for).

What the user wants is content.

So there are two scenarios:

a) content is worth it so the user would pay to access it (for example $0.01 aka micropayments which browsers refuse to natively implement and automate; we can argue why in the light that all three mainstream browsers are directly or indirectly ad-supported and micropayments are an anti-thesis to ads)

b) content is worth it and it is not behind a paywall (this is what most high quality content on the web is actually nowadays - wikipedia, hacker news or your own blog and blogs of many other people are examples)

In the event that content is not worth it (which is sadly true for most ad/affiliate/tracking monetized content on the web today) the user should have these two options:

a) not read it (probably best for them)

b) have their browser block ads/tracking, to at least make it consumable and privacy respecting

In other words the websites wanting to monetize their content should totally be in the position where they need to make that content good enough to be worth something to someone, otherwise why would humanity care about their existence?


> content is worth it so the user would pay to access it

Users have very widely varying amounts of money. Universal paywalls would hit poorer readers far harder than richer ones. They would also push towards centralization via bundling.

> micropayments which browsers refuse to natively implement and automate

I have yet to see a good micropayments proposal, despite 25+y (https://www.w3.org/Conferences/WWW4/Papers/246/) of work on the project. Among other things, they tend to have similar privacy properties to third-party cookies ("third parties can learn every site you visit").

> content is worth it and it is not behind a paywall (this is what most high quality content on the web is actually nowadays - wikipedia, hacker news or your own blog and blogs of many other people are examples)

Hacker News has ads (paid links on the front page for job openings), and Wikipedia has fundraising banners (which many adblockers block). My blog is funded just by me as a hobby project, yes, but most of what I (and I suspect you) read on the web isn't.


> Users have very widely varying amounts of money.

I really do not understand this argument. This is a fact of life.

Isn't the price of gas affecting poorer citizens? Should we subsidize the gas with ads in your car? Isn't the price of housing affecting poorer citizens? Should we subsidize houses with ads on your walls? How about having ads via an electrode in your brain 24/7 to get food for free? Where would this lead humanity?

Having a price point is how 99% of world's economy works and it is completely normal that everyone can not buy everything, and that people have to budget and prioritise their expenses based on the perceived value they are getting. I am pretty sure that people would give up on 99% ad-supported content on the web quite easily if it had even a $0.01 price point, because it is simply not worth it for most people (and not consuming it would arguably improve their lives too).

> I have yet to see a good micropayments proposal,

Or the simple answer is just unwillingness to implement because of conflict of interest. We went to the Moon in 8 years and micropayments are objectively a simpler problem.

> Hacker News has ads (paid links on the front page for job openings), and Wikipedia has fundraising banners (which many adblockers block).

I was not aware you can buy an ad on Hacker News. Source?

Wikipedia example is different from what we are discussing, because for Wikipedia user=customer so they are selling their service to their users, for Google Search, Chrome Browser and most ad-supported websites user!=customer (customer there being an advertiser, introducing conflict of interest).

> My blog is funded just by me as a hobby project, yes, but most of what I (and I suspect you) read on the web isn't.

Most of the content I choose to read does not have ads. I do this consciously as I know that the content with ads will be lower quality and probably not worth my time. This includes almost all news. "We are what we read" [1] and I am very careful about what content I put in my brain, like I am careful what food I put in my body.

[1] https://tinygem.org/about/#stopnews


> Isn't the price of housing affecting poorer citizens?

Housing is so expensive that advertising couldn't put an appreciable dent in it. But I don't have any sort of moral objection to some company renting out apartments that are a bit cheaper but have advertisements. (And I would be opposed to outlawing them if they existed)

> I am pretty sure that people would give up on 99% ad-supported content on the web quite easily if it had even a $0.01 price point, because it is simply not worth it for most people

I think you would see that as well, but mostly because of friction, not because of willingness how much value people get out of things.

> We went to the Moon in 8 years

This cost the US a quarter of a trillion dollars, adjusted for inflation. This was a massive investment. Almost everything has received far less investment than that; no need to posit a conspiracy!

If you think it is just a matter of implementation, I would love to see a link to a proposal you would endorse?

> I was not aware you can buy an ad on Hacker News

There's one in the front page right now: "UPchieve (EdTech Nonprofit, YC W21) is hiring senior engineers"

> Most of the content I choose to read...

I can believe this for you, though that you did not notice the ads here makes me wonder whether you might be missing tasteful ads elsewhere? But it's definitely not true for most people: a web without advertising funding is a web that the vast majority of people who currently use the web would enjoy much less.


> I can believe this for you, though that you did not notice the ads here makes me wonder whether you might be missing tasteful ads elsewhere? But it's definitely not true for most people: a web without advertising funding is a web that the vast majority of people who currently use the web would enjoy much less.

"Most people" argument is generally a bad one as it takes a point in time statistic vs a first principles merit-based observation.

For example "most people" enjoyed smoking in 1960s, which can at best be a point in time statistic and in no way a good argument for smoking (actually it is a terrible argument).

Whether you can make a moral based argument for ads requires at least moral consistency. If you can truly say "I strongly believe ads are a driving force for the good in the society, and therefore I also choose to expose my kids to ads from a young age and would not mind them one day living in an apartment that is running ads on their walls 24/7" then you can at least hold a morally consistent position and I would applaud you for that.

I of course completely disagree with this position, and am doing whatever I can to protect my kids from exposure to ads from young age by limiting TV, paying for YouTube Premium, having them use an ad-free search engine, use a browser that has built in ad blocker and so forth. I teach them that companies never give away things for free unless it benefits them in some other way, and that in life you always get what you pay for.


An Internet where browsers suppressed ads by default would be a much better Internet. Yes, sites wouldn't be able to make money from ads. A subset of those sites would not be around; another subset would make use of patronage, subscriptions, selling something of value, "the person who runs this site has other sources of income", or some other model. And some additional sites would be around to fill the gaps.

("paywall circumvention" is a broad topic. I wouldn't want a browser, for instance, integrating "go get the mirrored content from another site" or "mirror paywalled content to other users", but things like "suppress specific popovers that also block scrolling", sure. If you don't want a user to have the content, don't serve it to them and then hide it.)


Browsers suppressing ads by default leads to the question of what counts as an ad. Borderline cases: sponsored portions of YouTube videos (a la SponsorBlock), videos containing entirely sponsored content, movie trailers, game/software demos, freemium games, free credits for cloud services, product placement, soliciting Patreon subscriptions, sections calling out or listing names of Patreon subscribers, publicly thanking large donors (charities do this), things with ads in the name (e.g. sports arenas and events), things named after donors (e.g. college buildings), soliciting subscriptions to their own subscription service (e.g. Linus Tech Tips YouTube videos promoting Floatplane), soliciting subscriptions to a partnered subscription service (e.g. many youtubers promoting Nebula).


Brave's answer, at least so far, seems to be that none of these borderline cases are ads.


> I wouldn't want a browser, for instance, integrating "go get the mirrored content from another site" or "mirror paywalled content to other users"

Why not? It sounds like if you accept the role of the browser as "do what is best for this specific user despite the broader consequences" they're worth doing?


The unfortunate existence of copyright; browsers shouldn't get their users prosecuted. If copyright wasn't a factor, yes, browsers could absolutely support and contribute to mirror networks.


No, the replacements they are talking about are third-party cookies but only this time proprietary and Google-only.


The replacements are topics, attribution reporting, fledge etc: APIs that allow you to either do something or learn something based on a user's behavior on a different site, but without allowing you to connect the user's identity on one site to their identity on another. None of them give Google's ad system special treatment.

(I used to work on this at Google)


There are quite a few uses for cookies besides tracking users across sites. Sometimes there are other ways to do it, but those ways are often significantly more complicated.


Wouldn’t SSO be difficult ?


Can be done with a redirect through the authenticator domain that would then pass a token in a query parameter or something. Not as streamlined, but it works. Some oauth flows are already doing this exact thing.
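
The redirect handoff described in the comment above, as an added sketch that is not part of the original comment and is not an OAuth implementation. The host names, the `sso_token` parameter and the shared HMAC key are assumptions made for the demo; the token is short-lived, bound to one receiving site and accepted once, because a URL is far easier to leak than a cookie.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_KEY = b"constructed-demo-key"  # assumption: authenticator and app share a secret
TOKEN_TTL = 60                        # seconds the handoff token stays valid
PARAM = "sso_token"                   # hypothetical query parameter name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(body: str) -> str:
    return _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())


def issue_redirect(user, return_to, now=None):
    """Authenticator domain: build the URL that sends the browser back to the app."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,
        "aud": urlsplit(return_to).netloc,  # bind the token to the receiving site
        "exp": int(now) + TOKEN_TTL,        # short lifetime limits a leaked URL
        "jti": secrets.token_hex(8),        # unique id so the token works only once
    }
    body = _b64(json.dumps(claims).encode())
    sep = "&" if urlsplit(return_to).query else "?"
    return return_to + sep + urlencode({PARAM: body + "." + _sign(body)})


class RelyingParty:
    """The site the user is signing in to; it has no cookie from the authenticator."""

    def __init__(self, host):
        self.host = host
        self.used = set()

    def accept(self, url, now=None):
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(url).query).get(PARAM, [""])[0]
        body, _, sig = token.partition(".")
        # Verify the signature before parsing anything the URL supplied.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["aud"] != self.host:
            return None, "wrong audience"
        if now >= claims["exp"]:
            return None, "expired"
        if claims["jti"] in self.used:
            return None, "replayed"
        self.used.add(claims["jti"])
        # A real app would now set its own first-party session cookie and
        # redirect to the same URL without the token.
        return claims["sub"], "ok"


if __name__ == "__main__":
    url = issue_redirect("alice", "https://app.example/callback")
    app = RelyingParty("app.example")
    print(app.accept(url))  # first use succeeds
    print(app.accept(url))  # the same URL pasted again is rejected
```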


They have several different proposals for replacing cookies in ways that attempt to preserve the economic benefits of cookies without the privacy impact. The official announcement discusses this some [1] and there are more details on the privacy sandbox website [2].

(I used to work in this area)

[1] https://blog.google/products/chrome/update-testing-privacy-s...

[2] https://privacysandbox.com/open-web/#proposals-for-the-web


--

Event-level reports are generated as follows:

The browser matches clicks or views with conversion data defined by an adtech. Later, the browser sends the resulting reports to a predefined endpoint, with some delay and noise.

--

OK is it just me or is this super hand wavy ? Where's the beef ?



web pages do NOT need cookies or javascript period.

and if you insist that your users must use javascript to view your web site, then a cookie is not even needed: one can do some fingerprinting, and there is your permanent cookie!

This development of the web has made many tech-savvy people stop using the internet on their phones and switch back to old dumb phones (and this comes from someone who has been promoting JS since before nodejs came along). Please bring back web pages that do not require cookies or javascript to function; a web page that can work in a terminal browser like lynx or links2 is the base standard for a web page. JS and cookies are just icing on the cake, not needed.


Web pages don't need javascript? Get real. You have to use javascript for your web app if you want to deliver a reasonable product experience. This is a dead argument I wish people would just stop making. The ship sailed over a decade ago.


You can have a really really good experience without using JavaScript, but it does have very genuine uses.

The vast majority of the web really honestly doesn't need it though, like this website.


Without cookies - and knowing that HTTP is a stateless protocol - how do you suggest we implement a solution that allows me to connect to my bank to view my account balance and make a wire transfer from the comfort of my home?


The way we did that kind of thing before cookies was by encoding the state in the URL (for GET requests) or hidden fields (for POST). Higher-level Web frameworks at the time would often abstract this away from the app code while allowing the app to be deployed in either mode. Here's an example for ASP.NET: https://docs.microsoft.com/en-us/dotnet/api/system.web.confi...


If you encode the auth token in the URL, then a shared URL, accidental or otherwise, means being authenticated. There is a lot of existing infrastructure that assumes the URL is public knowledge while cookies are not.

If you do this through hidden forms then page navigation can no longer be done through hyperlinks and must now all be form submissions, which means a malfunctioning back button and logout when refreshing or opening a link in a new tab.

Please do not do this.

First party cookies are very useful and it's bad enough that people keep trying to replace them with javascript+localstorage despite the decades of security best practices that have been built into them.

I do agree that we can do away with third party cookies however.


FWIW I'm not suggesting that people do any of this today. But it is how it was actually done - it wasn't the case that advanced web apps that required per-client state management weren't possible at all without cookies.


Exactly! Web developers in the late 90's did that and it worked fine. Yeah, it is a bit more of a pain to use, however it keeps the web stateless, which was what it was supposed to be. If you want to make your fancy stateful desktop programs, do it with something that is not document-based like HTML.


It didn't keep the web stateless, though. It implemented state on top of what we had at the time, with certain flaws that others have already pointed out in this thread.


I worked on frameworks like this. Heck, I built a (horrible, internal only) one once.

The issue with this was that it broke direct linking to pages, or created such ugly and long URLs that they weren't "sharing" friendly.

It was horrible, and cookies were (and remain) a much better solution.


You could do that using TLS client certificates, but they have terrible UX that browser vendors are only making worse over time.

There are also other auth mechanisms natively supported by browsers, like HTTP Basic Auth that can be used.


Basic authentication?


That is fine. It is how a user is supposed to log in to an authenticated area.


I'd rather not throw the cool internet baby out with the ad tech bathwater, thanks.


I always wonder what specifically marked the turning point for web usability. Too many dark UX patterns, popups, ads and extremely heavy frameworks for extremely simple sites.

I feel that we got to a point where the community put out a couple recipes for deploying websites and everyone just jumped on it irrespective of the problem, mimicked the same patterns (email newsletter popups, ads, google analytics, 30 million external assets, etc) and called it a day.

While I think your opinion is a bit extreme, I agree that there are so many things that we don’t need, but companies are hiring and new devs are copying the recipes.


The web is SO much more usable now than at any time earlier.

For example, browsers used to actually allow pop-up windows (as in it would open a new desktop window (not a tab), sometimes off-screen). And then when you closed it the browser would let it spawn more pages.

There was a common pattern of spamming popup windows with a "close" button in the same place a "run" button was when you downloaded an executable in Windows 95.

And then after closing 10 windows with the button in the same place they'd hit you with an executable download.

This was common.


I agree and I remember those days. However, I think there is a distinction between browser improvements vs web usability.

I’m more so talking about _how_ people design sites for the web and how poor design choices lead to poor usability. I think the proliferation of tools that require not too much in-depth knowledge (React), heavy CSS frameworks and large client-side JS libs have ruined a lot of the web surfing I used to enjoy.


> I always wonder what specifically marked the turning point for web usability. Too many dark UX patterns, popups, ads and extremely heavy frameworks for extremely simple sites.

It's funny that you include popups in that, because actual popups are almost nonexistent today, whereas they were ubiquitous in the early 2000s web.


Cookies are actually incredibly valuable as a place to store web auth tokens where JavaScript cannot get access to your valuable user information.

No matter what happens, if I store my JWT in a no JavaScript cookie, it's safe. Nowhere else on the web is safe in that way.

I also feel like it's a mistake to tell people to use fingerprinting instead of cookies. When users actually have control of cookies, it's almost always better for them if we use them instead of fingerprinting.


Not just HTTP-only cookies (no JS), but also the control for 'Secure' (HTTPS only) and 'SameSite' for CSRF blocking. Not using cookies and storing your auth tokens in other places is a rookie mistake.

That said, 3rd-party cookies should be blocked by default. IDPs and other exceptional cases can request permission or use one-time query param hashes to exist without them.


Outside of fraud and security mitigation I have yet to see a legitimate use case for fingerprinting.

I very much do want the bank to fingerprint the hell out of my devices, front page of my local newspaper? Nope.


How about using browser-supported auth mechanisms instead of manually reimplementing auth using cookies? There is HTTP basic auth, or TLS client certs and probably more.


Basic Auth with digests has some issues, but both that and client certs mostly fail because of poor browser implementation.

Client certs would really be ideal if browsers handled them better and sync'd the certs between devices (like bookmarks), but I guess that still wouldn't solve the signing in from a new/different (non-synced) device.


You could offer one-time rescue codes (like the ones used when people have TOTP auth) to let people add new certs on new devices.


Because both of them work terribly.

I've used basic auth in production. It has terrible user experience, and unfixable issues and limitations.

I wish browser-integrated logins had taken off, with Persona, but that was unfortunately abandoned.


Why are browser vendors so terrible at auth stuff :(


With JavaScript there are some serious discussions to be had, but cookies are a very nice way of adding state to HTTP.


No clear replacement for FLoC?




So I guess the follow up question is: For browsers already blocking 3rd party cookies, what's the incentive to adopt topics?


Safari is generally in favor of facilitating sites making money from ads, as long as the privacy impact is minimal. For example, they proposed and implemented https://webkit.org/blog/8943/privacy-preserving-ad-click-att.... So I could see them implementing Topics if they were convinced that its specific tradeoff of better monetization for publishers vs leaking some bits about the user was worth it.


So, in other words...never.

Got it.


starting to sound like copyright and Disney


Luckily it wasn't up to Disney, and copyright is progressing again. The first Winnie the Pooh book, for example, is now out of copyright.


[flagged]



Well I can make an article and submit it if you want saying the same thing. This is an issue that badly needs to be addressed. The software industry is crap and HN are not angels or not complicit.


"HN" is millions of people. All kinds of views are represented here and I'm sure many people agree with you.


Cat delays eating mice until later


> The Alphabet Inc. unit has been working with publishers, marketers and regulators on its plan to replace cookies, the software marketers use to track people’s online activity and tailor ads accordingly, through an initiative known as the Privacy Sandbox.

How about not fumbling around, not "working with" anyone, but just flipping the damn third-party cookies setting to "disabled" by default without providing any replacement at all? It takes less than a minute to make that change in the code.


States and governments have literally sued Google over their plans to remove third-party cookies. Advertising is a multi-hundred-billion dollar business. There are a lot more players than just Google here, and none of them want Google to rock the boat. The EU Commission has already launched an anti-trust investigation over their removal of third-party cookies. How do you think Google waking up tomorrow to announce the removal of third-party cookies would go over, from their perspective? If they don't "work with" anyone?

You can even see people claiming this in this very thread:

> Google would probably face legal issues if they did this too fast, other ad networks depends a lot more on these tracking cookies than Google does so they would sue Google for using their browser dominance to hurt their advertising competitors.


Then it's just one more reason why the world's biggest online advertising company shouldn't be allowed to also own the world's most popular search engine, the world's most popular mobile operating system, and the world's most popular browser.

> How do you think Google waking up tomorrow to announce the removal of third-party cookies would go over, from their perspective? If they don't "work with" anyone?

People (those of them who still don't block ads for some reason) will cheer that it's the end of creepy targeted advertising.


I agree with you, but it's become increasingly clear that regulators are unwilling to break Google up. So in the meantime we have to deal with these half-solutions and investigations that help nobody and hurt everybody.


> States and governments have literally sued Google over their plans to remove third-party cookies.

... While continuing to track people by other means. Rip out both and the problem should go away (at least, if the regulators actually care about users).

Google's approach has been "fine, we'll add a way for all ad companies to track people, not just us". Another fair approach would have been "fine, we'll prevent all ad companies from tracking people, including us".


That doesn't fix it. You're proposing that Google, as a company that has one of the biggest first-party businesses, remove third party tracking while continuing to permit first party tracking.


If the complaint is that Google's first-party properties are giving information about the user to the ads department behind the scenes, then address that directly, as an anti-consumer behavior, rather than saying "you have to make sure your browser supports other companies' anti-consumer behavior too to be fair".


It's pretty widely agreed as being acceptable for sites to advertise to their users based on those users' activities on the site. For example, if you read a lot of NYT news on investing the NYT might choose to show you investing ads while viewing other NYT news stories. The same goes for YouTube and other Google properties using first-party information in first-party advertising. I haven't heard people claim this is anti-consumer behavior?

First-party and third-party advertising are to some extent competing for the same advertiser dollars. An advertiser could pay to advertise on YouTube (to YouTube's audience with YouTube's information: 1st party tracking) or with Google Ad Manager on many smaller sites around the web (to those sites' audiences with Google Ad Manager's information: 3rd party tracking). I'm just giving two examples here, and there are lots more in both categories; YouTube is an example of a site with a big 1st party audience and its own ad system, but so are Instagram, TikTok, Reddit, etc.

Since Google has a large 1st-party presence, competition regulators have raised issues with them making browser changes (removing 3rd-party cookies) that would have a side effect of shifting advertising dollars from 3rd-party to 1st-party contexts.


It also takes you less than a minute to change the "disable all cookies" setting to true in your browser. Then tell us how you feel about not being able to connect to any websites, and how long until you revert the setting.

Cookies allow marketers to identify you - which is bad. They also allow all your tools to identify you - which is good. It's not like cookies are this inherently evil thing that has no legitimate use. They serve a real purpose but are also being abused. And as it turns out, it's not that simple to keep their usefulness while addressing their abuse. Because ultimately, both marketers and tools use the cookies in the exact same way, it's what they do after that is the issue.

Edit: hadn't seen you were talking about third-party cookies specifically. I fully agree with that. I have personally disabled them since Safari disables them by default, and I have little to no impact on my day to day.


I'm only talking about THIRD-PARTY cookies. First-party cookies are here to stay — that's absolutely unquestionable. But third-party cookies have very limited useful use cases. I can't really remember anything except comment widgets like Disqus.

> it's not that simple to keep their usefulness while addressing their abuse

It very much is. First-party cookies are mostly used for good, and third-party cookies are mostly used for evil.


There still are legitimate use cases for third-party cookies. Let's say you pay for YouTube Premium. Would you be okay seeing ads in YouTube videos embedded on other sites? Should YouTube disallow embedding? That's just 1 of many examples of user expectations that break without third-party cookies.


Also, like it or not, the majority of the internet runs on ads currently. Remember the outrage from YouTube creators when adpocalypse happened and everyone's income just dropped? Now imagine you're a website owner and suddenly your website isn't making any more money and needs to shut down.


Then you shut it down. The Internet doesn't have an obligation to sustain anyone's business model indefinitely.


Or run untargeted ads. Those are still a thing.


I am a website owner. It costs me a whopping 45€/month to run. I'm paying that from my own money and I plan to keep it that way forever. Not everything that could possibly be used to earn money should be used to earn money. I enjoy respecting my users.



