Google extends third party cookie deadline until late 2023
digiday.comSo when a major regulatory authority forbids Chrome from proceeding with the third party cookie deprecation plan, what should Google do? Apparently the vast majority of HN commenters think that they should ignore the regulators, and just plow ahead.
For some reason I imagine that if they actually were to ignore the regulators, the feedback from exactly the same commenters would not be positive.
I think they should deprecate Chrome or spin it off into another company. The issue here is monopoly.
Also, regulators aren't upset about them blocking third party cookies, every other browser already does that. They're upset about Google's attempts to inject new Google-controlled tracking methods that grant them a further advantage at the cost of all their competitors.
The answer is simple: Block third party cookies and don't replace them with anything.
> Also, regulators aren't upset about them blocking third party cookies, every other browser already does that
As far as I can tell, that is untrue. CMA has explicitly stated concerns with any removal of third party cookies by default from Chrome, since they believe ad tech companies are dependent on them but Google isn't. Any new mechanisms introduced for privacy preserving ad targeting are irrelevant, except insofar that they could be used to satisfy the needs of said ad tech companies. That other browsers have been allowed to remove third party cookies by default is also irrelevant: the fact is still that Chrome is not being allowed to do so.
> I think they should deprecate Chrome
Oh, come on.
> CMA has explicitly stated concerns with any removal of third party cookies by default from Chrome, since they believe ad tech companies are dependent on them but Google isn't
This is because Google owns Chrome, and hence, doesn't need the cookies to collect web activity. The solution, as I said, is to force them to spin off Chrome.
> Oh, come on.
It's actively harmful to consumers. Chrome is like asbestos, we're better off just... not using it. There are safer alternatives out there.
At least make it abundantly clear why, and then sue the regulators.
Not defending cookies - but I just don't think most of the rest of the world cares. Outside of the tech bubble that really cares, I'm not sure I know a single non-tech person that, other than 'the popup', even knows what a cookie is (let alone gives a damn). 99% of my non-tech friends/relatives are just bored of 'the box thing that comes up every time you visit a website'. No one it them and everyone just clicks the quickest button ('Accept All') to just get on with whatever they were trying to look at.
Just because people don't understand the technical details doesn't mean they don't want the outcome.
Like how 96% of iOS users asked apps not to track them.
https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...
When you get prompted with a mandatory dialog that you must answer where one of the two choices offers no clear benefits, of course no one is going to pick that one. This is a meaningless statistic.
That’s why phrasing questions and choices in any kind of poll or survey is a complex subject if the goal is to ensure minimal bias.
What would then be a way to phrase the question with minimal bias in your opinion? What are these benefits I'm missing out on when I deactivate tracking?
Also, judging by the screenshot in the article, Apps can show text to justify the tracking, so they have all chances to phrase that with bias in their favor! Still people don't want it.
I don’t know. I’m not saying it should be.
I’m just saying Apple clearly built this modal to encourage everyone to press no.
Turns out, when you follow the GDPR and make it as easy to give as it is to remove/reject consent, people will generally reject consent to be tracker and personally identified unnecessarily.
This is true... but it's also why we, as the informed parties, must actively push change. The 99% of folks who don't understand are going to be taken advantage of, and actively harmed, by privacy issues they don't understand. It's why the default needs to be the right one for consumers.
Isn't it our jobs as the people who understand these things and are implementing the technologies to not take advantage of the fact that most people using them are ignorant to how this stuff works?
I wouldn't expect the people who built bridges to install technology that secretly tracked you every time you crossed over them.
Eh, we'll see if they can actually hold to that position.
Every time Google delays on a change like this, it becomes a bit more obvious that both Firefox and Safari are more private browsers by default out of the box. Add to this that Firefox already has better uBlock Origin performance than Chrome. Add to this that whenever Manifest V2 is finally deprecated from Chrome their adblocking will get considerably worse.
Firefox and Safari also aren't going to stand still on privacy. I expect them to continue to widen the gap over time if Google keeps delaying on this stuff; regardless of whether they're delaying because of fear of regulators or just because they don't like the idea of a web ecosystem that is less ad-friendly.
----
It is a little bit ironic to hear sentences like this coming from the Chrome PR team though:
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
It's funny, given that a primary complaint of Chrome from web developers has been that they constantly move at a breakneck pace with new standards and regularly push out new policies without sufficient developer discussion or thought about the possible issues their changes will introduce. See the entire web audio debacle.
It's almost like Google is a lot more scared of breaking ads than they are of breaking other parts of the web. :)
You can opt into blocking third party cookies now.
> Select Settings > Site Settings > Cookies and site data.
> Select Block third-party cookies.
For quick access, you can copy/paste this into the Omnibar:
chrome://settings/cookies
Just turned it on myself. Thank you, OP!
It's like an addict who tells themselves "I need to quit sometime" but constantly puts off actually quitting.
Google Drive itself uses third-party cookies. You can't download files from Google Drive without enabling them, for some reason.
Are you saying you can't download files from Google Drive in the default Safari configuration?
I don't use Safari or any AppleWare but I disable 3rd party cookies in Chrome and I can't download files from Google Drive unless I temporarily enable it.
I just tried it:
* On Safari it works correctly with default settings.
* On Chrome with third party cookies disabled it doesn't work and takes you to https://support.google.com/drive/answer/2423534
I poked around in dev tools, and it looks like what's happening is in serving to Safari it gives a download link that includes authentication information, but when serving to Chrome it doesn't. Perhaps because it's expecting to get third party cookies?
My guess is that they rolled out special handling for Safari when it started blocking third-party cookies by default, which will eventually make its way to all browsers?
(Disclosure: I work on ads at Google, speaking only for myself)
Hm. Maybe I can just spoof my user-agent as Safari when using Google drive.
Kind of ironic that I need to spoof as non-Google device to use a Google product with a Google browser.
Was the delay caused by between Chrome and Ads teams not aligning on privacy sandbox APIs?
I think many people will agree that this is just terrible engineering and there are many ways to authenticate users who download files without the use of 3rd-party cookies. Literally every other cloud storage provider was able to figure that one out.
We've seen this over and over in tech. The spotlight is focused on it, so they hide away and bring it back at a later date, likely with a rebranding and hope no one notices or causes a scene.
Sounds like a great reason for everyone to stop using Chrome. This is a capability that's been in Firefox and Safari for awhile now.
We're getting back to a point where the dominant browser is focused on rent-extraction over user-focused design and features, and alternatives are superior in pretty much every way other than bug-compat with the dominant browser (e.g. same thing we had in the IE6 days).
There's no reason anyone who's technically inclined should be using Chrome as a daily-driver at this point. Their interference in ad-blocker extensions should have been enough, this should be the nail in the coffin.
Chrome still lets you block third party cookies. Not with an extension or some low level tweak; it's just in the settings.
Is there a use case for third party cookies outside of ad tracking? I’ve had it disabled for years and don’t recall it breaking any website I actually care to use.
Apparently certain workflows in Okta would be hampered or prevented if third cookies were totally blocked.
https://support.okta.com/help/s/article/FAQ-How-Blocking-Thi...
Once case is iframing a site where people will get logged-in behavior without requiring them to log in to each site individually. For example, an embedded video player that wants to disable ads for subscribers or a micropayments service that needs to recognize which account to charge.
(Disclosure: I work on ads at Google, speaking only for myself)
They're used for fraud prevention. How you're tracked is similar to ads, but the end goal isn't targeting ads better, it's preventing chargebacks.
A lot of older SSO technology like Gigya use 3rd Party Cookies. They've had a hell of a time on Apple devices.
I had to enable third party cookies to log into Pearson’s online learning garbage. It appears the use case here is standing up poorly designed websites.
Basically it’s deprecated technology, anybody using for “legit” reasons needs to migrate to a new solution anyway.
It shouldn't be a setting.
Requiring opt-out (hidden at that!) is statistically the same as not supporting it. Most users will not know about this or be technically inclined enough to change it.
Google knows this. Some analyst or PM modeled it.
edit: Hello Google employees downvoting me. I'm confident nobody else on the planet wants this the way you do. You can censor me, an individual voice. But the world doesn't like or need this, and they're waking up. As are our legislators. Change your behavior and innovate in other areas that benefit society. (There are so many - nearly limitless!) The clock is ticking. They're building the antitrust cases as we speak, and this is the road you're actively choosing to go down. Not a good look, not the best step forward. I really do want the Google of 2005 to succeed; all of this has just been a misstep. Microsoft in 2021 is so much better than Microsoft of years past. Google could do the same. Don't be evil.
Google should be barred from making a web browser. The DOJ should come down hard on this behavior.
Not only is this monopolistic, but it's destroying the web and turning our privacy situation into a trash fire.
They're making this 3rd party cookie decision at the behest of their adsense unit, and it's decisions like these that are infectious across product boundaries. AMP, no URL, increasingly unilateral and opaque HTML standards that serve to push ads, ...
Google has been so lazy at innovation in other areas that they can't afford to lose Chrome. It's a key part of their fragile moat. They'll defend it to the death.
Nevertheless, these two products should not be the same company.
I want Google to succeed, but not like this.
You could argue that there are more jobs on the line if they remove support than leaving it as is. AdTech is huge. Now go and tell any government entity about coming down "hard on this behavior".
The role of government isn't to support whichever industry is currently employing a lot of people and ignore everything else. I know it sounds a little insane, but I think the rule of law and our moral center is more on the ticket.
Ignore the "adtech is a big business" issue.
Should a company with the world's largest advertising and tracking business be in charge of 65% of the web?
Should they be able to unilaterally set standards?
Should they be allowed to delay rollout of consumer protections to defend their ad unit?
This alone poses an enormous problem.
Cocaine is not a small business either, but we do crack down on it. How sure are you that adtech is a net positive for society?
Looks like FLoC isn't taking off as well as they hoped.
One could say it's been a FLoP
> We believe the web community needs to come together to develop a set of open standards to fundamentally enhance privacy on the web, giving people more transparency and greater control over how their data is used.
> In order to do this, we need to move at a responsible pace. This will allow sufficient time for public discussion on the right solutions, continued engagement with regulators, and for publishers and the advertising industry to migrate their services.
> By ensuring that the ecosystem can support their businesses without tracking individuals across the web, we can all ensure that free access to content continues.
This proves Google's consumer privacy strategy is all smoke and show. It should come to no ones surprise they choose to follow the money (ads). Apple continues to improve privacy on Safari with every major update and Google is still sitting on the sidelines.
https://blog.google/products/chrome/updated-timeline-privacy...
news in the past two weeks has been of eu antitrust actions over issues including this 3rd party cookies change, and uk demanding their regulators get veto power over changing 3rd party cookies.
google is trying to escape a colossal regulatory hellfire that has sprung up in the last two weeks over this attempt to do the right thing, that other browsers already do. shit has just gone defcon4 & they are adding time to the doomsday clock that various national & supranational powers have just set ticking. set ticking for doing the right thing. scratch that, for having said they would be doing the right thing, hereby rescinded.
mark Nottingham wrote up some of these new regulatory regimes being imposed on Google on Monday: https://www.mnot.net/blog/2021/06/21/standards-competition-g... https://news.ycombinator.com/item?id=27578618
Regulators aren’t concerned with Google blocking third party cookies, they’re concerned about it in conjunction with FLoC providing Google an anti-competitive moat in the adtech space where it also holds a dominant position.
If Google blocked third party cookies absent FLoC, regulators wouldn’t care.
Google is not doing the right thing.
They're solidifying control over the web.
This is Google admitting FLoC is dead, so they're going to just leave things as they are instead.
Are you saying all of Privacy Sandbox APIs are dead or just FLoC?
Personally, I don't think the concept is a problem the industry can solve on their own.
If Google wasn't having anti-trust worries, maybe they could force it to happen, but it's too blatant now.
My assumption is 3rd party cookies die to regulation, and nothing gets enough consensus to replace them.
Why don't you think the browsers can agree on replacements? Most of the major browsers have proposals for replacing some piece of advertising-related third party cookies [1][2][3].
(Disclosure: I work on ads at Google, speaking only for myself)
[1] Safari: https://github.com/privacycg/private-click-measurement
[2] Edge: https://github.com/WICG/privacy-preserving-ads/blob/main/Par...
[3] Chrome: https://www.chromium.org/Home/chromium-privacy/privacy-sandb...
I see this as a natural evolution of the web. The existing web standards and protocols no longer meet security or privacy user needs. Ideally, we do create better open standards. Apple’s Private Relay is great, but its gated off to paying customers.
I'd like to comment about this part from the Google blog:
> By ensuring that the ecosystem can support their businesses […] we can all ensure that free access to content continues.
Internally, Google believes that with Ads they are doing good to the world: the mission of Google Ads literally starts with "power the open and free internet…" (you can find it online). The idea is that for every site online that carries ads on it ("publishers"), it's the website that has chosen to put ads there, to make money. So the assumption is that if websites couldn't make money from ads (or if they made significantly less money, because of worse ads) they'd either stop hosting the website or put it behind a paywall, and users wouldn't get "free access to content".
Of course this applies only to those sites on the internet that have ads at all (doesn't apply to HN, Wikipedia, government/academic websites etc), but then again, ad-tech third-party cookies are also only present on such sites anyway.
-----
(I work at Google in Ads but not on anything related to any of this; this is all my own opinion posted from an alternate account. I find ads annoying and use an adblocker personally, so I was surprised to encounter this point of view.)
-----
Rather than "Google's consumer privacy strategy is all smoke and show", the sense I get internally is that Google is serious about "as much privacy as possible without seriously affecting our revenue". A couple of examples:
- [Edit: Added this point later.] In 2019 most (all I think? It's hard to tell) of "what Google knows about you" was consolidated into a single "My Activity" page (https://myactivity.google.com/), with user controls for turning things off or individual items. This was a lot of effort (Sundar at TGIF spoke proudly of it; see also the blog post https://blog.google/technology/safety-security/putting-you-i...), and personally as a user I feel better having control and visibility over what exactly what Google knows about me, but I don't remember much media coverage or discussion of this; maybe not everyone finds this exciting. :-)
- In 2020, they changed the default for new users to auto-delete this "Web and App Activity" after 18 months. Probably, this doesn't hurt Google's revenue much because data older than this is not very useful for Ads anyway, but it is still an increase in privacy compared to Google remembering everything about you forever (just not as good for privacy as defaulting to Off).
- FLOC is their answer to "how can we have the same level of user-targeting in ads, with more privacy?" The idea is that to decide whether to show me ads about shoes it doesn't need to know every site I've ever visited; it just needs to know roughly what kind of person I am. The old model is that every site carrying ads by Google would have a third-party Google cookie that would record your visit; the new FLOC model is that your browser privately builds up a profile about you and just reveals which bucket you fall into. Obviously your browser tracking you isn't as much privacy as no tracking at all, but if you start with the assumption that well-targeted ads ought to exist and try to maximize privacy under that constraint, then FLOC is a reasonably good answer to that question. (I know some smart privacy/crypto engineers—not from the Ads org—who've worked hard on developing/analyzing it…)
- [Edit: Added this point later.] You can see this Chrome blog post https://blog.google/products/chrome/privacy-sustainability-a... where they say "Overall, we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was irresponsible, and even harmful, to the free and open web we all enjoy" — this is something Apple can afford to do because they make money from users using Apple products and iOS apps; they don't benefit from content existing on the web. (See below.)
A couple of other points:
- Google makes a significant chunk of its revenue from ads on its own sites (Google Search, YouTube, etc), where third-party cookies or FLOC are irrelevant. So all this is only about ads on other websites, where Google keeps a fraction of the advertiser money and the rest goes to the "publisher", i.e. the website (I've seen a number like 68% somewhere, not sure whether it applies to all websites). So if all users suddenly started blocking third-party cookies today, the (ad-carrying) websites will together lose more money than Google does, and (for many of them) a greater fraction of their revenue.
- Well targeted ads ("show my ads to people who are likely to buy my product") are worth a lot more (as in, advertisers pay more, as they can measure more conversions) than ads based on nothing more than, say, the content of the web page/site you're visiting (or even worse, completely generic ads: remember "punch the monkey"?). So if ads stopped being personalized, each website would have to carry even more ads to continue making the same amount of money. (Though frankly… there are some websites that seem to have hit physical limits by filling every inch of space with ads, those cannot possibly get worse I imagine.)
- Google stands to profit if there's more content on the web. If every ad-supported site chose to (shut down or) move its content to (say) apps instead, Apple would be ok. Google benefits from content staying on the web because those websites will carry Google (and other) ads, but also indirectly because the web itself becomes more useful and people will continue to use Google Search rather than expect content not to exist on the web (and ads on Search make even more money for Google than ads on other websites). In fact, one thing common to many of Google's products is that they increase the value of the web: Search makes the web more useful; Gmail was the start of web mail being a significant alternative to Outlook etc; similarly Maps; Chrome when it first appeared pioneered tab-isolation and seemed to cause fewer frustrations from browser crashes (remember the comic? https://www.google.com/googlebooks/chrome/); even the much-hated AMP was intended to fix the problem of websites being too slow on mobile (the popular consensus on HN seems to be that it made things worse).
So while it indeed seems true that Apple can afford to pursue the user-privacy angle in Safari harder than Chrome can (Apple doesn't have publishers and advertisers among its constituents), it's also arguable that Google's approach helps keep content on the web and is aligned with user interests that way. (Though personally as a user, I wonder: how many ad-supported websites are really useful to me anyway? I'd be fine and possibly happier if most of the ad-supported websites disappeared and only non-commercial content remained on the web… may not be true for many people though.)
----
Edit: Also, note that (as the article says) this delay is because the U.K.’s Competition and Markets Authority forced it. (Their page is here: https://www.gov.uk/government/news/cma-to-investigate-google... — my understanding is that they thought blocking third-party cookies would make it harder for other ad-tech companies.) Left to itself, Google would like to charge ahead with replacing third-party cookies with FLOC.
How generous! I’m going to extend the date when I’m going to reconsider using Chrome to late 3023
We know: * FLoC is less useful than third-party cookies for tracking visitors. * Google won't stop supporting third-party cookies until a replacement (like FloC) is available
Yet, in these threads I see both statements: * Google is pushing FLoC to help its ad business. * Google won't kill 3rd-party cookies because it would hurt their ad business.
So for two more years, Chrome will be the only major web browser to provide no reasonable expectation of privacy and security.
Nobody should still be using it by 2023.
I don't understand this assertion since Chrome already lets you block third party cookies.
I think the assertion is one of the tyranny of the default. If they are not blocked by default, then for the majority of users, the option effectively does not exist, since they will not proactively look for such a setting.
In today's news, we have Google refusing to do something that would damage their ad business, and we have Apple refusing to do something that would damage their app store business.
And I am sure we are all in agreement that this has absolutely nothing to do with pushback on FLoC and increased attention from regulators...
The article says as much.
That's exactly what it is, and Google indicated as much already, they originally announced this was dependent on replacing their tracking methods with a new tracking method.
Many (I suspect a large majority) of users simply don't care about web browser privacy. And I don't mean lack of concern due to ignorance of the scope of the issue. I mean if you describe to them what a third party cookie does, they just don't see a material harm, or risk, or disadvantage.
They may prefer not to see ads at all (who wouldn't?), but in terms of surveillance marketing, it's just not something that is perceived as adversely impacting their day-to-day experience.
Consumer awareness is shifting and fueled by Apple's privacy marketing campaigns. If Apple continues to invest here, I could see Chrome's desktop marketshare start to diminish. Safari has 50% of total mobile marketshare while only 16% in desktop. I see both platforms as low hanging fruit for Safari or Firefox.
https://blog.google/products/chrome/updated-timeline-privacy...
Is this a chance for chrome to lose the dominant role in browsers market with the increase in privacy awareness for general population?