Feeling the pressure from competing browser developers, Google on Tuesday laid out a plan to drop Chrome support of tracking cookies within two years.
The plan is laid out in a post titled “Building a more private Web: A path towards making third party cookies obsolete.” It articulates a shift from a stance Chrome developers took in August, when they warned that the blocking of support for third-party cookies—which allow advertisers to track people as they move from site to site—would encourage the use of an alternative tracking method. Known as browser fingerprinting, it collects small characteristics of a browser—for instance, installed fonts or plugins, screen size, and browser version—to uniquely identify the person using it. Unlike cookies, fingerprinting is harder to detect, and user profiles can’t be easily deleted.
Instead, Google’s August post unveiled the “privacy sandbox,” a proposed set of open standards that would serve as an alternative to the blocking of third-party cookies. Privacy sandbox uses browser-based machine learning and other techniques to determine user interests and aggregate them with other users. Google—whose ad-driven revenue model strongly favors ads that target individuals’ interests and demographics—said the proposed standard would allow advertisers to deliver more relevant ads without allowing them to track individual users.
In a shift, Chrome Engineering Director Justin Schuh said on Tuesday that adoption of the privacy sandbox will allow Chrome to drop support of the cookies altogether.
Making third-party cookies obsolete
“After initial dialogue with the Web community, we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported Web in a way that will render third-party cookies obsolete,” Schuh wrote. “Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.”
One of the most immediate concrete steps in the two-year process will come in February, when Chrome will limit insecure cross-site tracking starting in February. Under the change, Chrome will treat cookies that don’t include a SameSite label as first-party only and require cookies labeled for third-party use to be accessed over HTTPS.
“This will make third-party cookies more secure and give users more precise browser cookie controls,” Schuh wrote in Tuesday’s post. “At the same time, we’re developing techniques to detect and mitigate covert tracking and workarounds by launching new anti-fingerprinting measures to discourage these kinds of deceptive and intrusive techniques, and we hope to launch these measures later this year.”
Google’s plan to drop Chrome support for tracking cookies follows moves by Apple and Mozilla to block tracking cookies in Safari and Firefox respectively. Microsoft has also disclosed experimental cookie blocking in Edge.
Google’s phasing out of tracking cookie support came after critics said the privacy sandbox proposal didn’t go far enough in protecting the privacy of Chrome users. So far, the privacy sandbox remains a work in progress with little or nothing tangible to assess its merits, but some critics cheered Google’s plan.
“I’ve criticized Google in the past for handwaving a hypothetical alternative to cookie blocking without teeth,” privacy advocate Ben Adida wrote on Twitter. “Now they’re delivering teeth: a plan to kill tracking cookies in 2 years. So I retract my criticism. Kudos to Google. This is a big deal.”
I’ve criticized Google in the past for handwaving a hypothetical alternative to cookie blocking without teeth.
Now they’re delivering teeth: a plan to kill tracking cookies in 2 years.
So I retract my criticism. Kudos to Google. This is a big deal.
— Ben Adida (@benadida) January 14, 2020
Schuh, meanwhile, predicted the measure would be a success.
“Fortunately, we have received positive feedback in forums like the W3C that the mechanisms underlying the Privacy Sandbox represent key use-cases and go in the right direction,” he wrote. “This feedback, and related proposals from other standards participants, gives us confidence that solutions in this space can work.”