Google Backtracks on Discontinuing Third Party Cookies
- July 31, 2024
- Clayton Rice, K.C.
On July 22, 2024, Google announced the reversal of its plan to eliminate cookies in its Chrome browser. The decision appears to follow objections to Google’s alternative technologies by digital advertising companies. Instead, Google intends to introduce a new feature in Chrome that will allow users to make informed decisions that affect their web browsing experience. The announcement provides an opportunity to discuss the privacy implications of third party cookies that function as a tracking technology for surveillance and ad-tracking purposes.
1. Introduction
There are numerous articles online that discuss questions such as: What are cookies? What are the different types of cookies? Where are cookies stored? What are they used for? In addressing these questions, some articles highlight the privacy implications of “third party cookies” which are central to this post on the recent announcement by Google. I will rely on two posts by Cloudflare and TechTarget that both offer a straight forward analysis relevant to these questions. (here and here) Cloudflare Inc., headquartered in San Francisco, California, provides content delivery network services, cloud cybersecurity services and domain name services. (here) It has been reported that Cloudflare is used by more than 20% of the internet for web security services and handles an average of 45 million HTTP requests per second. (here and here) TechTarget Inc., based in Newton, Massachusetts, with offices worldwide, offers digital marketing services to business-to-business technology vendors and has been recognized by B2B Magazine on the Media Power 50 list. With a network of over 150 websites and 1,100 content channels, TechTarget promotes its services as “the modern digital buying context.” (here)
2. What are cookies?
Cloudflare defines cookies as, “small files of information that a web server generates and sends to a web browser.” Web browsers store the cookies they receive for a predetermined period of time or for the length of a user’s session. The relevant cookies are attached to any future requests the user makes of the web server. They help inform websites about the user enabling the websites to personalize the user experience. TechTarget has defined a cookie as, “information that a website puts on a user’s computer.” They are sometimes referred to as browser cookies, web cookies or internet cookies. Cookies first appeared in 1994 as part of the Netscape Navigator web browser. They helped the browser understand if a user had already visited a certain website.
3. What are cookies used for?
Cloudflare has grouped cookies into three categories: (a) user sessions; (b) personalization; and, (c) tracking. I will give you Cloudfloare’s brief summary of each.
- User Sessions: Cookies help associate website activity with a specific user. A session cookie contains a unique string (a combination of letters and numbers) that matches a user session with relevant data and content of that user.
- Personalization: Cookies help a website “remember” user actions or user preferences, enabling the website to customize the user’s experience.
- Tracking: Some cookies record what websites users visit. This information is sent to the server that originated the cookie the next time the browser has to load content from that server. With third-party tracking cookies, this process takes place anytime the browser loads a website that uses that tracking service.
Advertising is not the only use for tracking cookies. According to Cloudflare, “many analytics services also use tracking cookies to anonymously record user activity.”
4. What are the various types of cookies?
Both Cloudflare and TechTarget have listed various types of cookies. I will not mention all of them. Here are four that are common to both lists and are probably the ones commonly encountered by website users..
- Session Cookies: A session cookie is only persistent while the user is visiting a given website. Session cookies have no expiration date and are deleted (or should be deleted) when a user’s session ends.
- Persistent Cookies: These cookies endure for a configurable length of time or until a certain date set by the web server. The predetermined date could be a day, a week, several months or even years. Persistent cookies always contain an expiration date.
- Zombie Cookies: These cookies persist even after the user attempts to delete them. They create “backdrop versions” of themselves outside a browser’s typical cookie storage location. They use these backdrop locations to reappear within a browser after they are deleted. Zombie cookies are sometimes deployed by unscrupulous advertising networks and cyber attackers.
- Third Party Cookies: A third party cookie is one that belongs to a domain other than the one displayed in the browser and are most often used for tracking purposes. They are distinct from first party cookies (or same-site cookies) which are associated with the same domain that appears in the user’s browser.
Cookies have been part of the digital universe for decades and, according to TechTarget, are generally safe. However, third party cookies are intrusive and can be used to record browsing activity, including for advertising purposes. According to Cloudflare, the privacy implications of third party cookies are heightened because users “lack visibility or control” over what tracking services do with the data they collect. Even when cookie-based tracking is not tied to a specific user’s name or device, browsing activity could be used in a variety of ways ranging from targeted advertising to harassment or stalking of users. The piece by Cloudflare discusses a hypothetical online shopper to illustrate how cookies function and the difference between first and third party cookies.
5. Alice Goes Shopping
Alice has an account on a shopping website. She logs into her account from the site’s home page. When she logs in, the website’s server generates a session cookie and sends the cookie to Alice’s browser. The cookie tells the website to load Alice’s account content so the home page reads, “Welcome, Alice”. Alice then clicks a product page displaying a pair of jeans. When Alice’s web browser sends an HTTP request to the website for the jeans product page, it includes Alice’s session cookie with the request. Because the website has this cookie, it recognizes the user as Alice and she does not have to log in again when the new page loads.
If Alice logs out of the shopping website, her username can be stored in a cookie and sent to her web browser. The next time she loads that website, the web browser sends this cookie to the web server which then prompts her to log in with the username she used last time. If Alice has previously visited a website that sent her browser a tracking cookie, this cookie may record that she is now viewing a product page for jeans. The next time Alice loads a website that uses this tracking service, she may see advertisements for jeans.
When Alice does her shopping at jeans.example.com, the jeans.example.com origin server uses a session cookie to remember that she has logged into her account. This is an example of a first party cookie. However, Alice may not be aware that a cookie from example.ad-network.com is also stored in her browser and is tracking her activity on jeans.example.com even though she is not currently accessing example.ad-network.com. This is an example of a third party cookie.
6. The Privacy Controversy
On July 23, 2024, The Brussels Times reported that Google scrapped its plan to phase out user cookies on its Chrome browser after years of resistance from online publishers. (here) The decision was quickly picked up by other media. (here, here and here) The announcement was made the previous day in a post to The Privacy Sandbox titled A new path for Privacy Sandbox on the web by Anthony Chavez, a Google vice president. “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time,” said Mr. Chavez. (here) Google clarified that it is not abandoning Privacy Sandbox, the 2019 initiative that aims to replace cookies and facilitate ad-targeting without tracking individual users. But it will take years to work out solutions with the advertising industry. The use of cookies has been criticized by digital rights groups for infringing on privacy rights. Under the General Data Protection Regulation of the European Union, websites must obtain user permission to use cookies. (here)
The danger inherent in third party cookies is that they facilitate the building of user profiles from their online activities. The data can then be used for targeted advertising or sold by data brokers to the highest bidder. The potential consequences may be far-reaching because browsing histories may reveal sensitive personal information about such things as an individual’s financial status, medical condition and sexual orientation. The data made be sold to a broad range of purchasers including insurance companies, anti-abortion groups and stalkers. But it gets worse. Third party servers can combine information from multiple third party cookies across different websites where the third party content is embedded and then use it for fraudulent purposes including identity theft. (here) There really is no question that Google could do much more to protect the users of Chrome. Other browsers, such as Safari and Firefox, provide more protection against online tracking by default. Google’s backtracking from the plan to phase out cookies is yet another development consistent with its reputation as one of the internet’s most voracious tracking machines. (here)
7. Conclusion
On July 27, 2024, Scott Simon of NPR interviewed Julia Angwin, founder of Proof News, on a podcast titled After 4 years, Google backtracks on its discontinuation of third-party cookies. During one exchange, Ms. Angwin said the level of surveillance by third party cookie tracking can be innocuous when an advertiser wants to sell you a pair of cowboy boots but terrible in the hands of a bad actor. “And so I think there’s a legitimate concern that this is an industry that’s basically out of control,” she said. In a post on Mashable titled Google has changed its mind about ‘killing’ third-party tracking cookies dated July 23, 2024, Matt Binder concluded that, “the pivot here is that Google will still allow third-party cookies by default and potentially provide a Privacy Sandbox-powered user privacy mode as an alternative option.”