Google has doubts about deleting cookies, so serves CHIP • The registry
Last week, third-party cookies received a stay of execution from Google that will allow them to survive until the end of 2023, almost two years beyond their previously declared decommissioning date. But the ads and search app industry is already planning some sort of resurrection, as third-party cookies are just too useful.
La Chocolaterie is considering a lesser form of third-party cookie, which in theory will not be used for tracking but may support other more acceptable use cases. Google software engineer Dylan Cutler and CTO Kaustubha Govind call their making “partitioned cookies” in a proposal from the Web Platform Incubator’s Community Group called “CHIP.”
Cookies are files that web applications can set in web browsers to store data. They have legitimate uses, like storing data related to the state of the app (for example, if you’re logged in), and they can also be used to track people on websites.
Third-party cookies – set by scripts that interact with third-party servers – track people by storing a value on one website and then reading that value on another website that implements a similar third-party script. The third-party service in this case then knows all of the websites running their script that have been visited by the individual being tracked.
It’s the kind of privacy invasive behavior that has led browser makers like Apple, Brave, Mozilla, and others to block third-party cookies by default. But this has created problems by interfering with applications that rely on third-party cookies to provide services in domain contexts.
The browser security model is based on the distinction between first party and third party contexts. When an individual visits a specific web domain, that domain operates in a first-party context; services available in other areas are considered third parties and face various limitations on what they can do.
Google’s CHIP proposal – Cookies Have Independent Partitioned State – calls for cookies that can be set by a third-party service, but only read in the context of the proprietary site on which they were originally set, as opposed to other sites running also the user’s third-party site. -party scenario.
For example, Cutler and Govind describe a scenario where the site
retail.com wants to work with a third party service
support.chat.com integrate a support chat box on their site.
“Without the possibility of setting a cross-site cookie,
support.chat.com could rather count on
retail.com pass their first-party state (or a value derived from it), ”the Googlers explain in their proposal.“ However, if users haven’t created an account yet and the helper widget helps them to s ‘register, then
retail.com would have no notion of identity to transmit to
Firefox and Safari have each taken steps to implement their own versions of partitioned cookies, so Google’s approach enjoys conceptual support from other browser manufacturers, although implementations currently differ.
Wait a minute
But privacy advocates have challenged Google’s approach – stating their intention to prototype the technology without much consultation.
“The technology has been discussed for some time, it works when combined with other techniques to slightly reduce the damage caused by third-party cookies, but that is not the same as advising against them. third-party cookies, “said Zach Edwards, co-founder of web analytics biz Victory Medium, in a message to The register.
“Google is proposing this change without even recognizing how it fits into larger plans, and so is making people guess and try to work out the timing of Chrome’s upcoming additions and deprecations,” he said. . “It’s a shockingly impossible task if the company making these decisions doesn’t keep a list of changes that impact global businesses, and also casually suggest new additions on websites other than Google and through a A regularly rotating group of largely unknown Google developers, who when asked about proposals they often fall back on “All opinions are mine.”
Such concern is widespread among those involved in advertising technology and marketing as Google is changing the rules by which online advertisers operate. The effort to phase out the third-party cookie is part of the company’s ongoing Privacy Sandbox initiative, which aims to implement several technical specifications that change how online advertising works in the browser. And no one – not Google, its allies, competitors, regulators or internet users – is sure how this ongoing work will work and interoperate over time.
In January, the UK’s Competition and Markets Authority (CMA) began digging into Google’s Privacy Sandbox to see if the proposed changes would put competitors at a disadvantage. In response, Google made a set of commitments to be more open about its technologies and the viability of competing alternatives.
“The CMA has apparently told Google that it needs to change its process and communicate more clearly how data delivery changes are made in Chrome and in Google’s advertising systems,” said Edwards.
“But if this new proposal is how Google perceives the CMA mandate, then people in the UK should schedule a bit more tea time, as they spin their wheels during office hours on requests that are ignored. “
Even seemingly minor proposals like CHIPs can be complicated because they don’t exist in isolation. They must be seen in the context of all the other technologies that they may affect during deployment.
For example, Google has a proposal called First-Party Sets which would make different domains (eg apple.com and icloud.com) owned by the same company function as a single proprietary domain for cookie purposes. Privacy researcher Lukasz Olejnik has expressed concern on how chips can extend tracking possibilities when used in conjunction with proprietary assemblies.
Additionally, the proposal itself recognizes that partitioned cookies cannot currently be defended against Chrome extensions.
“Extensions’ background contexts can query and store cookies on multiple partitions, which means they can store a cross-site identifier on multiple partitions,” Cutler and Govind explain. “Unfortunately, this type of attack is inevitable due to the nature of extensions.”
“Even if we block partitioned cookies (or even all cookies) from extension background contexts, an extension could still use content scripts to write cross-site IDs in the DOM that the site’s own script could copy. in the site’s partitioned cookie jar. “
And there are other potential issues that need to be addressed, such as the risk of making sites more prone to cross-site scripting (XSS) attacks and increasing the risk of denial of service attacks via a proliferation of cookies that exceeds 180 Chrome cookies. -limited by domain.
None of these problems are insurmountable. But perhaps Google’s decision to treat the technical foundations of web advertising – a business it and so many companies depend on – as a set of experiences needs to be reconsidered in light of market power. of the company. Going fast and smashing things can work well for an agile startup, but when giants do, there is collateral damage. ®