How The Third Party Cookie Crumbles: Tracking And Privacy Online Get A Rethink

from the important,-but-not-as-important dept

Google made some news Wednesday by noting that once it stops using 3rd party cookies to track people, it isn't planning to replace such tracking with some other (perhaps more devious) method. This news is being met cynically (not surprisingly), with people suggesting that Google has plenty of 1st party data, and really just doesn't need 3rd party cookie data any more. Or, alternatively, some are noting (perhaps accurately) that since Google has a ton of 1st party data -- more than just about anyone else -- this could actually serve to lock in Google's position and diminish the alternatives from smaller advertising firms who rely on 3rd party cookies to bootstrap enough information to better target ads. Both claims might be accurate. Indeed, in the "no good deed goes unpunished" category, the UK has already been investigating Google's plans to drop 3rd party cookies on the grounds that it's anti-competitive. This is at the same time that others have argued that 3rd party cookies may also violate some privacy laws.

And, yes, it's possible that it can be both good for privacy and anti-competitive, which raises all sorts of interrelated issues.

In theory cookies should have been very pro-privacy. After all, they're putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they're not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information -- as well as consumer-friendly tools to adjust things. But that's not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I've referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you're being tracked.

The actual death knell for 3rd party cookies happened a while back. Firefox and Safari phased out 3rd party cookies a long time ago, and Google announced plans to do the same a year ago, with an actual target date for implementation a year from now. Today's news was more about what happens next, with Google promising not to use some sneaky method to basically replace cookies with something even worse. There is a concerted effort by some to track you through a "hashed email address". This is really creepy and kinda sketchy.

As a side note, a few years back, we were approached by a company doing this. They basically asked us to hand over a hashed set of emails we had collected. We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails. We explained that they must be mistaken, because that's really not all that different from just handing over emails, which would be a violation of our own privacy policy. We were told that, no, the whole idea was everyone had to use the same hash, and it was fine because the email addresses were hashed (ignoring the point we made about that being meaningless if everyone is using the same hash). We rejected this deal, even though they were actually offering decent money. I do sometimes wonder how many other publishers just coughed up everyone's emails, though.

So, Google's latest point is that it's not going to use some other unique identifier, and recognizes that the hashed email based-identifier is a bad idea:

We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like PII graphs based on people’s email addresses. We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.

Instead, Google is pushing for a different kind of solution -- what it has referred to for a while now as a "Privacy Sandbox." The idea is not to track individuals but rather to dump you into a "cohort" of similar users, thereby not needing unique identifiers, just slightly more general ones. Google has taken to calling this cohort setup "Federated Learning of Cohorts", or FLoC, which it recently declared to be 95% as good at targeting ads, but in a less creepy way.

In many ways, this is obviously better than the use of full-on individual tracking via 3rd party cookies (or hashed emails). It's sort of a step away from individual targeting and at least a very slight movement back towards contextual advertising, which is something I've argued both Google and Facebook should do. But it's still not ideal. You still have the concerns about how much data Google has about you, and you still have the concerns about whether or not this locks in Google's position. Those don't go away with this move.

And, of course, there's the other framework to think about this: the never-ending threat of new privacy laws. So much of the focus on privacy legislation is (stupidly) about fighting the last battles, and that's why things like the GDPR and California's CCPA focused on useless and counterproductive cookie notifications. In some ways, this could be seen as a step towards getting ahead of that coming meteor, sidestepping it by saying "okay, okay, there are no more third party cookies."

In the end, you can't argue that this is a great solution or a terrible one. It is... just a change. A change that helps one aspect of how our current online privacy paradigm works, but which might cause other problems. It's good in that it's a further step towards the end of 3rd party cookies, which have been abused in creepy ways for too long. But it doesn't really fix overall privacy issues, and could still help lock Google into a position of dominance.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ads, cookies, online ads, privacy, third party cookies
Companies: google


Reader Comments

Subscribe: RSS

View by: Thread


  • identicon
    Anonymous Coward, 4 Mar 2021 @ 5:03am

    If they do that, are they going to also block those stupid "accept our cookies" -popups that most of the web is now infested with? Because on many sites running with cookies disabled makes the popups reappear with every page refresh, often full-screen or otherwise blocking usage.

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 4 Mar 2021 @ 5:36am

      Re:

      "If they do that, are they going to also block those stupid "accept our cookies" -popups that most of the web is now infested with? "

      Where are you located? If the EU, then no, because those popups are part of an overreaction to the GDRP, which isn't going anywhere soon. If not, it might even be the same problem if sites are scared of accidentally letting people through via VPNs. Either way, if you refuse cookies then the next time you go to a page you won't have the cookie that says you agreed to accept them as the site is told by GDRP to do, so you'll be asked again.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Mar 2021 @ 10:11am

        Re: Re:

        In that case, I expect Chrome will become useless to anyone in the EU when they remove support for the cookies.

        reply to this | link to this | view in chronology ]

        • icon
          reticulator (profile), 4 Mar 2021 @ 11:34am

          Re: Re: "the" cookies

          I don't believe any browser is removing support for cookies in general. If you reread the article, it's about third-party cookies.

          A "normal" cookie, such as are used to maintain your user session, are sent to you when you visit A.com, do something A.org needs to know (like, you've logged in, or put something in your shopping cart), and returned to A.org on your next request to A.org.

          A third-party cookie is sent to you from... a third party. You visit A.org, and get a cookie from Z.com. Then you make a request to B.org, that also uses Z.com (perhaps for displaying ads). As part of loading the page from B.org, you load a component from Z.com (perhaps an ad). That request to Z.com will include the cookie you received while interacting with A.org. And BINGO! Z.com knows you visited both A.org and B.org.

          So now Z.com "knows" that when you shop for diapers, you also order beer.

          reply to this | link to this | view in chronology ]

          • icon
            reticulator (profile), 4 Mar 2021 @ 11:54am

            Re: Re: Re: "the" cookies

            Ha. I thought it used to be possible to edit a comment after posting. At any rate, typo alerts:

            "visit A.com, do something A.org needs to know" SHOULD BE "visit A.org..."

            "Z.com will include the cookie you received while interacting with A.org" SHOULD BE "Z.com will include the cookie you received from Z.com while interacting with A.org"

            reply to this | link to this | view in chronology ]

        • icon
          PaulT (profile), 4 Mar 2021 @ 11:02pm

          Re: Re: Re:

          "I expect Chrome will become useless to anyone in the EU when they remove support for the cookies."

          You might expect that, but you should probably stop whining so much and take the time to read the article and the messages that pop up to tell you about cookies. You'd learn a lot and be less angry about very simple subjects.

          reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Mar 2021 @ 4:30pm

        Re: Re:

        The solution I use here is that I have an AdBlock filter that just filters out those cookie pop-ups. Most sites use (ahem) cookie cutter banners to display these notifications, so if you filter out that code, you never get the pop ups.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 6 Mar 2021 @ 4:20am

          Re: Re: Re:

          Me too. It's actually pretty fun to go through page source to block the annoying bits. Though I've been wondering why the adblock makers haven't yet added premade block lists for the cookie popups for those users who aren't able to do it themselves.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Mar 2021 @ 11:09am

    To go off on a bit of a tangent, Wolfie Christl of crackedlabs has a good summary twitter thread about the absurdity of using hashed email addresses for 'anonymization' at:

    https://twitter.com/WolfieChristl/status/1288229191759081472

    Plenty of links to external docs of interest.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Mar 2021 @ 11:53am

    No Internet site or company should have the right to ibstall a 'cookie' on anyone's computer! Thry are of no use to anyone except the website and the cookie producer and ehiever they are selling YOUR data to! No website should have the right to expect a visitor to have to jump through hoops to allow/disallow cookies and they should all be disabled, automatically, with an option to allow/enable them if the visitor wants, NOT IF THE SITE OWNER WANTS! Trouble is, as usual, politicians are 'encouraged' to pass legislation, for a contribution, to favor the sites, knowing full well the consequences to the site visitors. As is typical, politicians will do whatever the biggest buck will give them, not what they should do or were voted for to do, protect the public! Money ALWAYS speaks louder than rights and a company can always afford a much more expensive, much more knowledgeable, much more devious lawyer than joe public!!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Mar 2021 @ 12:23pm

      Re:

      That isn't how the internet works at all. Cookies are on your computer and there are trivially settings to reject all cookies - you will just get a quick lesson as to why even those oriented more towards privacy mostly use session cookies.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 6 Mar 2021 @ 4:29am

        Re: Re:

        Right. Ironically the laws requiring the cookie notices have only made it harder to reject cookies since even sites that would've previously worked with all cookies off will now need them on to remember you've clicked the notice.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Mar 2021 @ 1:47pm

      Re:

      "Install" is a really weird and misleading concept to use here. Cookies (not "flash cookies" and other more hidden tracking objects like single-pixel images, etc. - there are still loads of other methods) are simple text files. They are as "installed" as the rest of the text, images, video, fonts, and scripting that a site uses to display its content.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Mar 2021 @ 1:49pm

      Re:

      "No Internet site or company should have the right to ibstall a 'cookie' on anyone's computer! "

      Calm down .. you agreed to it via the TOS (that no one reads) when you used the their service.

      btw, politicians will not save you from cookies

      reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 4 Mar 2021 @ 10:59pm

      Re:

      That's a lot of words to say "I don't know what cookies are and I certainly don't want to use the cookie controls in my browser that already allow me the control I'm demanding!"

      "As is typical, politicians will do whatever the biggest buck will give them"

      Why is any of this the job of politicians?

      reply to this | link to this | view in chronology ]

  • identicon
    Paul, 5 Mar 2021 @ 8:08am

    Changing cohorts ?

    So I question how they place you in a specific cohort.

    And how is it possible to change?

    Do you have to let them know that you are not actually a 35 yr old cross-dressing left handed male?

    reply to this | link to this | view in chronology ]

  • icon
    nasch (profile), 5 Mar 2021 @ 2:47pm

    Hash

    We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails.

    If you can reverse it and get the input back out, then it's not a hash. Hash algorithms are one way functions that map variable length inputs to fixed length outputs in a way that cannot be reversed. It may be possible to correlate the hashed value with other data sets and backtrack to an original email some other way, but it doesn't sound like that's what you mean.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2021 @ 6:00pm

    The idea is not to track individuals but rather to dump you into a "cohort" of similar users,

    I don't know what this even means. I cannot imagine that Google is claiming that it will stop trying to collect as much personal and behaviour data about individuals as possible. It is not going to delete it's tables with names,DoB, addresses, phone numbers, email addresses, ip addresses etc. It is still able to map all of this to location, web and social network/communications history. It will still be able to hand this over to governments or other political entities when it believes it to be of strategic advantage.

    Is it saying it will not sell individual phone numbers etc as part of it's advertising business? So, for example, only google would know which individuals belong in the mentally_ill+religious+uneducated+conservative+politically_extreme cohort, when they sell access to these people to whoever can pay?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.