> In some ways, this is a loss—tracking cookies are undeniably terrible, and Google's proposed alternative is better for privacy, at least on paper. However, universal adoption of the Privacy Sandbox could also give Google more power than it already has, and the supposed privacy advantages may never have fully materialized as Google continues to seek higher revenue.
Cookies are much maligned these days, but to defend them a little bit - the alternatives are almost universally worse for user privacy. Persistent session storage? Browser fingerprinting? Locking everything behind a user account with mandatory sign-in? Blegh.
On the other hand, cookies are a pretty transparent interaction. It's a tiny file that sites in your browser. You can look at them. They expire on their own. You as a user can delete, modity, edit, hack them to your heart's content. They contain no PII on their own. They are old-fashioned and limited and that's a good thing.
The real problem here is not the cookie - it's the third party data networks. I would much rather focus our ire on the function rather than the form.
> You as a user can delete, modity, edit, hack them to your heart's content.
This is not true in practice though. Cryptography means they cannot be altered (or even read) if their creator doesn't want them to be altered. Of all the CRUD operations, users can only realiably delete the cookie.
But third party cookies are a lot more insidious, because they get sent without any visibility to the user and have generally peripheral relevance to the application they are using. It's like if you go to the supermarket and they ask you if you want to sign up for a loyalty card and you say yes, vs you go to the supermarket and they secretly plant trackers on you so that when you go to other shops they can tell who you are. One is a lot worse than the other.
"Sawdust in bread is much maligned these days, but to defend it a little bit, the alternatives are almost universally worse for your health. Sand? Dog poop? Arsenic?"
This article seems to avoid talking about the elephant in the room: Every other browser just blocks third party cookies with no replacement. And Chrome would too if it wasn't owned by an ad company.
This should be the central argument the DOJ uses to separate Chrome from Google: The entire web for a monopoly-size portion of users is massively less secure because the web browser is owned by a company which is very vested in it being less secure.
You have it backwards. Antitrust is the reason Google can't remove cookies. Because it would be anticompetitive toward their competitors in the advertising market. Google has wanted to block third-party cookies for a long time and they can't because they're not allowed to, legally.
Another assurance Google made was that the User-Agent HTTP header is being phased out, or at least rendered obsolete. It sure seems like this header is in heavy usage for a variety of online advertising related purposes. Time will tell if anyone should take Google's forecasting of the future seriously.
So basically Google added additional tracking and fingerprinting features (so called "Privacy Sandbox") as a replacement for 3P cookies, but decided not to remove them after all.
I think that independent from Google browser vendors should 1) stop adopting any APIs that extend fingerprinting surface and 2) gradually lock down APIs that allow fingerprinting by putting them behind permissions.
> Google has been heartened to see the advertising industry taking privacy more seriously. As a result, Google won't be pushing that cookie dialog to users.
The advertising industry never ever cared about anyone’s privacy. Quite the opposite.
Same for Google, Google is a company. It cares about money income, that’s all. This change gave them even more control on the web.
They just had too much pushback from the advertising industry and a wrong timeline with the DOJ and the antitrust lawsuit. That’s the reason they canceled their plan, anything else is PR BULLCRAP.
I'm not sure I've ever understood the point of this.
Aren't all cookies trivially "any-party" cookies? Can't any form of persistence be used to track a user? 3rd-party cookies as they exist today just give a path of least resistance so that most of that behavior is implemented the same way. Consistent implementation allows the user a simple way to block that behavior.
The only somewhat good use for third-party cookies is various embeds and comment widgets. It wouldn't be all that much of a loss for the users if third-party cookies were removed without a replacement, but with the developer of the world's most popular web browser and the world's most popular mobile OS also being the world's richest internet advertising company, that's apparently an absolute impossibility ¯\_(ツ)_/¯
[+] [-] legitster|11 months ago|reply
Cookies are much maligned these days, but to defend them a little bit - the alternatives are almost universally worse for user privacy. Persistent session storage? Browser fingerprinting? Locking everything behind a user account with mandatory sign-in? Blegh.
On the other hand, cookies are a pretty transparent interaction. It's a tiny file that sites in your browser. You can look at them. They expire on their own. You as a user can delete, modity, edit, hack them to your heart's content. They contain no PII on their own. They are old-fashioned and limited and that's a good thing.
The real problem here is not the cookie - it's the third party data networks. I would much rather focus our ire on the function rather than the form.
[+] [-] Buttons840|11 months ago|reply
This is not true in practice though. Cryptography means they cannot be altered (or even read) if their creator doesn't want them to be altered. Of all the CRUD operations, users can only realiably delete the cookie.
[+] [-] zmmmmm|11 months ago|reply
But third party cookies are a lot more insidious, because they get sent without any visibility to the user and have generally peripheral relevance to the application they are using. It's like if you go to the supermarket and they ask you if you want to sign up for a loyalty card and you say yes, vs you go to the supermarket and they secretly plant trackers on you so that when you go to other shops they can tell who you are. One is a lot worse than the other.
[+] [-] tmpz22|11 months ago|reply
[+] [-] nicce|11 months ago|reply
I have been looking them and yes, in 50 years…
[+] [-] immibis|11 months ago|reply
[+] [-] gnabgib|11 months ago|reply
Google scraps plan to remove third-party cookies from Chrome (26 points, 9 months ago, 3 comments) https://news.ycombinator.com/item?id=41046637
Chrome is entrenching third-party cookies that will mislead users (511 points, 8 months ago, 311 comments) https://news.ycombinator.com/item?id=41391412
What Google's U-Turn on Third-Party Cookies Means for Chrome Privacy (3 points, 7 months ago) https://news.ycombinator.com/item?id=41788239
[+] [-] ocdtrekkie|11 months ago|reply
This should be the central argument the DOJ uses to separate Chrome from Google: The entire web for a monopoly-size portion of users is massively less secure because the web browser is owned by a company which is very vested in it being less secure.
[+] [-] modeless|11 months ago|reply
[+] [-] timewizard|11 months ago|reply
I guess that was going to be too insane to actually manage.
[+] [-] decimalenough|11 months ago|reply
https://blogs.windows.com/msedgedev/2024/03/05/new-privacy-p...
[+] [-] 1vuio0pswjnm7|11 months ago|reply
[+] [-] joshdavham|11 months ago|reply
chrome://settings/cookies
[+] [-] codedokode|11 months ago|reply
I think that independent from Google browser vendors should 1) stop adopting any APIs that extend fingerprinting surface and 2) gradually lock down APIs that allow fingerprinting by putting them behind permissions.
[+] [-] aucisson_masque|11 months ago|reply
The advertising industry never ever cared about anyone’s privacy. Quite the opposite.
Same for Google, Google is a company. It cares about money income, that’s all. This change gave them even more control on the web.
They just had too much pushback from the advertising industry and a wrong timeline with the DOJ and the antitrust lawsuit. That’s the reason they canceled their plan, anything else is PR BULLCRAP.
[+] [-] snackernews|11 months ago|reply
[+] [-] sublinear|11 months ago|reply
Aren't all cookies trivially "any-party" cookies? Can't any form of persistence be used to track a user? 3rd-party cookies as they exist today just give a path of least resistance so that most of that behavior is implemented the same way. Consistent implementation allows the user a simple way to block that behavior.
[+] [-] chris_wot|11 months ago|reply
[+] [-] ChrisArchitect|11 months ago|reply
[+] [-] est|11 months ago|reply
[+] [-] grishka|11 months ago|reply
[+] [-] creatonez|11 months ago|reply