News: 1722344527

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

W3C says Google's cookie climbdown 'undermines' a lot of work

(2024/07/30)


The World Wide Web Consortium (W3C) has published a blog criticizing Google's climbdown over the deprecation of third-party cookies, declaring that the move "undermines a lot of the work we've done together."

Google [1]announced that it no longer intends to drop third-party cookies last week, a decision that came after a five-year effort to build a technology stack that would keep ad revenues rolling in while giving a nod to privacy protection in the form of the Privacy Sandbox.

"If the W3C really believe that cookies are somehow bad then they should be advocating the removal of all cookies, not just those used by 3rd party, non-monopolist players....

While advertising industry critics were delighted with the move – James Rosewell, co-founder of Movement for an Open Web (MOW), declared that Google's "plan had failed" – others, such as the W3C, were less than pleased.

Hadley Beeman, a member of the W3C's Technical Architecture Group (TAG), has written a scathing [2]post about third-party cookies, titled simply: "Third-party cookies have got to go."

Beeman said that Google's announcement "came out of the blue" and "undermines a lot of the work we've done together to make the web work without third-party cookies."

[3]

Members of the W3C community had been working with Chrome's Privacy Sandbox team for several years, attempting to devise an approach that would address the privacy concerns surrounding third-party cookies while keeping advertisers happy. Beeman said: "While we haven't always agreed with the Privacy Sandbox team, we have made substantial progress together."

[4]Google's plan to drop third-party cookies in Chrome crumbles

[5]Oops. Apple relied on bad code while flaming Google Chrome's Topics ad tech

[6]Forget security – Google's reCAPTCHA v2 is exploiting users for profit

[7]Video game actors strike because they fear an attack of the AI clones

Right up until Google appeared to abruptly pull the rug out from under them and opted to allow users to choose between its Privacy Sandbox and traditional third-party cookies.

While acknowledging some of the benefits of third-party cookies, such as shopping and single sign-on, the negatives far outweigh the positives, according to Beeman, who declared them "not good for the web."

[8]

[9]

"They can also be used to invisibly track your browsing activity across sites for surveillance or ad-targeting purposes.

"This hidden personal data collection hurts everyone's privacy."

[10]

Tim Cowen, co-founder of Movement for an Open Web, said of the situation: "The role of standards bodies is to agree neutral technical standards that enable an open and interoperable web, not to advocate on behalf of monopolies for solutions that entrench their power.

"If the W3C really believe that cookies are somehow bad then they should be advocating the removal of all cookies, not just those used by 3rd party, non-monopolist players.

"Cookies are a neutral tool for interoperability and who owns them isn't the issue, it's what they're used for that defines whether they cause harm or not – and that should be decided by regulators and legislators, not technical standards bodies."

[11]

The Register contacted Google and the Movement for an Open Web for comment on Beeman's post, but we have not received a response.

The W3C is a non-profit organization founded by Tim Berners-Lee to come up with standards and guidelines for the web. The "inherent privacy issues" of third-party cookies are noted in the [12]RFC for cookies and HTTP state management , which also states that "third-party cookies are often used to correlate users' activity on different sites" and warns that "resources cannot rely upon third-party cookies being treated consistently by user agents for the foreseeable future."

The TAG has already [13]published a finding highlighting the need to remove third-party cookies from the web, and Beeman worried that Google's climbdown could result in a delay in cross-browser work on alternatives to the technology.

"We sincerely hope that Google reverses this decision and re-commits to a path towards removal of third-party cookies," Beeman said. ®

Get our [14]Tech Resources



[1] https://www.theregister.com/2024/07/23/google_cookies_third_party_continue/

[2] https://www.w3.org/blog/2024/third-party-cookies-have-got-to-go/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqkOJplnzNgoOkMSF2pyZwAAAAE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://www.theregister.com/2024/07/23/google_cookies_third_party_continue/

[5] https://www.theregister.com/2024/07/24/apple_google_topics/

[6] https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/

[7] https://www.theregister.com/2024/07/26/hollywood_video_game_strike/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqkOJplnzNgoOkMSF2pyZwAAAAE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqkOJplnzNgoOkMSF2pyZwAAAAE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqkOJplnzNgoOkMSF2pyZwAAAAE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqkOJplnzNgoOkMSF2pyZwAAAAE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[12] https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#name-third-party-cookies

[13] https://www.w3.org/2001/tag/doc/web-without-3p-cookies/

[14] https://whitepapers.theregister.com/



b0llchit

Surprised?

Follow the money

Follow the power

Follow the crimes

ArrZarr

The death of 3rd party cookies in Chrome has been pushed back so many times at this point, that Google giving up on it isn't that surprising to me. They've been trying and failing for years to actually make their tracking stack make sense without third-party cookies make sense.

However: killing third-party cookies directly benefits Google (and the other big players in the tracking market), assuming they can make their stack play nice. This is because killing third-party cookies puts all the hard work of stitching user journeys together onto the tracking provider and requires the provider to have an existing large install base - something very few providers actually have (realistically we're talking Alphabet and Meta), and actively prevents new tracking providers from getting that install base. That is especially true for remarketing providers (the ads that follow you around the web, of which Google (natch) is currently the dominant provider). People complain about not needing to be shown ads for a fridge after just buying one - this is partly due to lazy marketers - but without third-party cookies, we aren't going to see a new provider in the market that can stop that happening. We become reliant upon Google to do something useful for a change.

Blocking cookies does not stop people tracking you. I'm certain that there will be a response below this post talking about how uBlock and NoScript successfully prevent tracking, and you're *probably* correct, but for the vast majority of users, the statement is fundamentally true - all killing third-party cookies does is ensure that we're dealing with Google and Facebook forever.

karlkarl

> all killing third-party cookies does is ensure that we're dealing with Google and Facebook forever.

My browser broadcasts a fake "no cookie support" to reduce cookie churn. I notice that many sites just fall back to adding session IDs to POST or GET requests. I imagine more sites will just start doing this. Yes, it won't persist across reboots or sessions but that isn't a bad thing IMO.

Cookies really are just bits of text, loaded from a file that get added to your HTTP request headers. There are many ways to work around their disappearance.

It's amazing how badly the internet works without third-party cookies

Neil Barnes

Oh, wait, it works fine for Firefox.

Re: It's amazing how badly the internet works without third-party cookies

Anonymous Coward

Yep. It's been fine for years.

I've already turned off 3rd party cookies on every instance of Chrome that I haven't been able to convince clients to delete yet. (I've also turned off graphics acceleration on it, doing my best to convince them to delete that mess.)

Re: It's amazing how badly the internet works without third-party cookies

Missing Semicolon

A lot of small e-commerce sites don't work without 3rd-party cookies, as the checkout process hangs.

W3C now is little more than a rubber stamp for Chrome

Dan 55

And Google can string them around as it likes.

Exhibit A: This story.

The W3C is living in cloud cookoo land

Missing Semicolon

It's all very well to say "ban 3rd-party cookies" but the Big Beasts will only do so if they are replaced with something else. The idea of "no tracking, ever" simply is not acceptable, and will therefore never happen.

Stop searching forever. Happiness is just next to you.