



Last week, Google postponed the phase-out of third-party cookies, which can now survive until late 2023, almost two years after the previously declared decommissioning date. However, the search advertising and apps business is already planning a resurrection of sorts, because third-party cookies are so useful.

The Chocolate Factory envisions a lesser form of third-party cookie, one that in theory is not used for tracking but can support other, more acceptable use cases. Google software engineer Dylan Cutler and engineering manager Kaustubha Govind have put forward a Web Platform Incubator Community Group proposal called “CHIPs” for what they call “partitioned cookies.”

Cookies are files that web applications can set in a user’s web browser to store data. They have legitimate uses, such as storing data related to the state of the application (such as whether you are logged in or not), and can also be used to track users across websites.

A third-party cookie, set by a script that interacts with a third-party server, tracks a user by storing a value on one website and reading that value on another website that implements a similar third-party script. The third-party service in this case is aware of every website running the script that the tracked individual has visited.

This kind of privacy violation has led browser makers such as Apple, Brave, and Mozilla to block third-party cookies by default. However, doing so caused problems by interfering with applications that depend on third-party cookies to function across domain contexts.

The browser security model is based on the distinction between first-party and third-party contexts. When an individual accesses a particular web domain, that domain operates in a first-party context. Services available in other domains are considered third parties and face various restrictions on what they can do.

Google’s CHIPs proposal (Cookies Having Independent Partitioned State) lets a cookie be set by a third-party service but read only within the context of the first-party site where it was first set, as opposed to on other sites running the third-party setter’s script.

For example, Cutler and Govind describe a scenario where the site retail.com is working with a third-party service, support.chat.com, to embed a support chat box on the site.

“Without the ability to set cross-site cookies, support.chat.com could instead rely on retail.com to pass first-party state (or its derivatives),” the Google employees explain. “However, retail.com doesn’t have the concept of an ID to forward to support.chat.com if the user hasn’t created an account yet and the support widget is helping the user sign up.”
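The partitioning rule described above, modelled as an added example (not code from the article or from Chrome): the `CookieJar` class and the `other-shop.example` site are constructed for illustration. The `Partitioned` attribute name and its `Secure` requirement are taken from the CHIPS specification as later published, not from this article.

```javascript
// Simplified model of a browser cookie jar (illustrative, not Chrome's implementation).
// Unpartitioned cookies are keyed by the cookie's host alone; cookies carrying the
// Partitioned attribute are keyed by (top-level site, host).
class CookieJar {
  constructor() {
    this.store = new Map(); // jar key -> Map(name -> value)
  }

  // Build the jar key for a cookie owned by `host` while the user is on `topLevelSite`.
  static key(topLevelSite, host, partitioned) {
    return partitioned ? `${topLevelSite}|${host}` : `*|${host}`;
  }

  // Process a Set-Cookie header sent by `host` while it is embedded on `topLevelSite`.
  setCookie(topLevelSite, host, header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return false; // malformed name=value
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    const partitioned = flags.has('partitioned');
    // Assumption from the CHIPS spec: a Partitioned cookie must also be Secure.
    if (partitioned && !flags.has('secure')) return false;
    const k = CookieJar.key(topLevelSite, host, partitioned);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(pair.slice(0, eq), pair.slice(eq + 1));
    return true;
  }

  // Cookies the browser would attach to a request to `host` made from `topLevelSite`.
  cookiesFor(topLevelSite, host) {
    const merged = new Map();
    for (const p of [false, true]) {
      const jar = this.store.get(CookieJar.key(topLevelSite, host, p));
      if (jar) for (const [n, v] of jar) merged.set(n, v);
    }
    return Object.fromEntries(merged);
  }
}

// Constructed scenario: support.chat.com is embedded on retail.com and on a second site.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('retail.com', 'support.chat.com', 'legacy=u1; Secure; SameSite=None');
  jar.setCookie('retail.com', 'support.chat.com', 'session=u1; Secure; SameSite=None; Partitioned');
  return {
    onRetail: jar.cookiesFor('retail.com', 'support.chat.com'),
    onOther: jar.cookiesFor('other-shop.example', 'support.chat.com'),
  };
}
```

Only the unpartitioned `legacy` cookie follows support.chat.com to the second site; the partitioned `session` cookie is readable only under retail.com.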

There are other plausible uses too, such as supporting third-party content delivery networks that use cookies to provide access-controlled content, front-end frameworks that rely on remote hosting and remote procedure calls to interact with services, and embedded software-as-a-service apps.

Firefox and Safari have each taken steps towards implementing their own version of the partitioned cookie, so Google’s approach has conceptual support from other browser makers, even if the implementations currently differ.

Wait a minute

However, privacy advocates take issue with Google’s approach of proclaiming its intention to prototype technology without much consultation.

“This technology has been around for a while. When combined with other technologies, it can slightly reduce the harm caused by third-party cookies, but it’s not the same as eliminating third-party cookies,” said Zach Edwards, co-founder of web analytics biz Victory Medium, in a message to The Register.

“Google is proposing this shift without even admitting how it fits into a larger plan, which makes people guess at the calendar for future Chrome additions and deprecations,” he said. “The companies that make these decisions don’t have a list of changes that impact global business, and through non-Google websites and regular replacement groups of little-known Google developers. When proposing a new addition, it’s a very impossible task. When you disagree with a proposal, you often rely on ‘all opinions are my own.’”

As Google is changing the rules under which online advertisers operate, such concerns are widespread among those involved in advertising technology and marketing. Efforts to phase out third-party cookies are part of the company’s ongoing Privacy Sandbox initiative, which aims to implement multiple technical specifications that change the behavior of online advertising in browsers. And no one, whether Google, its allies, its competitors, regulators, or internet users, can be confident of how these works in progress will ultimately function and interoperate.

In January, the UK Competition and Markets Authority (CMA) began investigating Google’s Privacy Sandbox to see if the intended changes would be detrimental to its competitors. In response, Google has promised to be more proactive about the feasibility of alternatives that compete with its technology.

“It seems that the CMA needs to change the process and tell Google more clearly how the data supply changes are being made in Chrome and Google’s advertising system,” Edwards said.

“But if this new proposal is how Google recognizes the CMA’s obligations, the British people are turning the wheels during business hours in response to ignored demands, so you need to schedule a little more tea time.”

Even seemingly minor proposals like CHIPs can be complicated because they don’t exist in isolation. They need to be considered in the context of all the other technologies they may come into contact with during deployment.

For example, Google has a proposal called First-Party Sets that allows different domains owned by the same company (for example, apple.com and icloud.com) to act as a single first-party domain for cookie purposes. Privacy researcher Lukasz Olejnik has expressed concern about how CHIPs can be used in combination with First-Party Sets to increase tracking potential.

In addition, the proposal itself acknowledges that partitioned cookies cannot currently be protected from Chrome extensions.

“The extension’s background context allows you to query and store cookies between partitions, which means you can store cross-site identifiers between partitions,” explain Cutler and Govind. “Unfortunately, this kind of attack is unavoidable due to the nature of the extension.”

“Even if you block a partitioned cookie (or all cookies) from the extension’s background context, the extension can still use content scripts to copy site-specific scripts into the site’s partitioned cookie jar. You can write the cross-site identifier to the DOM.”

There are also other potential issues that need to be resolved, such as making sites more vulnerable to cross-site scripting (XSS) attacks and increasing the risk of denial-of-service attacks from cookies proliferating beyond Chrome’s limit of 180 cookies per domain.

None of these problems are insurmountable. But Google’s decision to treat the technological foundations of web advertising for businesses, which Google and so many companies rely on, as a series of experiments needs to be revisited in the light of the company’s market power. Moving fast and breaking things may work for agile startups, but when giants do so, there is collateral damage.

