Google has been testing a replacement for third-party cookies

The problem is not the option to place cookies per se. The issue is its misuse which aims to de-anonymize users (in order to place ads). I don&#x27;t see how saving the user data somewhere else (in a browser add-on or in the browser natively) is helping here.<p>EDIT: The official description [<a href="https:&#x2F;&#x2F;github.com&#x2F;WICG&#x2F;floc" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;WICG&#x2F;floc</a>], does a better job in explaining the point. They try to cluster (=&quot;cohort&quot;) users interests and exchange that with the ad-service. This could maybe help to increase transparency and authority over your data as it&#x27;s saved locally. But I don&#x27;t see a way to limit the access to the users cohorts (they even say that themself, see link above). Everybody could access my interests - not just Google and other ad services. And of course, if you have 1000 categories and some meta information (region based on IP address etc.), you will be able to track down individual users with pretty good accuracy.

FLoC is an engineering solution to a political problem.<p>The problem with targeted advertising isn&#x27;t the use of cookies, the problem with targeted advertising is the targeting. It doesn&#x27;t matter if you&#x27;re using fancy machine-learning and on-device targeting to avoid technically collecting targeting data. People don&#x27;t like seeing their web history funnel into their advertising.

What this means is not that google has found a privacy-friendly alternative.<p>It means that Google has found out that among 1000 people, your browsing criteria with HTTP headers alone is unique enough to identify you with 95% accuracy, which is actually even more frightening.

This proposal coupled with phasing out third-party cookies inconveniences competitors, while allowing Google to continue gobbling up user data without disruption, because their tracking capabilities are way past needing any cookies, or this new cohort API.

honestly the thing that bugs me the most about the article is cookies == tracking.<p>Sure, cookies are used for tracking, but they are also used for authentication, which is something that nearly every webapp needs to do.<p>I just think that, due to articles like this, cookies end up being viewed as nothing but bad, when they are an important tool for the web when used properly.<p>More on-topic of the article:<p>this doesn&#x27;t look like it really changes anything, to me. Like, so instead of cookies being used to track your data, they use a _browser extension_?? that is potentially even _more_ invasive. Sure, if it does what they say it will do, it kind of obfuscates your personal data. Really, what people want is just....less ads. Less targetted ads. This doesn&#x27;t achieve that.

Just the same stairs but now with only one giant step and Google is the one with giant legs.<p>Also there&#x27;s no &quot;privacy-friendly&quot; tracking technology, it&#x27;s an oxymoron an slick marketing&#x2F;corporate strategy ( that works ).

This is what EFF says about this scheme:<p>&quot;A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate.&quot;<p><a href="https:&#x2F;&#x2F;www.eff.org&#x2F;deeplinks&#x2F;2019&#x2F;08&#x2F;dont-play-googles-privacy-sandbox-1" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;deeplinks&#x2F;2019&#x2F;08&#x2F;dont-play-googles-priv...</a><p>BTW, Chrome users have been part of this system for nearly a year now.

While on the topic of third-party cookies - is there any legitimate use for those at all (outside of semi-covert user tracking)?<p>I understand how first-party cookies are useful - you take a stateless protocol (HTTP) and make it aware of &quot;sessions&quot;. And those in turn are a nifty block to build upon - login&#x2F;authentication, &quot;shopping cart&quot;, whatever...<p>But having one website to be able to save state that is only accessible to a chosen different site - what&#x27;s the use for that?

It&#x27;s not clear to me why we need third-party cookies to be a technology that browsers support. Just axe them. No replacement.

This just sounds like Google is building an API for browser fingerprinting. Advertisers send Google data, and get back a fingerprint of a user.<p>This is only &quot;privacy friendly&quot; because Google limits the accuracy of the fingerprint provided to advertisers by bucketing users into cohort groups. These groups are supposed to be large enough to prevent advertisers to identify individual users.<p>Google would still retain the ability to uniquely identify individual users.

This requires browser integration. What concerns me is this doesn&#x27;t talk about how Google plans to track non-Chrome users. Because you know Google isn&#x27;t going to just stop tracking the other 40% or so of web users.<p>The other big thing that concerns me about this is how it still allows for some of the worst abuses. They are still going to possess entirely too much information about people and will continue to sell advertising that takes advantages of that information.

I think independent groups would be much better advocates for privacy technology than Google which has a huge conflict of interest

In 1997, I had a meeting with Netscape executives about a similar technology I had created out of concern for the privacy implications of cookies. I called it LAD (local advertising decision). The server would send a script down to the browser saying “if the user meets X criteria, show this ad, else show Y” and so on. It could use browser history, installed software, and other factors for targeting.<p>At the time I was laughed out of the room. Turns out I was just 24 years too early.

In addition to the whole fox guarding the henhouse issue, this doesn&#x27;t address the primary harms of user tracking: That it&#x27;s just bad for society that people are targeted and advertised to on this level, as it fosters filter bubbles and encourages unhealthy behaviors.<p>Tracking a group of 1,000 people to cater bad political ads isn&#x27;t meaningfully better than targeting 1,000 individuals with bad political ads.<p>Targeted advertising needs to be treated like unfair gambling practices. Banned across the board, and the industry that remains needs to be heavily regulated and forced to be completely transparent about the process.

Besides usual privacy concerns:<p>Dear advertisers, I do not want to be herded in a bubble (designed by you or anyone else), I actually like to know the world around me.<p>(And this is even more valid for the things I&#x27;m not that familiar with anyway. How would I learn about those segments of reality, if not from your adverisment that you would prefer to rather not show me?)

I&#x27;m sorry but I fail to see the point of this. you can choose to disable cookies, will you be able to disable this new thing? if so, what&#x27;s the big deal about it, other than the same principle with a different name, probably to avoid some EU legislation.<p>Advertisers and trackers have been doing the same thing this thing is supposed to do for years. And where will they implement it? the only way would be at the application level, so every browser now also has to implement internal tracking services to aggregate all the data in their flocs, to then come back to the user to spice up their request? come on...<p>I&#x27;ll keep supporting efforts to make the Internet a more privacy focused place. Advertisers have been buying TV ads for decades and I my TV hasn&#x27;t asked me what I want to share with it, yet.

&quot;Serial killer may have found a life-friendly substitute to knives.&quot;<p>No but seriously, does being in a group of &quot;thousands&quot; of people really preserve privacy particularly well? It seems quite likely that with groups that small, membership itself could be considered privacy-compromising, e.g., a group of people that all have some medical condition.<p>At the most fundamental level, I feel like if you know which advertisments are targetted to me, and those advertisements are well-targeted, then my privacy has been invaded.<p>It seems to me there is a fundamental conflict between good targetted ads and protection of privacy.

This doesn&#x27;t seem to be at the same technology layer as &quot;cookies&quot;, as this seems to be a Chrome-internal (local, which is good, but is this a guarantee?) API that uses your search history and other things to generate a &#x27;cohort&#x27; which is an ID of some sort that you can send over as a part of requests to the advertiser URL&#x27;s.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;WICG&#x2F;floc" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;WICG&#x2F;floc</a>

Is this not how brave ads work, with a local profile that fetches ads you profiles says you should be interested in?

I say this every time, but individual targeting should be illegal. The ad industry thrived for thousands of years without ads that follow you everywhere.<p>Invasive targeting is only 20 years old, a blink in the history of advertising. If it was gone tomorrow these companies would just go back to targeting based on the ad placement rather than unique person viewing it. What we have now is the dystopian sci fi movie where ads shift as different people look at them.<p>If you don&#x27;t think it&#x27;s dystopian, consider that every ad your coworkers see when you&#x27;re sharing your screen is based on the best targeting data advertisers can find. Your screen is disclosing your interests, wealth, medical history, kinks, etc to anyone looking at it. It&#x27;s fucked up.

FYI this was already quietly shoved into Chrome 80

I don&#x27;t believe Google because it could have eliminated all the ways to track people without their consent long ago if it wanted. Almost everybody uses Chrome&#x2F;Blink and agrees to everything they decide. They can define and deprecate almost whatever browser APIs and behaviors they want. But it doesn&#x27;t because they are the single biggest actor making use of these ways. E.g. it is known Google Captcha doesn&#x27;t simply tell them you are a human, it tells them which particular human you are.

They did not find a replacement to cookies. Cookies have become too toxic and are harming them and so they found a way to not store anything on the device and yet be able to target users. This means it will be impossible to stop them from profiling and targeting users as users don’t control anything.<p>They are using privacy preserving techniques, and even if we assume they are doing it well, it just means that we will never get rid of the profiling and paying to get privacy will not happen with google services

Honestly, we don&#x27;t need a _replacement_ for third-party cookies. They&#x27;re not really necessary for anything.<p>There&#x27;s few websites that break without them (e.g.: logging into Atlassian), and that&#x27;s mostly due to bad design (given that every other login flow out there works fine).<p>Their main use has been to track people, hence, we don&#x27;t really need them at all.

&gt; The Sandbox isn’t about your privacy. It’s about Google’s bottom line. At the end of the day, Google is an advertising company that happens to make a browser.<p>It&#x27;s worse than that. Google is an advertising company that makes a browser (63.38% of browsers globally) and mobile operating system (72.48% of phones globally) to vertically integrate, controlling your privacy choices. They&#x27;re also trying their hand at PC&#x27;s (ChromeOS, 1.72% globally). They invent technology across the stack, providing software for free or paid, and open sourcing some to commoditise the technology and to starve competition. I&#x27;d be interested to see how many people use Gmail.<p><a href="https:&#x2F;&#x2F;gs.statcounter.com&#x2F;browser-market-share" rel="nofollow">https:&#x2F;&#x2F;gs.statcounter.com&#x2F;browser-market-share</a> <a href="https:&#x2F;&#x2F;gs.statcounter.com&#x2F;os-market-share&#x2F;mobile&#x2F;worldwide" rel="nofollow">https:&#x2F;&#x2F;gs.statcounter.com&#x2F;os-market-share&#x2F;mobile&#x2F;worldwide</a> <a href="https:&#x2F;&#x2F;gs.statcounter.com&#x2F;os-market-share&#x2F;desktop&#x2F;worldwide&#x2F;" rel="nofollow">https:&#x2F;&#x2F;gs.statcounter.com&#x2F;os-market-share&#x2F;desktop&#x2F;worldwide...</a>

Axios really needs to bring on some literate technical advisory.<p><i>&quot;Cookies are considered third-party data, or user data that&#x27;s collected indirectly from users via browsers or websites.&quot;</i><p>This statement seriously requires qualification. This is exactly what contributes to unreasonable regulation and confused users.

I don&#x27;t understand how retargeting would work with this?<p>Attributions is a big pain too.<p>Without those two things this simply makes google more valuable while killing everyone else who doesn&#x27;t have their own browser which tracks everything from your login, analytics on basically every website, and more.

Part of this is about the middle men. The NY Times cut off ad exchanges in EU and found it didn&#x27;t kill their ad business [1]. One thing it did do was cut out the middle companies doing the brokering. Google has made A LOT of money just being a middle company. Like a car dealership.<p>The proposed system deals with large groups and machine learning. It requires a browser ad on or changes to the browser. This is not approachable for startups, small businesses, or those who are independent. It&#x27;s targeted at Google and further helps solidify their position.<p>As people want to cut Google off from constantly monitoring them they are looking for ways to work around being cut off to keep the data flowing. Branding and marketing their work to make people want it.<p>[1] <a href="https:&#x2F;&#x2F;digiday.com&#x2F;media&#x2F;gumgumtest-new-york-times-gdpr-cut-off-ad-exchanges-europe-ad-revenue&#x2F;" rel="nofollow">https:&#x2F;&#x2F;digiday.com&#x2F;media&#x2F;gumgumtest-new-york-times-gdpr-cut...</a>

&gt; and would&#x27;ve been paralyzed without the ability to use some sort of anatomized data to target people with ads.<p>anatomized? Is that a typo for anonymized? Or does this mean something?

Recent and related: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25813601" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25813601</a>

This mainly looks like a push to remove even more user control over tracking. The spec says that the browser can return &#x27;random&#x27; data, but I suspect that Chrome won&#x27;t let you do that, or at least not for long.<p>Instead of the user disabling third-party cookies, every single page author would have to set a new HTTP header to have their page excluded from the machine learning.<p>It also looks like a massive GDPR pitfall. Say you track conversions to a campaign, and track what &quot;cohorts&quot; a user entered your sales pipeline through. The moment you connect this data to the customer, it&#x27;s personal data IMHO. If you operate in Europe, the user should be able to retrieve&#x2F;delete the data, and request it changed if they say it&#x27;s wrong.

Reading this article, which is targeted at advertisers, feels like how I imagine a cow would feel looking in the window of a butcher shop.

Extensions will spring up that will pollute the local storage to help in anonymity, increase the noise and reduce the real value.

Isn&#x27;t that what Brave browser is doing?

Federated means no &quot;theoretical&quot; access to the data. It doesn&#x27;t mean no &quot;practical&quot; access.

What if the user opts out at browser-level? It looks Google business will be very dependent on chrome product.

&quot;Hi early 2000s computer user, let&#x27;s make a deal:<p>I get full access to everything you do online, and get to do anything I want with the information. Perhaps I&#x27;ll use it to maybe target ads slightly better in some cases, and put myself into every value chain you&#x27;re involved with so I can get a cut at every step.<p>Oh, and I&#x27;ll do my best to move all computing online, so that &#x27;everything you do online&#x27; equals &#x27;everything you do with a computer&#x27;.<p>In exchange you&#x27;ll get a web browser that is at times more performant than the others. Hell, I&#x27;ll even throw in a free email account (where I can gather all the best bits of info)!<p>It&#x27;s a pretty good deal, don&#x27;t you think?&quot;

Additionally cookies are not bad, 3rd party cookies are not even necessarily bad. Tracking people is bad.

While we are discussing this, just wish HN readers to shed more light on a practice which I diligently follow.<p>Whenever I visit any website, courtesy the GDPR laws, we are asked to request the terms and cookies. I make it a point to disable all cookies (barring the strictly necessary ones), partners and also the &quot;Legitimate Interest&quot; section, where I click &quot;Object all&quot;, and then click &quot;Save and exit&quot;.<p>However, on many websites I don&#x27;t see any option to &quot;reject&quot; or &quot;object&quot; to cookies, partners, vendors and especially legitimate interest. Particularly concerned about Legitimate Interest since the number of vendors there is humongous.A good example of a site where we cannot choose would be the BBC[1]. We get an option only to read their terms and conditions but no option to reject and object.<p>1) Can anyone please guide how to reject to cookies on such sites where they don&#x27;t have a reject option present?<p>Also, in my iOS, in Safari settings, I have chosen &quot;Block all cookies&quot; to yes.<p>2) How far will blocking all cookies safeguard me from unscrupulous cookies? If my blocking all cookies is enabled in safari settings and suppose I visit some malicious site and accept their cookies, would the owners of malicious site be able to do anything sinister or adversarial to my privacy and integrity? Will the be able to breach my security?<p>Ref. → [1]<a href="https:&#x2F;&#x2F;www.bbc.co.uk&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.bbc.co.uk&#x2F;</a>

Already most of our CPU cycles are eaten up by ad-frameworks in our browser.<p>Now Google want to offload Machine Learning to our browser. That will be bad for battery life, electricity bills, and the environment.<p>On the other hand I use free software. So I can make a version of their extension that just claims that I am obsessed with Ironing. That will also make it easier for the Ad-blocker to do its filtering.

Good news for google shareholders: looks like google is returning back to its roots creating nightmarish ad tech tools to further their goal of turning the world into a digital panopticon. Bonus points for simultaneously crowding out competitors and further solidifying their ubiquity and monopoly.

Cookies work without any third party business involved. The proposed solution won&#x27;t work the same way. It will work only when using a third party business servers.<p>It is not a replacement. It is a proposal how to replace a free, standardized and open world wide web feature with a commercial service.

So if you just use Firefox or Safari instead this method wont work on you?

But this technology only works if you use Chrome as your browser correct?

It&#x27;s possible to imagine an alternative system to FLoC that was actually privacy respecting.<p>Say we had an Open, standardized, human-readable list of categories&#x2F;groups that people could opt into (rather than a bunch of on-the-fly groupings determined by an AI). We could give users the ability to choose 0-X of those categories that they want to associate with. We could even let them choose on a site-by-site basis, so they could decide how ads would be targeted (or if they would be targeted at all) on <i>parts</i> of the web.<p>We could build UIs that helped them with that. We could have easy ways to opt into or out of categories. We could allow them to turn on category suggestions, so with their permission if a user visited a site about a specific kind of product, we could show a one-click option in the browser to add themselves to an associated category and see ads for similar products.<p>We could allow them to group sites together and say things like, &quot;I want news sites that I visit to know that I&#x27;m looking to buy a specific brand of car, but I don&#x27;t want any of the car dealership sites that I&#x27;m looking at to know what brand I want.&quot;<p>For users that don&#x27;t want that level of detail, we could still have a &#x27;smart&#x27; system that consumers could run (clientside) that looked at the websites they visited, or even more personal data, and auto-placed them in categories without them needing to think about the system at all. They&#x27;d just need to select an option to let the browser handle all of their categories for them.<p>But importantly, all of this would be based on consent. And instead of offering users a single choice to opt out, they would have an entire spectrum of choices that allowed them to decide how they presented themselves online, what specific data they shared, and who they shared it with.<p>If users genuinely benefit from targeted ads, then they&#x27;ll opt into the system and pick categories that are relevant to them and send them to sites. If they think Google&#x27;s data collection is accurate, then they&#x27;ll turn on the smart system in Chrome that locally categorizes them. But at any point, for any site, they could choose to turn off the data entirely, or to add themselves to a specific category, or to remove themselves from a specific category. In human-understandable terms, they would know exactly what data they were transmitting to websites.<p>----<p>For all that Google says they&#x27;re working on data privacy, very few of their proposals, even their good proposals, approach privacy from an angle of giving users more control over their identities. Google is still stuck in a world where they think of data collection as something that has to happen without the users knowledge, without the user&#x27;s ability to easily inspect what&#x27;s going on, without the user&#x27;s ability to form multiple identities or even to just opt-into the system at all.<p>What I want is control over my data. And what Google (and companies like them) keep on saying is, &quot;we&#x27;ll be somewhat more responsible with your data, but only if we keep control of it.&quot;<p>And this represents a general attitude that comes up in so many modern tech products, from Youtube, to social feeds, to modern UI design, to device security. These companies are like a controlling, overbearing parent. People want agency over their ads&#x2F;recommendations&#x2F;feeds&#x2F;etc, but the companies think the problem is that they&#x27;re just not good enough at controlling all of that for us. It&#x27;s a way of thinking about UX&#x2F;product&#x2F;process that&#x27;s divorced from user consent and agency as an ideals that we should strive towards.

We wont solve this issue until we stop viewind advertising and increased consumption as healthy...

We live in the timeline where &quot;Alphabet to replace cookies&quot; is a legit headline.<p>What is the public understanding&#x2F;perception of cookies? The past couple of years since the implementation of the GDPR has probably been the biggest and weirdest public education campaign (done entirely through brief pseudo-consent popups).

I&#x27;m happy that HN has accepted a change in the article&#x27;s title, which appears as &quot;Google says it may have found a privacy-friendly substitute to cookies.&quot; This terminology -- &quot;found&quot; -- has been used by Google and others to imply that their capture of behavioral &quot;exhaust&quot; is somehow a natural phenomenon, rather than a conscious, deliberate, profit-driven choice. Google didn&#x27;t &quot;find&quot; a substitute. They are <i>developing it</i> because they are getting pushback from users and companies who object to their tracking methods and they&#x27;re desperate to find something that convinces users they&#x27;ve Really Changed This Time.<p>Don&#x27;t fall for it. Break up with Google. They are abusive.

sudo apt install chromium-browser

So they are now rebranding the fact that they are trying to monopolize the ad space?

Google has already lost the trust of being a company that remotely respects anybody&#x27;s privacy, if any at all. I would rather spend time on some other privacy proposals.

Netscape should have them &quot;herpes&quot; instead of &quot;cookies&quot;.

&quot;In a landmark decision, Google has decided to continue keeping the &quot;Don&#x27;t be evil&quot; principal off of their Company Principles list&quot;