Third-party cookies have got to go

This ship has sailed. The deprecation of 3rd party cookies will impact only the small ad-companies (the few that are still afloat)<p>The behemoths of the industry (GOOG, FB, MSFT, AMZN) have moved beyond cookies to tracking users at an ID level. And with data sharing agreements in place [1] the big guys can track users across the spectrum.<p>Personal anecdote: Couple of days back me and a buddy were chatting over WhatsApp about a particular college. Neither of us had any affiliation to this college, and the college had come up in passing. Couple of hours later, I began receiving ads on my Gmail about that _very same college_<p>Naysayers might refute and put it down to recency bias. But this is just one example. I have noticed many others where my data has moved between GOOG n FB products in almost real time.<p>The deprecation of 3rd party cookies will make the small time companies scramble to figure out alternatives, which will invariably be super expensive. Thereby leading to further deaths of the independent entities.<p>So who is going to benefit from this deprecation? GOOG&#x2F;FB&#x2F;MSFT&#x2F;AMZN again. Yay!<p>[1] <a href="https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;technology&#x2F;google-secretly-gave-facebook-perks-data-in-ad-deal-us-states-allege-idUSKBN28Q37G&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;technology&#x2F;google-secretly-g...</a>

As if this would change anything.<p>The idea of third party cookies being bad is a reflection of the current state, not a methodology.<p>What happens if third party cookies are blocked?<p>Websites will just add a CNAME entry that points to whatever service they were using before. Then it&#x27;s a second party (subdomain) cookie.<p>We need a different methodology how to keep cookies but limit their lifetime, reach, and damage they can do for its users, and a better unified authentication method that can also be spoofed&#x2F;faked if websites become hostile. They need to be sandboxed, per URL scopes, not per domain.<p>We need to change the way of thinking of trust. Don&#x27;t trust any website by default, only trust it once the user regularly visits it, or maybe set an allowed cookie lifetime per website after the user logs in.<p>But the current way of thinking about this problem led to the shithole that is XSS, session stealing and everything related to it.<p>Source: attempted to build my own browser that wanted to fix this and eventually had to give up

&gt; The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies.<p>We don&#x27;t need &quot;effective&quot; alternatives to third-party cookies. The only reason that&#x27;s even considered is because the advertising industry has captured the browser market and are using that control to ensure their continued ability to track users.<p>In fact, blocking third-party cookies is not nearly enough. We need to make sure most users have the capability to block all online ads.

When browsers finally step up and start managing cookies properly for once, can we finally get rid of the silly cookie banners?<p>I still find it odd how I&#x27;m constantly being asked if I&#x27;m fine with a website storing information in a place I have full control over. In theory it&#x27;s the perfect method, privacy wise, it&#x27;s just the user-agents who have dropped the ball massively.

One side has money and power over changing the browser behaviour (Google and advertisers). They can use money for lobbying almost anything they need in all contries. They own almost all levels in the web tech stack.<p>Another side has nothing (users). No power, no comparable money.<p>I would not bet even $1 on users.

&gt; They can be helpful for use cases like login and single sign-on, or putting shopping choices into a cart<p>this doesn&#x27;t make sense. if you&#x27;re just solving oauth without cookies, solve oauth without cookies. make an oauth spec. (isn&#x27;t passkeys supposed to solve oauth?)<p>also oauth uses redirects and query params I thought. I wonder if by &#x27;single sign on&#x27; they mean &#x27;tracking by google but not rando 3rd parties&#x27;<p>let&#x27;s say SSO is an actual exceptional case where 3p cookies are useful. oauth + similar flows are miserable and nonstandard. make everyone happy with you one time in your life W3 group and standardize oauth. literally take whatever oauthlib and passport support today and encode them into a standard<p>not sure why shopping carts need to be third party; in the shopify case, shopify is hosting the store and the cart. if a cart legit needs to be shared across sites ... use oauth

I find it hard to believe Google will let go of their golden goose. It&#x27;s too risky for them.