Google Chrome coders really, truly, absolutely ready to cull third-party cookies from 2024

Google on Monday began the formalities of phasing out third-party cookies from Chrome during the first quarter of 2024, signaling the beginning of the end for legacy online advertising.

It will be a baby step, with just one percent of Chrome browsers tossing their third-party cookies initially. That's still a significant number, given estimates of 3 billion or so Chrome users. And in any event, it's a milestone that marks a major transition for the internet economy.

The Chocolate Factory clarified its cookie-killing timeline in May and confirmed that schedule last month. The one percent will be selected in early 2024, and from the third quarter of that year, the phase-out of third-party cookies will likely expand.

With the publication of its notice of intent to deprecate and remove third-party cookies, those involved in the development of Google's Chrome browser and its associated Chromium open source project now have more specific guidance.

HTTP Cookies are scraps of information defined by websites and stored by your browser on your computer or device. Like little private notes left on your machine by the sites you visit that can be accessed again in future by those sites, typically allowing them to pick up where you left off. When you log into a site, it will set a cookie so that when you return to that website, it can inspect the cookie and figure out which user you are. Technically speaking, cookies are key-value pairs of data set and retrieved by webpages.

They're used mainly for staying logged into sites; personalizing the appearance of a page; and tracking your activities. When used in a Related Sites context (the cookie is written and read by the website being visited), they're not particularly controversial. But when used in a third-party context (set by a third-party tracking script included on the Related Sites website), they pose a privacy problem in that they allow organizations to conduct cross-site tracking.

Essentially, you can end up surfing from site to site, each allowing a third-party cookie to be stored and then subsequently retrieved, allowing whoever manages that third-party cookie to monitor the pages you've visited and therefore the things you're into, and use that insight to target you with ads and other marketing. Chrome is doing away with those kinds of cookies.

Other browser makers such as Apple, Brave, and Mozilla have already begun blocking third-party cookies by default. Google Chrome and Microsoft Edge provide that option, just not out of the box.

Since 2019 – after it became clear that European data protection rules would require rethinking how online ads work – Google has been building a set of ostensibly privacy-preserving ad tech APIs known as the Privacy Sandbox. The stated goal of this toolkit is to mitigate ongoing privacy problems like cross-site tracking and browser fingerprinting while preserving the ability to deliver targeted ads.

One element of the sandbox is the Topics API: that allows websites to ask Chrome directly what the user is interested in, based on their browser history, so that targeted ads can be shown. Thus, no need for any tracking cookies set by marketers following you around, though it means Chrome squealing on you unless you tell it not to.

• Google's third-party cookie culling to begin in Q1 2024 ... for 1% of Chrome users
• Google Chrome Privacy Sandbox open to all: Now websites can tap into your habits directly for ads
• EFF urges Chrome users to get out of the Privacy Sandbox
• Google Chrome pushes ahead with targeted ads based on your browser history

As Google senior software engineer Johann Hofmann observed in his aforementioned notice, the phaseout of third-party cookies and shift to Privacy Sandbox technology – in Chrome at least – is a significant change in the status quo.

"As one of the most impactful changes to the web platform in a long time, the deprecation of 3rd party cookies and the introduction of alternative APIs have received a lot of helpful feedback from web developers to an extent impossible to summarize in a few sentences," said Hofmann.

"As described in the summary, the Privacy Sandbox wants to ensure that a vibrant, freely accessible web can exist even as we roll out strong user protections and we will continue to work with web developers to understand their use cases and ship the right (privacy-preserving) APIs."

The impact of replacing the technical foundation of internet advertising while marketers are still doing business on the premises hasn't been lost on regulators, who have been trying to ensure that Google builds a level-playing field – something critical lobbying groups have disputed. Thus Google has agreed to make specific commitments to the UK's Competition and Markets Authority (CMA) to allay concerns that the Privacy Sandbox doesn't become a killzone for competitors.

One of the issues that has been raised is that advertisers who previously relied on third-party cookies will have a lot less data to make decisions while Google will continue to have insight into online activities because many people use Chrome while signed-in to their Google Accounts. While it seems unlikely that watchdogs want to ensure that every marketer operates from an equal level of informational wealth, competitors have a unique opportunity to hamstring the ad giant by raising the alarm amid its antitrust trials and inquiries around the globe.

Lukasz Olejnik, independent privacy researcher, consultant, and author of Philosophy of Cybersecurity, told The Register in an email that the pending cookie phaseout marks "a substantial conceptual and architectural evolution, with privacy consideration at its core."

"This large system migration is a big challenge of great significance. It deploys privacy-improving changes to ad tech and the advertising ecosystem," said Olejnik. "This system is, nonetheless, fragile. Its analysis is complex. And full implications of the migration are still not fully apparent."

Olejnik said while it can be argued that web browsers including Safari and Firefox have already dealt with third-party cookies, Chrome has a far larger user base.

The UK Competition and Markets Authority became a de facto world technology regulator in this particular case

"It has a prosaic consequence that Chrome's migration was carefully scrutinized by competition regulators in Australia, the EU, and most prominently the UK Competition and Markets Authority, which became a de facto world technology and competition regulator in this particular case.

"Indeed, the EU probe adds to the uncertainty, but so are the CMA process-defined standstill periods and decisions subject to the CMA approval. This is also why the migration is not only about software and standardization. It is also a question of regulations. It is, in fact, a well-regulated territory, subject to competition and data protection laws."

Olejnik said the third-party cookie phaseout is a necessary first step and that it would be unsurprising if the effort takes longer than expected and drags on until 2025. He also anticipates that some of the Privacy Sandbox APIs may require further refinement and that some forms of tracking may persist a bit longer as a result.

Indeed, as browser devs attempt to stamp out cross-site tracking in their own ways, there's still work to be done hammering out an agreed definition of cross-site in the context of cookies and how those kinds of cookies will work in terms of security. As Hofmann observes, Google is working with other browser makers to settle on common security practices for the sake of interoperability. This comes up in scenarios like Salesforce for Microsoft Teams, where Salesforce services utilize Microsoft authentication services and blocking Microsoft as a third-party would cause things to break.

Part of the reason for the incremental third-party cookie phase out is to deal with website breakage. "Despite [third-party cookies] already being blocked in Firefox and Safari and developer outreach efforts to raise awareness and encourage developers to prepare for the deprecation, we currently estimate that a non-trivial number of sites are still relying on third-party cookies for some user-facing functionality," Hofmann said.

The Electronic Frontier Foundation, which has been critical of Google's Privacy Sandbox, offered a more cautious take on the sunset of cookies and what comes next.

"The web in general is rapidly moving away from third-party cookies, with Firefox and Safari leading the way," said EFF senior staff technologist Jacob Hoffman-Andrews in an email to The Register. "When Google Chrome finishes the project on some unspecified date in the future, it will be a great day for privacy on the web.

"According to the announcement, the actual phased rollout is slated to begin in Q3 2024, with no stated deadline to reach 100 percent. Let's hope Google's advertising wing does not excessively delay these critical privacy improvements."

Peter Snyder, VP of privacy engineering at Brave Software, which makes the Brave browser, told The Register in an email that the cookie cutoff and Privacy Sandbox remains problematic as far as Brave is concerned.

"Replacing third-party cookies with Privacy Sandbox won't change the fact that Google Chrome has the worst privacy protections of any major browser, and we’re very concerned about their upcoming plans," he said.

"Google’s turtle-paced removal of third-party cookies comes along with a large number of other changes, which when taken together, seriously harm the progress other browsers are making towards a user-first, privacy-protecting Web."

"Recent Google Chrome changes restrict the ability for users to modify, make private, and harden their Web experience (Manifest v3), broadcasting users’ interests to websites they visit (Topics), dissolving privacy boundaries on the Web (Related Sites), offloading the battery-draining costs of ad auctions on users (FLEDGE/Protected Audience API), and reducing user control and Web transparency (Signed Exchange/WebBundles)," Snyder explained. "And this is only a small list of examples from a much longer list of harmful changes being shipped in Chrome."

Snyder said Google has characterized the removal of third-party cookies as getting serious about privacy, but he argued the truth is the opposite.

"Other browsers have shown that a more private, more user-serving Web is possible," he said. "Google removing third-party cookies should be more accurately understood as the smallest possible change it can make without harming Google’s true priority: its own advertising business."

Knowing Brave would have a few words to say about Chrome's cookie cull and Privacy Sandbox, a spokesperson for Google told us: “Improving user privacy requires building privacy-preserving alternatives that support the critical needs of the digital ecosystem. Some browsers and operating systems have attempted to improve privacy by restricting existing user identifiers, like third-party cookies, without having such alternatives in place.

"This approach backfires on protecting people’s privacy.

"When platforms have attempted these blunt approaches to improve privacy, researchers have noted that more covert forms of cross-site tracking have proliferated. Tracking and profiling users with techniques like browser fingerprinting or identifiers based on user personal identifiable information (such as email addresses) means less privacy, control, and transparency. This is a bad outcome for users and the internet as a whole." ®