No need to read the details
If it is a proposal from Google I know it is privacy raping and benefits only them.
Last week, third-party cookies received a stay of execution from Google that will allow them to survive until late 2023 – almost two years beyond their previously declared decommission date. But the search-ads-and-apps biz is already planning a resurrection of sorts because third-party cookies are just too useful. The …
Never mind that Google, like every corporation, is staffed by individual human beings, many of whom care a lot about privacy, and occasionally even get to express those positions publicly from their work email address. No, it came from Google so it must be bad.
Why should they make any effort to improve privacy if no one is going to even acknowledge it when they do?
So Google think they can put an acronym into the wild, and no one will call them out on it :o)
[ Google's CHIPs proposal – Cookies Having Independent Partitioned State ]
doesn't really roll off the tongue does it :o)
C - annot
H - ave
I - t
P - erforming
S - atisfactorily
but we here at El Reg will always have your back with our very own TITSUP, used in any situation where you need to look good, but just know it's going to go TITSUP :o)
T - otally
I - mmersive
T - ech
S - uspends
U - sers
P - rivacy
"But doing so has created problems by interfering with applications that rely on third-party cookies to deliver services across domain contexts."
Any applications that rely on third-party cookies to deliver services are broken and should be fixed.
Google can go fuck itself and so can the Reg if it actually believes that the use of third party cookies can be justified in any way whatsoever.
to deliver services across domain contexts
I think the author might have misspelled "advertising".
Not sure why the parent post garnered downvotes: on legal grounds alone a "service" can't rely on the exchange of personally-identifiable information with a third party.
There's a big enough hole in this already in that cookies from different subdomains can be considered "first party" so co-operating entities can already get round third-party blocks by misuse of DNS. And then there's the cross-origin policy framework for web pages which effectively allows the website to choose who it leaks data to rather than the user.
The only defensible policy I can see is same origin for everything (and that includes scripts and media) without explicit, informed consent. If that threatens your business model then you need to find a solution that provides the same level of protection - and this isn't it.
> Any applications that rely on third-party cookies to deliver services are broken and should be fixed.
So if I want to be able to see roughly how many people visit my website, and use a paid-for analytics service that sets a cookie to do this, I... shouldn't? That seems a bit silly.
It may seem silly. It may even be harmless in your specific case.
However, in general, if your site is passing information on its visitors to a third party and that third party is getting similar information from other sites then that third party is potentially in a position to make inferences from the behaviour of your unwary visitor, potentially to the extent of identifying them and tracking their browsing habits across all the other sites doing the same as you.
That's a high price others are paying for your convenience.
That's not a price they are paying. In theory any step in the technical supply chain could be doing illegal things, but that doesn't stop us using networks or ISPs or outsourcing the design/creation/procurement/running of hardware, OSes, drivers, networking appliances, etc etc. Why special case this?
So if I want to be able to see roughly how many people visit my website, and use a paid-for analytics service that sets a cookie to do this, I... shouldn't?
Yes, you may, but not with external cookies. You can, for example, embed your own - 1st party - cookie, and each time that cookie is found by your website, your server queries the paid-for service's server. Thus, you will be in contact with your service provider, and not your visitors (who don't care about how many people visit your site).
If there's a need, there will be an offer and I'm sure there will be 3rd party providers to propose this service. Of course, the big loser will be Google because it will have to play on level playing field with other service providers.
Your analytics would not see me as their cookies are blocked (analytics only work if users are not blocking various cookies).
However, your web server logs would get my IP address so in my "visit" case would be more useful than analytics.
Yes, I know IP does not mean a unique user, could be a whole company behind it, might be from a VPN, Tor exit node, whatever, but limited data beats zero data.
More acceptable to whom?
I am unconvinced that there are any acceptable use cases for third party cookies. And the number of cookies which need to be set by first parties is really rather small, too - as shown by the number of websites which now offer to save only essential cookies (login status and the like).
I have set Firefox to not allow 3rd party cookies and not yet experienced any noticeable problem with any websites I've visited.
It's just Google worried that their bottom line is going to be affected as they won't be able to charge as much for targeted ads if the browsers all block 3rd party cookies.
My Firefox allows all cookies. The Cookie Auto Destroy add-on will nuke those that aren't from a whitelisted site after about twenty seconds.
So, a site can have enough cookie to get the page loaded (and it's disturbing how many sites splatter information all over the place). After that, bye bye.
"neither your nor my addon works on mobile."
Yes it does. Cookie AutoDelete 3.0.2 running on Firefox 60.0.2 for Android. It's what I'm using right now.
"some sites like Medium seem able to track effectively even with"
There are no doubt other methods (that stuff that Chrome refers to as "site data" as distinct from cookies). It's a bit of a game of whack-a-mole. :(
I don't care what Google proposes. Whatever it is is only destined to keep the money flowing in and our privacy being sold out.
I'd vote to simply make the creation of cookies on a user's computer a crime. That would solve a lot of security problems and would force all corporations to stop treating customers as sheep to be shorn and then cooked and sold to other lambs for lunch.
It would be a start to cleaning the Internet (yes, just a small start) because storing cookies is like a happy pandemic for corporations.
"For example, Google has a proposal called First-Party Sets that would make different domains (e.g. apple.com and icloud.com) owned by the same company function as a single first-party domain for the purpose of cookies."
A prime example of confusing crap created just to get around the stupid decisions made by marketing people. There is an EXTREMELY simple and obvious solution to the "problem" stated above. One that nobody would be confused by. Which is just to use apple.com. And redirect from the superfluous second domain to the first.
IE6 was considered to be 'The Internet' by millions.
Who decided that Google owns the Internet? I'm sure that they didn't ask the users while they slurped and slurped and slurped data on each and every one of us.
They seem to be deciding on the protocols and everything else that goes on over the interweb.
If they carry on like this then the anti-trust hawks all over the world will start hitting them hard and severely limiting what they can do.
Personally, I hope that Google gets broken up into a million little pieces and dies a slow painful death.
> IE6 was considered to be 'The Internet' by millions.
> Who decided that Google owns the Internet?
Same people: The mindless, ignorant masses who neither want nor can bother about such obscure issues as "choice", "privacy" and other clearly metaphysical stuff. Those "nothing to hide" people who never pondered why rest rooms have doors or changing cubicles were invented.
Google wasn't coy about its goal to take over the Internet: At some time in the past it used its wealth to make sure whatever you installed on your computer also silently installed Chrome and made it silently the default browser. For years... If only I was paid a dollar for every Chrome I had to uninstall back then from my relatives' or my own computers...
Now Google rules the web and it knows it. They don't need to bother to play nice, they just don't need to pretend anymore. Nobody can or will harm them, politicians can and will be bought as needed, and any bad feelings of the crowds will be dealt with with some shiny beads and mirrors, it's all it takes.
The only real danger for Google today is that it becomes utterly uncool, MySpace-level of uncool, and for this to happen a competitor would have to rise, capture the masses' attention and offer more compelling competing services. Difficult at least, and chances are that newcomer might make us miss our quaint old uncle Google and his stained trench coat dearly... Rocks and hard places come to mind.
If they carry on like this then the anti-trust hawks all over the world will start hitting them hard...
Actually, I'm surprised it didn't already happen. Android (the Play Store really) and Search (can include Maps and Mail) should be split into different entities. That would solve the monopoly problem.
Google should not be allowed to do business in the UK until they:
- Split into independent companies - you cannot run a search engine and advertising company at the same time, it's a conflict of interest
- Start paying right amount of tax. They should disclose all offshore arrangements and any avoidance schemes they use and then pay any missing tax for the last 20 years.
- Any service of theirs should have an option to pay a subscription or one off fee instead of pretending it is free and harvesting users' data as a payment.
- They should start paying fair wages to the UK employees. Perhaps there should be 1:10 salary spread ratio mandated for big companies, so that the workers can enjoy the value they produce, not just managers and CEOs.
- Google should allow access to its search database for 3rd parties at a cost, so that alternative search engines can operate.
I could probably go on forever...
> Google should not be allowed to do business in the UK until they:
- Lobby enough and promise shiny positions to key politicians and their families.
Fixed it for you... Money talks, and Google has a lot of money to do their talking for them. While I agree with all you wrote, it's utterly utopian and will obviously never ever be even considered.
> you cannot run a search engine and advertising company at the same time, it's a conflict of interest.
Then how is the free search engine funded?
The same conflict of interest argument could be made about news websites, or print newspapers for that matter, and yet somehow we get by without being ensnared by the advertisers.
It isn't, and it ceases to exist. If people plunked a penny each time they wanted to search the Internet, they start having skin in the game and start caring about quality. Not only that, this creates a legally-binding transaction, meaning sales contracts and laws concerning them come into play, putting the providers under scrutiny.
As for other media, newspapers are still sold, even with advertisements. Plus, non-Internet media has the inherent disadvantage (inherent in our case) of lack of specificity.
"Google should not be allowed to do business in the UK until they:"
Have you any idea how many schools rely on Chromebooks and Google services these days? That's just one example of Google's "too big to fail" power they have these days. You can't just say "ban Google until they change" any more. That ship sailed long ago.
It's the websites themselves that deliberately choose to share information. It just happens to be via third-party cookies, as they are easy to use and trust. If not via cookies, websites will share user data through other means.
At least for cookies, the user has some control over it. Like, I can technically block Google cookies on El Reg. But if this data sharing turns into a model between servers only, there won't be much a user can do except for stopping to use services entirely.
The right problem is: how do you stop websites/companies from having to sell user data?
> How do you fix Stupid from taking the rest of us with them while they shout, "Shut up and take my privacy!"?
Can't. Since that's the desirable opinion, it will be advertised ("Trending") and put forward: "See, other people want this, so why don't you? Don't you have rights too? Join the fun!"
No. They can connect server-side to the third party, and transfer browser fingerprints / IP addresses etc., and the third party can try to collate this, but this is hit and miss.
You can't do reliably server side what they currently do with cookies.
Now, they could do it with first party cookies - the server would relay the first-party cookie to the third party server, and relay back a response, but you'd still need to have first party cookies enabled.
You say that at the moment you're in control, but how do you know they aren't doing this already?
"No. They can connect server-side to the third party, and transfer browser fingerprints / IP addresses etc., and the third party can try to collate this, but this is hit and miss."
But constantly improving. Soon, basic fingerprinting using essential elements will be unique enough to disregard cookies for everything but shopping carts.
...aims to implement multiple technical specifications that change how online advertising works in the browser.
So the world's largest advertising broker is changing the way advertising works, without telling anyone else in the business what they'll need to work with in the future?
I predict the great-grandmother of all arse-reamings from the competition authorities.
> if the users have not yet created an account and the support widget is helping them sign up, then retail.com would have no notion of identity to forward to support.chat.com
If the user does not have an account then retail.com has no relationship with them and no history that might be useful to the support service. There is no need for them to identify a potential user of their services to a third party purely to provide support when signing up. None.
That Google think everyone should be identified to every company and third party online shows the root of the problem. Chrome will never be secure and protect privacy because Google don't even know what security and privacy are, their engineers can't even wrap their heads around the concept.
With the example, support.chat.com really needs to work without an account
I recently tried logging into an account I have with an on-line service, had an error message, stopping me logging in, but it looked like some internal error, rather than something I did.
Noticed a link to their help system, which was a chat system (so I assume a bot). So clicked it, got the message back "You need to be logged in to use the help service, click here to login" !!!