back to article Google's plan to drop third-party cookies in Chrome crumbles

Google no longer intends to drop support for third-party cookies – the online identifiers used by the ad industry to track people and target them with ads based on their online activities. In a Monday post, Anthony Chavez, VP of Google's Privacy Sandbox, revealed that the search and ads giant has come to understand that its …

  1. Anonymous Coward
    Anonymous Coward

    Firefox

    Just set Firefox to strict enhanced tracking protection. Presto, 3rd party cookies blocked.

    I've been running it like that for years. Sure, it breaks a few sites, but I didn't want those sites to load anyway.

    Why are you still using Chrome?

    1. Jamie Jones Silver badge
      WTF?

      Huh?

      Google Chrome - Version 127.0.6533.50 (Official Build) beta (64-bit)

      Navigate through the security menu, or use these URLs directly:

      chrome://settings/cookies -- Enable "Block third party cookies."

      chrome://settings/content/siteData - Enable "Delete all cookies and site data on exit."

      Both pages allow white listing of domains, if required.

      1. sev.monster Silver badge

        Re: Huh?

        ETP does a lot more than just block 3rd party cookies. OP didn't really do it justice. I'd recommend looking a bit more into it. The user experience is also way better, with a quick toggle in the address bar.

      2. Jamie Jones Silver badge
        FAIL

        Re: Huh?

        LOL, I'm no Google fanbois by a long shot, but the rabid froth-at-the-mouth downvoters on a factual response make me laugh!

      3. O'Reg Inalsin

        Re: Huh?

        Let me just explain how I recently found Googles setting to be less than perfectly transparent:

        I have pihole set up. Nevertheless, I recently found that running the same site in both Firefox and Chromium produced different ad blocking results.

        - On Firefox, Pihole successfully blocked ads (ads which are not embedded).

        - On Chromium, those same ads were not blocked.

        (I don't use ad blocker extensions on either Browser).

        For a specific example site known the include 3rd party ads: "Why Using an Ad Blocker Is Stealing (Op-Ed) Opinion" on Tom's Hardware (recently referenced by another Reg reader).

        Chromium has a setting under Security (not under Privacy): Use secure DNS. Make it harder for people with access to your internet traffic to see which sites you visit. Chromium uses a secure connection to look up a site's IP address in the DNS (Domain Name System).

        Google gives the following argument as to why DoH is good for you: Motivation: Most DNS resolution today occurs over an unencrypted channel. This is bad for privacy and for security reasons. Anyone who is on-path can eavesdrop on your browsing habits or even tamper with the resolution to have you navigate to a phishing website or an “access blocked” page for censored sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples).

        Nevertheless, I checked the DoH setting and found it was ON, despite having long ago turned it OFF because it prevents PiHole from working to block ads. So I turned DoH off AGAIN and even rebooted the system. Still the ads on Chromium were NOT blocked. No problem - it's DNS cache, I thought. So I brought up "chrome://net-internals/#dns" and pressed the "Clear Host Cache" button. Still the ads were not getting blocked. So I rebooted the system to clear the Chromium cache - Still the ads were not getting blocked :(

        Finally I added "dns.google" to the PiHole blacklist, and rebooted the system again and FINALLY the ads in Chromium were blocked :) "dns.google" is the endpoint for Googles DoH.

        So it appears that Chromium is programmed to use DoH with endpoint dns.google for ads (at least if the ads are otherwise blocked), even when Chromium is set not to use DoH. AND the clear DNS cache setting doesn't actually clear the DNS cache, at least not for ads.

        So sure - many of the "privacy" settings are even working today as expected, and so of course we should thank Google for their kindness. But we should also follow Russian proverb "doveryai, no proveryai (доверяй, но проверяй)" which means "Trust, but verify" - at regular intervals. It is a cold, cold warld out there.

        1. Rich 2 Silver badge

          Re: Huh?

          DoH is snake oil. It serves no purpose other than to give Google a list of all the websites you visit.

          The arguments for it are nonsense; primarily is the one about your ISP knowing your dns queries. So what? Firstly, they probably don’t care. And if YOU care that they know, then the ISP will know where you’re connecting to by a reverse-dns query on your final connection to the remote host (the one you make just after your really secure DoH query)

          The other argument is DNS spoofing. While not unknown, as long as you select a reliable dns service (run your own or - shocking thought! - use the one your ISP makes available) for 99.999% of people, this is a non-issue

          1. nagyeger
            Black Helicopters

            Re: Huh?

            The other reason that DoH is mostly snake oil is that for https to work at all on a shared server, the browser has to send the intended site name unencrypted at the start of the request. I.e. https encrypts content, but sites visited is almost as public as a DNS request. I say mostly and almost, because redirecting all DNS traffic to your local X-letter agency so they can send the agents to the right cafe / train station when you dare to look for theregister.co.uk instead of the approved .com variety is much less resource-hungry than installing a suitable packet filter to strip the relevant bytes off an https header on all potential ports.

            But for your local common or garden mafia-front coffee shop, it's easiest to just assume that they know what you're doing unless you've got peril sensitive, screen-decrypting sunglasses and a VPN.

    2. Falmari Silver badge

      Re: Firefox

      Don't most browsers even Chromium bases ones have the option to block 3rd party cookies?

      I use vivaldi and it has tracking and ad blocking and 3rd party cookies blocking.

      Even Edge has tracking and 3rd party cookies blocking.

      1. Dan 55 Silver badge

        Re: Firefox

        Strict enhanced tracking protection is a bit more than that, but it does break some sites.

    3. Wade Burchette

      Re: Firefox

      Firefox also has their problems with privacy. Starting with version 128, Mozilla added an option "Allow websites to perform privacy-preserving ad measurement". Mozilla didn't openly tell you about this option, and it was turned on by default. From my point of view, "ad measurement" is just as wrong as third party cookie tracking and everything else Google does to track you.

    4. CowHorseFrog Silver badge

      Re: Firefox

      Given FF recent moves, how longer before that option is killed ?

      1. sev.monster Silver badge

        Re: Firefox

        ETP is a major selling point for Firefox over Chrome right now, branding-wise. Everyone interested in what ETP can do surely knows Privacy Sandbox is a joke, so Mozilla has a vested interest in not changing it for now.

        Mozilla is no saint, they just happen to be doing better than the other guys. I wait with bated breath to see how they footgun themselves this time.

  2. Cincinnataroo

    More choices than that have always been available

    Google intends to let Chrome users choose whether to play in its Privacy Sandbox, or in the adjacent land of data surveillance where third-party cookies support all manner of information gathering.

    Whaat? There have always been choices to switch off 3rd party cookies entirely. (Or with exceptions should you wish!)

    This statement is, and afaict, has always been misleading. The choices are:

    1. No cookies stored at all (clear when it shuts)

    2. No third party cookies

    3. No third party cookies with exception that you choose

    4. All the cookies that can eat you, if you want

    5. Weird untrusted "other stuff" like privacy sandbox

    6. The great unmentioned area of local storage which should have equivalent controls

    I reckon that people who accept the defaults get all they deserve, but that's a separate story. (One solution is you have to switch it all on (opt in), or you're forced to set each and every one when you fresh install a browser.)

    What some users want is in-browser-tools to examine, copy, delete, and edit cookies as they choose. Linked to analysis tools so that they can see what the cookie setters are up to, if they choose.

    1. Jamie Jones Silver badge
    2. sev.monster Silver badge

      Re: More choices than that have always been available

      Firefox adds First Party Isolation to this list, where each site has its own cookie jar, so third party cookies can't track you cross domain. FPI, Enhanced Tracking Protection, Fingerprinting Protection (different from the soon-to-be legacy Resist Fingerprinting)... Chrome has no answer to this, and Privacy Sandbox is a suspiciously named red herring that they've dressed up as a koi.

      Also, both Firefox and Chrome have cookie editors built in to the inspector... and Firefox has a UI to see all sites with saved cookies. I believe Chrome and derivatives do too but it's been a while since I've used Chrome.

      1. zimzam

        Re: More choices than that have always been available

        I've been using FPI for a couple of years, it warns of site-breaking as always but I've never come across that (I often wonder if by "site" they actually mean "ads"). It's just a shame that they've still never added this to the settings page, you still have to enable it through about:config.

        1. sev.monster Silver badge

          Re: More choices than that have always been available

          Highly recommend LibreWolf which is a privacy-by-default fork of Firefox. You have to do a little work to get it to stop breaking websites, but honestly the exercise is good for the user to understand the features on offer, and how it affects their security and privacy footprint. It also adds a number of settings toggles for some of these features.

  3. This post has been deleted by its author

  4. sev.monster Silver badge

    "In light of this, we are proposing an updated approach that elevates user choice," wrote Chavez. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time."

    Yeah, an informed choice to "who do I want to track me across the Internet and build advertising profiles about my habits"?

    How about neither and we call it good?

  5. Anonymous Coward
    Anonymous Coward

    Who’s clicking anyway?

    Who actually clicks on and follows advertising links?

    Tracking aside, who’s supporting these parasites?

    Or are advertisers just happy with being seen?

    1. sev.monster Silver badge

      Re: Who’s clicking anyway?

      Unfortunately, we are a minority. There are plenty of people out there that click on ads, and they're especially more likely to click on ads if they're targeted at their interests. I mean, imagine if the advertisement is for something you already need. Got a cat? Here's an ad for 50% off your favorite brand. click

      1. Mishak Silver badge

        Re: Who’s clicking anyway?

        Except they seem to be more like "You know you bought a new fridge last week after lots of browsing? What about this great deal on one you no longer need?".

      2. Headley_Grange Silver badge

        Re: Who’s clicking anyway?

        Last Christmas at home the house resonated with annoying ads playing on phones as the rest of my family seemed to click on absolutely anything that was put in front of them.

        1. -maniax-

          Re: Who’s clicking anyway?

          Until people have experienced the "clean" web of being behind a decent ad\tracking blocker many people don't realise just how bad the open web experience is.

          Having said that there's still more than enough people who would still choose the open web over a "clean" web either because it's what they're used to or because, for some perverse reason, they enjoy looking at ads and it's people like that that keep the advertising slime in business

          1. ArrZarr Silver badge

            Re: Who’s clicking anyway?

            How dare you, I'm not slime!

            Definitely some kind of unpleasant insect instead.

    2. Anonymous Coward
      Anonymous Coward

      Re: Who’s clicking anyway?

      But it is a security warning about my computer being vulnerable to malware! I have to click the warning, enter my credit card details, and install this program... to renew my subscription like it says!

      Then once I have done that, there is a single lady in my area who is desperate for my cock...

      1. Anonymous Coward
        Anonymous Coward

        Re: Who’s clicking anyway?

        We've all been there. Amiright?

      2. Anonymous Coward
        Anonymous Coward

        Re: Who’s clicking anyway?

        You have chickens? Would you sell me some eggs? Unless you already gave them to the single lady.

    3. CowHorseFrog Silver badge

      Re: Who’s clicking anyway?

      Advertising is the new bullshit.

      Religion was the old bullshit.

      Its hard to appreciate why advertisers would be soo dumb to pay for advertising when the return is so poor.

      Take car ads...

      People buy new cars ata best once every 5 years, and yet dozens of brands are running 1000s of ads a year.

      How fucking bad is that return ?

      1. Roj Blake Silver badge

        Re: Who’s clicking anyway?

        Advertisers are fully aware that half of the money they spend is wasted. The problem is, they don't know which half.

        1. CowHorseFrog Silver badge

          Re: Who’s clicking anyway?

          Only Half ?

          Are you really going to tell me, that the public buy half of all the ads they see on YT ?

          Remember your words, you are the one who said half.

      2. Mike007 Bronze badge

        Re: Who’s clicking anyway?

        If I pay £1 million for an advertising campaign targeting 1 million people, and 5% of them buy a car where I make £5,000 profit... I'm happy.

        A bit like asking why people bother sending out 1 million scam emails if there are only 5 victims. If the cost of sending the emails (time/effort as well as financial) is lower than the money I get from draining those 5 victims bank accounts then it makes sense to send out another spam run...

        1. CowHorseFrog Silver badge

          Re: Who’s clicking anyway?

          mike007: If I pay £1 million for an advertising campaign targeting 1 million people, and 5% of them buy a car where I make £5,000 profit... I'm happy.

          cow: Have you got any proof for these numbers you are sharing ?

          Your numbers simply dont make sense....

          There are at more than 20 different car brands around the world, they are all buying millions if not billions of dollars of ads. Half of the audience are kids. No kid under 15 anywhere in the world is buying a car.

          There are far more than 20 car brands, and given half of the audience are kids, that means 50% of the audience can actually buy a car. How does 50 car brands get 5% return when only 50% of the audience can buy a car ? I havent even attempted to address the fact that many people simply cant afford to buy a car if they wanted too because they cant afford one.

  6. John Robson Silver badge

    I want to have a browser that asks me when cookies are *read*, I don't care about cookies being written.

    There are almost no cookies that should ever be read though.

    1. Mishak Silver badge

      I must be missing something. The point of a write-only cookie is ... ?

      1. John Robson Silver badge

        The point of any cookie is?

        The risk of cookies is always when they're read back to correlate with other data. If your browser reports what cookies a site tried to read, and allowed you to select those which should be visible then you can stay logged in to the relevant sites, and not let the ad companies read anything.

        So rather than having to continually say "don't write this", just write them all, and deny any read attempts (logging them into a sidebar). If I have a site that doesn't work then I can open that sidebar and allow that site to read that cookie.

        1. zimzam

          Isn't that what blocking cross-site tracking does?

        2. ArrZarr Silver badge

          If you prevent any attempt to read from cookies, you'll get hit on every page with "Will you accept our cookies?" banners though.

          The only way to store the information that a user has declined (non-essential) cookies is with a cookie (which is a great example of an essential cookie).

          Though if you hard-block any cookie being set, you would get the same problem anyway.

          1. Not Yb Bronze badge

            Block cookies, then install a "block cookie question popup" extension (several exist). Problem solved?

          2. John Robson Silver badge

            And the request for that specific cookie is the one which you could allow - or you could "allow all" every time, rather than having to go through all the settings individually, in the knowledge that they aren't going to be read.

  7. Brewster's Angle Grinder Silver badge

    "Please agree which of our 362 partners you will accept cookies from..."

    Even the 362 isn't hyperbolic. It was one I got this morning on Android.

    1. Irongut Silver badge

      All of them pre-ticked under Legitimate Interest no doubt. Clearly neither advertisers, nor Google, know the meaning of the work legitimate.

      1. Brewster's Angle Grinder Silver badge

        It's a site called collider.com. It rejected desktop Firefox (blocked to the max) but I've just been there in desktop Chrome: 1568 "partners". (I took a screenshot.)

        The ones at the top are not pre-checked. But when you scroll far enough down, many are. (That's a fucking dark pattern, right there.)

        And, yes, they are flagged as "legitimate interest". CSS suggests I would need to manually uncheck 207 to be able to consent without tracking.

        1. Dan 55 Silver badge

          Try the Consent-O-Matic add-on for Firefox, Firefox Android, and Chrome. It automatically clicks the "no" checkboxes for you for many GDPR pages.

        2. Anonymous Coward
          Anonymous Coward

          Funny. Firefox ESR with enhanced traacking protection to the max and uBlock and it works OK. What am I doing wrong?

          1. hayzoos

            I'm with you, but . . .

            Firefox ESR is about to bump to the next level which means you will soon see a lot of what recent releases do if you want to stay with a supported version.

            I am also using FF ESR with similar but different blocking. I am happy with the current setup, but I am preparing for the change to a new ESR level.

            Another issue I have seen with ESR is some sites consider it to be out of date or unsupported, I have had to school a few in the error of their ways.

  8. Anonymous Coward
    Anonymous Coward

    All you need to know is...

    GOOGLE speaks with forked tongue.

    Everything that they say is a bold faced lie.

    Their whole business model relies on being able to slurp PETABYTES of data from us each and every day.

    As one posted said, "why are you still using chrome?"

    Posting A/C as I refuse to give anything to Google without them working hard for it.

    FSCK Google.

  9. katrinab Silver badge
    Black Helicopters

    Everyone talks about cookies, but there are other ways to store data on the client that could be used for tracking etc. I generally use Local Storage to store user preferences and application state.

    Why does everyone focus on cookies when the GDPR etc talks about tracking technologies. Cookies can be used as a tracking technology. Other things like local storage can also be used as a tracking technology.

    1. ArrZarr Silver badge
      Devil

      GA4 now works (well, kinda works, but what else is new?) even if you block cookies and the site performs as it should, so yes.

      To be honest, I'm glad that third-party cookies are staying because if all the tracking providers are forced into first-party cookies, it essentially prevents any competition to Google, Facebook et al. from starting up, so we'd be stuck with only the current incumbents in the tracking field forever.

      And while I expect you all to be playing the world's smallest violin in my general direction, the less the big tracking players can do to make themselves more indispensable and more black-boxy the easier my job is.

    2. Randesigner

      Agreed. Local Storage is the elephant in the room. All this talk about cookies is a diversion tactic while sites go ahead and store stuff in local storage.

      And clearing cookies does nothing to clear local storage. I haven't checked if there is a browser extension to clear local storage, but on my desktop I end up doing it manually.

      1. Dan 55 Silver badge

        Cookies and site data are grouped together in Firefox.

      2. amajadedcynicaloldfart

        It does clear local storage on Safari..

    3. CowHorseFrog Silver badge

      The point of cookies is not too store stuff on the client, its for the client to provide the cookie back to the servers so said user can be tracked.

      Nobody cares whether the cookie is stored in a "file" or local storage, thats not the point of the exercise or reason for concern.

  10. Tubz Silver badge

    I don't trust Google, so I'll play in the land of data surveillance and then use all the 3rd party tools to block all the crap out there !!

    1. hayzoos

      Ummm, logic?

      So, essentially you are saying you are willing to use third party code to block third party code (and content). Okay, we are all doing it. But, stated the way you did, it sounds illogical.

      At least we have the chance to research the third party tools to block the source unknown third party code and content thrown at us from websites.

  11. glennsills@gmail.com

    Hey Microsoft, want to make Edge more popular

    Instead of hiding the ability to block third party cookies down deep in the settings of Edge and allowing third party cookies by default, block them by default. Heck, surfacing the switch to block the cookies up three or four levels in the settings menu tree would be helpful. Your users would like it and it would cost you next to nothing.

    1. Ken Hagan Gold badge

      Re: Hey Microsoft, want to make Edge more popular

      I doubt it. Most users never change defaults, except that most users do change the default browser.

      I don't know how Google did this, but they appear to have hypnotised 90+% of the computer-using population.

    2. Falmari Silver badge

      Re: Hey Microsoft, want to make Edge more popular

      "Heck, surfacing the switch to block the cookies up three or four levels in the settings menu tree would be helpful. " And impossible.

      Three levels up would place the switch outside Settings and on the same menu tree as Settings.

      Even 2 levels up would place the switch on the Settings menu tree. The switch is hidden they have buried it, but only by one level.

      All browsers should block third party cookies by default, especially when they are the default browser shipped with the OS.

  12. CowHorseFrog Silver badge

    The fact that Google is so scared of cookie blockers, says how little value there is in actually advertising. Beats me why advertisers still pay for ads from them.. then again corporate leaders are hardly leaders, they just copy what they think is popular.

  13. s. pam
    FAIL

    Just say NO -- to Google browsers

    and use uBlock Origin + other blockers to put the screws to the cookies industry!

  14. Yes Me Silver badge
    Flame

    Pants on fire

    "Their goal was to remove the interoperability that enabled businesses to work together without interference from monopolists"

    The person who said that should take up politics. He has the necessary ability to tell grotesque self-serving lies in imposing language.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like