Google has second thoughts about cutting cookies, so serves up CHIPs

Last week, third-party cookies received a stay of execution from Google that will allow them to survive until late 2023 – almost two years beyond their previously declared decommission date. But the search-ads-and-apps biz is already planning a resurrection of sorts because third-party cookies are just too useful. The …

  1. DS999 Silver badge

    No need to read the details

    If it is a proposal from Google I know it is privacy raping and benefits only them.

    1. Anonymous Coward

      Re: No need to read the details

      Never mind that Google, like every corporation, is staffed by individual human beings, many of whom care a lot about privacy, and occasionally even get to express those positions publicly from their work email address. No, it came from Google so it must be bad.

      Why should they make any effort to improve privacy if no one is going to even acknowledge it when they do?

      1. Anonymous Coward
        FAIL

        Re: No need to read the details

        If they cared about our privacy they wouldn't work for Google.

      2. Jamie Jones Silver badge

        Re: No need to read the details

        Admitting that third-party cookies are bad for privacy, but then leaving them active for a further 2 years whilst they think up an alternative IS NOT an effort to improve privacy.

  2. IceC0ld

    SO Google think they can put an acronym into the wild, and no one will call them out on it :o)

    [ Google's CHIPs proposal – Cookies Having Independent Partitioned State ]

    doesn't really roll off the tongue does it :o)

    C - annot

    H - ave

    I - t

    P - erforming

    S - atisfactorily

    but we here at El Reg will always have your back with our very own TITSUP, used in any situation where you need to look good, but just know it's going to go TITSUP :o)

    T - otally

    I - mmersive

    T - ech

    S - uspends

    U - sers

    P - rivacy

    1. big_D Silver badge

      Why didn't they just admit they are copying what Firefox is already doing? Why bother with a new acronym? NIH syndrome?

  3. Nursing A Semi

    Was this article written for some other website then re-published by the Reg? Reads like it was written for people from Amish communities or maybe 3rd graders?

  4. Anonymous Coward
    Mushroom

    Optional

    "But doing so has created problems by interfering with applications that rely on third-party cookies to deliver services across domain contexts."

    No.

    Any applications that rely on third-party cookies to deliver services are broken and should be fixed.

    Google can go fuck itself and so can the Reg if it actually believes that the use of third party cookies can be justified in any way whatsoever.

    1. Warm Braw

      Re: Optional

      to deliver services across domain contexts

      I think the author might have misspelled "advertising".

      Not sure why the parent post garnered downvotes: on legal grounds alone a "service" can't rely on the exchange of personally-identifiable information with a third party.

      There's a big enough hole in this already in that cookies from different subdomains can be considered "first party" so co-operating entities can already get round third-party blocks by misuse of DNS. And then there's the cross-origin policy framework for web pages which effectively allows the website to choose who it leaks data to rather than the user.

      The only defensible policy I can see is same origin for everything (and that includes scripts and media) without explicit, informed consent. If that threatens your business model then you need to find a solution that provides the same level of protection - and this isn't it.

      1. DarkwavePunk

        Re: Optional

        DNS is a mess. It's used for things way beyond its initial remit. I have stared into the DNS abyss in many sectors and only found ghoulish Lovecraftian tentacles of "Digital Marketing". Or to put it bluntly, it's a fucking shitshow.

    2. Robert Grant

      Re: Optional

      > Any applications that rely on third-party cookies to deliver services are broken and should be fixed.

      So if I want to be able to see roughly how many people who visit my website, and use a paid for analytics service to do this who set a cookie, I...shouldn't? That seems a bit silly.

      1. Warm Braw

        Re: Optional

        It may seem silly. It may even be harmless in your specific case.

        However, in general, if your site is passing information on its visitors to a third party and that third party is getting similar information from other sites then that third party is potentially in a position to make inferences from the behaviour of your unwary visitor, potentially to the extent of identifying them and tracking their browsing habits across all the other sites doing the same as you.

        That's a high price others are paying for your convenience.

        1. Robert Grant

          Re: Optional

          That's not a price they are paying. In theory any step in the technical supply chain could be doing illegal things, but that doesn't stop us using networks or ISPs or outsourcing the design/creation/procurement/running of hardware, OSes, drivers, networking appliances, etc etc. Why special case this?

      2. Zolko Silver badge

        Re: Optional

        So if I want to be able to see roughly how many people who visit my website, and use a paid for analytics service to do this who set a cookie, I...shouldn't ?

        Yes, you may, but not with external cookies. You can, for example, embed your own - 1st party - cookie, and each time that cookie is found by your website, your server queries the paid-for service's server. Thus, you will be in contact with your service provider, and not your visitors (who don't care about how many people visit your site).

        If there's a need, there will be an offer and I'm sure there will be 3rd party providers to propose this service. Of course, the big loser will be Google because it will have to play on level playing field with other service providers.

      3. Anonymous Coward

        Re: Optional

        As a visitor to your site, I have not given you permission to pass ANY information about me to a third party.

        So yes, you shouldn't.

        There are other solutions.

      4. tiggity Silver badge

        Re: Optional

        Your analytics would not see me as their cookies are blocked (analytics only work if users are not blocking various cookies).

        However, your web server logs would get my IP address so in my "visit" case would be more useful than analytics.

        .. Yes, I know IP does not mean a unique user, could be a whole company behind it, might be from a VPN, tor exit node, whatever but limited data beats zero data

        1. Robert Grant

          Re: Optional

          That's right, IP address is not useful.

      5. iron Silver badge

        Re: Optional

        Alternatively... just so you can get a counter to stroke your e-peen you sell your visitors data to a random third party? That seems a bit evil.

  5. Neil Barnes Silver badge

    more acceptable use cases

    More acceptable to whom?

    I am unconvinced that there are any acceptable use cases for third party cookies. And the number of cookies which need to be set by first parties is really rather small, too - as shown by the number of websites which now offer to save only essential cookies (login status and the like).

    1. mark l 2 Silver badge

      Re: more acceptable use cases

      I have set Firefox to not allow 3rd party cookies and not yet experienced any noticeable problem with any websites I've visited.

      It's just Google worried that their bottom line is going to be affected as they won't be able to charge as much for targeted ads if the browsers all block 3rd party cookies.

      1. heyrick Silver badge

        Re: more acceptable use cases

        My Firefox allows all cookies. The Cookie Auto Destroy add-on will nuke those that aren't from a whitelisted site after about twenty seconds.

        So, a site can have enough cookie to get the page loaded (and it's disturbing how many sites splatter information all over the place). After that, bye bye.

        1. Charles 9

          Re: more acceptable use cases

          I use ForgetMeNot, sometimes on the Instant setting. Trouble is, neither your nor my addon works on mobile.

          Trouble is, some sites like Medium seem able to track effectively even with the Instant setting.

          1. heyrick Silver badge

            Re: more acceptable use cases

            "neither your nor my addon works on mobile."

            Yes it does. Cookie AutoDelete 3.0.2 running on Firefox 60.0.2 for Android. It's what I'm using right now.

            "some sites like Medium seem able to track effectively even with"

            There are no doubt other methods (that stuff that Chrome refers to as "site data" as distinct from cookies). It's a bit of a game of whack-a-mole. :(

            1. Charles 9

              Re: more acceptable use cases

              That explains it. The current Firefox is version 89. It only supports 16 curated add-ons. ForgetMeNot and Cookie AutoDelete are NOT on that curated list, and I cannot use an older version due to various important sites I use balking if I don't.

      2. iron Silver badge

        Re: more acceptable use cases

        I've had 3rd party cookies disabled since the days of Netscape Navigator. The only sites it breaks I don't want to use anyway.

  6. Pascal Monett Silver badge

    It's simple

    Google is desperately trying to find some way to make us believe that its use of cookies is good for us, when it is actually only good for Google's ad business.

    I don't care what Google proposes. Whatever it is is only destined to keep the money flowing in and our privacy being sold out.

  7. SImon Hobson Bronze badge
    Mushroom

    Does seem like another "let's break the internet and everyone else will fall into line because we're too big to fight with" idea from Google. I was going to rattle off a list of examples, but then realised I don't have time in the day for that !

    1. Version 1.0 Silver badge

      I'd vote to simply make the creation of cookies on a user's computer a crime. That would solve a lot of security problems and would force all corporations to stop treating customers as sheep to be shorn and then cooked and sold to other lambs for lunch.

      It would be a start to cleaning the Internet (yes, just a small start) because storing cookies is like a happy pandemic for corporations.

      1. heyrick Silver badge

        Downvote because they're also used to hold settings and signed-in state.

        I'd happily agree that unsolicited cookies should be a guillotine offence, but not all cookies are evil. Some are soft and chocolatey.

    2. A.P. Veening Silver badge

      I was going to rattle off a list of examples, but then realised I don't have time in the day for that !

      Only a day? Last time I checked, I would need about 168 hours for a nice (and not even complete) list of examples.

  8. Howard Sway Silver badge

    Keep it simple, stupid

    "For example, Google has a proposal called First-Party Sets that would make different domains (e.g. apple.com and icloud.com) owned by the same company function as a single first-party domain for the purpose of cookies."

    A prime example of confusing crap created just to get around the stupid decisions made by marketing people. There is an EXTREMELY simple and obvious solution to the "problem" stated above. One that nobody would be confused by. Which is just to use apple.com. And redirect from the superfluous second domain to the first.

  9. Wade Burchette

    CHIPs

    Carefully Harvested Important Personal status

    1. elsergiovolador Silver badge

      Re: CHIPs

      Can't Help Ingesting Private Stuff

  10. Anonymous Coward

    Back in the Day...

    IE6 was considered to be 'The Internet' by millions.

    Who decided that Google owns the Internet? I'm sure that they didn't ask the users while they slurped and slurped and slurped data on each and every one of us.

    They seem to be deciding on the protocols and everything else that goes on over the interweb.

    If they carry on like this then the anti-trust hawks all over the world will start hitting them hard and severely limiting what they can do.

    Personally, I hope that Google gets broken up into a million little pieces and dies a slow painful death.

    1. Charles 9

      Re: Back in the Day...

      Nah. Sooner they'd pull a Sprawl and become sovereign...

    2. ThatOne Silver badge
      Unhappy

      Re: Back in the Day...

      > IE6 was considered to be 'The Internet' by millions.

      > Who decided that Google owns the Internet?

      Same people: The mindless, ignorant masses who neither want nor can bother about such obscure issues as "choice", "privacy" and other clearly metaphysical stuff. Those "nothing to hide" people who never pondered why rest rooms have doors or changing cubicles were invented.

      Google wasn't coy about its goal to take over the Internet: At some time in the past it used its wealth to make sure whatever you installed on your computer also silently installed Chrome and made it silently the default browser. For years... If only I was paid a dollar for every Chrome I had to uninstall back then from my relatives' or my own computers...

      Now Google rules the web and it knows it. They don't need to bother to play nice, they just don't need to pretend anymore. Nobody can or will harm them, politicians can and will be bought as needed, and any bad feelings of the crowds will be dealt with with some shiny beads and mirrors, it's all it takes.

      The only real danger for Google today is that it becomes utterly uncool, MySpace-level of uncool, and for this to happen a competitor would have to rise, capture the masses' attention and offer more compelling competing services. Difficult at least, and chances are that newcomer might make us miss our quaint old uncle Google and his stained trench coat dearly... Rocks and hard places come to mind.

    3. Zolko Silver badge

      Re: Back in the Day...

      If they carry on like this then the anti-trust hawks all over the world will start hitting them hard...

      Actually, I'm surprised it didn't already happen. Android (the Play Store really) and Search (can include Maps and Mail) should be split into different entities. That would solve the monopoly problem.

      1. Charles 9

        Re: Back in the Day...

        Nah, they'll just glom themselves back together more organically. Look what happened to Ma Bell: a monopoly replaced with an even larger oligopoly...

  11. Anonymous Coward

    CHIPs

    Chumps Haven’t Intelligence Parameters

  12. elsergiovolador Silver badge

    CMA

    Google should not be allowed to do business in the UK until they:

    - Split into independent companies - you cannot run a search engine and advertising company at the same time, it's a conflict of interest

    - Start paying the right amount of tax. They should disclose all offshore arrangements and any avoidance schemes they use and then pay any missing tax for the last 20 years.

    - Any service of theirs should have an option to pay a subscription or one off fee instead of pretending it is free and harvesting users' data as a payment.

    - They should start paying fair wages to the UK employees. Perhaps there should be 1:10 salary spread ratio mandated for big companies, so that the workers can enjoy the value they produce, not just managers and CEOs.

    - Google should allow access to its search database for 3rd parties at a cost, so that alternative search engines can operate.

    ...

    I could probably go on forever...

    1. ThatOne Silver badge
      Unhappy

      Re: CMA

      > Google should not be allowed to do business in the UK until they:

      - Lobby enough and promise shiny positions to key politicians and their families.

      Fixed it for you... Money talks, and Google has a lot of money to do their talking for them. While I agree with all you wrote, it's utterly utopian and will obviously never ever be even considered.

    2. Robert Grant

      Re: CMA

      > you cannot run a search engine and advertising company at the same time, it's a conflict of interest

      Aren't they all advertising companies?

    3. Man inna barrel

      Re: CMA

      > you cannot run a search engine and advertising company at the same time, it's a conflict of interest.

      Then how is the free search engine funded?

      The same conflict of interest argument could be made about news websites, or print newspapers for that matter, and yet somehow we get by without being ensnared by the advertisers.

      1. Charles 9

        Re: CMA

        It isn't, and it ceases to exist. If people plunked a penny each time they wanted to search the Internet, they start having skin in the game and start caring about quality. Not only that, this creates a legally-binding transaction, meaning sales contracts and laws concerning them come into play, putting the providers under scrutiny.

        As for other media, newspapers are still sold, even with advertisements. Plus, non-Internet media has the inherent disadvantage (inherent in our case) of lack of specificity.

        1. Robert Grant

          Re: CMA

          This all seems ill advised. 1p is not having skin in the game.

          1. John Brown (no body) Silver badge

            Re: CMA

            It might teach people to curate and use bookmarks/favourites when they see the bill at the end of the month :-)

            I know people who grew up using the internet and they STILL type facebook into Google multiple times every day to get there.

          2. heyrick Silver badge

            Re: CMA

            I think a lot of people might be surprised by how quickly many 1p searches add up to a decent pile of coin.

      2. Anonymous Coward

        Re: CMA

        They can be funded with adverts like most other sites. They don't have to own the whole advertising company!

    4. John Brown (no body) Silver badge

      Re: CMA

      "Google should not be allowed to do business in the UK until they:"

      Have you any idea how many schools rely on Chromebooks and Google services these days? That's just one example of Google's "too big to fail" power they have these days. You can't just say "ban Google until they change" any more. That ship sailed long ago.

  13. beep54
    Meh

    Chrome

    I find Chrome useful for playing sudoku and a really sucky spades game and that's it. I don't like Chrome.

  14. vektorweg

    Solving the wrong problem

    It's the websites themselves that deliberately choose to share information. It just happens to be via third-party cookies, as they are easy to use and trust. If not via cookies, websites will share user data through other means.

    At least for cookies, the user has some control over it. Like, I can technically block Google cookies on El Reg. But if this data sharing turns into a model between servers only, there won't be much a user can do except for stopping to use services entirely.

    The right problem is: how do you stop websites/companies from having to sell user data?

    1. Charles 9

      Re: Solving the wrong problem

      Corollary: How do you fix Stupid from taking the rest of us with them while they shout, "Shut up and take my privacy!"?

      1. ThatOne Silver badge

        Re: Solving the wrong problem

        > How do you fix Stupid from taking the rest of us with them while they shout, "Shut up and take my privacy!"?

        Can't. Since that's the desirable opinion, it will be advertised ("Trending") and put forward: "See, other people want this, so why don't you? Don't you have rights too? Join the fun!"

    2. Anonymous Coward

      Re: Solving the wrong problem

      No. They can connect server-side to the third party, and transfer browser fingerprints / IP addresses etc., and the third party can try to collate this, but this is hit and miss.

      You can't do reliably server side what they currently do with cookies.

      Now, they could do it with first party cookies - the server would relay the first-party cookie to the third party server, and relay back a response, but you'd still need to have first party cookies enabled.

      You say that at the moment you're in control, but how do you know they aren't doing this already?

      1. Charles 9

        Re: Solving the wrong problem

        "No. They can connect server-side to the third party, and transfer browser fingerprints / IP addresses etc., and the third party can try to collate this, but this is hit and miss."

        But constantly improving. Soon, basic fingerprinting using essential elements will be unique enough to disregard cookies for everything but shopping carts.

  15. TeeCee Gold badge
    Facepalm

    Er, hang on.

    ...aims to implement multiple technical specifications that change how online advertising works in the browser.

    So the world's largest advertising broker is changing the way advertising works, without telling anyone else in the business what they'll need to work with in the future?

    I predict the great-grandmother of all arse-reamings from the competition authorities.

  16. Jamie Jones Silver badge
    Unhappy

    "Last week, third-party cookies received a stay of execution from Google that will allow them to survive until late 2023"

    When did we let Google own the internet?

    W3C should deprecate them NOW, and all browsers adhering to standards should be modified accordingly.

    1. ThatOne Silver badge

      > When did we let Google own the internet?

      We didn't let it, it bought it. Or rather, it made a successful hostile takeover bid.

  17. iron Silver badge

    > if the users have not yet created an account and the support widget is helping them sign up, then retail.com would have no notion of identity to forward to support.chat.com

    If the user does not have an account then retail.com has no relationship with them and no history that might be useful to the support service. There is no need for them to identify a potential user of their services to a third party purely to provide support when signing up. None.

    That Google think everyone should be identified to every company and third party online shows the root of the problem. Chrome will never be secure and protect privacy because Google don't even know what security and privacy are, their engineers can't even wrap their heads around the concept.

    1. Anonymous Coward

      With the example, support.chat.com really needs to work without an account

      I recently tried logging into an account I have with an on-line service, had an error message, stopping me logging in, but it looked like some internal error, rather than something I did.

      Noticed a link to their help system, which was a chat system (so I assume a bot). So clicked it, got the message back "You need to be logged in to use the help service, click here to login" !!!

  18. Anonymous Coward

    CHiPs, huh?

    Somebody please get control to radio out for Jon and Ponch, it looks like we've got that crazy guy Driving Under the Influence, again…
