Google’s Chrome will change cross-site cookie handling, ‘aggressively’ tackle fingerprinting

May 8, 2019 3:32 am

As expected, Google announced coming changes to the way its Chrome browser handles cookies and addresses fingerprinting on Tuesday at its annual I/O developer conference. New tools in Chrome will allow users to block or clear third-party cookies more easily, Google said. The company also announced a browser extension that will show more information about parties involved in ad transactions and tracking.

Chrome’s new cookie handling. Google said “blunt approaches” to cookie blocking haven’t been effective for users because they treat all cookies alike — from first-party cookies used to keep users signed-in to sites to third-party cookies used for tracking — so it’s changing how cookies work in Chrome.

From a security standpoint, Google said this change will also help protect cookies from cross-site injection and data disclosure attacks by default. Eventually, Google said, Chrome will limit cross-site cookies to HTTPS connections.

In the coming months, developers will be required to specify explicitly which cookies are able to work across sites, and could potentially be used to track users, through a new mechanism based on the web’s SameSite cookie attribute. The SameSite attribute can be used to restrict cookies to first-party or same-site context.

In the weeds. Chrome 76 will include a new same-site-by-default-cookies flag, according to web.dev. Cookies without the SameSite attribute will not be available in a third-party context. Developers will need to declare cookies that need to be available on third-party sites to Chrome with SameSite=None. Google says this will allow Chrome users to clear cross-site cookies and leave single-domain cookies that are used for logins and site settings intact.

Developers can start testing their sites to see how the cookie-handling changes will affect their sites in the latest developer version of Chrome.
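
As an added illustration (not code from Google or from this article), the sketch below audits `Set-Cookie` headers against the behaviour described above: cookies with no SameSite attribute are kept out of third-party contexts, `SameSite=None` opts in to cross-site use, and a cross-site cookie without `Secure` is flagged because of the planned HTTPS-only restriction. The function names and sample headers are constructed for the example.

```javascript
// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide whether the cookie would be available in a third-party context.
function classify(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = attrs.samesite;
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : null;
  const result = { name, crossSite: false, notes: [] };
  if (sameSite === 'none') {
    result.crossSite = true;
    // The article says cross-site cookies will eventually be HTTPS-only.
    if (!attrs.secure) result.notes.push('SameSite=None without Secure');
  } else if (sameSite === 'strict' || sameSite === 'lax') {
    result.notes.push('explicitly same-site');
  } else {
    // Missing or unrecognised value: not sent cross-site by default.
    result.notes.push('no valid SameSite: blocked in third-party context');
  }
  return result;
}

// Constructed sample headers (not taken from any real site).
const SAMPLE = [
  'session=abc123; Path=/; HttpOnly; Secure',
  'widget_pref=dark; SameSite=None; Secure',
  'tracker_id=xyz; SameSite=None',
  'csrf=tok; SameSite=Strict; Secure',
];

function audit(headers) {
  return headers.map(classify);
}

console.log(audit(SAMPLE));
```
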

Cracking down on fingerprinting. The company also said it is taking further measures to restrict browser fingerprinting methods that are used as workarounds to keep tracking in place when users opt out of third-party cookies.

Google said Chrome plans to “aggressively restrict” browser fingerprinting and reduce the ways browsers can be passively fingerprinted. “Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice,” said Google.

The company added that it doesn’t use fingerprinting for personalizing ads or allow fingerprinting data to be imported into its ad products.

User cookie controls. Google said it will provide users with more information about how sites are using cookies and give them simpler controls for managing cross-site cookies. The company didn’t say what these changes will look like in the Chrome interface, but said it will preview the features for users later this year.

Ad data browser extension. The company also announced it is developing an open-source browser extension that will show the names of ad tech players involved in an ad transaction as well as the companies with ad trackers attached to an ad. The extension will also show the factors used for personalization. That will be the same information Google shows when you click “Why this ad”.

Why we should care. The end of the digital advertising ecosystem’s reliance on cookies for tracking and attribution has been a long time coming. Cookies aren’t supported on mobile apps, and the mobile web and apps now account for the majority of ad spend. Google and Facebook have led a shift away from cookies to relying on deterministic IDs of signed-in users.

Chrome is not a first mover in this realm, either. It’s following in Apple’s Intelligent Tracking Prevention (ITP) footsteps. The latest version, ITP 2.2, will limit cross-site cookie tracking of users in Safari to one day. Earlier this week, Microsoft announced its Chromium-based Edge browser will also have new tracking controls for third-party cookies.

For marketers, the full impact of these changes and how users respond to the tools likely won’t be seen for months, but the changes stand to have a significant impact on remarketing, analytics and attribution efforts. It’s also unclear if (or how much) Chrome’s new requirements will benefit Google with its first-party relationships with billions of users over other ad tech firms, as the Wall Street Journal has predicted.

The Chrome announcements come amid a broader PR campaign by Google aimed at would-be U.S. regulators. Google CEO Sundar Pichai published an op-ed in The New York Times Tuesday night titled “Privacy should not be a luxury good” in which he reiterated Google’s position that “a small subset of data helps serve ads that are relevant and that provide the revenue that keeps Google products free and accessible” and listed ways in which the company addresses user data. Pichai called for federal data privacy legislation in the vein of the EU’s GDPR. Google reportedly began lobbying for a “friendly” version of a federal law last summer.