I honestly think this move toward "less tracking" (3rd party cookie restrictions) is having the opposite intended effect.
It used to be you could just "clear your cookies" and you'd have a virtually clean identity on the internet. Now basically every ad platform, including Google Ads, is heavily encouraging the use of "first party data" - aka name, email addresses, phone numbers, mailing addresses - as a way to target customers. Google Ads help docs specifically cite the phasing out of cookies as the reason advertisers should send Google as much "first party data" as possible.
In effect, that means "clearing your cookies" will do nothing if you're the average Google user who's still logged into Chrome/Google after clearing your cookies.
And instead of Google + ad networks just having your data in cookies, now they have your name, email, mailing address, zip code, etc provided to them on the backend with no way for the consumer to easily opt out or delete their data.
Edit: adding another supporting example: for advertisers tracking conversions, it’s no longer good enough to just fire a conversion pixel on a checkout page. Now it’s heavily encouraged to send the user’s personal data (email, name, phone, etc) along with the conversion pixel/tag so Google (or whatever ad platform) can match the conversion to clicks without cookies at all. This type of conversion tracking was not pushed or encouraged until browsers started phasing out 3rd party cookies.
Edit 2: Google has even gone as far as adding a setting to their AdWords tracking tag that automatically scrapes the HTML of a page in search of anything that resembles a user’s email address or phone number to make it easier to collect first party data automatically.
I agree with your general comment, and would add fingerprinting to the list. Many ad networks now fingerprint users to generate an identity for tracking when cookies are not available, which didn't use to be worth it before the phase out. And of course clearing your cookies doesn't clear your fingerprint.
> Google has even gone as far as adding a setting to their AdWords tracking tag that automatically scrapes the HTML of a page in search of anything that resembles a user’s email address or phone number to make it easier to collect first party data automatically.
The help docs are a bit cryptic, but the UI within Google Ads is a lot more straightforward in how it works. It searches the landing page for an email address to automatically pair with a conversion event. All the advertiser needs to do is accept some privacy policies and enable the feature.
Now you can just not have an account or any first party data given to a customer, or with tools like anonaddy and fake people generator, you can spoof first party data that won't be matched when hashed and compared across different platforms.
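How hashed first-party-data matching behaves, and why a per-site alias breaks the join, as an added example (not code from any commenter or ad platform). It assumes matching on the SHA-256 of a trimmed, lowercased e-mail address; the function names and all addresses are constructed.

```javascript
// Added illustration: hashed e-mail matching across two customer lists.
const { createHash } = require('node:crypto');

// Assumed normalization: trim whitespace and lowercase before hashing.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Hashing is deterministic, so the same address yields the same
// identifier on every platform that receives it.
function hashEmail(email) {
  return createHash('sha256').update(normalizeEmail(email), 'utf8').digest('hex');
}

// Join two uploaded lists on the hashed address, as a matching backend would.
function matchRecords(listA, listB) {
  const index = new Map();
  for (const rec of listA) index.set(hashEmail(rec.email), rec);
  const matches = [];
  for (const rec of listB) {
    const hit = index.get(hashEmail(rec.email));
    if (hit) matches.push({ a: hit.id, b: rec.id });
  }
  return matches;
}

// Constructed sample data: one person buying from two unrelated shops,
// once with the real address and once with a per-site alias.
const shopA = [
  { id: 'A1', email: ' Jane.Doe@example.com ' },    // real address, untidy formatting
  { id: 'A2', email: 'shop-a.8f3k@alias.example' }, // alias used only at shop A
];
const shopB = [
  { id: 'B1', email: 'jane.doe@example.com' },      // real address again
  { id: 'B2', email: 'shop-b.q7x2@alias.example' }, // alias used only at shop B
];

const matches = matchRecords(shopA, shopB);
console.log(matches);
```

Only the real address links the two lists; the aliases hash to unrelated values, and clearing cookies plays no part in either outcome.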
I'm curious, would you purchase a membership to YouTube if it included absolutely no tracking, sharing of first-party data, or advertising at all?
I guess I shouldn’t have been shocked but this week looking at some display ads, in Google's audience builder there’s literally an “upload email of who you want to target” feature. Made my skin crawl. Can’t tell me that’s not abused to the ends of the earth and back - some marketing interns will just go nuts, GDPR be damned.
There's got to be some more regulation around advertising in general. I just don't see how it adds anything to the world that even begins to compensate for the damage. It should be like cigarettes, something we used to see as a legitimate business but decided we're really just better off taxing the heck out of and boxing into very limited places.
Sorry but this just sounds like victim blaming. If a guy threatens you with a stick, and you take his stick away and he pulls out a gun and goes “look at what banning my stick led to!”, it’s not the banning that’s the problem.
So with first party sets is this suggesting that Google can declare doubleclick.com as a "trusted first party" and undermine any ability to allow Google.com and YouTube.com cookies but block their 3rd party ad tracker?
It seems like they're just trying to remove any distinction between 1st and 3rd party cookies at all.
I mean, if you block cookies, you’re using a browser extension, and that extension blocks whatever you tell it to; it’s not affected by First Party Sets.
Google’s changes only affect people who use vanilla Chrome. And the people who use vanilla Chrome without any privacy extensions don’t have much privacy to begin with, so First Party Sets does not make things much worse than they already are.
> I mean, if you block cookies, you’re using a browser extension
If all you want to do is block cookies, why would you use a browser extension for that? Most browsers ship with a configuration option to disable them.
For Chrome/Chromium it's over at chrome://settings/cookies
Google pretend-playing "building a more private web" again.
Blocking third party cookies is great, but with these "Third-Party Sets", self-appointed gatekeeper Judge Google (Judge Dread) takes requests from website owners for lists of domains they control to be partially exempted from these third party cookie restrictions.
Instead of making third-party cookies obsolete as is one of the exclaimed goals of the broader initiative, they turned it into an insidious and opaque tool that lets them increase their insight, influence, and control over the web and all its users even further.
This is bad for both advertisers and their prey alike.
Addendum:
Getting rid of third-party cookies whilst not breaking Single Sign-On and similar such features could also have been achieved with a user-controlled local browser setting and a new type of permission request popup.
The need for Google to be in control of this is non-existent and the people working there are more than smart enough to understand this. They are playing us all here.
> with a user-controlled local browser setting and a new type of permission request popup.
Settings and pop ups mean that users have to understand them - which can be a huge user education challenge. I'm pretty skeptical of the argument that it's simple to add in a new user facing pop up and have the majority of users use it correctly.
Nevertheless: even if a solution turns out to be too difficult for users to understand no matter how you present it (at which point you might want to rethink whether this apparently fundamentally flawed idea should even be implemented at all), violating your users' agency by taking the reins and obfuscating the whole thing to them is morally wrong and in simple terms: an arsehole move.
The FPS spec as described looks entirely duplicable by others and openly reimplementable by just cloning the FPS repo and following the same spec (which is open). Someone could choose in their browser to use a different set or a different repo or some hierarchical structure.
Because domain owners use /.well-known/first-party-sets.json, others can also scan for that themselves and perhaps build an independent repo from spidering.
Doesn't part of this update also make fingerprinting users even more robust with WebGPU? Aka you don't need cookies because we can see who you are without them based on your machine's unique specs.
If you look at historical submissions from chrome.com you'll find that Chrome 112 and Chrome 111 release posts are submitted to HN as well. The fact that this submission was near the top probably reflected people's excitement over WebGPU.
I think you're probably right. For example, we're no longer recommending that Windows users download Chrome since Windows' default browser (Edge) is fine now... so I'm sure Edge popularity is taking away a lot of market share from Chrome. Not to mention the news this week of Safari surpassing Edge in popularity. Either way it's clear there is competition and Google is a little afraid.
JavaScript and the browser use the response headers. The example they gave is overriding CORS. Let's say you're running code locally and using remote APIs. Now you can override CORS to allow your local code to still call the APIs.
It's an override, so I imagine future requests will follow the header changes you institute. Now all we need is response editing to really integrate burp/mitmproxy-esque response hacking.
I appreciate all the concern everyone has with third party cookies with respect to privacy but this really kills the use case of third party embedded web apps. The Salesforce ecosystem is going to take a real hit as a result of this change. Hopefully everyone will figure out a way to implement First Party Sets quickly and Salesforce will be able to offer a solution.
> Google has even gone as far as adding a setting to their AdWords tracking tag that automatically scrapes the HTML of a page in search of anything that resembles a user’s email address or phone number to make it easier to collect first party data automatically.
Really? Link?
https://support.google.com/google-ads/answer/10763826?sjid=1...
I definitely did not consent, in fact I go out of my way to tell companies I give such information to not to share it with anyone.
Non-goals: ... Information exchange between unrelated sites for ad targeting or conversion measurement.
To get something onto the list (https://github.com/GoogleChrome/first-party-sets/blob/main/f..., currently empty) you need to make a public PR with rationale (https://github.com/GoogleChrome/first-party-sets/blob/main/F...). It doesn't look to me like DoubleClick would qualify?
Quite literally the same company is trying to neuter adblocking with Manifest V3 right now and pitched it as "improvements to security."
DoubleClick is hard coded into every Chrome browser :) [1]
[1] https://chromium.googlesource.com/chromium/src/+/e51dcb0c148...
I'd see a browser side system that could actually be more user friendly and more unified than the current SSO situation.
More specifically, website owners populate /.well-known/first-party-sets.json for their site and Chrome will always allow those cookies.
Sounds like most of the laws passed in my lifetime
Literally. Lol.
Instead of direct JavaScript includes I now recommend just putting it in an iframe and I share example code on the homepage.
This lets me still update the script while also ensuring it can not access cookies or other things in the main page context.
What do you think?
---
EDIT: That might have been too cynical. Let me take another stab:
That opens up some cool new possibilities, but also a seemingly large new attack surface.
Does anyone know what's been done to mitigate it?
The mitigations, however, feel rather light given the exposure.
Would it make sense for GPU access to be a permission that users have to explicitly grant?
They've restarted actively advertising their browser on YouTube, and now random releases are getting to #1 slot on HN.
I'm guessing this is having to do with Edge gaining popularity?
Google can only funnel people to Google Search with Chrome and first party Android. If Chrome falls, they're in a precarious position.
Google is being IBMified right now.
Haven't the responses already been handled? Assuming no time travel, it's not clear what actually happens after you edit a response header.
If they integrate request header modification, we can get rid of cookie tools and plugins such as ModHeaders.
This is a really great dev experience improvement.
https://developer.chrome.com/blog/deps-rems-113/
Does that mean there are no changes here?