The end of third-party cookies on Chrome, within 2 years
Last week, Google announced the end of support for third-party cookies in Chrome within 2 years, like tweeted Justin Schuh, Chrome's Director of Engineering Trust & Safety.
This announcement was long overdue, with Chrome lagging behind other browsers when it comes to blocking third-party trackers, such as John Wilander notes, the Apple engineer responsible for the privacy protection system Intelligent Tracking Prevention (ITP), integrated into Safari.
Google's motivations
Google had already hinted at his intentions last August, indicating that it wanted to better protect the privacy of its Chrome users, but taking care to differentiate itself from other browsers which directly block third-party cookies without offering alternatives to advertisers. The 2 arguments highlighted at the time :
- Blocking third-party cookies encourages the use of fingerprinting, a process aimed at creating a fingerprint of a user via the characteristics of their browser, its extensions, its IP, etc. unlike cookies, the user cannot easily reset their fingerprint. If Chrome's efforts to block fingerprinting are laudable (but far from being unique, Firefox and Safari are already fighting against fingerprinting), this argument is fallacious to say the least: fingerprinting is a dirty practice, and cannot be used as an alibi to justify the use of third-party cookies.
- Blocking third-party cookies reduces publishers' advertising revenue; Google is basing this on a internal study to indicate an average revenue drop of 52% when third-party cookies are removed. If the figure is credible (from experience, the drop is much more severe in RTB), it is not very serious to put forward a study based on the internal advertising tool Doubleclick, of only 3 pages and without any external audit.
Alternative proposals that respect privacy?
As alternatives therefore, Google created the project “Privacy Sandbox” in order to write down your first ideas and thus preempt discussions with other browsers, the advertising ecosystem and the web in general. Google's stated goal is to create new standards that respect privacy, Google's hidden goal is to allow its advertising model based on surveillance capitalism to flourish. Unlike Apple or Firefox, blocking third-party cookies without a plan B is not possible for Google, for several reasons:
- Google would be shooting itself in the feet by killing Doubleclick, its dominant advertising tool among publishers and advertisers as well as AdSense, its advertising network also dominant on the web.
- Google could partly compensate for the loss of advertising revenue linked to Doubleclick and AdSense (commission on publishers' advertising revenues and on advertisers' advertising expenses) by transferring advertisers' expenses to its own sites (Google AdWords, YouTube, etc.), but would be attacked for abuse of a dominant position.
- Google would attract the wrath of publishers due to significant losses in advertising revenue.
In order to move towards the creation of new standards, Google therefore invites stakeholders from the web and the advertising ecosystem to participate in the discussions of the w3c group Web Advertising Business Group on his proposals. By the end of 2020, Google aims to carry out the first tests, first on measuring conversions, then on personalized advertising. But if we look in detail as the EFF does Google's Privacy Sandbox proposals, it appears that these do not protect user privacy, but rather Google's advertising model, surveillance capitalism.
Conversion measurement
Today, this measurement is possible without third-party cookies, but only for analytics tools. When clicking on an advertisement (for example, a sponsored link on Google), the user is redirected to the advertiser's site with a tracking parameter in the URL. This parameter is captured by the analytics tool to place a 1st party cookie. This cookie is then sent to the analytics tool when browsing the site, until the possible purchase, making it possible to make the link with the initial click. If the conversion measurement is carried out by a tool distributing the advertising (examples: the Criteo retargeter or the advertiser's adserver), it broadcasts from its own domain and therefore places a third-party cookie. The advertiser must install a script of this tool on their conversion page in order to carry out the measurement.
How to do without third-party cookies? Here it should be noted that Apple has already proposed to w3c a technique to measure conversions without tracking users, called "Private Click Measurement". Google copies Apple with its “Conversion Measurement API”, but in a crude way: the advertiser can add metadata to the click on an ad, including the URL of the conversion page, the conversion reporting URL. and an additional identifier. This information is then stored by the browser, which can then return the reporting URL to the additional identifier if the user converts. Problem: if Apple passes 6 bits of information in the additional identifier (i.e. 2^6 = 64 different values, which allows the advertiser to know which advertising campaign and which advertisement "converted", but does not allow individualized tracking), Google passes 64 bits of information (which corresponds to 2^64 different values), which makes it possible to track each user.
Personalized advertising
Google proposes here to use the user's browsing history in order to assign them to a cohort. The process called “Federated Learning of Cohorts” (or FLoC) allows you to use machine learning models locally, and update them without sharing all user information (browsing history) with the network (if you want to know more about Federated Learning, I advise you Google's excellent comic strip on the subject).
All this seems promising, the problem is that the cohort in which your browser will classify you will, according to Google's proposal, be sent in the HTTP header of all the sites with which you have interactions (active or passive, advertisers are therefore included)... Which will allow these same advertisers who track you today almost everywhere on the web to infer a lot of additional information about you thanks to this cohort (a bad credit score, belonging to a minority, what you like, where you are). move...), without any transparency (a local machine learning model). E-Commerce sites will be able to study the behavior of cohorts and adapt their message and pricing according to the target. Also, websites that currently respect your privacy (do not use third-party cookies) will not be able to choose not to receive your cohort.
Conclusions
While it is too early to judge the alternatives that the Chrome team will put in place to replace third-party cookies, the first proposals suggest that Google will first prioritize its advertising business model, and not respect for the privacy of its browser users.