Google has set an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser. Tracking cookies, which allow advertisers to virtually follow people around the web, are used for ad targeting. The move follows a number of privacy hardening steps by Google for its Chrome browser.
Justin Schuh, engineering director for Google Chrome, said in a post Tuesday that the phasing out of third-party cookies was in response to evolving attitudes about online privacy. “Users are demanding greater privacy – including transparency, choice and control over how their data is used – and it’s clear the web ecosystem needs to evolve to meet these increasing demands,” he wrote.
The move was anticipated. In August, Google announced the introduction to its own Privacy Sandbox standard to Chrome. A Privacy Sandbox is designed to deliver ads to users that publishers can target toward interests, but don’t infringe users’ privacy, according to Google.
Instead of relying on tracking cookies, Privacy Sandbox uses browser-based machine learning to assess user interests. Individual user data is then aggregated with data of other users, with similar interests, and then shared with advertisers in a process called federated learning of cohorts (FLOC). The standard also includes things such as a “privacy budget” that limits the amount of browser metadata a site can collect in order to thwart browser fingerprinting.
Privacy Sandbox is in development, as are several other technologies Google hopes to roll out over the next two years to keep advertisers happy during the sunset of tracking cookies. Part of that phase out includes limiting insecure cross-site tracking starting in February.
“[Treating] cookies that don’t include a SameSite label as first-party only, and requiring cookies labeled for third-party use to be accessed over HTTPS… [we] will make third-party cookies more secure and give users more precise browser cookie controls,” Schuh wrote.
SameSite prevents the browser from sending this cookie along with cross-site requests in order to mitigate the risk of cross-origin information leakage, according to the Open Web Application Security Project.
Google also plans to go beyond removing support for third-party cookies. “We’re developing techniques to detect and mitigate covert tracking and workarounds by launching new anti-fingerprinting measures to discourage these kinds of deceptive and intrusive techniques, and we hope to launch these measures later this year.”
Google’s moves follow similar steps by Apple and Firefox, which both block many third-party cookies. Apple uses what it calls “intelligent tracking prevention.” Microsoft’s new Chromium-powered Edge browser also include tools to block tracking.
“Fortunately, we have received positive feedback in forums like the W3C that the mechanisms underlying the Privacy Sandbox represent key use-cases and go in the right direction. This feedback, and related proposals from other standards participants, gives us confidence that solutions in this space can work,” Google wrote.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.
