Hacker News

139 Comments:
negus said 5 days ago:

Yes this will have a great negative impact for Google's adtech competitors who unlike Google do not have other means to spy on users such as Chrome, search engine, Accelerated Mobile Pages, Gmail, voice assistant and so on.

But Google really has no choice here due to aggressive campaign by Mozilla, Apple and Microsoft who boast with their Intelligent Tracking Prevention ( https://webkit.org/blog/8828/intelligent-tracking-prevention... ) implementation blaming Google as a company which does not value users privacy. Google would lose privacy-conscious users otherwise.

But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.

rpastuszak said 5 days ago:

I find their "removing 3rd party cookies will incentivise businesses to rely on fingerprinting" discourse dangerous.

It implies that other browser vendors (Mozilla, Safari/WebKit, new Edge) are in fact making the Web a more dangerous place.

I believe it's dangerous because it creates a harmful, unproductive PR narrative—people might just assume this is a true statement, without learning about both sides of the problem. I'm not trying to strip anyone of agency, I just don't think most of my friends would have time to research this topic and might decide to follow the main opinion instead.

The answer I'd like to hear: Yes, it does push some actors towards fingerprinting, but preventing fingerprinting should be dealt with regardless. Changes should happen both on legislative and browser-vendor level.

> But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.

Server-side as well as white-labelled (subdomain) integrations already exist. Lotame (DMP) has at least one product of this kind, afaik.

stubish said 4 days ago:

I also don't see what has changed if businesses using 3rd party cookies to identify and track users switch to fingerprinting to identify and track users. My privacy is still being invaded in exactly the same way. Forcing companies to fall back to more bizarre and costly tactics seems to be the only path to victory.

snowwrestler said 4 days ago:

A big difference is that every browser provides easy-to-use native features to clear or block cookies--not true for fingerprinting. The complexity and opacity of how it works makes fingerprinting harder to block and clear.

sroussey said 5 days ago:

15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too. That constant clearing of cookies had us look into using flash to hold cookies, since that data didn't really get deleted when you cleared your cookies in the browser. So there is something to be said about that issue.

That said, Apple/Mozilla/etc know this and so they are simultaneously trying to make fingerprinting more difficult. If they were not, I would agree with Google's stance. But since they are, it is really more of a footnote.

qbaqbaqba said 5 days ago:

> 15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too.

You forgot to mention them abusing children and planing terror attacks.

eitland said 4 days ago:

> 15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too.

This might very well be true for what I know, but the general idea that optional privacy leads to more hostile environments seems to have been conclusively destroyed by HN and certain other forums, especially when compared to Facebook.

SilasX said 5 days ago:

I remember in the days of MSN gaming zone (zone.com, c. 1999), I was a vicious troll, and I'm pretty sure MS used their control of the OS to enforce a machine ban, as every attempt to use it from my home desktop was blocked. Also, somewhere in the Windows system registry I found a list of all the screen names I used.

3xblah said 5 days ago:

"... this will bypass Same Origin Policy..."

Same Origin Policy does not seem to provide any protection against DNS-based tracking.

For example, putting a series of links to resources in a page and making conclusions from the series of DNS requests made automatically by "modern" browsers like Chrome, Safari, Firefox, Edge, Opera, etc.^1,2

To be fair, this sort of tracking is arguably brittle, e.g., if user has auto-loading of images disabled or is not using a cache that randomises the ordering of IP addresses within a response packet like BIND.

It can also be easily avoided by user control over her client automatically making DNS requests for any resource^3 and user control over her own source of authoritative DNS data. For example, using a client that does not automatically load resources and using a local source of DNS data like a HOSTS file or a zone file served from a logging authoritative server on localhost like tinydns.

1. https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd...

2. http://dnscookie.com

3. Not just images or third party scripts

ma2rten said 4 days ago:

I think there are currently more reliable ways of fingerprinting.

3xblah said 4 days ago:

Most of them rely on Javascript or some other "modern" browser feature.

Not very reliable when user disables it or uses client that does not support it.

HTTP headers are malleable yet I still see the big tech companies appearing to treat them as reliably identifying a program/device. A new user-agent string or set of HTTP headers is not necessarily a new program/device.

Koremat6666 said 5 days ago:

Privacy is one side of the coin. Other side of the coin is that web adverts help web remain open, it helps independent and anti-establishment institutions to have an audience in a profitable manner. Remember, free speech does not exist unless that speech is also economically sustainable.

Arguably gun owners, strip clubs and porn magazines have fought for free speech more than facebook and google combined.

I am happy to willingly share my personal data with your advertisers if that helps you keep profitable (NYT, Reason, Cato, Vice, Pornhub etc.) you need to figure out how to achieve that without acting like jerks.

JohnFen said 5 days ago:

This is why tracking should be opt-in. Then you can allow it to support the things that you value without my privacy being invaded.

Koremat6666 said 4 days ago:

For that we need to somehow agree that tracking is not just a legitimate business practice but also a desirable one (as long as the individual has consented).

But these discussions will soon go into "how easy it should be to opt in?". Should it be a pop up like "allow location" or something more complex as enabling CORS.

air7 said 5 days ago:

The issue with server side 3rd party ads is that the advertiser has no way to assure the impressions are real.

kerkeslager said 5 days ago:

From the advertiser's perspective, that's a problem.

From my perspective, good. Advertising is toxic even when it's not invading my privacy, and maybe if we make it less effective people will do less of it.

lubujackson said 5 days ago:

Reality leans the other way. What eill likely happen is that sites that used to make 100k a year from ads see their revenue drop to 70k then 50k then 30k. To stay afloat they plaster more and worse ads in order to survive.

This is exactly what happened during the first dot com crash when we went from $35 CPM banner ads to $1. Suddenly, ads were slathered on every page or websites simply disappeared. What we really need is a deal that works well for all three parties: advertisers, consumers and content providers. Google Adsense was this perfect solution for a while (until it got optimized to max profitability).

Maybe online advertising is like social networks and can only enjoy brief moments of relative balance before the cycle starts anew.

lotu said 5 days ago:

There is zero chance that poorer tracking will reduce advertising meaningfully. You can’t track the effectiveness of TV and and radio and newspaper ads, but it’s not like people don’t use them.

waynesonfire said 5 days ago:

why is that good? you're paying for it.

sroussey said 5 days ago:

No, it would simply move even more from impression to action.

Glyptodon said 5 days ago:

Assuming they implement via some kind of full server-side proxying of an arbitrary endpoint bi-directionally so that it appears first-party (and no 3rd party cookies) I would think they'd have nearly as good of means for verifying impressions as they do already. The main "downside" seems like it'd just be harder to create unified multi-site profiles as they'd have to resort to fingerprinting of some kind to track people across multiple sites.

hnick said 4 days ago:

I think the main issue is impressions vs clicks.

As I understand it today, I can view an ad on a random site and have a cookie with my unique ID in it saved. If I view other network ads, they know it's me and update my profile. Then when I check out, the site I'm buying from reads this cookie and reports back that it worked based on impressions.

AFAIK this won't be easy to replace if a random eCommerce store is blocked from reading Facebook et al cookies, it won't be able to report back reliably. You could do something like submit their email address or other data to Facebook and see if you get a hit, but that's probably illegal in many places without permission. And in most cases, the cookie from the ads will be blocked as it's third party (but would be able to be written for ads shown on-platform, which doesn't really matter since they can track server side anyway).

But clicks are very easy, you just tie a unique ID to the ad URL and have the landing page and checkout page track that. No cookies needed. It can report back in real time or later to update stats.

musicale said 5 days ago:

That sounds very close to "it makes it harder for advertisers to track you."

Which is of course the intent.

cpeterso said 5 days ago:

Perhaps ad servers could tag served ad images or JS with tracking IDs that get round-tripped back to the advertiser through the first-party server, third-party requests, or navigator.sendBeacon().

marcosdumay said 5 days ago:

How relevant is this information?

AFAIK, all that matters is how many conversions you get from $ spent. Both of those are perfectly visible, no tracking needed.

lern_too_spel said 5 days ago:

How would you know that a conversion came from an impression?

dylz said 5 days ago:

> Google would lose privacy-conscious users otherwise.

Would these users be using Chrome in the first place?

negus said 5 days ago:

Why not? Privacy is not the only goal even for paranoids. It is all about compromise. Otherwise you would use lynx or wget -- truly private web clients. Or at least turn off JS.

unknown2374 said 5 days ago:

Why are you speaking as if there are no better alternatives than Chrome? Other than a few organizations who decided that only supporting Chrome as a browser is enough for their sites and some extensions, there are viable web browser alternatives from companies which don't make their money off of user's data.

koruptshun said 5 days ago:

Google created Chrome, and bribed Mozilla with billions, to keep ad blocking from becoming a standard browser feature.

The Google search engine could be run for some small number of billions per year (or less) but Google extracts tens of billions per year from our pockets. It's a leech on society in the same way that Wall Street is.

They successfully propagandized the idea that "relevant ads are good" when it's patently obvious that relevant search results are what you want from a search engine. There's no need for ads at all.

MarioMan said 5 days ago:

>Google created Chrome, and bribed Mozilla with billions, to keep ad blocking from becoming a standard browser feature.

This caught my attention, as I haven't heard anything about this before. Do you have a source with more details on it specifically? All I see is that Google pays Mozilla to make Google Search the default search engine and pays Adblock Plus to whitelist their ads. I'm not seeing any sources indicating that Google paid Mozilla any money to keep ad blocking out of their standard feature set.

zpeti said 5 days ago:

I think this is an easy move for Google, it's a "strategy credit" as Ben Thompson would put it.

Google already knows most of what it needs about you, and it will in the future from searches. It has no motivation to allow 3rd parties help in tracking visitors. This way it can build a moat around its business while pretending to care about privacy. It's bullshit.

wtetzner said 5 days ago:

Google's reason for wanting this is bullshit, but that doesn't mean it wouldn't be a beneficial move in general.

ocdtrekkie said 5 days ago:

The beneficial move would be for Chrome to accept the industry-standard choice of letting users easily block all tracking and fingerprinting... including Google's.

But that wouldn't be good for Google. This is the exact reason an ad company should not be allowed to own a web browser.

IAmEveryone said 5 days ago:

But... they are going to not just allow users, but per default, block 3rd party cookies?

Edit: comment was either edited, or I’m going senile. In any case: Chrome does allow blocking all cookies as well, and has from the first release. Fingerprinting isn’t easily avoided, but they have taken some steps to make it harder.

m0zg said 5 days ago:

Exactly. Google's real interest here is in making the lives of its many competitors _much_ harder. I'm fine with that though. Ads will become more expensive, so there presumably will be fewer of them. Not that I'd know, I've been using adblock everywhere for the past decade.

shostack said 4 days ago:

Fewer, more expensive ads are preferable in some cases. It tends to push out bottom feeding advertisers and leads to higher quality ads from bigger brands. It also allows for fewer ad placements which can sometimes be more profitable if it sufficiently improves user engagement and stickiness.

Jweb_Guru said 4 days ago:

I was just thinking the other day that if there's one thing I want more of, it's more consolidation around the largest corporations in the world.

3fe9a03ccd14ca5 said 5 days ago:

So... let anyone who wants to keep tracking us without our material consent or knowledge? No thanks.

zpeti said 5 days ago:

If you want to use chrome, be aware of the company’s underlying motivations.

But I’d recommend not using it at all, I don’t.

amluto said 5 days ago:

> By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques ...

This is disingenuous. Reducing tracking does not undermine websites. It undermines advertisers that depend on tracking. If tracking stopped, advertisers would target something else (e.g. content or coarse location) and roughly the same amount of money would go to websites. Google’s privileged position would be a lot less inherently valuable, though.

hurricanetc said 5 days ago:

>By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control.

Sure. So how about we block fingerprinting? Oh waaaaaait I see. What you actually want is your privacy invading business model to not be impacted.

Why are sites able to ascertain the type of browser, operating system, OS version, webkit version, Safari version, time zone, language, platform, vendor, screen dimensions, plugins, etc.

This shit should be as locked down as location, web cam, and microphone. Block all of it.

notsureifreal said 5 days ago:

You'll end up trying to read a news article in a foreign language, that looks like a mobile website, has 1000px headline and can't be navigated because some of the functionality is broken.

hurricanetc said 4 days ago:

Nonsense. You can write a perfectly modern and beautiful site without any JS at all.

Canada said 4 days ago:

Browsers send an accept language header that I wish web sites would respect instead of using geoip.

phelm said 5 days ago:

I have disabled 3rd party cookies in my browser for about a year now. My experience has been fine, I have had very few issues with things that I care about, no whitelist and not had to re-enable them yet.

driverdan said 5 days ago:

I've been blocking 3rd party cookies for many years. It doesn't cause any issues for 99.9% of sites. I think I've encountered less than 10 and I whitelisted the ones I needed.

reaperducer said 5 days ago:

Same here. Web sites that block content because of a lack of third-party cookie support are pretty rare. I ran into one last week and was so surprised by the message it took me a few seconds to realize was happening.

cj said 5 days ago:

Seconding this.

chrome://settings/content/cookies

Go there and enable "Block third-party cookies".

The internet still works without them.

cpeterso said 5 days ago:

Safari has blocked third-party cookies by default for a long time, so websites and advertisers that want to support iOS web users already need to work without third-party cookies.

wnevets said 5 days ago:

This has been my experience as well. Most sites I've encountered have already moved away from depending on 3rd party cookies.

ocdtrekkie said 5 days ago:

Indeed. Google Chrome's statements about the dangers and risks of blocking third party cookies is classic FUD. And it's solely about protecting their own data collection.

Despegar said 5 days ago:

> Users are demanding greater privacy--including transparency, choice and control over how their data is used--and it’s clear the web ecosystem needs to evolve to meet these increasing demands. Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem. By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better.

The Webkit team already proposed a privacy-preserving way to do ad click attribution [1]. I'm guessing that was too private and Privacy Sandbox works better for Google.

[1] https://webkit.org/blog/8943/privacy-preserving-ad-click-att...

jszymborski said 5 days ago:

In the past Chrome has played fast and loose with standards and features, which was fine for them since Firefox and friends needed to adopt them lest they widen the "Only works on Chrom(e/ium)" gap.

I wonder how removing a feature might go, however. The answer is "probably well because Chrome has overwhelming market share", but I do wonder if, between AMP and "no URLs" and no 3rd party cookies, if there's room for a small but growing "it just works how I'd expect it to on Firefox" contingent to spring up...

unlinked_dll said 5 days ago:

"only works in chrome" == "not going to use" for me and all any company/team where I have influence over software dependencies/tools. Same goes for "only works on one target" software in general though, usually means something is under tested.

dmitriid said 5 days ago:

Or, you know, it might not "just work" in Firefox because Google sabotages it: https://twitter.com/johnath/status/1116871231792455686?s=20

jotto said 5 days ago:

This will break a lot of auth0 jwt/login default integrations since it depends on 3rd party cookies.

marcosdumay said 5 days ago:

This. Mozilla got the right tactics by making them session lived by default. Completely banning them will only break stuff.

Tepix said 4 days ago:

Sites shouldn't rely on 3rd party cookies being enabled. Safari has had them disabled since years (forever?) and more and more people are disabling them manually.

jka said 5 days ago:

There's a short summary of some of the features proposed for the Privacy Sandbox here - https://blog.chromium.org/2019/08/potential-uses-for-privacy...

markosaric said 5 days ago:

This will hurt the ad-tech businesses and websites/publishers who rely on third-party ads/targeting much more than it will hurt Google (and Facebook).

Still, Google's revenue on third-party site ads was $6.4bn in Q3 of 2019 out of the $40.5bn in total revenue so it could be felt a bit there too.

I fear that it all will move to first-party tracking though which will be so much more difficult to block and so much more dangerous in terms of security.

rafaelturk said 5 days ago:

Hard to read this and extract facts. My sense that this article is intentionally vague.

Ajedi32 said 5 days ago:

Tl;Dr:

> [...] we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years [...]

As for what they're replacing them with, sounds like they don't quite know yet. They seem to still be in the requirements gathering phase: https://github.com/w3c/web-advertising

bilekas said 5 days ago:

Browser storage just to name one, cookies are really not too important.

With WebAssembly now.. And your company being one of the leading browsers.. The cookie transport looks like pigeon mail.

Ajedi32 said 5 days ago:

They're not getting rid of cookies; just third-party cookies.

SimeVidas said 5 days ago:

> we plan to phase out support for third-party cookies in Chrome

This is news to me.

nprateem said 5 days ago:

Welcome to Hacker News

SimeVidas said 5 days ago:

I visit twice per day.

apeace said 5 days ago:

If anyone from Google is reading this, the new SameSite policies coming to Chrome 80 are breaking "Login with Google" functionality. I opened an issue here: https://github.com/google/google-api-javascript-client/issue...

pc2g4d said 4 days ago:

The arms race moves to its next phase.

I'm not sure this will accomplish much as it's not that hard to serve things from one's own domain. More work for the tracking company to get things set up, I suppose, but harder to detect once established.

ryanmccullagh said 5 days ago:

So now ad companies will just require a CNAME entry in the website's DNS record.

ma2rten said 4 days ago:

And how do they link these between different websites?

wizzwizz4 said 4 days ago:

Server-side magic – fingerprinting, behavioural detection, referer GET stubs, etc.. It's not all that difficult, though it is harder.

Tepix said 4 days ago:

They add the tracking stuff as URL parameters.

Tepix said 4 days ago:

For privacy conscious users who have blocked third party cookies for years, this may make evading tracking ever more complicated.

My guess is we will need custom GreaseMonkey scripts that prevent parameters from being appended to URLs so when you click on a link to another site it will not pass tracking information. Generally whenever a tracking network changes these parameters the Greasemonkey scripts will have to be updated whereas in the past you could just block the third party cookies and avoid a lot of the tracking.

said 5 days ago:
[deleted]
bilekas said 5 days ago:

There have been articles recently which are claiming the value of those cookies are not as valuable as before because the majority of them are avoided/altered to obfuscate to the requester.

So I see this as a : 'Hey we got in before everyone and stopped using cookies first' — When in reality, they're becomming less of a valuable commoddity.

I'll be very happy when companies stop storing excess info in their own storage.

Until then, no round of applause from me .

ragebol said 5 days ago:

> I'll nurse a semi

What? Care to explain for a non-native speaker / non-US based reader?

bilekas said 5 days ago:

Updated, as a non native speaker, it's really not an expression you should learn!

IAmEveryone said 5 days ago:

It’s sexual, and therefore probably not a good expression to use unless you know what you are doing.

But it’s a somewhat eloquent term, in a way.

(It refers to getting sexually aroused, but only mildly)

said 4 days ago:
[deleted]
EGreg said 5 days ago:

What about single-sign-on stuff? What about iframe widgets where you are logged in?? Will there be a way to choose to keep being logged in, in iOS and Android? Or will everything become stateless and dumb?

unilynx said 5 days ago:

They can use redirect flows and POST back to the page you’re logging in to. It will be fine for most Auth flows (but not eg SAML passive logins)

ma2rten said 4 days ago:

Why can't they do this for ads?

tyingq said 5 days ago:

It's difficult to take Google's position on 3rd party cookies as altruistic.

Between Chrome, GA, AdSense, DoubleClick, Gmail, etc, they don't need 3rd party cookies to gather user data. Even if killing 3rd party cookies drops them back a little, it drops the #2 panopticon back more...extending Google's lead.

IAmEveryone said 5 days ago:

AdSense, DoubleClick, and Analytics all need 3rd-party cookies, no?

lmkg said 5 days ago:

DV360 (formerly DoubleClick) definitely does.

Analytics uses first-party cookies for its core functionality. There are optional features where it connects to a third-party cookie from another Google service, e.g. connecting to the DV360 cookie to pull in demographic information.

Rychard said 5 days ago:

They do, but seeing as how most users are force-feeding user data directly into Google's mouth via usage of their search engine and gmail inbox, removing 3rd party cookies from the equation is unlikely to affect their bottom-line in a measureable way.

rahuldottech said 5 days ago:

Not if the user is logged in to the Chrome or Android

awinter-py said 5 days ago:

a large chunk of G's business is first-party ads, i.e. in their own SERP vs on someone else's inventory

interesting to see if that's the future. certainly anyone with substantial inventory has experimented with this (NYT for example) because they suspect they're getting cheating by G/FB

driverdan said 5 days ago:

This is so two-faced. This is the key line:

> Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds…

A browser vendor that cared about its users would make a browser for them, not publishers or advertisers. It would block all tracking garbage by default.

Just admit it Justin, the real Chrome customers are advertisers. You don't actually give a shit about users if it interferes with ad dollars.

Edit: I left out this good quote

> Some ideas include new approaches to ensure that ads continue to be relevant for users

More user-hostile advertiser appeasement.

skybrian said 5 days ago:

Markets don't work unless both consumers and producers are satisfied. A classic two-sided market is Ebay. If there were nobody selling stuff there, then nobody would shop there. If nobody bought stuff there, nobody would sell there. You need to satisfy both buyers and sellers (somewhat) to have a market.

Google is just acknowledging that for-profit, advertising-supported websites are a three-sided market; consumers, website authors, and advertisers all have interests. Figuring out how to satisfy everyone is tricky.

It may be that these competing interests can't all be satisfied and an advertising-supported Internet isn't going to make it in the long term, but they are going to try.

mattacular said 5 days ago:

> It may be that these competing interests can't all be satisfied and an advertising-supported Internet isn't going to make it in the long term, but they are going to try.

Of course they can't all be satisfied. The needs of advertisers are diametrically opposed to the privacy needs of users. There is no way to square this problem so that both groups are happy and Google certainly understands this. They aren't "trying" things out as experiments, they are executing on strategies to ensure their dominance over the business of digital advertising.

tarr11 said 5 days ago:

Not all users have the same privacy desires.

Many (most?) are happy to provide their personal information "by default" in exchange for better ad targeting, lower prices, etc.

skybrian said 5 days ago:

Have you considered the possibility that the future behavior of consumers and lawmakers is not that easy to predict and people have different opinions about it? We can't reliably predict which products will be popular, the next election, or what laws will pass.

Past results are that the advertising-supported Internet is enormously lucrative. Things are changing though. We will find out what happens when it happens.

roywiggins said 5 days ago:

But why should a browser care about anyone other than the users of the browser? The browser is meant to be my user agent, not a third-party market maker.

(yeah, I know they have to care about website designers, otherwise every website will just break, but when you have substantially a huge share of the browser share, you can tell website designers to get stuffed and they will have to deal with it)

I'm being intentionally simplistic- sometimes, complicating things with markets and so on feels like it obscures more than it illuminates.

skybrian said 3 days ago:

Even if you ultimately care more about users, the incentives are still towards centrism. For example, Firefox still needs to do DRM to keep Netflix happy because users want to watch Netflix videos and will switch browsers to do it.

Compatibility is important, even for the market leader, because if they break too many websites too quickly, that will push people to switch browsers like nothing else. Especially if it's a big website people use every day.

Chrome does have a somewhat easier time taking the lead on deprecating things but it often requires multi-year campaigns and gradual steps. (Consider the campaigns to kill NSAPI and Flash.) This is needed even for Google to maintain compatibility with its own websites.

The analogy to markets still works. Ebay can change the rules to be more buyer-friendly but not so much that too many sellers leave, because buyer-friendly rules don't matter if you can't find the thing you want to buy.

An example of the market breaking down is major news sites blocking Chrome's Incognito mode, despite Chrome's gradual attempts to make fingerprinting harder.

amatecha said 5 days ago:

The World Wide Web is not a market.

fredley said 5 days ago:

Google cares very much about its customers. Its customers are advertisers. Like any good business, it puts its customers first, and anything beneficial it offers anyone else is just to serve its customers, ultimately.

rubber_duck said 5 days ago:

> it puts its customers first

Have you ever dealt with Google as a customer :) ?

negus said 5 days ago:

It is not that easy.

Consider Mozilla, the privacy maniacs. Even they let proprietary and intrusive DRM plugin inside, though it is totally contradicts FOSS approach https://news.ycombinator.com/item?id=7746585

This is life -- you have to take other parties interests into account or you will be buried.

Start block all tracking garbage by default and sites will ban your users, forcing them to choose another product.

Speaking about Google: when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition

arghwhat said 5 days ago:

Privacy ≠ FOSS.

DRM is an entirely different problem to that of privacy. While DRM is disgusting, a threat to open source as we know it and overall harmful to humanity as a whole, it does not inherently violate privacy.

Thus, saying "Even [the privacy maniacs] let proprietary and intrusive DRM plugin inside" doesn't make any sense.

negus said 5 days ago:

Do you know anything about this DRM plugin? Why would you think it does not work in private mode? What would you say about long-living unique user id that it associate with your device that can be read? It does violate your privacy as well

rpastuszak said 5 days ago:

Can we just stop for a second and ask whether advertising is required to support publishers at all?

Even if this question sounds naive, I feel like we should from time to time take a step back and review our situation.

> Speaking about Google: when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition

I can agree with that (esp. given their monopoly), but the truth is not black and white here: there's a difference between applying the same measures equally to everyone and leaving a bunch of escape hatches for yourself, e.g. that time when Chrome decided to exclude certain Google cookies from the "Clear all cookies" screen.

the_gastropod said 5 days ago:

> Can we just stop for a second and ask whether advertising is required to support publishers at all?

I think this misses a larger point: advertising on its own requires absolutely no tracking at all. Consider print publications. They still virtually all advertise. And their ads generally relate, in some way, to the demographics who read the publications. There's no reason that approach can't also work on the web.

The problem we're facing today is the notion that advertisers should be able to uniquely target individuals with specific ads. That's a new idea that I think we, as a society, need to reject.

CarelessExpert said 5 days ago:

Privacy and ethics around proprietary software, while obviously related (in that open software is obviously more transparent), are largely orthogonal. You can have closed/proprietary software that respects privacy (Apple), and you can have open software that doesn't (Chrome).

This just smells of whataboutism.

As for your hypothesis that websites will start blocking browsers that ban tracking and so forth, frankly, that remains to be seen, and my bet is we'd never actually see that happen in practice. The optics are just too toxic. Surveillance capitalism survives because people don't know it's happening. Banning a browser like Firefox would call attention to an infrastructure and ecosystem that those individuals don't want to talk about in public.

Edit: As an aside, if sites did start banning privacy-conscious browsers like Firefox, I'd just stop going to those sites. In that respect, I'd actually perversely appreciate something like this: It'd finally make it blatantly obvious who is and isn't collecting and profiting from data about me and my actions online without my permission.

JohnFen said 4 days ago:

> if sites did start banning privacy-conscious browsers like Firefox, I'd just stop going to those sites.

I already do this -- if a site doesn't work with my defenses against the ad industry up, then I don't go back to that site.

maccard said 5 days ago:

> As for your hypothesis that websites will start blocking browsers that ban tracking and so forth, frankly, that remains to be seen, and my bet is we'd never actually see that happen in practice.

The result of the GDPR regulAtions resulted in a moderate number of us websites refusing access to EU residents rather than attempt to comply. I think it's an entirely reasonably assumption that said sites would block a browser which attempted a similar idea

jolux said 5 days ago:

The DRM is totally different though. Not having it means certain sites can’t be used.

Spivak said 5 days ago:

And ad supporters say that not providing facilities for personalized ads means sites wouldn't be able to exist.

negus said 5 days ago:

There is no difference.

These sites that can't be used without DRM plugin do not provide you a way around DRM because you're ruining their business model (at least they think so, or their content providers).

The same goes with ads. If your browser start for example blocking ads at sites that live from it (like New York Times website), website administration will eventually ban your browser at all.

driverdan said 5 days ago:

Users demand browsers support Netflix and other streaming services which, unfortunately, requires supporting DRM. This is a case of Mozilla putting users first, despite it violating some of their core philosophy.

This is how it should work, users come first.

cortesoft said 5 days ago:

I am not saying they strike the right balance or not, but doesn't there have to be SOME balance?

Users need publishers to be able to make enough money to survive, or there won't be any content for them to use. You can't totally screw over either side, or the other will no longer exist.

roywiggins said 5 days ago:

It's very weird that one browser is so dominant that they, somehow, are expected to make some sort of dictatorial decision on this. If there were meaningful competition, it would not be a problem, since people would just swap browsers. That people think Chrome could single handedly destroy the internet if they made the wrong choice seems to indicate that there's a huge problem. One company shouldn't be able to screw over either side- the internet is huge, and we've delegated these decisions to exactly one company. It's bananapants.

skywhopper said 5 days ago:

I'm not sure why any of this requires third-party cookies or the bloatware that modern websites have become in order to enable this sort of tracking by dozens of entities. The most healthy and consumer-friendly advertising ecosystems (broadcast/cable TV and podcasts are good examples) are the ones where individual tracking is _not_ possible. As soon as it becomes a pure numbers game tied to individuals, then you get the arms race of fraud and manipulation that has led us to the current terrible state of the web.

iamaelephant said 5 days ago:

> I am not saying they strike the right balance or not, but doesn't there have to be SOME balance?

No, absolutely not. User-targeted advertising does not need to exist, a priori. Plenty of empires were built on privacy-friendly content-targeted advertising in the past and there's no reason that can't be done now. Except that Google would make far less money.

johnday said 5 days ago:

What would happen if, for example, all advertising was made illegal globally?

I strongly doubt the internet would stop working.

JohnFen said 4 days ago:

The "balance" that needs to be had is simple: don't spy on people. If you have their informed consent for data collection, then you aren't spying.

patrickaljord said 5 days ago:

You're aware that if Google with its monopoly on Search and quasi-monopoly on Chrome started blocking ads, they would get sued out of hell for monopoly abuse in the EU and probably everywhere else except the US, right?

AJ007 said 5 days ago:

This is actually a legitimate problem already where Google has paid adlockers to not block google.com by default. As an example, say some other vertical search engine purchases advertising on Google (travel, price comparison, etc) those same users who clicked on google may not see any advertising on the vertical search engine which, in those two markets accounts for a very large amount of those search engine’s own revenue.

I think a probable scenario is that Google’s search ads and display ads business will have to be segmented from the rest of Google’s businesses. The other alternative may be to remove search bundled with search advertising, YouTube with its accompanying video advertising, and so on.

I would be more optimistic about Google’s ability to keep itself together, but they seem to have turned themselves in to a case study of corporate mismanagement and disfunction. Who knows what sorts of insane criminal things and accumulating at this point. Those future moments of weakness and going to make them incredibly vulnerable to regulators on both sides of the Atlantic, from both the right and the left. That is not a survivable position.

vbezhenar said 5 days ago:

Blocking ad tracking means breaking the web. It's OK if user willingly wants to break the web for himself by installing addons. But blocking standard mechanisms by default is unacceptable, at least before you develop new standards. Countless websites were broken because browsers started to block popup windows. It was extremely stupid decision.

RockIslandLine said 5 days ago:

"Countless websites were broken because they used popup windows."

I fixed it for you.

JohnFen said 4 days ago:

> Blocking ad tracking means breaking the web.

So, this monster is "too big to fail"? All the more reason to kill it now before it gets even worse.

phkahler said 5 days ago:

>> to ensure that ads continue to be relevant for users

When users can't be tracked, ads will be less targeted which means Google will not be as valuable to advertisers.

wizzwizz4 said 4 days ago:

Users can be tracked, easily, without third-party cookies, by an organisation with enough presence across the web. Google has JavaScript on over half of the top 100 000 most popular websites.

kmlx said 5 days ago:

i feel this comment is a lot more hateful than helpful.

i don't understand how this helps the conversation.

npx13 said 5 days ago:

You care about users privacy? Judging by how passive aggressively Google tries to prevent us actually logging out of a Google Account, you are having a laugh.

sub7 said 5 days ago:

Good riddance. Unfortunately (almost) all our conversations - verbal and text messaging - are being spied on to target us with ads right now.

Addressing anything else is like pissing in the ocean to change it's colour.

Scarbutt said 5 days ago:

Looks like safari gave them no choice, so now they grab this as an opportunity to say the want to do it too.

duxup said 5 days ago:

Does chromium really have to do what Safari did? aka "no option"?

atonse said 5 days ago:

Safari has a tiny share on the desktop, but is pretty large on mobile.

Credit to Apple for being aggressive taking on the ad companies. Yes this is totally a business decision that benefits them, but it also benefits consumers. So in that sense, the incentives are aligned.

Hope they keep going.

wnevets said 5 days ago:

Hasn't safari always defaulted to no 3rd party cookies?

ergothus said 5 days ago:

As I understand it:

No. Rather, Safari uses "Intelligent Tracking Prevention". This blocks SOME (most?) 3rd Party cookies, but not all. For example, single sign on providers will often use cookies, and they are often explicitly 3rd party. ITP tries to let those through.

IIRC Safari can be set to block ALL 3rd party cookies, but it is not the default setting.

SSO providers don't NEED cookies, they can do full page redirects to avoid being 3rd party, but it does complicate matters, and the relationship between you, a site, and a 3rd party identity provider you've presumably agreed to can be a different beast than the tracking cookies that are the focus here, though of course identity providers could always join the dark side as well.

pornel said 5 days ago:

Safari used to allow 3rd party cookies in some circumstances, and of course Google abused that for tracking:

https://nakedsecurity.sophos.com/2017/11/30/google-sued-over...

exabrial said 5 days ago:

I believe they'll just be using the QUIC protocol and IPv6 to track users instead.

exabrial said 5 days ago:

For the downnvoters that don't believe me, go read Brave Browser's research into this.

tboyd47 said 5 days ago:

It's the classic regulatory capture move of pulling up the ladder behind you, only they don't need regulators to do it.

What's more, Firefox is just an off-brand of Google to capture the "privacy first" consumer market segment.

Doesn't mean I'm going to stop using Firefox, but it just helps to see the big picture.

bilekas said 5 days ago:

Another reason why Google's concern here for our privacy is nonsense is if we look here :

https://webkit.org/tracking-prevention-policy/

We can see, google doesn't need to inform their chrome users :

> A privileged third party is a party that has the potential to track the user across websites without their knowledge or consent because of special access built into the browser or operating system.

INOL but my understanding of this would put Google's Chrome into that bracket. Potentially also Microsoft/Apple ?