Yes this will have a great negative impact for Google's adtech competitors who unlike Google do not have other means to spy on users such as Chrome, search engine, Accelerated Mobile Pages, Gmail, voice assistant and so on.
But Google really has no choice here due to aggressive campaign by Mozilla, Apple and Microsoft who boast with their Intelligent Tracking Prevention ( https://webkit.org/blog/8828/intelligent-tracking-prevention... ) implementation blaming Google as a company which does not value users privacy. Google would lose privacy-conscious users otherwise.
But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.
I find their "removing 3rd party cookies will incentivise businesses to rely on fingerprinting" discourse dangerous.
It implies that other browser vendors (Mozilla, Safari/WebKit, new Edge) are in fact making the Web a more dangerous place.
I believe it's dangerous because it creates a harmful, unproductive PR narrative—people might just assume this is a true statement, without learning about both sides of the problem. I'm not trying to strip anyone of agency, I just don't think most of my friends would have time to research this topic and might decide to follow the main opinion instead.
The answer I'd like to hear: Yes, it does push some actors towards fingerprinting, but preventing fingerprinting should be dealt with regardless. Changes should happen both on legislative and browser-vendor level.
> But it is clear for me how all this anti-thirdparty cookies situation will go further: server side third party ad trackers -- this will bypass Same Origin Policy and will pose a privacy and security threat for users and websites even more than todays third party frontend ad trackers.
Server-side as well as white-labelled (subdomain) integrations already exist. Lotame (DMP) has at least one product of this kind, afaik.
I also don't see what has changed if businesses using 3rd party cookies to identify and track users switch to fingerprinting to identify and track users. My privacy is still being invaded in exactly the same way. Forcing companies to fall back to more bizarre and costly tactics seems to be the only path to victory.
A big difference is that every browser provides easy-to-use native features to clear or block cookies--not true for fingerprinting. The complexity and opacity of how it works makes fingerprinting harder to block and clear.
15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too. That constant clearing of cookies had us look into using flash to hold cookies, since that data didn't really get deleted when you cleared your cookies in the browser. So there is something to be said about that issue.
That said, Apple/Mozilla/etc know this and so they are simultaneously trying to make fingerprinting more difficult. If they were not, I would agree with Google's stance. But since they are, it is really more of a footnote.
> 15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too.
You forgot to mention them abusing children and planing terror attacks.
Acting like children, sure.
No terror stuff, but plenty of anti-Semitic material.
> 15-20 years ago, we found that people that were aggressive online and harassing people often cleared their cookies too.
This might very well be true for what I know, but the general idea that optional privacy leads to more hostile environments seems to have been conclusively destroyed by HN and certain other forums, especially when compared to Facebook.
We had a million communities, and learned a lot about how people act and react. Trolls, spammers, and people with some severe mental problems.
FB is interesting in that you would think that it would inhibit all bad behavior since you are using a real name. But really, people don’t care quite so much. Much improved though! Well, except for the bots, hacked accounts, and bad actors.
From the standpoint of dealing with crap messages, there are no silver bullets. But there are tools. Not everyone knows how to snowshoe, so you can have a decent win with even simple blocks.
I remember in the days of MSN gaming zone (zone.com, c. 1999), I was a vicious troll, and I'm pretty sure MS used their control of the OS to enforce a machine ban, as every attempt to use it from my home desktop was blocked. Also, somewhere in the Windows system registry I found a list of all the screen names I used.
"... this will bypass Same Origin Policy..."
Same Origin Policy does not seem to provide any protection against DNS-based tracking.
For example, putting a series of links to resources in a page and making conclusions from the series of DNS requests made automatically by "modern" browsers like Chrome, Safari, Firefox, Edge, Opera, etc.^1,2
To be fair, this sort of tracking is arguably brittle, e.g., if user has auto-loading of images disabled or is not using a cache that randomises the ordering of IP addresses within a response packet like BIND.
It can also be easily avoided by user control over her client automatically making DNS requests for any resource^3 and user control over her own source of authoritative DNS data. For example, using a client that does not automatically load resources and using a local source of DNS data like a HOSTS file or a zone file served from a logging authoritative server on localhost like tinydns.
3. Not just images or third party scripts
I think there are currently more reliable ways of fingerprinting.
Not very reliable when user disables it or uses client that does not support it.
HTTP headers are malleable yet I still see the big tech companies appearing to treat them as reliably identifying a program/device. A new user-agent string or set of HTTP headers is not necessarily a new program/device.
Privacy is one side of the coin. Other side of the coin is that web adverts help web remain open, it helps independent and anti-establishment institutions to have an audience in a profitable manner. Remember, free speech does not exist unless that speech is also economically sustainable.
Arguably gun owners, strip clubs and porn magazines have fought for free speech more than facebook and google combined.
I am happy to willingly share my personal data with your advertisers if that helps you keep profitable (NYT, Reason, Cato, Vice, Pornhub etc.) you need to figure out how to achieve that without acting like jerks.
This is why tracking should be opt-in. Then you can allow it to support the things that you value without my privacy being invaded.
For that we need to somehow agree that tracking is not just a legitimate business practice but also a desirable one (as long as the individual has consented).
But these discussions will soon go into "how easy it should be to opt in?". Should it be a pop up like "allow location" or something more complex as enabling CORS.
The issue with server side 3rd party ads is that the advertiser has no way to assure the impressions are real.
From the advertiser's perspective, that's a problem.
From my perspective, good. Advertising is toxic even when it's not invading my privacy, and maybe if we make it less effective people will do less of it.
Reality leans the other way. What eill likely happen is that sites that used to make 100k a year from ads see their revenue drop to 70k then 50k then 30k. To stay afloat they plaster more and worse ads in order to survive.
This is exactly what happened during the first dot com crash when we went from $35 CPM banner ads to $1. Suddenly, ads were slathered on every page or websites simply disappeared. What we really need is a deal that works well for all three parties: advertisers, consumers and content providers. Google Adsense was this perfect solution for a while (until it got optimized to max profitability).
Maybe online advertising is like social networks and can only enjoy brief moments of relative balance before the cycle starts anew.
> What we really need is a deal that works well for all three parties: advertisers, consumers and content providers.
I don't think such a thing actually exists. I mean, there is a way to do advertising that doesn't require spying on everybody -- contextual ads -- but advertisers seem to consider that a bad outcome, and instead are spending a lot of time and energy trying to figure out how to continue to spy on everybody.
An appropriate free market solution would be to construct an easy way to search only the ad-supported web, or only the non-ad-supported web and let people choose.
The problem right now is that it's all mingled together.
People easily forget the days of punch the monkey and x10 ads
Did those companies go out of business? An ad company in its death throws is going to be annoying right up until someone puts it out of its misery.
There is zero chance that poorer tracking will reduce advertising meaningfully. You can’t track the effectiveness of TV and and radio and newspaper ads, but it’s not like people don’t use them.
> can't track the effectiveness of TV, radio, and newspaper ads
Sure you can. "Use check-out code 'newspaper1' to get 5% off any purcahse!" or something.
why is that good? you're paying for it.
Here are the ways I can pay for it:
1. Find out about content I want. Decide to pay for it. Pay for it. Receive content. A simple, fair transaction where everyone gets what they want with no bullshit.
2. Find out about content I want. Receive content, along with ads that spy on me, distract me from the content I actually cared about, and tell me my girlfriend isn't hot enough, my car isn't fast or luxurious enough, my house isn't big enough, my family isn't safe enough, etc. Under the barrage of this constant psychological attack, I'll occasionally fall for it and end up spending much more money on things that I don't need than I would have spent on the content. And yet the content that I actually cared about and wanted to pay for only receives a fraction of those profits.
No, it would simply move even more from impression to action.
Assuming they implement via some kind of full server-side proxying of an arbitrary endpoint bi-directionally so that it appears first-party (and no 3rd party cookies) I would think they'd have nearly as good of means for verifying impressions as they do already. The main "downside" seems like it'd just be harder to create unified multi-site profiles as they'd have to resort to fingerprinting of some kind to track people across multiple sites.
I think the main issue is impressions vs clicks.
As I understand it today, I can view an ad on a random site and have a cookie with my unique ID in it saved. If I view other network ads, they know it's me and update my profile. Then when I check out, the site I'm buying from reads this cookie and reports back that it worked based on impressions.
AFAIK this won't be easy to replace if a random eCommerce store is blocked from reading Facebook et al cookies, it won't be able to report back reliably. You could do something like submit their email address or other data to Facebook and see if you get a hit, but that's probably illegal in many places without permission. And in most cases, the cookie from the ads will be blocked as it's third party (but would be able to be written for ads shown on-platform, which doesn't really matter since they can track server side anyway).
But clicks are very easy, you just tie a unique ID to the ad URL and have the landing page and checkout page track that. No cookies needed. It can report back in real time or later to update stats.
Minor point but the e-commerce site will not be able to read the cookie from Facebook - it will have a special code snippet on the "thank for your purchase" page. When your browser loads this page it also loads the snippet from Facebook (could be a 1x1 pixel or iframe etc etc) and your browser dutifully passes on the cookie as usual to facebook.com when it loads that snippet (i.e. facebook.com is the third party host) then Facebook's servers log the http request with the cookie ID so they mark that as a successful "conversion" (aka sale).
The browser will not make cookies from other sites available to the e-commerce site. There is no chance for the e-commerce site to take a look at what is in the Facebook cookie
Yeah true,and thanks for that. I unintentionally oversimplified.
I meant the 'page' (including the FB pixel JS on it) could read the pixel but the problem is of course the page is composed of resources from multiple domains and parties.
I'm pretty sure these days the default is just a JS ping to an endpoint, but the eponymous pixel exists under noscript tags for legacy support.
That sounds very close to "it makes it harder for advertisers to track you."
Which is of course the intent.
Perhaps ad servers could tag served ad images or JS with tracking IDs that get round-tripped back to the advertiser through the first-party server, third-party requests, or navigator.sendBeacon().
How relevant is this information?
AFAIK, all that matters is how many conversions you get from $ spent. Both of those are perfectly visible, no tracking needed.
How would you know that a conversion came from an impression?
How do you know the highway billboard or TV commercial lead to conversions?
Maybe it helps society to go back to such models over destroying privacy.
(And as answer to the question: Statistical methods by comparing areas/times with no ads vs. with ads etc.)
That ship already sailed. People are not going back to blind ad investment most of which has incredibly low ROI.
As much as many HN readers would love to see ads and even the most benign forms of tracking to disappear, if you're aiming for something realistic (e.g that would still allow ads to exist and be a minimum profitable for all involved) you cannot just go back to the dark ages, and show the same ads to everyone.
You don't have to show the same ads to everyone.
You can - without detailed tracking - identify rough location of the user. (IP etc.)
You can pick ads based on the content, not based on the user. (A site with beauty tips probably has different readers from a site on woodworking; a site with celebrity news has different readers than deep political analysis)
And yes, Google and Facebook would make less money (disclaimer: I have a handful Alphabet shares in my portfolio and probably funds containing those) and yes spread would be higher, but this could still pay a lot of bills and interestingly could lead to revert from clickbait to proper content, as readers of proper content are more likely the target audience for high-paid ads.
Strangely, I still see plenty of billboards and TV commercials.
Well TV commercial effects on web traffic and on revenue are measurable. We do that for a client. We can even tell which creatives, channels, surrounding program types work better.
Ad tech doesn’t a priori have the right to do whatever they dream up. We can choose to fight it with both legal and technical means.
> People are not going back to blind ad investment most of which has incredibly low ROI.
Not willingly, but perhaps they can be forced through legislation. In any case, as long as the industry insists on spying on me, I will continue to fight them tooth and nail.
So what service do I subscribe to so that I never see ads at all?
Ads are pollution, and need to be treated as such. Information providers need to develop business models which do not depend upon advertising revenue. (foundations, Patreon, whatever).
I would love that. Unfortunately I also love the fact that I can share links to sites without paywall issues. I don't know how to combine those things in a working manner. But I hope there are smarter people than me.
Short term: Less tracking is good. (Not only for privacy, but also since I don't want to see "optimized" content – I want to be surprised, contradicting opinions etc. like in a good newspaper)
Tracking clicks is easy and non-invasive. Tracking exhibitions is basically impossible, even if the browser cooperates. So you either take the number of direct conversions the easy way, or you do some of the many causal research techniques later to try to discover indirect conversions.
The one thing that you can't reliably do, browser privacy or not, is gathering the useless number ad-companies currently rely on.
Tracking incremental conversions is possible with statistics but only if you know who saw your ads.
> Google would lose privacy-conscious users otherwise.
Would these users be using Chrome in the first place?
Why not? Privacy is not the only goal even for paranoids. It is all about compromise. Otherwise you would use lynx or wget -- truly private web clients. Or at least turn off JS.
Why are you speaking as if there are no better alternatives than Chrome? Other than a few organizations who decided that only supporting Chrome as a browser is enough for their sites and some extensions, there are viable web browser alternatives from companies which don't make their money off of user's data.
Google created Chrome, and bribed Mozilla with billions, to keep ad blocking from becoming a standard browser feature.
The Google search engine could be run for some small number of billions per year (or less) but Google extracts tens of billions per year from our pockets. It's a leech on society in the same way that Wall Street is.
They successfully propagandized the idea that "relevant ads are good" when it's patently obvious that relevant search results are what you want from a search engine. There's no need for ads at all.
>Google created Chrome, and bribed Mozilla with billions, to keep ad blocking from becoming a standard browser feature.
This caught my attention, as I haven't heard anything about this before. Do you have a source with more details on it specifically? All I see is that Google pays Mozilla to make Google Search the default search engine and pays Adblock Plus to whitelist their ads. I'm not seeing any sources indicating that Google paid Mozilla any money to keep ad blocking out of their standard feature set.
I think this is an easy move for Google, it's a "strategy credit" as Ben Thompson would put it.
Google already knows most of what it needs about you, and it will in the future from searches. It has no motivation to allow 3rd parties help in tracking visitors. This way it can build a moat around its business while pretending to care about privacy. It's bullshit.
Google's reason for wanting this is bullshit, but that doesn't mean it wouldn't be a beneficial move in general.
The beneficial move would be for Chrome to accept the industry-standard choice of letting users easily block all tracking and fingerprinting... including Google's.
But that wouldn't be good for Google. This is the exact reason an ad company should not be allowed to own a web browser.
But... they are going to not just allow users, but per default, block 3rd party cookies?
Edit: comment was either edited, or I’m going senile. In any case: Chrome does allow blocking all cookies as well, and has from the first release. Fingerprinting isn’t easily avoided, but they have taken some steps to make it harder.
It's edited, sorry! I felt it was important to clarify that the general Privacy Sandbox concept they are promoting is designed and built around allowing data collection about users that can be used for ad targeting, whether it utilizes third party cookies explicitly or not.
Note that blocking all cookies breaks the web, blocking third party cookies breaks adtech. It's important to note that even if Chrome has supported the former, it has resisted implementing the latter.
Meanwhile, Firefox, Edge, and Safari have chosen to implement tracking prevention, which has the goal of preventing any ad targeting towards a given user.
Exactly. Google's real interest here is in making the lives of its many competitors _much_ harder. I'm fine with that though. Ads will become more expensive, so there presumably will be fewer of them. Not that I'd know, I've been using adblock everywhere for the past decade.
Fewer, more expensive ads are preferable in some cases. It tends to push out bottom feeding advertisers and leads to higher quality ads from bigger brands. It also allows for fewer ad placements which can sometimes be more profitable if it sufficiently improves user engagement and stickiness.
I was just thinking the other day that if there's one thing I want more of, it's more consolidation around the largest corporations in the world.
Yeah, for the life of me, I can't see this as a good thing. Sounds like a black mirror story.
So... let anyone who wants to keep tracking us without our material consent or knowledge? No thanks.
If you want to use chrome, be aware of the company’s underlying motivations.
But I’d recommend not using it at all, I don’t.
> By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques ...
This is disingenuous. Reducing tracking does not undermine websites. It undermines advertisers that depend on tracking. If tracking stopped, advertisers would target something else (e.g. content or coarse location) and roughly the same amount of money would go to websites. Google’s privileged position would be a lot less inherently valuable, though.
>By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control.
Sure. So how about we block fingerprinting? Oh waaaaaait I see. What you actually want is your privacy invading business model to not be impacted.
Why are sites able to ascertain the type of browser, operating system, OS version, webkit version, Safari version, time zone, language, platform, vendor, screen dimensions, plugins, etc.
This shit should be as locked down as location, web cam, and microphone. Block all of it.
You'll end up trying to read a news article in a foreign language, that looks like a mobile website, has 1000px headline and can't be navigated because some of the functionality is broken.
Nonsense. You can write a perfectly modern and beautiful site without any JS at all.
Browsers send an accept language header that I wish web sites would respect instead of using geoip.
I have disabled 3rd party cookies in my browser for about a year now. My experience has been fine, I have had very few issues with things that I care about, no whitelist and not had to re-enable them yet.
I've been blocking 3rd party cookies for many years. It doesn't cause any issues for 99.9% of sites. I think I've encountered less than 10 and I whitelisted the ones I needed.
Same here. Web sites that block content because of a lack of third-party cookie support are pretty rare. I ran into one last week and was so surprised by the message it took me a few seconds to realize was happening.
Go there and enable "Block third-party cookies".
The internet still works without them.
Safari has blocked third-party cookies by default for a long time, so websites and advertisers that want to support iOS web users already need to work without third-party cookies.
This has been my experience as well. Most sites I've encountered have already moved away from depending on 3rd party cookies.
Indeed. Google Chrome's statements about the dangers and risks of blocking third party cookies is classic FUD. And it's solely about protecting their own data collection.
> Users are demanding greater privacy--including transparency, choice and control over how their data is used--and it’s clear the web ecosystem needs to evolve to meet these increasing demands. Some browsers have reacted to these concerns by blocking third-party cookies, but we believe this has unintended consequences that can negatively impact both users and the web ecosystem. By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better.
The Webkit team already proposed a privacy-preserving way to do ad click attribution . I'm guessing that was too private and Privacy Sandbox works better for Google.
In the past Chrome has played fast and loose with standards and features, which was fine for them since Firefox and friends needed to adopt them lest they widen the "Only works on Chrom(e/ium)" gap.
I wonder how removing a feature might go, however. The answer is "probably well because Chrome has overwhelming market share", but I do wonder if, between AMP and "no URLs" and no 3rd party cookies, if there's room for a small but growing "it just works how I'd expect it to on Firefox" contingent to spring up...
"only works in chrome" == "not going to use" for me and all any company/team where I have influence over software dependencies/tools. Same goes for "only works on one target" software in general though, usually means something is under tested.
Or, you know, it might not "just work" in Firefox because Google sabotages it: https://twitter.com/johnath/status/1116871231792455686?s=20
This will break a lot of auth0 jwt/login default integrations since it depends on 3rd party cookies.
This. Mozilla got the right tactics by making them session lived by default. Completely banning them will only break stuff.
Sites shouldn't rely on 3rd party cookies being enabled. Safari has had them disabled since years (forever?) and more and more people are disabling them manually.
There's a short summary of some of the features proposed for the Privacy Sandbox here - https://blog.chromium.org/2019/08/potential-uses-for-privacy...
This will hurt the ad-tech businesses and websites/publishers who rely on third-party ads/targeting much more than it will hurt Google (and Facebook).
Still, Google's revenue on third-party site ads was $6.4bn in Q3 of 2019 out of the $40.5bn in total revenue so it could be felt a bit there too.
I fear that it all will move to first-party tracking though which will be so much more difficult to block and so much more dangerous in terms of security.
Hard to read this and extract facts. My sense that this article is intentionally vague.
> [...] we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years [...]
As for what they're replacing them with, sounds like they don't quite know yet. They seem to still be in the requirements gathering phase: https://github.com/w3c/web-advertising
Browser storage just to name one, cookies are really not too important.
With WebAssembly now.. And your company being one of the leading browsers.. The cookie transport looks like pigeon mail.
They're not getting rid of cookies; just third-party cookies.
> we plan to phase out support for third-party cookies in Chrome
This is news to me.
Welcome to Hacker News
I visit twice per day.
The arms race moves to its next phase.
I'm not sure this will accomplish much as it's not that hard to serve things from one's own domain. More work for the tracking company to get things set up, I suppose, but harder to detect once established.
So now ad companies will just require a CNAME entry in the website's DNS record.
And how do they link these between different websites?
Server-side magic – fingerprinting, behavioural detection, referer GET stubs, etc.. It's not all that difficult, though it is harder.
They add the tracking stuff as URL parameters.
For privacy conscious users who have blocked third party cookies for years, this may make evading tracking ever more complicated.
My guess is we will need custom GreaseMonkey scripts that prevent parameters from being appended to URLs so when you click on a link to another site it will not pass tracking information. Generally whenever a tracking network changes these parameters the Greasemonkey scripts will have to be updated whereas in the past you could just block the third party cookies and avoid a lot of the tracking.
There have been articles recently which are claiming the value of those cookies are not as valuable as before because the majority of them are avoided/altered to obfuscate to the requester.
So I see this as a : 'Hey we got in before everyone and stopped using cookies first' — When in reality, they're becomming less of a valuable commoddity.
I'll be very happy when companies stop storing excess info in their own storage.
Until then, no round of applause from me .
> I'll nurse a semi
What? Care to explain for a non-native speaker / non-US based reader?
Updated, as a non native speaker, it's really not an expression you should learn!
It’s sexual, and therefore probably not a good expression to use unless you know what you are doing.
But it’s a somewhat eloquent term, in a way.
(It refers to getting sexually aroused, but only mildly)
What about single-sign-on stuff? What about iframe widgets where you are logged in?? Will there be a way to choose to keep being logged in, in iOS and Android? Or will everything become stateless and dumb?
They can use redirect flows and POST back to the page you’re logging in to. It will be fine for most Auth flows (but not eg SAML passive logins)
Why can't they do this for ads?
It's difficult to take Google's position on 3rd party cookies as altruistic.
Between Chrome, GA, AdSense, DoubleClick, Gmail, etc, they don't need 3rd party cookies to gather user data. Even if killing 3rd party cookies drops them back a little, it drops the #2 panopticon back more...extending Google's lead.
AdSense, DoubleClick, and Analytics all need 3rd-party cookies, no?
DV360 (formerly DoubleClick) definitely does.
Analytics uses first-party cookies for its core functionality. There are optional features where it connects to a third-party cookie from another Google service, e.g. connecting to the DV360 cookie to pull in demographic information.
They do, but seeing as how most users are force-feeding user data directly into Google's mouth via usage of their search engine and gmail inbox, removing 3rd party cookies from the equation is unlikely to affect their bottom-line in a measureable way.
Not if the user is logged in to the Chrome or Android
a large chunk of G's business is first-party ads, i.e. in their own SERP vs on someone else's inventory
interesting to see if that's the future. certainly anyone with substantial inventory has experimented with this (NYT for example) because they suspect they're getting cheating by G/FB
This is so two-faced. This is the key line:
> Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds…
A browser vendor that cared about its users would make a browser for them, not publishers or advertisers. It would block all tracking garbage by default.
Just admit it Justin, the real Chrome customers are advertisers. You don't actually give a shit about users if it interferes with ad dollars.
Edit: I left out this good quote
> Some ideas include new approaches to ensure that ads continue to be relevant for users
More user-hostile advertiser appeasement.
Markets don't work unless both consumers and producers are satisfied. A classic two-sided market is Ebay. If there were nobody selling stuff there, then nobody would shop there. If nobody bought stuff there, nobody would sell there. You need to satisfy both buyers and sellers (somewhat) to have a market.
Google is just acknowledging that for-profit, advertising-supported websites are a three-sided market; consumers, website authors, and advertisers all have interests. Figuring out how to satisfy everyone is tricky.
It may be that these competing interests can't all be satisfied and an advertising-supported Internet isn't going to make it in the long term, but they are going to try.
> It may be that these competing interests can't all be satisfied and an advertising-supported Internet isn't going to make it in the long term, but they are going to try.
Of course they can't all be satisfied. The needs of advertisers are diametrically opposed to the privacy needs of users. There is no way to square this problem so that both groups are happy and Google certainly understands this. They aren't "trying" things out as experiments, they are executing on strategies to ensure their dominance over the business of digital advertising.
Not all users have the same privacy desires.
Many (most?) are happy to provide their personal information "by default" in exchange for better ad targeting, lower prices, etc.
I'm sure most are just ignorant as to how much information they are exchanging and not necessarily happy to provide this "by default".
There is nothing wrong in being ignorant if the efforts to get rid of that ignorance outweigh the benefits for most users. My mother spends 15 minutes on internet talking to me and watching youtube. She does not care if advertisers know her age and location.
And many of them are equally ignorant as to how much money they have saved due to ad-powered web. What we really need is a transparency on this trade-off, not just bashing the status quo.
There has actually been research on this (in small settings). Even when made aware of the potential consequences, people do not choose to pay significantly more for equivalent products with better privacy protection.
"Everybody is just ignorant" is not a good way of evaluating markets.
Extremely dubious claim. What personal information? To which companies? For how long? Etc.
Have you considered the possibility that the future behavior of consumers and lawmakers is not that easy to predict and people have different opinions about it? We can't reliably predict which products will be popular, the next election, or what laws will pass.
Past results are that the advertising-supported Internet is enormously lucrative. Things are changing though. We will find out what happens when it happens.
Google doesn't need to predict the future of an advertising supported internet when they can manipulate it directly eg. with their chrome marketshare.
Although Google is a powerful position, this is fundamentally not how markets work. Google is not a dictator directly controlling users, advertisers, or websites. They are other people who make their own decisions based on their perceived interests.
Not even monopoly markets are dictatorships.
But why should a browser care about anyone other than the users of the browser? The browser is meant to be my user agent, not a third-party market maker.
(yeah, I know they have to care about website designers, otherwise every website will just break, but when you have substantially a huge share of the browser share, you can tell website designers to get stuffed and they will have to deal with it)
I'm being intentionally simplistic- sometimes, complicating things with markets and so on feels like it obscures more than it illuminates.
Even if you ultimately care more about users, the incentives are still towards centrism. For example, Firefox still needs to do DRM to keep Netflix happy because users want to watch Netflix videos and will switch browsers to do it.
Compatibility is important, even for the market leader, because if they break too many websites too quickly, that will push people to switch browsers like nothing else. Especially if it's a big website people use every day.
Chrome does have a somewhat easier time taking the lead on deprecating things but it often requires multi-year campaigns and gradual steps. (Consider the campaigns to kill NSAPI and Flash.) This is needed even for Google to maintain compatibility with its own websites.
The analogy to markets still works. Ebay can change the rules to be more buyer-friendly but not so much that too many sellers leave, because buyer-friendly rules don't matter if you can't find the thing you want to buy.
An example of the market breaking down is major news sites blocking Chrome's Incognito mode, despite Chrome's gradual attempts to make fingerprinting harder.
The World Wide Web is not a market.
Google cares very much about its customers. Its customers are advertisers. Like any good business, it puts its customers first, and anything beneficial it offers anyone else is just to serve its customers, ultimately.
> it puts its customers first
Have you ever dealt with Google as a customer :) ?
It is not that easy.
Consider Mozilla, the privacy maniacs. Even they let proprietary and intrusive DRM plugin inside, though it is totally contradicts FOSS approach https://news.ycombinator.com/item?id=7746585
This is life -- you have to take other parties interests into account or you will be buried.
Start block all tracking garbage by default and sites will ban your users, forcing them to choose another product.
Speaking about Google: when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition
Privacy ≠ FOSS.
DRM is an entirely different problem to that of privacy. While DRM is disgusting, a threat to open source as we know it and overall harmful to humanity as a whole, it does not inherently violate privacy.
Thus, saying "Even [the privacy maniacs] let proprietary and intrusive DRM plugin inside" doesn't make any sense.
Do you know anything about this DRM plugin? Why would you think it does not work in private mode? What would you say about long-living unique user id that it associate with your device that can be read? It does violate your privacy as well
AFAIK in firefox DRM plugins are sandboxed
Can we just stop for a second and ask whether advertising is required to support publishers at all?
Even if this question sounds naive, I feel like we should from time to time take a step back and review our situation.
> Speaking about Google: when you're (unlike Apple) making most of your revenue from ads, any hostile action to ad industry will be considered hypocrisy and unfair competition
I can agree with that (esp. given their monopoly), but the truth is not black and white here: there's a difference between applying the same measures equally to everyone and leaving a bunch of escape hatches for yourself, e.g. that time when Chrome decided to exclude certain Google cookies from the "Clear all cookies" screen.
> Can we just stop for a second and ask whether advertising is required to support publishers at all?
I think this misses a larger point: advertising on its own requires absolutely no tracking at all. Consider print publications. They still virtually all advertise. And their ads generally relate, in some way, to the demographics who read the publications. There's no reason that approach can't also work on the web.
The problem we're facing today is the notion that advertisers should be able to uniquely target individuals with specific ads. That's a new idea that I think we, as a society, need to reject.
> And their ads generally relate, in some way, to the demographics who read the publications. There's no reason that approach can't also work on the web.
That's how it USED to work on the web and still does in some parts. Until Google (and others) started selling increasingly accurate demographic and behavioural targeting. Now advertisers are addicted to targeting 50+ females who like baking, cats, have at least one grandchild and who have recently shown an interest in Easy Bake Ovens.
Is this working for them? I find it hard to believe that targeting more and more specific groups is actually worth the money for them. Is it really worth it to whatever company makes Easy Bake Ovens to pay for that kind of specific advertising? It seems (naively) that they would be better off finding out where their customers congregate and just buying ads there, without the extra cruft.
I mean, logically it should be worth it because they pay for it, but part of me is wondering if the ad companies are conning their customers on this.
I see what you mean, but I struggle to understand how is this a larger point?
I dislike ads for two reasons:
- highly targeted ads can impact my behaviour in ways I’m not aware of (existing vs. created needs, emotions vs. rational decisions) - it’s an invasion on our personal (internet) and public (your street, your neighbourhood) spaces.
The points above allow for manipulation at a unprecedented scale.
Again, this is more of a mental exercise, a problem I like to revisit from time to time, but if we take the points above into account, removing targeting doesn’t solve the issue completely.
I do think that contextual targeting is a more viable alternative, unless it becomes a rebranded version of behavioural (which is already happening).
Sorry, I should have been more clear. I think this is an important (larger) point because we don't need to pretend that this move would completely upend the ad industry. It will just slightly change it, and revert it to how it worked for the hundreds of years that preceded ~2005. I think ceding the argument that this change "breaks" advertising is the wrong move. I think it's important to keep focus of what we do want to break: the sleazy practice of tracking individuals so that they can be targeted for specific ads. That's gross, and absolutely deserves to go away. Publishers can continue to be supported by advertisements. There are tons of mailing lists that already work this way, and several very popular websites (e.g., Daring Fireball)
Privacy and ethics around proprietary software, while obviously related (in that open software is obviously more transparent), are largely orthogonal. You can have closed/proprietary software that respects privacy (Apple), and you can have open software that doesn't (Chrome).
This just smells of whataboutism.
As for your hypothesis that websites will start blocking browsers that ban tracking and so forth, frankly, that remains to be seen, and my bet is we'd never actually see that happen in practice. The optics are just too toxic. Surveillance capitalism survives because people don't know it's happening. Banning a browser like Firefox would call attention to an infrastructure and ecosystem that those individuals don't want to talk about in public.
Edit: As an aside, if sites did start banning privacy-conscious browsers like Firefox, I'd just stop going to those sites. In that respect, I'd actually perversely appreciate something like this: It'd finally make it blatantly obvious who is and isn't collecting and profiting from data about me and my actions online without my permission.
> if sites did start banning privacy-conscious browsers like Firefox, I'd just stop going to those sites.
I already do this -- if a site doesn't work with my defenses against the ad industry up, then I don't go back to that site.
> As for your hypothesis that websites will start blocking browsers that ban tracking and so forth, frankly, that remains to be seen, and my bet is we'd never actually see that happen in practice.
The result of the GDPR regulAtions resulted in a moderate number of us websites refusing access to EU residents rather than attempt to comply. I think it's an entirely reasonably assumption that said sites would block a browser which attempted a similar idea
As I said in my edit: I'm actually fine with that (though I stand by my skepticism that it'd actually happen), as it's a clear and unambiguous signal that tells me which sites respect my privacy and which ones don't.
California now has a low that is similar to the EU law in many ways, and other states will soon, so those sites will soon have to block Americans as well, based on where they live if they can determine it, and soon they'll have to just give up and follow the law.
You're talking about CCPA, and I completely agree, GDPR-style privacy regimes are clearly the way the regulatory world is moving. It's just a matter of time at this point.
The DRM is totally different though. Not having it means certain sites can’t be used.
And ad supporters say that not providing facilities for personalized ads means sites wouldn't be able to exist.
I’m not saying they wouldn’t be able to exist though. I’m saying you wouldn’t be able to use them. Firefox does not have the market share to be able to force change there, they’d only be making the experience shittier for their users. You’re welcome to turn the feature off if you don’t like it.
Ad supporters are wrong about this as a blanket statement. There are tons of useful sites that exist, many for years or decades, without any advertising at all.
Some sites would go behind paywalls, some would cease to exist, and some will just run nontargeted ads, but some would do none of those things.
There is no difference.
These sites that can't be used without DRM plugin do not provide you a way around DRM because you're ruining their business model (at least they think so, or their content providers).
The same goes with ads. If your browser start for example blocking ads at sites that live from it (like New York Times website), website administration will eventually ban your browser at all.
Users demand browsers support Netflix and other streaming services which, unfortunately, requires supporting DRM. This is a case of Mozilla putting users first, despite it violating some of their core philosophy.
This is how it should work, users come first.
Additionally they pushed against it initially, and implemented it late. And now it's downloaded separately the first time you approve it's use. Users can disable it in settings.
It's also a choice users are empowered to make.
Just as all this tracking protection stuff is optional but ships out of the box in a configuration that's deemed the most beneficial to the user, DRM, while enabled by default, can be disabled by simply uninstalling the plugin.
As I say: it just smells of whataboutism.
I am not saying they strike the right balance or not, but doesn't there have to be SOME balance?
Users need publishers to be able to make enough money to survive, or there won't be any content for them to use. You can't totally screw over either side, or the other will no longer exist.
It's very weird that one browser is so dominant that they, somehow, are expected to make some sort of dictatorial decision on this. If there were meaningful competition, it would not be a problem, since people would just swap browsers. That people think Chrome could single handedly destroy the internet if they made the wrong choice seems to indicate that there's a huge problem. One company shouldn't be able to screw over either side- the internet is huge, and we've delegated these decisions to exactly one company. It's bananapants.
> In particular, Google:
> has required manufacturers to pre-install the Google Search app and browser app (Chrome), as a condition for licensing Google's app store (the Play Store);
Oh, yeah, it's not organic. But it's happened and we've let it happen, and people are now talking about it as if it's just the background state of things that Google can singlehandedly decide which direction to take the web.
I almost miss Slashdot style "Micro$$$oft" discussions, at least people had some baseline hostility toward browser hegemony.
I'm not sure why any of this requires third-party cookies or the bloatware that modern websites have become in order to enable this sort of tracking by dozens of entities. The most healthy and consumer-friendly advertising ecosystems (broadcast/cable TV and podcasts are good examples) are the ones where individual tracking is _not_ possible. As soon as it becomes a pure numbers game tied to individuals, then you get the arms race of fraud and manipulation that has led us to the current terrible state of the web.
> I am not saying they strike the right balance or not, but doesn't there have to be SOME balance?
No, absolutely not. User-targeted advertising does not need to exist, a priori. Plenty of empires were built on privacy-friendly content-targeted advertising in the past and there's no reason that can't be done now. Except that Google would make far less money.
What would happen if, for example, all advertising was made illegal globally?
I strongly doubt the internet would stop working.
In the short term I think many sites would die, but in the longer run we would see other forms of people trying influence other people to make them buy something or vote for something or believe in something.
I fear that we would see a huge wave of advertising in disguise and other not necessarily more transparent forms of indirect funding and influencing.
For instance, there would suddenly be a very big incentive for product companies to become media companies themselves to make the distinction between reporting, advertising and simply describing their own product go away.
I believe an advertising ban would have a very large number of unintended and undesirable consequences.
Lots of non-ad companies rely on advertising. You would probably kill every marketing department worldwide. You would probably throw a huge number of companies in the world into chaos as they try to figure out how to grow revenue. The world would probably enter a depression worse than the 1920s as revenues severely tank because companies are not allowed to advertise their business.
"The world would probably enter a depression worse than the 1920s as revenues severely tank because companies are not allowed to advertise their business."
Nonsense. I'm not going to stop buying food or soap because I don't see ads for it.
There's no reason to conflate "advertising" with "user-targeted advertising". There's nothing inherently privacy-breaking about advertising. A regular billboard doesn't track users, a print magazine ad doesn't track users and there's no reason internet advertisements absolutely need to track users.
I wasn't conflating anything! I would be perfectly happy if all forms of advertising went away, targeted or otherwise. This wasn't a conversation about the reasons advertising was bad. I was just commenting that I don't think the internet would break if publishers stopped making money through advertising.
The vast majority of the content on the internet would disappear and the entire western world would likely be thrown into one of the worst economic recessions in history.
Probably less than 5% of the internet would work as is. If you give more time (like 10 years), the number would be more than that though.
$300B is no way negligible by any mean and businesses are tightly coupled so the impact will propagate across everywhere. For instance, almost every functional search engines are powered by advertisement in some way (even DDG); how would you use the internet without a search engine?
Given the absolutely ridiculous amount of content that is ad-funded, I very much disagree. All of my preferred youtubers and streamers would immediately be without livelihood. Same is probably true for a whole lot of news websites.
I suggest you pay those people with your money, instead of everyone’s privacy.
I'm completely fine with paying with my privacy. I feel like the vast majority of users prefers to look at ads compared to paying for content. Which matches reality where most people don't care if their browser blocks cookies or not.
As long as this patronage gets traction enough to support creators' livelihood. Unfortunately, the majority is not going to spend a single cent on those small creators when their alternatives are high quality contents built upon millions of dollars. It's even proven by Google Contributor program's failure.
> It's even proven by Google Contributor program's failure.
Although I think your point is correct, I don't think that this program's failure is evidence for it. I give cash money to numerous small creators, but there's absolutely no way that I would have used the Google Contributer program to do it. That requires more trust in Google than I can muster.
The point is that this needs to be done at scale. Even with Google's advantage on its pre-established publisher ecosystem, they couldn't make it because most publishers quickly realized that donation was not enough to offset the loss from disabling advertisements.
Most Magazines and Newspapers would stop too, since they're subsidized by advertising. Broadcast television and radio would cease to exist as well.
Public broadcasters don't live off advertising, do they?
In the US, public broadcasters get most of their money through contributions -- but advertising is a significant part of the mix as well.
More Wikipedia, more paywalls, less free news sites, Facebook, Instagram, etc.
A tremendous amount of resources are wasted on adtech - bandwidth, latency, which ultimately are accounted for in non-renewable time. Just compare using hacker news on mobile to reddit. I have a newish iPhone and reddit is basically unusable. Plausibly it’s a net-neutral situation, the downsides balancing out the upsides.
Similar evaluations can be made in the gaming space, comparing paid, freemium, and advertising driven. It wasn’t until fairly recently that advertising was even a viable revenue source for game developers.
The larger question perhaps is who loses their audience when they can no longer buy targeted advertising? Hint: it’s not the giant brands who blast billions of dollar blindly on mass advertising campaigns and can purchase Super Bowl commercials.
Disclaimer, a significant proration of the money I’ve made in the past decade + was from digital advertising.
> A tremendous amount of resources are wasted on adtech - bandwidth, latency
Not to mention cognitive resources. How much brain power has the world wasted on trying to get people to look at or click on things?
> reddit is basically unusable
Just a tip, if I want to use reddit on an iPhone, I usually go to i.reddit.com or reddit.com/.compact
There are also third party apps (I like Slide for Reddit) which are pretty good.
The "balance" that needs to be had is simple: don't spy on people. If you have their informed consent for data collection, then you aren't spying.
You're aware that if Google with its monopoly on Search and quasi-monopoly on Chrome started blocking ads, they would get sued out of hell for monopoly abuse in the EU and probably everywhere else except the US, right?
This is actually a legitimate problem already where Google has paid adlockers to not block google.com by default. As an example, say some other vertical search engine purchases advertising on Google (travel, price comparison, etc) those same users who clicked on google may not see any advertising on the vertical search engine which, in those two markets accounts for a very large amount of those search engine’s own revenue.
I think a probable scenario is that Google’s search ads and display ads business will have to be segmented from the rest of Google’s businesses. The other alternative may be to remove search bundled with search advertising, YouTube with its accompanying video advertising, and so on.
I would be more optimistic about Google’s ability to keep itself together, but they seem to have turned themselves in to a case study of corporate mismanagement and disfunction. Who knows what sorts of insane criminal things and accumulating at this point. Those future moments of weakness and going to make them incredibly vulnerable to regulators on both sides of the Atlantic, from both the right and the left. That is not a survivable position.
Blocking ad tracking means breaking the web. It's OK if user willingly wants to break the web for himself by installing addons. But blocking standard mechanisms by default is unacceptable, at least before you develop new standards. Countless websites were broken because browsers started to block popup windows. It was extremely stupid decision.
"Countless websites were broken because they used popup windows."
I fixed it for you.
> Blocking ad tracking means breaking the web.
So, this monster is "too big to fail"? All the more reason to kill it now before it gets even worse.
>> to ensure that ads continue to be relevant for users
When users can't be tracked, ads will be less targeted which means Google will not be as valuable to advertisers.
i feel this comment is a lot more hateful than helpful.
i don't understand how this helps the conversation.
You care about users privacy? Judging by how passive aggressively Google tries to prevent us actually logging out of a Google Account, you are having a laugh.
Good riddance. Unfortunately (almost) all our conversations - verbal and text messaging - are being spied on to target us with ads right now.
Addressing anything else is like pissing in the ocean to change it's colour.
Looks like safari gave them no choice, so now they grab this as an opportunity to say the want to do it too.
Does chromium really have to do what Safari did? aka "no option"?
Safari has a tiny share on the desktop, but is pretty large on mobile.
Credit to Apple for being aggressive taking on the ad companies. Yes this is totally a business decision that benefits them, but it also benefits consumers. So in that sense, the incentives are aligned.
Hope they keep going.
Hasn't safari always defaulted to no 3rd party cookies?
As I understand it:
IIRC Safari can be set to block ALL 3rd party cookies, but it is not the default setting.
SSO providers don't NEED cookies, they can do full page redirects to avoid being 3rd party, but it does complicate matters, and the relationship between you, a site, and a 3rd party identity provider you've presumably agreed to can be a different beast than the tracking cookies that are the focus here, though of course identity providers could always join the dark side as well.
Safari used to allow 3rd party cookies in some circumstances, and of course Google abused that for tracking:
I believe they'll just be using the QUIC protocol and IPv6 to track users instead.
For the downnvoters that don't believe me, go read Brave Browser's research into this.
It's the classic regulatory capture move of pulling up the ladder behind you, only they don't need regulators to do it.
What's more, Firefox is just an off-brand of Google to capture the "privacy first" consumer market segment.
Doesn't mean I'm going to stop using Firefox, but it just helps to see the big picture.
Another reason why Google's concern here for our privacy is nonsense is if we look here :
We can see, google doesn't need to inform their chrome users :
> A privileged third party is a party that has the potential to track the user across websites without their knowledge or consent because of special access built into the browser or operating system.
INOL but my understanding of this would put Google's Chrome into that bracket. Potentially also Microsoft/Apple ?