Over the years, web developers have dreamed up dozens of cute error pages to remind visitors to switch on cookies in their browsers.
Most are riffs on the eponymous baked snack (“Will work for cookies”) or Sesame Street’s Cookie Monster.
But the Cookie Monster may soon have fewer job opportunities – at least, that’s if Google gets its way. The internet giant plans to replace at least part of the cookie ecosystem with its own technology. And these changes could have a far-reaching impact on security and privacy on the web.
The cookie crumbles
In 2020, Google announced that it would phase out support in Chrome for ‘third-party’ cookies, which are used by advertisers, and others, to track users as they move across the internet.
According to Gareth Haken, an analyst at the Information Security Forum (ISF), third-party cookies are favored by the large social media companies and are often placed on sites via social media buttons. But, he says, the tide has been turning against third-party cookies for some time.
Safari and Firefox blocked the technology some time ago, so Google is playing catch-up.
“This will speed up the death of third-party cookies, especially with Chrome banning them… but this will affect only those looking to track users around the internet, such as advertisers,” Haken told The Daily Swig.
What will not change is the way websites use their own cookies. Cookie technology is here to stay, with Google – and others – maintaining that first-party cookies are essential to the smooth running of the internet. “First-party cookies are really useful. For instance, they mean you don’t have to log in each time you navigate to a new page on a website,” Haken explains. “It is third-party cookies that are more contentious.”
The privacy risk would become greater still if cohorts are created based on small geographical areas, or other links, such as to an employer. If just one craft ale-drinking biker worked for a particular employer, it might be possible to identify him or her.
Some interests will be kept out of cohorts – adult sites and medical information will not be tracked, for instance. But, Haken says, these interests are grouped together as ‘sensitive’ by FLoC; the system might not be able to distinguish a history of viewing adult material from researching, say, Covid-19 symptoms.
Potentially, a website owner with access to their customers’ personally identifiable information could use that data to associate cohorts with individuals, Haken warns.
As yet, it’s not clear exactly how FLoC’s cohorts will work in practice, but Google staff have admitted that the system will not be trialed in the EU, over concerns that it breaches parts of the GDPR and the ePrivacy Directive.
Instead, FLoC is being tested in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the US.