How The Third Party Cookie Crumbles: Tracking And Privacy Online Get A Rethink

from the important,-but-not-as-important dept

Google made some news Wednesday by noting that once it stops using 3rd party cookies to track people, it isn’t planning to replace such tracking with some other (perhaps more devious) method. This news is being met cynically (not surprisingly), with people suggesting that Google has plenty of 1st party data, and really just doesn’t need 3rd party cookie data any more. Or, alternatively, some are noting (perhaps accurately) that since Google has a ton of 1st party data — more than just about anyone else — this could actually serve to lock in Google’s position and diminish the alternatives from smaller advertising firms who rely on 3rd party cookies to bootstrap enough information to better target ads. Both claims might be accurate. Indeed, in the “no good deed goes unpunished” category, the UK has already been investigating Google’s plans to drop 3rd party cookies on the grounds that it’s anti-competitive. This is at the same time that others have argued that 3rd party cookies may also violate some privacy laws.

And, yes, it’s possible that it can be both good for privacy and anti-competitive, which raises all sorts of interrelated issues.

In theory cookies should have been very pro-privacy. After all, they’re putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they’re not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information — as well as consumer-friendly tools to adjust things. But that’s not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I’ve referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you’re being tracked.

The actual death knell for 3rd party cookies happened a while back. Firefox and Safari phased out 3rd party cookies a long time ago, and Google announced plans to do the same a year ago, with an actual target date for implementation a year from now. Today’s news was more about what happens next, with Google promising not to use some sneaky method to basically replace cookies with something even worse. There is a concerted effort by some to track you through a “hashed email address”. This is really creepy and kinda sketchy.

As a side note, a few years back, we were approached by a company doing this. They basically asked us to hand over a hashed set of emails we had collected. We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails. We explained that they must be mistaken, because that’s really not all that different from just handing over emails, which would be a violation of our own privacy policy. We were told that, no, the whole idea was everyone had to use the same hash, and it was fine because the email addresses were hashed (ignoring the point we made about that being meaningless if everyone is using the same hash). We rejected this deal, even though they were actually offering decent money. I do sometimes wonder how many other publishers just coughed up everyone’s emails, though.

So, Google’s latest point is that it’s not going to use some other unique identifier, and recognizes that the hashed email based-identifier is a bad idea:

We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not ? like PII graphs based on people?s email addresses. We don?t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren?t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.

Instead, Google is pushing for a different kind of solution — what it has referred to for a while now as a “Privacy Sandbox.” The idea is not to track individuals but rather to dump you into a “cohort” of similar users, thereby not needing unique identifiers, just slightly more general ones. Google has taken to calling this cohort setup “Federated Learning of Cohorts”, or FLoC, which it recently declared to be 95% as good at targeting ads, but in a less creepy way.

In many ways, this is obviously better than the use of full-on individual tracking via 3rd party cookies (or hashed emails). It’s sort of a step away from individual targeting and at least a very slight movement back towards contextual advertising, which is something I’ve argued both Google and Facebook should do. But it’s still not ideal. You still have the concerns about how much data Google has about you, and you still have the concerns about whether or not this locks in Google’s position. Those don’t go away with this move.

And, of course, there’s the other framework to think about this: the never-ending threat of new privacy laws. So much of the focus on privacy legislation is (stupidly) about fighting the last battles, and that’s why things like the GDPR and California’s CCPA focused on useless and counterproductive cookie notifications. In some ways, this could be seen as a step towards getting ahead of that coming meteor, sidestepping it by saying “okay, okay, there are no more third party cookies.”

In the end, you can’t argue that this is a great solution or a terrible one. It is… just a change. A change that helps one aspect of how our current online privacy paradigm works, but which might cause other problems. It’s good in that it’s a further step towards the end of 3rd party cookies, which have been abused in creepy ways for too long. But it doesn’t really fix overall privacy issues, and could still help lock Google into a position of dominance.

Filed Under: , , , ,
Companies: google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How The Third Party Cookie Crumbles: Tracking And Privacy Online Get A Rethink”

Subscribe: RSS Leave a comment
PaulT (profile) says:

Re: Re:

"If they do that, are they going to also block those stupid "accept our cookies" -popups that most of the web is now infested with? "

Where are you located? If the EU, then no, because those popups are part of an overreaction to the GDRP, which isn’t going anywhere soon. If not, it might even be the same problem if sites are scared of accidentally letting people through via VPNs. Either way, if you refuse cookies then the next time you go to a page you won’t have the cookie that says you agreed to accept them as the site is told by GDRP to do, so you’ll be asked again.

This comment has been deemed insightful by the community.
reticulator (profile) says:

Re: Re: Re: "the" cookies

I don’t believe any browser is removing support for cookies in general. If you reread the article, it’s about third-party cookies.

A "normal" cookie, such as are used to maintain your user session, are sent to you when you visit, do something needs to know (like, you’ve logged in, or put something in your shopping cart), and returned to on your next request to

A third-party cookie is sent to you from… a third party. You visit, and get a cookie from Then you make a request to, that also uses (perhaps for displaying ads). As part of loading the page from, you load a component from (perhaps an ad). That request to will include the cookie you received while interacting with And BINGO! knows you visited both and

So now "knows" that when you shop for diapers, you also order beer.

reticulator (profile) says:

Re: Re: Re:2 "the" cookies

Ha. I thought it used to be possible to edit a comment after posting. At any rate, typo alerts:

"visit, do something needs to know" SHOULD BE "visit…"

" will include the cookie you received while interacting with" SHOULD BE " will include the cookie you received from while interacting with"

This comment has been deemed insightful by the community.
PaulT (profile) says:

Re: Re: Re: Re:

"I expect Chrome will become useless to anyone in the EU when they remove support for the cookies."

You might expect that, but you should probably stop whining so much and take the time to read the article and the messages that pop up to tell you about cookies. You’d learn a lot and be less angry about very simple subjects.

Anonymous Coward says:

No Internet site or company should have the right to ibstall a ‘cookie’ on anyone’s computer! Thry are of no use to anyone except the website and the cookie producer and ehiever they are selling YOUR data to! No website should have the right to expect a visitor to have to jump through hoops to allow/disallow cookies and they should all be disabled, automatically, with an option to allow/enable them if the visitor wants, NOT IF THE SITE OWNER WANTS! Trouble is, as usual, politicians are ‘encouraged’ to pass legislation, for a contribution, to favor the sites, knowing full well the consequences to the site visitors. As is typical, politicians will do whatever the biggest buck will give them, not what they should do or were voted for to do, protect the public! Money ALWAYS speaks louder than rights and a company can always afford a much more expensive, much more knowledgeable, much more devious lawyer than joe public!!

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

That isn’t how the internet works at all. Cookies are on your computer and there are trivially settings to reject all cookies – you will just get a quick lesson as to why even those oriented more towards privacy mostly use session cookies.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

"Install" is a really weird and misleading concept to use here. Cookies (not "flash cookies" and other more hidden tracking objects like single-pixel images, etc. – there are still loads of other methods) are simple text files. They are as "installed" as the rest of the text, images, video, fonts, and scripting that a site uses to display its content.

This comment has been deemed insightful by the community.
PaulT (profile) says:

Re: Re:

That’s a lot of words to say "I don’t know what cookies are and I certainly don’t want to use the cookie controls in my browser that already allow me the control I’m demanding!"

"As is typical, politicians will do whatever the biggest buck will give them"

Why is any of this the job of politicians?

nasch (profile) says:


We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails.

If you can reverse it and get the input back out, then it’s not a hash. Hash algorithms are one way functions that map variable length inputs to fixed length outputs in a way that cannot be reversed. It may be possible to correlate the hashed value with other data sets and backtrack to an original email some other way, but it doesn’t sound like that’s what you mean.

Anonymous Coward says:

The idea is not to track individuals but rather to dump you into a "cohort" of similar users,

I don’t know what this even means. I cannot imagine that Google is claiming that it will stop trying to collect as much personal and behaviour data about individuals as possible. It is not going to delete it’s tables with names,DoB, addresses, phone numbers, email addresses, ip addresses etc. It is still able to map all of this to location, web and social network/communications history. It will still be able to hand this over to governments or other political entities when it believes it to be of strategic advantage.

Is it saying it will not sell individual phone numbers etc as part of it’s advertising business? So, for example, only google would know which individuals belong in the mentally_ill+religious+uneducated+conservative+politically_extreme cohort, when they sell access to these people to whoever can pay?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...