Skip to content

Instantly share code, notes, and snippets.

@darobin
Created December 14, 2022 20:01
Show Gist options
  • Save darobin/69120bf9f0ed82a964e8b104e1b5b0b2 to your computer and use it in GitHub Desktop.
Save darobin/69120bf9f0ed82a964e8b104e1b5b0b2 to your computer and use it in GitHub Desktop.
Feedback on "Improving the web platform without third party cookies"

Third-party cookies are a key technology supporting tracking networks, which have been identified as a major threat to privacy [CITATION NEEDED].

The latest draft of the planned update to the cookies spec has some notes on this. It notably talks of 3PC has having "inherent privacy issues." You can also cite that section when you state that In this context, many browsers are restricting or completely deprecating the use of of third-party cookies.

Cookies were originally designed for recognising repeat visitors to a website. They have since been repurposed

I wouldn't bother listing all the use cases for cookies, I think that's going to be a long list and it still won't be complete. I would rephrase as "Cookies were originally designed for recognising repeat visitors to a website but they were soon repurposed for…" The repurposing dates back to 1999 (IIRC), so it's much closer to their invention than to today.

The TAG supports efforts to deprecate third-party cookies.

I would encourage the TAG to push for a deprecation timeline that is not dependent on the standardisation of a list of replacement specs for some functions that are performed today with 3PC. Eliminating 3PC is a net good for the web economy and an unmitigated benefit for our core constituency — people. Endlessly delaying it as we wait for standards with uncertain consensus and unrealistic timelines is harmful to the web. At most, the TAG should establish a list of which standards really are needed and that list ought to be short (I would suggest login flows and attribution).

I think that the statement about 3PC should stand on its own, and then make a subsection for advertising.

Advertising doesn't just fund media.

I wouldn't talk about "targeted advertising" as that can be (and is) done without 3PC. You might want to talk about advertising that relies on in-depth profiling and cross-context recognition.

I also wouldn't walk into the effectiveness crossfire. There is very little in the way of credible research (in either direction) because the system is completely unaccountable. You're setting yourselves up for debates that no one can win. Eg. people use the ATT impact on FB but that doesn't show anything other than that the specific implementation that FB uses (which no one understands, I'm pretty not at FB either) is affected. You hear about the small businesses that are losing ad traffic from FB but not about the small business that lost organic traffic because FB used data from their site to help their competitors advertise. Likewise, you hear about rising costs for SMBs but not about how Google's marketing tools have complex UIs with hostile defaults that systematically lead inexperienced marketers to significantly overspend. I could go on, but it's hard to prove anything — which is itself a problem! The best evidence we have for the system's inefficiencies is the fact that there are companies that are extracting high-margin rent from a system that should be commodity infrastructure. I think that you could include that statement, but relative to the entirety of digital advertising, not specifically targeting.

It's also worth noting that the business model of disinformation is to sell targeting based on data collected in high-value contexts. Third-party cookies are essentially a revenue transfer function from quality publishers big and small to disinfo and hate sites.

Similarly, these technologies also must not consolidate power in the hands of large organizations.

That's always a tricky one. I mean, it's true, but without operational criteria it doesn't mean much.

Rather than large orgs you may want to consider including a brief discussion of intermediaries. By enabling the fluid sharing of personal data, third-party cookies are giving greater power to intermediaries/third-parties (who can recognise people everywhere) than to first parties. This drives power and innovation away from the edges and into unaccountable backend processes. Network effects in the value of data also lead to concentration and winner-take-all. We would be able to hold companies far more accountable for data practices if the data stayed where it originates. We would also eliminate opportunities for intermediary capture.

Also, maybe: The TAG notes that the improvements brought about by the deprecation of third-party cookies must not be defeated by browser vendors preferentially obtaining online behaviour information via the browser or operating system.

Re "Privacy Sandbox" I think that it is worth noting that the label is doing nothing other than creating confusion. (I think the Google folks agree with this, or at least some do.) The moniker covers Google's proposals and it's making it look like Google is single-handledly designing a series of replacement technologies, independently of the standard process and of other proposals. Adding an Android flavour only makes this more confusing. The TAG should encourage abandoning this term.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment