What Are Third-Party Internet Cookies, and Why Is Google Killing Them?

Google this week announced that the company will take steps to eventually eliminate third-party cookies, routinely used by data brokers to closely track and profit from your browsing behavior. But experts say that while the company’s announcement is a good first step, the effort is belated, murky, and not quite the revolution it’s being portrayed as. In a blog post, Justin Schuh, Director of Chrome Engineering, announced that the company’s Chrome browser would be moving away from using third-party cookies sometime in the next two years. First party cookies would still be allowed, but third party cookies used to track you around the internet would eventually be banned.

First party cookies are doled out by the sites you visit directly, retaining login information, site settings, and other details. Third party cookies, in contrast, are created by web domains other than the one you’re currently visiting; they’re predominantly used to track your browsing activity across websites, retargeting, and ad delivery.

The announcement comes six months after Google unveiled its “Privacy Sandbox”—a set of standards intended to balance Google’s insatiable data appetites with consumer privacy. Google’s responding to similar moves by competitors like Apple and Mozilla, who long ago began limiting the ways cookies can be used to track you across the internet. Instead of cookies, Google’s sandbox project would utilize browser-based machine learning and other technologies to deliver targeted ads without such detailed user tracking. Google’s Federated learning of cohorts (FLoC), for example, would deliver targeted ads based on “flocks” of thousands of people with similar interests, instead of tracking users individually. In short, the wild west days of user privacy are coming to a close. Ad companies are finally being shoved by angry consumers, politicians, and activists toward a future where they still track users and sell them behavioral ads—but on a far less granular and creepy level.

“Users are demanding greater privacy—including transparency, choice and control over how their data is used—and it’s clear the web ecosystem needs to evolve to meet these increasing demands,” Schuh said. “We are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported Web in a way that will render third-party cookies obsolete." Consumer groups and privacy experts aren’t entirely certain Google’s particularly well suited to spearhead the privacy revolution. Depending on the year, upwards of 85 percent of Google’s revenues come from advertising, making it a conflict of interest to drive any changes that might erode those revenues—or curtail its overall dominance in the ad space.

John Bergmayer, a privacy expert and lawyer at consumer group Public Knowledge, told Motherboard the company’s announcement was light on new details.

“There is a huge amount of hedging in Google’s statement,” he said. “It seems to be saying that it will block third-party cookies only after its controversial ‘privacy sandbox’ idea takes off. Ok, so what happens if it doesn’t?”

A decade ago, cookies were considered the end all be all of online consumer tracking and advertising. But the widespread use of annoying ads drove users toward ad blocking technologies that have eroded their overall effectiveness for advertisers. The internet has long-since evolved past traditional cookies into much more sophisticated methods of commercial surveillance. Many websites now use fingerprinting technology that identifies key aspects of your computer or mobile device, then tracks you around the internet regardless of your browser’s privacy settings. Internet service providers (ISPs) also use DNS records or deep packet inspection hardware to track user browsing habits, often down to the millisecond, without the need for cookies. Some ISPs like Verizon have even experimented with modifying user data packets to covertly track users around the internet—initially without informing them or letting them opt out. Big tech and big telecom’s dominance extends so far into so many technologies, cookies have almost become an afterthought in the race to track and monetize your every waking moment. “Anything that Google does to improve privacy against third parties opens up Google to the criticism that it can still track users in other ways,” said Bergmayer. “These sorts of apparent conflicts of interest are almost inevitable given the huge number of products Google has—it makes the browser, it’s a dominant online services provider, it’s the dominant ad network.” Privacy expert Guarav Laroia told Motherboard that Google, like so many other tech giants, is likely trying to get out ahead of growing calls for meaningful internet privacy rules on both the state and federal level. But letting ad giants dictate the path forward may result in them abusing the opportunity to simply cement their dominance over the ad market, he warned.

“These kinds of unilateral actions by a tech giant have the potential for anticompetitive effects, especially when it comes to the technical underpinnings of the online advertising ecosystem,” Laroia said. “Exactly how this sandbox is deployed and how these open standards are managed will matter a great deal.” So while Google’s changes may be well intentioned and helpful in some ways, eliminating third-party cookies is only the first step toward fixing what ails the modern internet. As for Google’s pledge specifically, the devil, as always, will be in the details.