Is this really effective for the users' privacy? Won't AdTech networks simply migrate to browser fingerprinting, perhaps with a bit of server-side tracking?
I'm not arguing to give up. Rather, I'm more convinced in investing in privacy NGOs like noyb.eu and make it expensive to toy with my privacy.
> Won't AdTech networks simply migrate to browser fingerprinting, perhaps with a bit of server-side tracking?
they don't even have to. Just store two (or N) sets of cookie trails as they already do. This will waste a few MB of storage on the client side and do nothing to Ad/privacy.
Sites never shared the ID anyway, specially since GDPR-et-al.
AD tech works like this: you send a hash of one ID and on the backend attach all the profile info (nobody will ever share that with partners, because that is gold), then the other side just assign their own hash of their ID and also keep all their targeting info on their backend. The only thing that matters is that party A ID123 is known to match party B IDabc. Note that those IDs are transient and set at random, because party A and party B doesn't want to give up their secret info by matching IDs from multiple sites. That is called cookie match. it does NOT depend on a single cookie jar. It doesn't even depend on cookies! why do you think most Ads (and google search result links -ha!) have those weird hashs appended? zero cookies needed)
Another thing that helps even more than 3rd party cookie is multi-site referrer, but google killed that on both chromium and firefox a long time ago (firefox still have the about:config way to disable/set to single-site, set to multi-site-domain-only, but good luck finding a single human who changes that setting by selecting magic numbers)
This is wrong: third party cookies are still widely used in the ad industry. Among other things, the cookie matching that you describe is dramatically more effective with third-party cookies than first-party only.
(Disclosure: I work on ads at Google, speaking only for myself)
never said it is not widely used or not effective.
Just saying that it won't matter much if removed from the equation.
I mean, if something makes your life easier, you would be a fool to not use it. but that is like saying not having a ferrari prevents you from driving to the store.
Third party cookies are not simply a matter of making adtech developer's lives easier. Imagine you visit shoes.example and are now on news.example. Both of these sites work with ads.example, and the shoe site would like to show you a shoe ad.
With third party cookies this looks like (simplified MVP form):
1. When you visited shoes.example, it loaded a pixel from ads.example. That pixel automatically sent your ads.example cookie, and put you on a remarketing list.
2. When you visit news.example, it sent an ad request to ads.example, which also automatically sent your ads.example cookie. Now the ad tech vendor knows to include the ad from the shoe site because it recognizes the third-party cookie.
On the other hand, without third-party cookies or any replacement browser APIs, how do these identities get joined? Very occasionally someone will follow a link between a pair of sites, and then you can join first party identities, but you probably don't have a chain of identities that connects a news.example first-party identity to a shoes.example identity.
>On the other hand, without third-party cookies or any replacement browser APIs, how do these identities get joined?
1. When you visit shoes.example, it has an iframe to show an ad from ads.example. This iframe runs some JS to compute a browser fingerprint and then nests an iframe to hxxps://ads.example/?target=shoes.example&client=$fingerprint . The ads.example server records that this fingerprint has visited shoes.example
2. When you visit news.example, it has an iframe to show an ad from ads.example. This iframe runs some JS to compute a browser fingerprint and then nests an iframe to hxxps://ads.example/?target=news.example&client=$fingerprint . The ads.example server recognizes the fingerprint, knows that the client visited shoes.example earlier, and returns a shoes ad.
My parent claimed this was possible to do with link decoration and first party cookie matching, and I'm saying it isn't.
I do agree this is possible to do with fingerprints, though (a) all the browsers are trying to prevent fingerprinting and (b) a reputable ad company would not use fingerprints for targeting. This is my understanding of why Google is putting so much effort into https://github.com/WICG/turtledove
right, if you know how cookies and urls work, all that can happen with zero cookies and some query parameters, like the ones google search surreptitious add on every search result.
cookie synch, It's a freaking industry standard. And you want us to believe google money cow will dry as soon as the effort they are leading goes live?
No, it is not possible to remarket at any meaningful scale with "zero cookies and some query parameters" (though Arnavion's sibling comment is correct that it can be done with fingerprinting). Would you be up for describing how you'd do it in the shoes.example/news.example/ads.example case?
> you want us to believe google money cow will dry as soon as the effort they are leading goes live?
"we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years." -- https://blog.chromium.org/2020/01/building-more-private-web-...
hint: the same way attribution happened in the early days.
google sends id abc to shoes.com and id xyz to news.com. both sends those ids back to google's own adserver. presto, google knows you are seeing those two ads.
Yeah, the cookie law was a false start. Laypeople don't care about the exact technical implementation (e.g., session cookies vs. persistent cookies vs. local storage vs. browser fingerprinting).
What I care as a EU citizen: Are you collecting and storing information that can directly or indirectly identify me? Yes, tracking and profiling are included in this.
You want to store some session cookies, so you remember my shopping cart? Go ahead!
You want to store some cookies, so you remember I was logged in? Sure!
You want to use every available technological loophole to follow my every path on the Internet? Errrr, no thanks!
I think the cookie law is somewhat meah, but I feel GDPR is pretty future proof. I don't expect GDPR to change a lot, rather our application of it (so-called ECJ recitals) will evolve.
This is basically Google (Chrome) paying Mozilla (Firefox) to kill 3rd party cookies because Google has a better way to fingerprint users without 3rd party cookies, because they have SO MUCH data about us.
This move is aimed at killing other AdTech companies which rely on 3rd party cookies to track users.
They painting this as a 'PRIVACY' move, after they have already found other ways of tracking users across websites and devices.
I'm not arguing to give up. Rather, I'm more convinced in investing in privacy NGOs like noyb.eu and make it expensive to toy with my privacy.