John Wilander, Apple WebKit engineer and architect of Safari’s Intelligent Tracking Prevention (ITP) solution, said Wednesday that Chrome’s new approach to privacy and cookie handling will do little to stop trackers.
Google announced Tuesday that it is changing the way its Chrome browser handles third-party cookies and will more aggressively aim to limit fingerprinting. Using a mechanism based on the web’s SameSite cookie attribute, it will require developers to identify cookies that are allowed to work across sites and could potentially be used to track users. Cookies without the new SameSite attribute will not be available in a third-party context. The browser will later introduce tools that let users block or clear third-party cookies while keeping first-party cookies, so they stay logged in and retain site settings.
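As an added illustration (not code from Google, Apple or the original article), the sketch below audits a site's own Set-Cookie headers against the default described above, listing which cookies remain readable in a third-party context. The SameSite=None value and its Secure requirement reflect Chrome's shipped behaviour rather than anything stated in this article, and the header values are constructed samples.

```python
"""Audit Set-Cookie headers against the SameSite default described above."""

def parse_set_cookie(header):
    """Return (cookie_name, {lowercased attribute: value}) for one header value."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name = pair.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def third_party_status(header):
    """Classify how a cookie behaves when its site is embedded by another site."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Explicit opt-in to cross-site use. Chrome as shipped also requires
        # Secure (assumption beyond the article's text).
        return name, "cross-site" if "secure" in attrs else "rejected"
    if samesite in ("lax", "strict"):
        return name, "first-party (declared)"
    # Attribute missing or unrecognised: the new default applies.
    return name, "first-party (default)"

def cross_site_cookies(headers):
    """Names of cookies still readable in a third-party context."""
    return [n for n, s in map(third_party_status, headers) if s == "cross-site"]

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; SameSite=Lax",
    "widget_id=w-42; SameSite=None; Secure",
    "legacy_embed=1; SameSite=None",
    "csrf=tok; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print("%-14s %s" % third_party_status(h))
    print("exposed cross-site:", cross_site_cookies(SAMPLE_HEADERS))
```

Run over a site's response headers, the output gives a quick inventory of which cookies have been declared for cross-site use and which fall under the new default.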
“What Chrome has announced is a change to their default cookie policy, going from allowing third-party cookie access to not allowing it,” Wilander said in a Twitter thread. “However, developers can simply reconfigure their cookies to opt out [of] this new policy and we should expect all trackers to do so immediately.”
Wilander said while he sees Chrome’s willingness to “acknowledge that tracking is a problem on the web” and make changes as positive steps, it’s not going far enough. “For a cookie policy to have meaningful effect on cross-site tracking,” he wrote, “you also need to partition storage available to third-parties such as LocalStorage, IndexedDB, ServiceWorkers, and cache.” Safari has enabled this kind of partitioning to prevent cross-site tracking in a third-party context since 2013.
He pointed to a 2013 WebKit bug tracker page on cache partitioning in which a Chrome engineer — back when Chromium used WebKit — essentially asked to be able to opt out of the partitioning because “the cache partitioning feature is not supported by the consensus of the WebKit project.” Just over a month later, Google forked WebKit and launched Blink, its rendering engine still used by Chromium.
ITP cross-site cookie blocking. Safari introduced ITP in 2017 to block third-party trackers from capturing cross-site browsing data — chiefly preventing retargeting efforts. “ITP detects which domains have the ability to track the user and either deletes all of their cookies and website data, or blocks third-party cookie access,” said Wilander. The latest versions, 2.1 and 2.2, go further to keep third-party cookies from abusing first-party storage space, he added.
“This is all to say that Chrome has a long way to go if they are serious about fighting tracking on the web,” Wilander said. “Their announced changes will not do anything now, but they are important steps because they show Chrome’s willingness to move.”
This is all to say that Chrome has a long way to go if they are serious about fighting tracking on the web. Their announced changes will not do anything now, but they are important steps because they show Chrome's willingness to move. — John Wilander (@johnwilander) May 8, 2019
Why we should care. Wilander’s response can be seen simply as a jab at a rival, but it highlights the divergent approaches to — and attitudes toward — tracking by Apple and Google. Apple has long staked out an anti-tracking stance, and ITP’s escalating restrictions have marketers scrambling to understand the impact on retargeting and analytics.
Chrome’s approach is significant given Google’s decade-long role in data collection and tracking. Privacy was a theme of I/O this week (supported by a New York Times op-ed by CEO Sundar Pichai Tuesday) and spanned multiple products, including more location data controls in Android and products such as search and Maps.
That said, Chrome’s cookie handling change is relatively small and likely just a first step. It has both a developer component, which may invite workarounds as Wilander suggests, and a user component that may or may not be widely adopted, so it’s entirely unclear how much of a shakeup this will mean for marketers. But two different approaches mean marketers will need to have both eyes open.