Google Confirms Its Schedule for Disabling Third-Party Cookies in Chrome - Starting in 2024

"The abolition of third-party cookies will make it possible to protect privacy-related data such as what sites users visit and what pages they view from advertising companies," notes the Japan-based site Gigazine.

And this month "Google has confirmed that it is on track to start disabling third-party cookies across its Chrome browser in a matter of weeks," writes TechRadar: An internal email published online sees Google software engineer Johann Hofmann share with colleagues the company's plan to switch off third-party cookies for 1% of Chrome users from Q1 2024 — a plan that was shared months ago and that, surprisingly, remains on track, given the considerable pushbacks so far... Hofmann explains that Google is still awaiting a UK Competition and Markets Authority consultation in order to address any final concerns before "Privacy Sandbox" gets the go-ahead.
The Register explores Google's "Privacy Sandbox" idea: Since 2019 — after it became clear that European data protection rules would require rethinking how online ads work — Google has been building a set of ostensibly privacy-preserving ad tech APIs known as the Privacy Sandbox... One element of the sandbox is the Topics API: that allows websites to ask Chrome directly what the user is interested in, based on their browser history, so that targeted ads can be shown. Thus, no need for any tracking cookies set by marketers following you around, though it means Chrome squealing on you unless you tell it not to...

Peter Snyder, VP of privacy engineering at Brave Software, which makes the Brave browser, told The Register in an email that the cookie cutoff and Privacy Sandbox remains problematic as far as Brave is concerned. "Replacing third-party cookies with Privacy Sandbox won't change the fact that Google Chrome has the worst privacy protections of any major browser, and we're very concerned about their upcoming plans," he said. "Google's turtle-paced removal of third-party cookies comes along with a large number of other changes, which when taken together, seriously harm the progress other browsers are making towards a user-first, privacy-protecting Web.

"Recent Google Chrome changes restrict the ability for users to modify, make private, and harden their Web experience (Manifest v3), broadcasting users' interests to websites they visit (Topics), dissolving privacy boundaries on the Web (Related Sites), offloading the battery-draining costs of ad auctions on users (FLEDGE/Protected Audience API), and reducing user control and Web transparency (Signed Exchange/WebBundles)," Snyder explained. "And this is only a small list of examples from a much longer list of harmful changes being shipped in Chrome."

Snyder said Google has characterized the removal of third-party cookies as getting serious about privacy, but he argued the truth is the opposite. "Other browsers have shown that a more private, more user-serving Web is possible," he said. "Google removing third-party cookies should be more accurately understood as the smallest possible change it can make without harming Google's true priority: its own advertising business."
The Register notes that other browser makers such as Apple, Brave, and Mozilla have already begun blocking third-party cookies by default, while Google Chrome and Microsoft Edge "provide that option, just not out of the box."

EFF senior staff technologist Jacob Hoffman-Andrews told The Register that "When Google Chrome finishes the project on some unspecified date in the future, it will be a great day for privacy on the web. According to the announcement, the actual phased rollout is slated to begin in Q3 2024, with no stated deadline to reach 100 percent. Let's hope Google's advertising wing does not excessively delay these critical privacy improvements."

TechRadar points out that after the initial testing period in 2024, Google will begin its phased rollout of the cookie replacement program — starting in June.

Thanks to long-time Slashdot reader AmiMoJo for sharing the news.

I've installed Firefox

[olsmeister]

Just did this, realized I alrealdy had it. Apparently had a sudden moment of clarity.

Re:I've installed Firefox

[ozmartian]

How so? Firefox aren't the ones disabling all ad-blockers from their browser and still use their own browser engine, not Chromium.

Re:

[Anonymous Coward]

How so? Firefox aren't the ones disabling all ad-blockers from their browser and still use their own browser engine, not Chromium.

It was that firefox broke adblockers - and in fact most extensions - just a few years ago that originally caused many of us to switch to chrome in the first place.

Where google is doing it out of malice, mozilla did it out of incompetence.
They removed their current extension framework months prior to their new replacement framework had even been started on.
Six months with no adblockers. Six months with no javascript control. We were left out to dry.

There was zero excuse to remove old extensions before thei

Re:

[sound+vision]

I've been daily driving Firefox exclusively with Adblock Plus for over a decade, and Noscript since about 2018, and I don't recall any such period where the plugins didn't work. You must have been running betas or something.

Re:

[LinuxRulz]

Your experience might be right after that breakage, which IIRC happened around 2015. During that time Mozilla phased out XPI extensions (which ran unconfined and could pretty much affect any aspect of the browser) in favor of web extensions (which cannot really toy with firefox's chrome[the name of the internal UI, not the other browser]).

XPI allowed from pretty powerful extensions, such as vimperator. Granted most of those extensions eventually got reimplemented as webextensions (i.e. tridactyl) but that t

Re: I've installed Firefox

[brickhouse98]

Clearly you know nothing of why they did it then.

Re:

[nicubunu]

It was that firefox broke adblockers - and in fact most extensions - just a few years ago that originally caused many of us to switch to chrome in the first place.

If that was tour reason to switch from Firefox to Chrome, it was a bad reason. I was also angry when they broke extension, but broken Firefox extensions were still more powerful than Chrome extensions.

Re: I've installed Firefox

[Z00L00K]

Not many bugs that I have seen, and today one of the remaining Chromium-free browsers. Safari is basically the only other alternative.

But not only third party cookies have to go, also a number of other things like the user agent string that's used for fingerprinting the user.

Re:

[znrt]

But not only third party cookies have to go, also a number of other things like the user agent string that's used for fingerprinting the user.

the user agent string has to go because it is obsolete, unreliable and fundamentally bad design which has never worked right and still today perpetuates bad coding practices, not because it could be used in any fingerprinting scheme (like a zillion other data items in any device ... you simply can't avoid fingerprinting if the browser has to have any meaningful functionality as an application framework).

Re:

[Bu11etmagnet]

> if the browser has to have any meaningful functionality as an application framework

But why does the browser have to have meaningful functionality as an application framework? Why can't it just display web pages?

Re:

[znrt]

well, that ship sailed long ago, and i guess the short answer is because we wanted to have that functionality too.

how it all came to depend on javascript and the browser engine becoming the core platform was a sort of darwinian process that went through several attempts to embed or piggyback that functionality in documents: java applets, ms activex controls, macromedia/adobe flash and some other exotic alternatives that didn't even make it, like ms silverlight or google gears.

so, the demand was clearly the

Borrowed time

[Anonymous Cward]

Safari will happily use 2-3x the RAM of Chromium-based browsers now and Firefox wastes CPU hand over fist when processing video and complex JavaScript. What we really need is for endpoint firewalls to get smarter about MITMing everything, so that the browser itself becomes less and less relevant when it comes to privacy. Everything from inline content filtering, allowing/disallowing scripts to things like overriding cookie lifetimes can and should be done system-wide. Heck, as cookie jars hold all your cli

Re:

[Pentium100]

Yeah, a proxy server that could filter out all the crap would be really useful. I wonder if there are any interesting solutions that use this. Pihole blocks DNS requests, but does not alter the website data, like an adblock-proxy would.

Re: Borrowed time

[Z00L00K]

So basically you'd like the firewall to become a man in the middle.

Re:

[AmiMoJo]

Having the router MITM stuff is a really, really bad idea.

For a start, do you trust every random router you come across, including the airport/hotel WiFi, and your friend's ISP supplied device? Or do you just forego security and privacy when connecting to them?

And what do you do when you are at some business meeting and the guest WiFi requires you install their certificate for "security purposes"?

The browser needs to be secure and private in itself. At most, something you have full control of, like a VPN, i

Not the router

[Anonymous Cward]

Have your PC do it. Mine does. I use AdGuard as my MITM solution, but one could just as easy use the e2bn fork of DansGuardian or another alternative to perform content interception instead.

Re: I've installed Firefox

[PoopMelon]

It is impossible to "remove finger printing techniques", masking your user agent (which you totally can in any browser really), removing third party cookies, or even faking your resolution, and breaking your web layouts in the process, whill not help you. "Fingerprinting" is not done on some magic ubique identifiers fhat are there just existinf, they are acfual peoperties of your system needed to be used by a browser in order to actually function. Check this site out https://amiunique.org/fingerpr... [amiunique.org] and th

Re: I've installed Firefox

[Z00L00K]

Almost none of the data like screen size is needed by the backend systems. Some of it shouldn't even be provided to local javascript.

Re:

[gweihir]

Yep. Which is why the GDPR requires "privacy by default". Apparently software makers do not care enough. In the specific example, all those tracking features could just report a default answer and only tell the server more if you agree to it.

Re: I've installed Firefox

[PoopMelon]

What are you talking about? No, while there are some useless data, a vast amount required. Either o the server clknows what to send you the required data or unavoidable like canvas render test. Accept string - required, encoding -required, prefered language - i know that for a lot of people english is the only language but yes there are other nations using the internet. Upgrade insecure reaquests, timezone (correct javascript funcioning locslized clock) , fonts, almost everything on that list requires or ha

Re:

[gweihir]

You must be a web "developer". No, most things are not required at all. It just takes some actual skills to see that. Helpless wannabees will of course always cry "I need that!", where the "I" is the problem and the "need" is imaginary.

Re: I've installed Firefox

[PoopMelon]

Oh boy you have absolutely no idea what you're talking about do you lol

Re:

[gweihir]

Which is one of the reasons why any form of user tracking without explicite, informed consent is illegal under the GDPR.

Re:

[AmiMoJo]

Chrome is deprecating the user agent string. They have already started reducing it, and it is set to be removed entirely eventually.

Re:

[RitchCraft]

I've been using FireFox exclusively since it was first released. I've ran into zero ( 0 ) bugs over the years. Apart from a framework SNAFU about 10 years ago I've been very happy with FireFox. Thanks to FireFox I've been using the Internet ad free for well over 19 years now. People like you that spew this non-sense are doing others a disservice. FireFox is a MUCH better choice than anything Chromium based.

Re:

[nicubunu]

I am too using exclusively Firefox (even on mobile) and Mozilla Suite before it for a long while (probably from around M15), but to say it zero bugs is an overstatement. Hint: do you ever heard of Bugzilla? Ever used it? (It's Mozilla's bug tracking system).

Re:

[RitchCraft]

It may have bugs from time to time but I have never had one affect me. I never said it was bug free, just that I never experienced one. Heck, no software is ever bug free.

Re:I've installed Firefox

[caseih]

I install PrivacyBadger and uBlock Origin on all machines I come across, on all browsers.

Re:

[martin-boundary]

On top of that, I now always open youtube videos in an incognito window and don't "like" anything anymore. Sorry content producers, please complain to Google about their forced ad-showing policies.

Re:

[MrL0G1C]

I use a TamperMonkey/violentmonkey script called "remove Adblock Thing" by JoelMatic on Github. It's been working better than the previous adblocker. The nice side effect of using scripts rather than extensions is that all of the scripts come back after having to restore from backup unlike extensions which all get nuked by chrome and chromium forks. Firefox is far better for backing up.

Hmmm... Is it 1995 again?

[Mr. Dollar Ton]

I thought everyone's been doing this for years.

Dump chrome

[iAmWaySmarterThanYou]

There are several others out there including ones not based on chrome.

I switched from chrome years ago. Don't miss it a bit.

Your browser should support ad block and other useful extensions, not give away more info than it -has- to, run sufficiently fast without chewing up all your ram and crashing and support the ancient basic functions of bookmarks history etc.

Everything after that is unlikely to be for the end user's benefit.

It would be hard to find a browser that doesn't have all those basics today.

Re: Dump chrome

[PoopMelon]

As far ad i understand is that the main problem is chromium, not chrome, which is nowdays engine of many major browsers (like, not also chrome, but also bave and safari, and even edge). The only major player that has a different engine is Firefox with gecko that is our real omly hope. Google has made its way into engine of all the browsers and now making changes to all the web as it pleases

Re:

[iAmWaySmarterThanYou]

Safari. Native on Mac and Windows. Run it in a vm on Linux, too.

It isn't sexy but it works and doesn't report back to Google.

Re: Dump chrome

[PoopMelon]

Safari is like the internet explorer of post 2020. It is one terrible browser that doesn't follow the w3c standards, has most bugs and security issues of all modern browsers. And id anyone runs safari in a vm on linux, that person is a straight autist

Re:

[iAmWaySmarterThanYou]

You don't see all the Google privacy invading crap in chrome as bugs? Those are features?

I've used it on n off for years. Never had a problem displaying anything. Which standard does it not follow anyone cares about?

Cynical?

[paulidale]

Call me a cynic, but disabling 3rd party cookies is going to help Google maintain their monopoly status. Likewise QUIC prevents anyone but the endpoints (i.e. Google) from tracking you. Google is going to win here at the expense of their competition.

Re: Cynical?

[PoopMelon]

But the thing is that google WILL have that data, even without third party cookies lol

Re:

[Kitkoan]

So, they are pulling an Apple? Disable everything so they can be the gatekeepers of their users info and monetize the hell out of it.

Re:

[AmiMoJo]

Google is working towards making it so that the endpoints can't track you either. A recent proposal to use a pair of proxies, configured so that neither of them can gain enough information to track you, would block one of the last ways left to follow users - IP addresses.

As for the monopoly stuff, there is the Topics API that replaces the need for 3rd party cookies. That is their anti-trust defence.

I know it's fashionable to hate Google, but if they can get all this widely adopted then it will massively imp

Re: Cynical?

[brickhouse98]

The fact you trust them is amazing. They want *all* your data and their actions all lead to that. Pretending the topics api is privacy oriented is the bullshit they want you to believe.

Re:

[AmiMoJo]

So how does the privacy API help Google gather data? Specifically, what is the means of exfiltrating the data in a way that can't be detected?

Re:

[sound+vision]

Came to post this - G has numerous other ways to track you. They don't need cookies. Other players in the market might need them, but not the Goog.

The GDPR law(s) in the EU are a classic example of tech regulation being 20 years out of date by the time it comes into force. Meanwhile the US isn't even trying.

"Begun"?

[93 Escort Wagon]

"The Register notes that other browser makers such as Apple, Brave, and Mozilla have already begun blocking third-party cookies by default, ..."

"Have already begun" doesn't really do the other guys justice.

Apple's Safari has been blocking all third-party cookies since March 2020 - and was blocking tracking cookies long before that.

And while Mozilla's Firefox hasn't been blocking all third-party cookies by default, its advanced cookie management has made it just about trivially easy to do since... well, for as long as Firefox has existed. And they have been blocking tracking cookies by default for years. Firefox even lets you manage cookies on a domain-by-domain basis - so you can choose to prevent doubleclick.net from ever even creating a cookie, or let google.com only create ephemeral cookies that go away the moment your browser closes.

Re:

[AmiMoJo]

One thing I'd like to see in Firefox is ignoring cookie lifetimes like Chrome does. Even if the cookie says it is valid for a year, Chrome will delete it if you don't re-visit the site for some period of time... I think it's a month, I could be wrong.

On the other hand, I like Firefox's containers, Chrome could benefit from those.

Re:

[evanh]

Firefox makes it trivial to enable global auto-delete of all cookies upon exit. That's a very short expiry date. Potentially just seconds.

Re:

[AmiMoJo]

I use CookieAutoDelete. That way I can keep cookies for e.g. Slashdot and stay logged in, but everything else is cleared out 60 seconds after I leave a website. It clears all the cache and other storage too.

In related news . . .

[hawk]

In related news, Foxes, Inc. announced today that it is introducing new security features for henhouses.

"This is a great step forward, and will prevent chickenhawks and weasels from breaking in. By sending population data for each henhouse through our central servers, we [mumble] that away from these pests." :)

hawk

Re:

[Carewolf]

No, Safari are not blocking all third party cookies. Much of the internet doesn't work if you do that. Firefox keep having to ask for permission to allow the third-party cookies anyway, otherwise I couldn't use any Microsoft , Apple, or Google websites.

Until they have a replacement

[MrL0G1C]

Seems pointless since they want to place third party cookies with something else equally as bad.

Re:

[serafean]

It used to be FLoC (Federated Learning of Cohorts) , but that got shuttered due to the outcry, and now google Topics is supposed to fill that gap.

DuckDuckGo?

[mspohr]

Haven't seen any mention of DuckDuckGo in this discussion.
Does anybody know how it compares to other browsers in security features?

Re:

[MIPSPro]

I use it on Android. Blocks ads okay but not as effectively as uBlock Origin. The cookie defaults still suck and it still sucks off any Javascript penis it's handed.

Now do 3rd party scripts

[schwit1]

They should be killed for the same reason.

Re: I'd go so much farther...

[object88]

Out of curiosity, what sites do you visit that actually function with all these bits disabled?

Or did I misunderstand, and you allow-list sites that you regularly use?

Re:

[Seven Spirals]

Pretty much all of them. I'm using Slashdot, right now, with no Javascript and a dead-end overridden CSS sheet neutering all their "styles". When sites don't work, I browse them broken (and they do often look hella messed up) or I just leave. Google based tools mostly break, but Gmail works in it's HTML-only mode. All the other big mail webmail providers break badly and I use IMAP/SMTP when I need to use those. When I'm absolutely forced by work to browse some Javascript-horror, I do it using a VM that imme

Re:

[John.Banister]

I completely agree. No browser should be made to do that to itself.

Re:

[Dwedit]

You can use uMatrix today and have JavaScript disabled on all third party sites by default. And the web becomes cumbersome to use until you find out exactly which third-party javascript and fetches you need to enable for each host before the video on the news article actually loads.

Browsers ask for too much. No sane defaults.

[MIPSPro]

Browser defaults suck. They are setup for advertisers, not for users. Most still allow cookies and third party cookies by default. The big ones all have Javascript on by default. You don't get to run code on my box, sport, no matter how socially acceptable it is, it's still a completely stupid idea, folks. Most of the "plugins" to block these activities do not work (NoScript being a notable exception). Why in the world would I want some advertising-scum to be able to check for their same cookie on 100 diff

Re:

[Voyager529]

Browser defaults suck...The big ones all have Javascript on by default. You don't get to run code on my box, sport, no matter how socially acceptable it is, it's still a completely stupid idea, folks....Just turn it off, NOW.

The thing is...sadly, it's not quite that simple.

Try logging into GoDaddy's website with Canvas Fingerprinting disabled...you can't.

Try signing up for an Outlook.com e-mail address with any form of disabled fingerprinting...you can't. Gmail is no better...and while I haven't done it in a while, I'm fairly certain they want a cell number to sign up now, too.

These are just a handful of known examples off the top of my head...and while they all suck, I know...the fact of the matter is that there are lots of pe

Re:

[MIPSPro]

I respect what you're saying, but I don't think it's that complicated. It's the same thing a lot of people say about food. They have no realistic ability to eat better. "I have to eat fast food. That's the only thing available in my neighborhood." The narrative goes that it's just overwhelmingly convenient and any loss of that convenience is going to be unacceptable. Well, to some extent that is true. People who's value-system places high value on convenience are going to find inconvenient choices to be unt

just stating the obvious:

[dhizzle]

Google is an advertising company. The advertisers don't ply them with money out of goodwill. The advertisers are the customers. Users the product. Oh, and along with Manifest v3 you lose ability to block ads. Enjoy the ads Chrome folks.

Google's cookies

[Dwedit]

Will Google's own third-party cookies be exempt?

I'm a step ahead, I don't use Chrome

[bsdetector101]

Never liked the interface, was/is a memory hog and collects your personal data ! 3 Strikes !!