Google Chrome will phase out third-party cookies and the use of user-agent strings
Google Chrome is by far the most popular internet browser in the market today, claiming a market share of 63.6% as of December 2019, with the runner up being Safari at 17.7%. Chrome’s dominance, aided by the fact that it is part of the GMS app suite, gives it a commanding position. Because of this controlling presence, every major decision that Chrome makes for itself has a far-reaching impact on the Internet: how it is built and how users can access it. Google has now announced its plans to phase out support for third-party cookies, as well as to freeze the User-Agent string in Google Chrome.
A cookie, in the context of the Internet, is a piece of data that is stored on the user’s device when the user accesses a website. This cookie stores data related to the user’s interaction with the website, such as items added to cart, login data, form data, and much more. First-party cookies are cookies that are created by the visited website itself, and are necessary for the website to track your activity as you move from page to page. Third-party cookies, on the other hand, are cookies that are created by a party other than the visited website or the user; these usually refer to cookies created by external content, such as advertisements. Since average users often exercise little or no control over the advertisement providers that can serve them, they inadvertently allow these ad providers to track and build the user’s profile based on their browsing history across websites that have ads from the same provider.
For an ad provider, tracking the user is an important task as it allows them to serve users with ads that are more relevant to the user’s taste, and hence, have a higher probability of attracting the user’s attention and interaction. While this goal sounds bearable, the actual implementation of the idea has exceeded the original intent, trampling upon user privacy with little concern.
Browsers took it upon themselves to protect user privacy, with many popular browsers choosing to implement third-party cookie blocking, but without providing an alternative for ad providers to achieve their goals. This had the inadvertent effect of pushing ad providers towards more opaque profiling techniques such as fingerprinting. With fingerprinting, providers use tiny bits of information that vary between users, such as which device they have or which fonts they have installed, to generate a unique identifier that can then be used to match a user across websites. While cookies can be cleared by users and thus reset periodically, fingerprints cannot be cleared, leaving users with no way to reset them. Blocking cookies also affects websites that rely on ad revenue, so a move this restrictive carries a lot of consequences.
Google Chrome and Privacy Sandbox
Back in August 2019, Google announced Privacy Sandbox, an initiative to develop a set of open standards that aims to improve privacy on the web. Google also outlined some of the early proposals it had towards these open standards. Now, Google has announced an update to this original plan, and that is the intention of phasing out third-party cookies in Google Chrome within the next two years.
Google believes that the Privacy Sandbox initiative can sustain a healthy, ad-supported web in a manner that renders third-party cookies obsolete. The approaches outlined within can address the needs of users, publishers, and advertisers in a harmonious manner, and Google also plans to develop tools to mitigate workarounds that bad actors might employ — and Google hopes to achieve all of this within the next two years in Chrome.
Starting from February 2020, i.e. the next month, Chrome will also look to limit insecure cross-site tracking. Cookies that don’t include a SameSite label will be treated as first-party only, and cookies labeled for third-party use can be accessed over HTTPS only. Google claims that this will make third-party cookies more secure, and give users more precise browser cookie controls. Google is also developing techniques to detect and mitigate covert tracking and workarounds by launching new anti-fingerprinting measures to discourage such deceptive and intrusive techniques — these are promised to be launched later this year.
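As an added illustration (not code from the article or from Chrome), the function below takes a `Set-Cookie` header and reports how Chrome 80’s new defaults treat it in a third-party context: no `SameSite` attribute defaults to `Lax`, and `SameSite=None` is only accepted together with `Secure`. The cookie names and values are constructed samples.

```javascript
// Parse the parts of a Set-Cookie header that matter for the SameSite change.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue,
    sameSite: null, // null means the attribute was omitted
    secure: false,
  };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// How Chrome 80+ handles the cookie when the request comes from an embedded
// cross-site context (an ad iframe, a third-party image or script).
// Lax cookies are still sent on top-level cross-site navigations; that case is
// not a third-party request and is outside what this function reports.
function chrome80Treatment(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { name: c.name, stored: true, sentFromThirdPartyContext: false,
             note: 'no SameSite attribute: defaults to Lax, first-party only' };
  }
  if (c.sameSite === 'none') {
    if (!c.secure) {
      return { name: c.name, stored: false, sentFromThirdPartyContext: false,
               note: 'SameSite=None without Secure: cookie is rejected' };
    }
    return { name: c.name, stored: true, sentFromThirdPartyContext: true,
             note: 'SameSite=None; Secure: sent cross-site, over HTTPS only' };
  }
  return { name: c.name, stored: true, sentFromThirdPartyContext: false,
           note: `SameSite=${c.sameSite}: first-party only` };
}

// Constructed sample headers, from a first-party session cookie to an ad tracker.
const sampleHeaders = [
  'sessionid=abc123; Path=/; HttpOnly',
  'adtrack=xyz; SameSite=None',
  'adtrack=xyz; SameSite=None; Secure',
  'csrftoken=t0k3n; SameSite=Strict; Secure',
];
```

A site that legitimately needs a cookie in an embedded context must therefore ship `SameSite=None; Secure` explicitly; everything else silently becomes first-party only.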
This aggressive timeline thus encourages the web community to explore alternatives, and to do so quickly. Google claims to be working actively across the ecosystem so that browsers, publishers, developers, and advertisers can “experiment with the new mechanisms, test whether they work well in various situations, and develop supporting implementations, including ad selection and measurement, denial of service (DoS) prevention, anti-spam/fraud, and federated authentication”.
A User-Agent string is a piece of text, sent by the browser to the visited website, that contains several details about the browser type, rendering engine, and operating system. User-Agent strings are used to fine-tune features based on the user’s technical specifications. But the User-Agent string is now being used as a source of passive fingerprinting information about the user. On top of this massive issue, User-Agent strings also create compatibility headaches for minority browsers, wherein websites throw errors at users on select OSs and browsers while accepting others, without any valid reason. Browsers then have to resort to manipulating the User-Agent string to work around these nonsensical restrictions, which defeats the original purpose of the string.
The abuse outlined above has prompted Google to freeze the User-Agent string and replace it with a better mechanism. This replacement comes in the form of User Agent Client Hints (UACH), which fixes some of the issues with the User-Agent string. It provides information only when the server requests it, classifying any fingerprinting done as “active” fingerprinting, which can then be worked into proposals like Privacy Budget; and it provides information in small increments as and when requested, instead of revealing everything in every request.
Google thus plans to freeze/stop updating Google Chrome’s User-Agent component with new strings. Google plans to unify all Chrome User-Agent strings into generic values that do not reveal too much information. Chrome v81, expected around March 2020, will begin showing console warnings when pages try to access User-Agent strings. Chrome v83, expected around June 2020, will freeze the browser version and unify the OS version in the User-Agent string. Chrome v85, expected around September 2020, will unify the desktop OS entry into a common value for desktop browsers, and mobile OS strings into a similar common value. This timeline claims to provide three months for developers to move to the new mechanism for their information needs, and six months for more sophisticated OS targeting.
Other browsers like Microsoft Edge, Mozilla Firefox, and Apple Safari have expressed support for User-Agent freezing, but not necessarily for the UACH alternative. For web developers, Google suggests that they are better off employing feature detection as the first alternative for the use cases of User-Agent sniffing, and falling back to UACH only when feature detection is not enough.
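To show the UACH exchange the article describes, here is an added server-side example (not code from the article or from Chrome): the server reads the low-entropy hints a supporting browser sends by default, and emits `Accept-CH` to request only the high-entropy hints it actually needs, which the browser then includes on later requests. The `Sec-CH-UA*` and `Accept-CH` header names are the real ones; the request objects are constructed, and the `Sec-CH-UA` parser handles the simple unescaped form only.

```javascript
// Parse a Sec-CH-UA value such as '"Chromium";v="84", "Google Chrome";v="84"'
// into [{ brand, version }]. The real grammar allows escaped quotes; this
// simplified parser assumes brands without embedded quotes.
function parseSecChUa(value) {
  const brands = [];
  const re = /"([^"]*)";\s*v="([^"]*)"/g;
  let m;
  while ((m = re.exec(value)) !== null) brands.push({ brand: m[1], version: m[2] });
  return brands;
}

// Decide how to answer one request. `wanted` lists the high-entropy hints the
// site needs; anything not listed is never requested, so the server only learns
// what it explicitly asked for (the "active" fingerprinting the article mentions).
function handleRequest(headers, wanted = ['Sec-CH-UA-Platform']) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const response = { headers: {}, hints: {} };
  // Low-entropy hints arrive without being asked for.
  if (h['sec-ch-ua']) response.hints.brands = parseSecChUa(h['sec-ch-ua']);
  if (h['sec-ch-ua-mobile']) response.hints.mobile = h['sec-ch-ua-mobile'] === '?1';
  const missing = [];
  for (const name of wanted) {
    const v = h[name.toLowerCase()];
    if (v === undefined) missing.push(name);
    else response.hints[name] = v.replace(/^"|"$/g, ''); // values are quoted strings
  }
  // Request only what is still missing; the browser sends it on subsequent
  // requests. Accept-CH is honoured over HTTPS only.
  if (missing.length) response.headers['Accept-CH'] = missing.join(', ');
  return response;
}

// Constructed requests: a first visit carrying only the default hints, then a
// follow-up after the browser has honoured Accept-CH.
const firstVisit = {
  'Sec-CH-UA': '"Chromium";v="84", "Google Chrome";v="84"',
  'Sec-CH-UA-Mobile': '?0',
};
const followUp = { ...firstVisit, 'Sec-CH-UA-Platform': '"Linux"' };
```

Feature detection (checking in the page that an API or CSS property exists) still comes first; this exchange is the fallback for the cases, such as OS-specific downloads, that feature detection cannot cover.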