With legislators pushing for privacy regulation, Firefox and Safari cracking down on tracking through cookies and Google announcing the big step of working to eliminate third-party cookies entirely, it looks like cross-site tracking through cookies may come to an end. However, advertising companies such as Google still need to offer relevant advertising to preserve their business model. This article takes a look at current cookie tracking mechanisms, anti-tracking measures and alternatives to tracking cookies pursued by the industry.

Ralph Meier already wrote an article on Tracking on the web. Here a description of basic Cookie tracking: Tracking users across multiple sites with cookies works by including tracker resources. For example, example.com and example.org both show google advertisements. When a user visits example.com, the browser loads advertisement resources from Google. Here, Google gets to set a cookie in the user’s browser. When the user then accesses example.org, the browser contacts Google for resources again. The cookies which Google gave the user before on example.com are included in the resource load request. Through the unique cookie and other information the browser sends, such as the exact URL the user is visiting, Google can track individuals across different websites and even inside a website.

Anti-Cookie Tracking Measures

With Cookie tracking becoming prevalent, concerns over privacy and data protection among users and legislators have grown. Firefox has introduced state partitioning in Firefox 86 to prevent the mechanism described above from working. For example, when Firefox receives a Google cookie from a resource load on example.com, it sees it as unrelated for Google resource loads on example.org and does not share the cookie across sites. This separation is continued in other stateful storage, such as caches, local and session storage. Safari went a step further and blocked third-party cookies entirely.

The End of Cookie Tracking?

Even fully eliminating third-party cookies does not eliminate cookie tracking and the restrictions can be circumvented. An advertisement resource can include a script which checks if it can read third-party cookies. If it is unsuccessful, it fully redirects the browser to the tracker, for example through window.location. Here, the tracker can set a first-party tracking cookie. The tracker then quickly redirects back to the site the user came from. Since the tracker has set a cookie as first-party, it does not fall under the third-party cookie restriction. This mechanism is known as bounce tracking. The blocking of such use of first-party cookies would break current web mechanisms and disallow things such as single sign-on (SSO). Also, implementing a block is not trivial, since trackers could for example bypass a stricter isolation of resources on other sites by including a tracking ID in the URL when redirecting back to the original site, which is read out and used by the segregated resource. This technique is known as link decoration. Safari and Firefox both have measures to limit the tracking capabilities through bounce tracking and link decoration.

Google’s Tracking Direction

Google Chrome has the biggest browser market share by a large margin with 65% over second place Safari with 19%. This makes Google a powerful force in shaping the web and pushing the industry forward. Until now, Google Chrome has had much less protection against tracking compared to Safari and Firefox. This is likely due to user data used for advertisement purposes being Google’s biggest asset. However, Google’s direction on cookie tracking is looking to change since the beginning of 2020, where they announced working on alternatives that will render third-party cookies obsolete:

(…) we are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome. Our intention is to do this within two years.

The pursued alternative has turned out to be Federated Learning of Cohorts (FLoC). This technology aims at replacing individual identifiers with identifiers for groups of people with common interests.

FLoC

FLoC’s specific technical implementation is not yet final, but a number of implementation ideas have been presented and the general direction outlined. FLoC assigns users into cohorts. A FLoC cohort is a short name that is shared by a large number (thousands) of people, derived by the browser from its user’s browsing history. The browser updates the cohort over time as its user traverses the web. The browser uses machine learning algorithms to develop a cohort based on the sites that an individual visits. The algorithms might be based on the URLs of the visited sites, on the content of those pages, or other factors. The central idea is that these input features to the algorithm, including the web history, are kept local on the browser and are not uploaded elsewhere. The browser only exposes the generated cohort.

The specific technical solution that FloC is going to use would be interesting to probe, since anonymizing data while preserving its worth is not trivial. Privacy minded Websites can also exclude a page from the FLoC calculation by setting an appropriate Permissions-Policy header with interest-cohort=().

Conclusion

Tracking is not going away in the foreseeable future – but tracking through third-party cookies may very well be. Tracking cookies can theoretically be used by anyone, while alternatives such as FLoC may aim at being integrated into browsers to leverage Google’s large browser market share and eliminate competition in the advertisement space. Less players or even a monopoly in the advertisement space may be beneficial to end user privacy, but detrimental to other aspects and enable abuse of influence for example.

About the Author

Ahmet Hrnjadovic is working in cybersecurity since 2017. There he is focused in topics like Linux, secure development and web application security testing. (ORCID 0000-0003-1320-8655)

Links

• https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
• https://blog.google/products/ads-commerce/a-more-privacy-first-web/
• https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/
• https://github.com/WICG/floc
• https://gs.statcounter.com/browser-market-share
• https://hacks.mozilla.org/2021/02/introducing-state-partitioning/
• https://web.dev/floc/#do-websites-have-to-participate-and-share-information
• https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
• https://webkit.org/tracking-prevention/
• https://www.newscientist.com/article/2210928-anonymised-data-isnt-nearly-anonymous-enough-heres-how-we-fix-it/
• https://www.politico.eu/article/brussels-zeroes-in-on-googles-data/