The Privacy Implications of Google's Switch to First-Party Behavioural Targeting

Thursday 20 October 2022
Bob Leggitt

With this sly regime going into the wild next month, the phasing out of third-party cookies will be no loss to Google. In fact, it will be a net gain.

Have you been puzzled by Google's casual resignation to the dwindling life of third-party cookies? What about the brand's shrug at anti-tracking initiatives like Mozilla's Total Cookie Protection? I mean, Google is Mozilla's primary funder. So at a glance it makes no sense at all that Mozilla's Firefox browser would roll out a system which limits the very tracking cookies Google uses to serve targeted ads...

Well, as with every other seemingly good-natured gesture that grandstands its way out of Silicon Valley, it's a trick. Of course it is. Just weeks after Firefox finally provides a default shield against cross-site tracking cookies (something it could have done 15 years ago), Google waltzes in with a new behavioural ad-targeting regime which... Yep, you guessed... Doesn't need cross-site tracking cookies. Not that any of this is choreographed, you understand... Sigh, groan, sigh, shake of the head, roll eyes to fade.

From 10th November 2022, Google will implement an epic consent-dodge which enables it to serve behaviourally-targeted adverts to people who wholly block third-party cookies.

The technology required for this was recognised in the research paper Missed By Filter Lists [PDF] as 'first to third party cookie syncing'. Google is already using said tech for the purpose of general ad management. But use of the technology will extend to full behavioural profiling and ad-targeting from next month.

Google maintains that the new system is a more privacy-orientated way for site visitors to receive targeted ads, since the encrypted process does not expose user data to the advertisers themselves. But the real intention behind it is another classic consent-dodge, with Google getting to re-establish a huge amount of behavioural ad-targeting which had been eroded by growing consumer privacy awareness.

Additionally, the encrypted system can be considered a power-grab, since it shores up Google's data-monopoly, further stifles competition and leaves smaller ad networks wholly dependent on Google for access to targeted consumers.

The system will be legal on sites that have valid cookie consent mechanisms, but because it involves deliberately bypassing YET ANOTHER clear and globally-recognised expression of disconsent, it's deeply unethical. Google is not the only Silicon Valley monolith bypassing third-party cookie blocks, but it's by far the most prevalent.

The gory detail on all this is well buried behind smiley-faced media spins that present Google's propaganda unchallenged and tell the public nothing at all. But in this post I'll explain how the new process works, what it will mean in privacy terms, and how we can prevent Google from compiling even more data on our Web use.

HOW FIRST-PARTY TRACKING COOKIES WORK

First-party tracking cookies circumvent all blocks and restrictions on the third-party cookie inlet by re-routing via the first-party domain. Here's a simple diagram...

[Diagram: first-party versus third-party cookie use]

As you see, everything is channelled through the visited domain, and the tracker essentially picks up the cookies 'secondhand'.

The diversion is accomplished through a JavaScript routine, which replaces the standard HTTP cookie header and generates the cookie in-code. Because website admins are willing to place Google's code on their own sites in return for benefits such as insights and monetisation, the script runs within the first-party page. That means the cookies it generates and later reads are first-party, not third-party, so they evade commonplace third-party blocks. But the flexibility of scripting also means the third party's code can communicate with the mothership, enabling Google to keep constant tabs on the first-party cookies it's trafficking by proxy.

That's the basic version, but Google's system will go much further, with the sophisticated scripting also connecting to the ad network. And although the first-party cookie itself is confined to the first-party domain that the user is visiting, high adoption will put the spawning and reading code all over the Web, alongside all of Google's other tracking code. Realistically, the grand system will be capable of assembling joined-up, cross-site profiles for ad targeting, which will doubtless be able to target with much the same accuracy as the current third-party regime.

The means for Google to target ads without cross-site cookies has been in place for a long time, but previously there was no way for the brand or its publishing partners to demonstrate valid consent. Using a physical cookie rather than an abstract "shadow profile" solves this problem. The tracking process itself is no longer carried out by "small text files". It's carried out by a global and near-unavoidable mesh of programmatical spyware. But cookies have a recognised consent agreement, whereas a global and near-unavoidable mesh of programmatical spyware does not.
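
The pattern described in this section, a first-party cookie value being handed on to another site, can be checked for in a captured page load. The JavaScript below is an added example, not code from Google or from the cited paper: it flags any first-party cookie value that turns up in the URL of a request to a different site. The hostnames, cookie names and values are constructed, and the two-label `siteOf` shortcut is an assumption made for brevity.

```javascript
// Added example. Hostnames, cookie names and values are constructed sample data.

// Assumption: "site" = last two host labels. Real tooling should use the Public Suffix List.
const siteOf = host => host.toLowerCase().split('.').slice(-2).join('.');

// Decode %-escapes, returning the input unchanged if it is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse a document.cookie-style string into [name, value] pairs.
function parseCookies(cookieString) {
  return cookieString.split(';').map(p => p.trim()).filter(p => p.includes('='))
    .map(p => [p.slice(0, p.indexOf('=')), safeDecode(p.slice(p.indexOf('=') + 1))]);
}

// One finding per first-party cookie value that appears in the URL of a
// request to a different site than the page being visited.
function findCookieSync(pageUrl, cookieString, requestUrls, minLen = 8) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  // Short values such as "1" or "dark" match by accident, so skip them.
  const ids = parseCookies(cookieString).filter(([, v]) => v.length >= minLen);
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    const destSite = siteOf(url.hostname);
    if (destSite === pageSite) continue; // request stays on the first party
    const haystack = safeDecode(url.pathname + url.search);
    for (const [name, value] of ids) {
      if (haystack.includes(value)) findings.push({ cookie: name, sentTo: destSite });
    }
  }
  return findings;
}

// Constructed capture of one page load on news.example.
const PAGE = 'https://news.example/article';
const COOKIES = '_fpid=7f3c9a1e5b2d4c68; theme=dark; session=ab12cd34ef56';
const REQUESTS = [
  'https://news.example/static/app.js',
  'https://cdn.example-static.test/lib.js',
  'https://collect.tracker.test/sync?uid=7f3c9a1e5b2d4c68&src=news.example',
  'https://news.example/api/log?sid=ab12cd34ef56',
];

console.log(findCookieSync(PAGE, COOKIES, REQUESTS));
```

This only catches identifiers sent verbatim in the URL; values carried in request bodies, hashed values, or data relayed through the first-party server will not appear in the findings.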

WILL AD- AND TRACKER-BLOCKING STILL WORK?

For now, ad-blocking will continue to work, because the display ads themselves are served from third-party domains, which are blockable. However, blocking the ads does not stop Google from building its data dossiers. To prevent that we need to block the first-party tracking cookies and the transmission of their data back and forth to Google - which is a lot less straightforward using existing tracker-blocking mechanisms.

If the scripts that produce the cookies and send home the data are run as supplied by Google, a decent content-blocker like uBlock Origin should be able to take them out. However, website admins are as desperate to target these ads as Google, and many are already using grassroots tricks to ensure that the scripts evade content-blocking tools. The most common evasion tactic is to relocate the scripts to the home server, essentially making them into first-party resources - possibly also disguised with new filenames. This will get them past even the best content-blockers, hosts file blocklists, etc.

Specialised cookie-blocking routines such as Firefox's Total Cookie Protection will not help, because they are only designed to eliminate cross-site cookie use. Google's new behavioural cookies will be of first-party origin and always confined to the visited domain, which means Total Cookie Protection, as it currently stands, will allow them.

In the longer term, the situation will worsen, as more and more site admins cotton onto the evasion techniques. Evasion tutorials for other tracking types are already online and highly visible in search. It will not take long for ad-targeting tutorials to join them.

RECLAIMING PRIVACY

The 100% reliable way to kill this system stone dead is to DISABLE JAVASCRIPT. The command being used to create the cookies is JS-coded and thus the cookies will not generate without scripting capability. Further, with JS disabled, there will be no means for the third party to transmit data back home.

So as I've advised a squillion times, and will keep advising, disable JavaScript unless you are absolutely forced to enable it. Ideally, do all your random browsing with at least one separate browser which has JavaScript disabled, and shift to a range of alternative browsers for various script-dependent tasks. The more browsers you use for script-dependent stuff, the harder you'll be to track. But you'll be vastly, VASTLY harder to track if you don't allow JavaScript at all.

Blocking both third- and first-party cookies will also prevent the trafficking of cookies, but used standalone, this will be a less effective protection method, because JavaScript facilitates completely cookieless fingerprinting.

With that said, more than ever before it makes sense to disable ALL cookies for any Web usage where a login is not required, and then use separate browsers with first-party cookies enabled for various logins - and perhaps the odd site that doesn't load at all without cookies.

THE ENDGAME

Google's envisioned endgame is a system in which there is no way at all to decline tracking or ad-targeting outside of per-site consent forms. That may seem a long way off, but the shift towards first-party origin is well underway. It may be that Google is no longer relying on the withdrawal of Manifest V2 to re-assert its ad empire (clue: the Google-funded Mozilla has pledged to keep V2). Maybe Manifest V2/V3 is the red herring, and the real control play will come courtesy of a full migration of ad-tech into the first-party realm. Whatever the conclusion, Google's move will drive an innovative new wave of blocker-evasion, and it will get much tougher for "privacy browser" and content-blocking purveyors to keep the nasties out.

For 2021 statistics and rigorous analysis of first-party cookie activity, see the research paper Privacy Implications of Emerging Web Technologies [PDF]. For an earlier work on the evasion of content-blocking see the research paper Missed By Filter Lists [PDF].