Google has second thoughts about cutting cookies, so serves up CHIPs

Cookies Having Independent Partitioned State, no fish involved


Last week, third-party cookies received a stay of execution from Google that will allow them to survive until late 2023 – almost two years beyond their previously declared decommission date. But the search-ads-and-apps biz is already planning a resurrection of sorts because third-party cookies are just too useful.

The Chocolate Factory envisions a lesser form of third-party cookie, one that in theory won't be used for tracking but will be able to support other more acceptable use cases. Google software engineer Dylan Cutler and engineering manager Kaustubha Govind call their confection "partitioned cookies" in a Web Platform Incubator Community Group proposal called "CHIPs."

Cookies are files that web applications can set in web browsers to store data. They have legitimate uses, like storing data related to the state of the application (e.g. whether you're logged in), and they can also be used for tracking people across websites.

Third-party cookies – set by scripts that interact with third-party servers – track people by storing a value on one website and then reading that value on another website that implements a similar third-party script. The third-party service in this case then knows all the websites running its script that were visited by the tracked individual.

That's the sort of privacy-invading behavior that led browser makers like Apple, Brave, Mozilla, and others to block third-party cookies by default. But doing so has created problems by interfering with applications that rely on third-party cookies to deliver services across domain contexts.

The browser security model is based on the distinction between first-party and third-party contexts. When an individual visits a specific web domain, that domain operates in a first-party context; services available at other domains are considered third-party and face various limitations on what they can do.

Google's CHIPs proposal – Cookies Having Independent Partitioned State – calls for cookies that can be set by a third-party service but only read within the context of the first-party site where they were initially set, as opposed to other sites also running the setter's third-party script.

Under this proposal, when a user visits green.com and embedded content from red.com sets a cookie in response to the cross-site request, the user agent would only send that cookie when the top-level site is green.com. When they are visiting a new site, blue.com, an embedded red.com frame would not receive the cookie set when red.com was embedded in green.com.
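To make the partitioning rule concrete, here is an added model of a browser cookie jar (not code from the proposal or from Chrome) that keys each cookie on the top-level site when the Set-Cookie header carries the CHIPS `Partitioned` attribute, and stores it in one shared jar otherwise. The green.com/red.com/blue.com scenario above is replayed against it alongside a legacy third-party cookie, so the difference in what the red.com frame receives on each site is visible; the cookie names and values are constructed for the example.

```javascript
// Minimal model of a user agent's cookie jar under CHIPS (added example, not
// the proposal's reference code). Assumption: a "Partitioned" attribute on
// Set-Cookie marks a partitioned cookie; anything else is a classic
// third-party cookie that lives in a single, site-independent jar.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Parse a Set-Cookie header into {name, value, partitioned}.
  static parseSetCookie(header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
    const partitioned = attrs.some(a => a.toLowerCase() === 'partitioned');
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), partitioned };
  }

  // Storage key: partitioned cookies are scoped to the top-level site,
  // unpartitioned ones share the wildcard partition "*".
  static key(host, topLevelSite, partitioned, name) {
    return `${host}|${partitioned ? topLevelSite : '*'}|${name}`;
  }

  // A response from `host`, embedded while `topLevelSite` is the top-level
  // page, sets a cookie.
  set(topLevelSite, host, header) {
    const c = CookieJar.parseSetCookie(header);
    this.store.set(CookieJar.key(host, topLevelSite, c.partitioned, c.name), c.value);
  }

  // Cookies the user agent would attach to a request to `host` issued from a
  // page whose top-level site is `topLevelSite`.
  cookiesFor(topLevelSite, host) {
    const out = {};
    for (const [k, v] of this.store) {
      const [h, part, name] = k.split('|');
      if (h === host && (part === '*' || part === topLevelSite)) out[name] = v;
    }
    return out;
  }
}

// The scenario from the proposal: red.com embedded on green.com, then on blue.com.
function chipsScenario() {
  const jar = new CookieJar();
  jar.set('green.com', 'red.com', '__Host-session=abc; Secure; Path=/; SameSite=None; Partitioned');
  jar.set('green.com', 'red.com', 'tracker=xyz; Secure; SameSite=None'); // legacy third-party cookie
  return {
    onGreen: jar.cookiesFor('green.com', 'red.com'), // both cookies are sent
    onBlue: jar.cookiesFor('blue.com', 'red.com'),   // only the unpartitioned tracker follows the user
  };
}
```

The unpartitioned `tracker` cookie is what lets red.com link the two visits; the partitioned session cookie stays confined to green.com, which is the whole point of the proposal.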

For example, Cutler and Govind describe a scenario where the site retail.com wants to work with a third-party service support.chat.com to embed a support chat box on its site.

"Without the ability to set a cross-site cookie, support.chat.com could instead rely on retail.com passing along their first-party state (or some derived value of it)," the Googlers explain in their proposal. "However, if the users have not yet created an account and the support widget is helping them sign up, then retail.com would have no notion of identity to forward to support.chat.com."

There are other plausible uses too, like third-party content delivery networks that use cookies to serve access-controlled content, front-end frameworks that rely on remote hosting and remote procedure calls to interact with services, and embedded code designed to support software-as-a-service apps.

Firefox and Safari have each taken steps toward implementing their own versions of partitioned cookies, so Google's approach has conceptual support from other browser makers even if the implementations currently differ.

Hold on a minute

But privacy advocates have taken issue with Google's approach – declaring intent to prototype the technology without much consultation.

"The tech has been talked about for a while, it works when combined with other techniques to slightly reduce the harm from third-party cookies, but it's not the same as deprecating third-party cookies," said Zach Edwards, co-founder of web analytics biz Victory Medium, in a message to The Register.

"Google is proposing this shift without even acknowledging how it fits into larger plans, and thus making people guess and try to work out the calendar for upcoming Chrome additions and deprecations," he said. "It's an outrageously impossible task if the company making those decisions doesn't keep a running list of changes that impact global businesses, and also flippantly suggests new additions on non-Google websites and via a regularly rotating group of largely unknown Google developers, who when challenged about proposals often fall back on, 'All opinions are my own.'"

Such concern is widespread among those involved in ad tech and marketing because Google is in the midst of changing the rules by which online advertisers operate. The effort to phase out the third-party cookie is part of the company's ongoing Privacy Sandbox initiative, which aims to implement multiple technical specifications that change how online advertising works in the browser. And no one – not Google, its allies, its competitors, regulators, or internet users – is certain how these works-in-progress will eventually work and interoperate.

In January, the UK’s Competition and Markets Authority (CMA) began poking around in Google's Privacy Sandbox to see whether the contemplated changes would disadvantage competitors. In response, Google made a set of commitments to be more forthcoming about its technologies and the viability of competing alternatives.

"The CMA seemingly told Google that they need to change their process and communicate more clearly how data supply changes are being made in Chrome and in Google's advertising systems," said Edwards.

"But if this new proposal is how Google perceives the CMA mandate, then the folks in the UK should schedule a bit more tea time because they are spinning their wheels during office hours on demands that are being ignored."

Even seemingly minor proposals like CHIPs can be complicated because they don't exist in isolation. They have to be considered in the context of all the other technologies they may touch in deployment.

For example, Google has a proposal called First-Party Sets that would make different domains (e.g. apple.com and icloud.com) owned by the same company function as a single first-party domain for the purpose of cookies. Privacy researcher Lukasz Olejnik has expressed concern about how CHIPs might expand the tracking possibilities when used in conjunction with First-Party Sets.

What's more, the proposal itself acknowledges that partitioned cookies cannot currently be defended against Chrome extensions.

"Extensions' background contexts can query and store cookies across partitions, meaning they could store a cross-site identifier across partitions," explain Cutler and Govind. "Unfortunately, this type of attack is unavoidable due to the nature of extensions."

"Even if we block partitioned cookies (or even all cookies) from extensions' background contexts, an extension could still use content scripts to write cross-site identifiers to the DOM which the site's own script could copy to the site's partitioned cookie jar."

And there are other potential problems that need to be ironed out, like the risk of making sites more prone to cross-site scripting (XSS) attacks and increasing the risk of denial-of-service attacks through cookie proliferation that exceeds Chrome's 180-cookie-per-domain limit.

None of these issues are insurmountable. But perhaps Google's decision to treat the technical foundations of web advertising – a business upon which it and so many companies depend – as a set of experiments needs to be reconsidered in light of the company's market power. Moving fast and breaking things may work well for a nimble startup but when giants do so there's collateral damage. ®


Biting the hand that feeds IT © 1998–2021