
Google’s Plan for Privacy

This is a mirror of my original post on Medium.

Finally stepping out of the shadows, Google has announced plans to modify Chrome to be more secure. In sharp contrast to Apple’s ‘go it alone’ charge with WebKit’s Intelligent Tracking Prevention, Google has elected to follow a different path.

Google will implement in Chrome 76 its proposed version of RFC 6265bis, which is currently in draft. This specification changes the default handling of cookies. In contrast to Apple’s methods, Google is seeking to protect not just WebKit users but all internet users, as specifications are typically pulled into the other browsers. Should you want to understand this process, more detail can be found at the Internet Engineering Task Force.

Even if this should not prove to be the case, it may not matter: Blink (the browser engine) powers Chrome, Opera, and (soon) Microsoft Edge, which gives this default behavior considerable market share. Platforms will need to account for this shift in behavior because it will affect how traffic on the internet passes information between servers.

So what does this mean?

Ad Tech

Ad Tech specifically will need to change how their cookies are set if they hope to continue being able to read cookies in a third-party context. This could affect attribution and conversion detection, as well as remarketing efforts.

I suspect the cookies must be changed or an alternate method of handling state tracking must be used. It remains to be seen which platforms will adopt which adjustment and what that means for development teams. Third parties will also be impacted by the next change.

Security

Security is always important. It protects users and companies and is part of the underlying structure of tech that enables things ranging from online banking to e-commerce. As an interesting side effect, the proposed change, which addresses how cookies are unintentionally shared, also addresses a different issue, Cross-Site Request Forgery, reducing it as an attack vector by default. This is a good thing.

One of the other changes on the security front will cause sites to share cookies only over Transport Layer Security. This means the responding site is required to receive cookies over HTTPS. When viewed against the above Ad Tech discussion, this means that even if the vendors change the way they set their cookies, it will still break unless website operators also configure their site to run over the secure layer, such as with a free certificate from Let’s Encrypt.

Next Steps

Here are five things I would recommend be evaluated:

  • Engineering needs to review their cookie configuration and set the attributes of the cookies correctly (as per https://web.dev/samesite-cookies-explained/).
  • Engineering needs to ensure that they are serving content over Transport Layer Security, as identified above.
  • Advertisers need to figure out how they are going to receive cookie data and work with customers to ensure the functionality will not break.
  • Companies should speak with their advertisers to make sure they are working on any required solutions.
  • Marketing/Analytics should speak with their development teams to make sure they are aware of the pending changes.
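
The first two checks in the list can be scripted. The following is an added example, not part of the original post: it audits Set-Cookie header values against the behaviour described in the linked web.dev article, where a cookie without a SameSite attribute is treated as Lax and SameSite=None is only accepted together with Secure. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values against the new cookie defaults.
// The header values at the bottom are constructed samples, not from any real site.

// Parse one Set-Cookie header value into its name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing semicolon
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Report how a browser applying the new defaults would treat the cookie.
// usedCrossSite: does the owner need this cookie sent on third-party requests?
function auditCookie(header, usedCrossSite) {
  const { name, attributes } = parseSetCookie(header);
  const raw = attributes.samesite;
  const sameSite = typeof raw === "string" ? raw.toLowerCase() : null;
  const secure = "secure" in attributes;
  const findings = [];
  if (sameSite === null) {
    findings.push("no SameSite attribute: treated as Lax by default, set it explicitly");
    if (usedCrossSite) findings.push("will not be sent in a third-party context");
  } else if (sameSite === "none") {
    if (!secure) findings.push("SameSite=None without Secure: cookie is rejected");
  } else if (sameSite === "lax" || sameSite === "strict") {
    if (usedCrossSite) findings.push(`SameSite=${raw} blocks third-party use`);
  } else {
    findings.push(`unrecognised SameSite value "${raw}"`);
  }
  return { name, ok: findings.length === 0, findings };
}

const samples = [
  ["session=abc123; Path=/; HttpOnly", false],
  ["ad_id=xyz; Path=/; SameSite=None", true],
  ["ad_id=xyz; Path=/; SameSite=None; Secure", true],
  ["prefs=dark; SameSite=Lax; Secure", true],
];
for (const [header, cross] of samples) {
  console.log(JSON.stringify(auditCookie(header, cross)));
}
```

Run it with Node and feed it the Set-Cookie values your own responses emit, marking which cookies a third party needs to read.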

When is all this happening?

Chrome 76 is slated for July 30th. The industry has until then to prep their sites and work out plans with their advertisers so their online marketing efforts don’t suddenly break in new and exciting ways.

Best of luck!
