Google won't ditch third-party cookies in Chrome after all

https://arstechnica.com/gadgets/2025/04/google-wont-ditch-third-party-cookies-in-chrome-after-all/

87•jnord•4h ago

Comments

legitster•3h ago

> In some ways, this is a loss—tracking cookies are undeniably terrible, and Google's proposed alternative is better for privacy, at least on paper. However, universal adoption of the Privacy Sandbox could also give Google more power than it already has, and the supposed privacy advantages may never have fully materialized as Google continues to seek higher revenue.

Cookies are much maligned these days, but to defend them a little bit - the alternatives are almost universally worse for user privacy. Persistent session storage? Browser fingerprinting? Locking everything behind a user account with mandatory sign-in? Blegh.

On the other hand, cookies are a pretty transparent interaction. It's a tiny file that sites in your browser. You can look at them. They expire on their own. You as a user can delete, modity, edit, hack them to your heart's content. They contain no PII on their own. They are old-fashioned and limited and that's a good thing.

The real problem here is not the cookie - it's the third party data networks. I would much rather focus our ire on the function rather than the form.

tmpz22•3h ago

Blaming privacy violations on cookies has been an absolute masterclass in public relations and is probably the greatest innovation of FANNG.

devrandoom•2h ago

Yep. It's all on the diabolical cookies.

Henchman21•2h ago

Man this reminds me a lot of bank fraud, er… I meant “identity theft”!

matthewdgreen•2h ago

As another user notes above, there are relatively few applications of 3rd party cookies that aren’t a direct privacy violation or that can’t be realized some other way. If the manufacturer installed a special slot on your car that was explicitly designed so that anyone could install a tracking device, the first thing you’d probably do is fill that slot up with epoxy. But when we discuss simply removing that slot as a manufacturer default, everyone on HN is suddenly up in arms: “why are you blaming the third party tracking slot!? The slot itself isn’t what’s tracking you.”

orangecat•2h ago

Right. Disabling third party cookies is the first thing I do with any browser (the second being uBlock Origin), and it's caused problems on exactly one site that I can recall over the last several years.

timewizard•1h ago

That's because Safari made that default years ago and we've all built workarounds for this anyways. Due to the proliferation of JavaScript and it's being default enabled on all sites or they _will_ break... and the ease of setting up APIs in the cloud.. your privacy settings really don't matter much anymore anyways.

Likewise "autoplay blocking" isn't too hard to overcome. It's more out of politeness that it's ever honored.

zmmmmm•2h ago

first party cookies yes

But third party cookies are a lot more insidious, because they get sent without any visibility to the user and have generally peripheral relevance to the application they are using. It's like if you go to the supermarket and they ask you if you want to sign up for a loyalty card and you say yes, vs you go to the supermarket and they secretly plant trackers on you so that when you go to other shops they can tell who you are. One is a lot worse than the other.

frollogaston•2h ago

Is there a legitimate use case for 3P cookies?

ferngodfather•2h ago

Cross domain same identity authentication, but this has been worked around in most cases.

paulryanrogers•2h ago

Yes. My employer uses them to facilitate a widget that site owners can just drop into place. Some of these folks are using platforms they cannot easily change or customize, and/or they cannot manage sophisticated changes.

frollogaston•1h ago

Ah, and I'm guessing this could instead be done with an iframe but it would be ugly.

winrid•32m ago

It would still require 3P cookies.

asddubs•2h ago

seamless comment form iframe embeds. Useful for something like blogger, where *.blogspot.com allows user code and thus cannot host the comment form for logged in users

AlienRobot•1h ago

There is an absurd amount of additional complexity that needs to be centralized in order to avoid third-party cookies.

Any website can add Google Analytics by copy and pasting 1 line of code. To avoid this cookie, you need to have your own analytics web app. This makes sense for medium-size websites, but if you have a small website your host will probably bill it as a separate website.

First-party comments? Now you need your own comment system, which means you have a long list of responsibilities that you simply wouldn't have if you just used Disqus or Facebook comments. All those spam links to virulent sites will be on your servers now.

Honestly, the Internet would be a much more awesome place if 3P cookies were the norm and everyone was okay with embedding everything everywhere. In the past hotlinking was a problem due to bandwidth concerns, but nowadays most of the traffic is bots anyway so it would be a drop in the bucket.

bawolff•1h ago

Lots of the usecases for CORS are also use cases for third party cookies (anytime you set withCredentials = true)

rukuu001•2h ago

Re the supermarkets - I understand this happens in a limited way already with bluetooth scanning :/

pests•2h ago

Not anymore since most devices now randomize any Bluetooth identifiers like they do MAC address. Might be a few scenarios it’s possible but it’s been locked down since it made major headlines years ago.

rukuu001•42m ago

Your phone yes, but I believe there's still issues with peripheral BT devices

meattle•46m ago

And cameras…

Buttons840•2h ago

> You as a user can delete, modity, edit, hack them to your heart's content.

This is not true in practice though. Cryptography means they cannot be altered (or even read) if their creator doesn't want them to be altered. Of all the CRUD operations, users can only realiably delete the cookie.

NBJack•56m ago

I gotta ask: how many cryptographically secure cookies have you encountered? In theory, yes. In practice? That's kind of expensive.

zeroCalories•44m ago

If you wanna do any kind of restful service securely you need to sign your data.

rileymat2•33m ago

As far as preventing editing, but not reading, JWTs are very common.

nicce•2h ago

> They expire on their own.

I have been looking them and yes, in 50 years…

ocdtrekkie•3h ago

This article seems to avoid talking about the elephant in the room: Every other browser just blocks third party cookies with no replacement. And Chrome would too if it wasn't owned by an ad company.

This should be the central argument the DOJ uses to separate Chrome from Google: The entire web for a monopoly-size portion of users is massively less secure because the web browser is owned by a company which is very vested in it being less secure.

modeless•2h ago

You have it backwards. Antitrust is the reason Google can't remove cookies. Because it would be anticompetitive toward their competitors in the advertising market. Google has wanted to block third-party cookies for a long time and they can't because they're not allowed to, legally.

labster•2h ago

They’ve already been found guilty of antitrust, so what do they have to lose?

Honestly I’m surprised Google hasn’t offered to buy Truth Social for a few hundred million just to make this little antitrust problem go away.

CharlesW•2h ago

The parent commenter is correct: Chrome is blocking third-party cookies if the user chooses that behavior. The only thing that's changed is that they won't be doing it by default, or letting users know about this privacy-protecting option.

From TFA: "Until today, Google was still planning to roll out a dialog in Chrome that would prompt users to turn off third-party cookies in favor of Google's updated solution. […] …Google won't be pushing that cookie dialog to users. You can still choose to disable third-party cookies in Chrome, though."

modeless•2h ago

Nothing you said is in contradiction with what I said. Antitrust law is what prevents Google from default blocking third party cookies in Chrome.

kibwen•2h ago

Then you agree that Chrome should be divorced from Google, so that Google is no longer forced into such a position?

pests•2h ago

If the argument is removing third party cookies is detrimental to Google’s competitors then isn’t it just as detrimental after Chrome has been split up?

Google is saying they’re fine with no third party cookies. The rest of the industry needs them.

How do you protect user privacy while also not killing googles competitors? Which need is more important?

bfdm•1h ago

If chrome were split out (and subsequently stopped giving Google direct access to user data), Google would need them too. It would impact all ad players equally.

creato•1h ago

I don't think Google uses data from Chrome this way. I don't think Google actually wants to associate data with people so aggressively. It's obvious when that happens and it feels gross (this is why I stopped using Facebook 10+ years ago, I've never had an equivalent gross-out moment with Google).

I'm guessing the reason google doesn't use third party cookies is because they get higher quality data from people being signed in to Google services, and that is independent of whether they are using Chrome or not.

pests•1h ago

Yea correct. They have numerous other ways of identifying you or fingerprinting you that cookies aren't all that important anymore.

modeless•52m ago

No, the antitrust argument is Google doesn't need third party tracking because they have a huge amount of first party data and ad inventory from search and YouTube and all their other web products. It's not from Chrome. Their adtech competitors don't have first party inventory or data and would be crushed.

frollogaston•2h ago

This reminds of how they sorta allow tracking pixels in Gmail, but that's a bit different because Google doesn't benefit from those at all. I'm guessing 3P cookies help Google too.

cma•2h ago

> Google has wanted to block third-party cookies for a long time and they can't because they're not allowed to, legally.

There's no reason they couldn't allow add-ons to do it: but instead with manifest v3 I think it is impossible to do it in a general way isn't it? Like with the other ad-blocking you have to have a hardcoded number of rules you can define for blocking cookies in the requests as well, at least through the declarativeNetRequest API.

Maybe it is possible for through one of the cookies APIs, but the cookie's API has race conditions where the site can still sometimes see them from what I understand and redirects can activate before your extension gets a chance to respond.

And then of course extensions don't even run on mobile and that isn't an accident.

ocdtrekkie•46m ago

If Google is successfully forced to divest Chrome, Chrome will no longer be in competition with advertisers. So whether you or I are right about the cause, we should both be able to agree that for privacy reasons, Google must divest Chrome.

I do disagree with your cause and effect though, they have gotten blocked from replacing third party cookies with privacy sandbox because it replaces a standard everyone can use equally with a Google-controlled system. They could have cited the industry standard to block third party cookies in other browsers and done so without a replacement, the reason they are being prohibited from doing so is because they are motivated to maintain data access for themselves via privacy sandbox.

You can read countless statements from the Chrome team about Privacy Sandbox where they state how vital spying on users for ad targeting is, they've never "wanted" to remove doing so.

modeless•42m ago

Chrome is not in competition with advertisers. If Google divests Chrome and Chrome removes third party cookies as a result, Google's adtech competitors will be crushed just as effectively as if Google removed third party cookies themselves. Google would survive just fine because they have lots of first party ad inventory and data, and all their adtech competition would be gone. This is the exact opposite of what the antitrust suit is trying to achieve.

Those statements about tracking you're referencing are legal shielding against antitrust suits from adtech competitors.

ocdtrekkie•34m ago

This suggestion that they don't need a replacement for third party cookies seems to directly contradict the number of attempts they've made to develop themselves a replacement. How do you square that belief?

modeless•26m ago

The alternatives are designed to replace the function of third party cookies for Google's competitors to address their antitrust concerns and unblock removing third party cookies in Chrome which, as I said, Google wanted to do. Obviously the effort was unsuccessful. Google was attacked on both sides, on the one hand by adtech who objected to being forced to use something less powerful than third party cookies, and on the other hand by other browser vendors who objected to adding adtech features and certainly didn't have any interest in helping Google avoid their antitrust problem, rather the opposite.

decimalenough•2h ago

FWIW, Edge does not block third party cookies yet, although they are experimenting with it.

https://blogs.windows.com/msedgedev/2024/03/05/new-privacy-p...

timewizard•1h ago

Ah.. I was wondering why they would even bother with something like Related Web Sets. https://privacysandbox.google.com/cookies/related-website-se...

I guess that was going to be too insane to actually manage.

gnabgib•2h ago

Google scraps plan to remove third-party cookies from Chrome (26 points, 9 months ago, 3 comments) https://news.ycombinator.com/item?id=41046637

Chrome is entrenching third-party cookies that will mislead users (511 points, 8 months ago, 311 comments) https://news.ycombinator.com/item?id=41391412

What Google's U-Turn on Third-Party Cookies Means for Chrome Privacy (3 points, 7 months ago) https://news.ycombinator.com/item?id=41788239

joshdavham•2h ago

Even if Google won't disable third-party cookies in Chrome, you still can!

chrome://settings/cookies

chris_wot•2h ago

So turn them off by default, and whitelist the ones that are necessary. It was always a stupid idea to get rid of them completely.

grishka•1h ago

The only somewhat good use for third-party cookies is various embeds and comment widgets. It wouldn't be all that much of a loss for the users if third-party cookies were removed without a replacement, but with the developer of the world's most popular web browser and the world's most popular mobile OS also being the world's richest internet advertising company, that's apparently an absolute impossibility ¯\_(ツ)_/¯

sublinear•1h ago

I'm not sure I've ever understood the point of this.

Aren't all cookies trivially "any-party" cookies? Can't any form of persistence be used to track a user? 3rd-party cookies as they exist today just give a path of least resistance so that most of that behavior is implemented the same way. Consistent implementation allows the user a simple way to block that behavior.

est•1h ago

weird stuff happen when an advertising company is making web browsers. Anti-trust should happen faster to stop the monopoly

ChrisArchitect•54m ago

[dupe] https://news.ycombinator.com/item?id=43764062

Ask HN: State of the Battery Industry

The Problem with Modern Engineering Isn't Speed. It's Chaos

Show HN: AI-powered UX Critiques right in Figma

UN says scam call center is epidemic and expanding globally

Trump says China tariffs will drop 'substantially – but it won't be zero'

The Outlook for Programmers

Reference Measurements of Error Vector Magnitude (EVM)

The Fourth Circuit's Opinion in the Abrego García Case

Google is scrapping its planned changes for third-party cookies in Chrome

Flash Boys Emerge from Shadows to Reorder Stock Trading

Burn Your Title

Proforestation: The case for leaving trees alone

Handy prompt templates and helper scripts

Detecting Malicious Source Code in PyPI Packages with LLMs

Drum Machine Price Before Tariffs: $399, After Tariffs: $977

The Death of Affordable Computing – Tariffs Impact and Investigation [video]

HAIP first AI transparency reports from OECD are released

Research find high levels of microplastics in artery plaque of stroke patients

Coenzyme Q10

Projects for Old OS X

SwiftUI Preferences

Reptends and Reciprocals

Retracing Google's steps: recreating the Webtable in Rust

How safe is the air to breathe? 50M people in the US don't know

The quest to build islands with ocean currents in the Maldives

Keeping Pygmy Sloths Afloat (2018)

Nvidia HGX B300 NVL16 Will Disrupt the AI NIC Market

'Rejection Sensitive Dysphoria' Turns a Small Snub into a Big Deal

Sam Altman to resign as chairman of Oklo

Apple's New Siri Chief Enlists Vision Pro Talent to Start Comeback Bid