What is the impact of browsers no longer accepting 3rd party cookies and Apple’s Intelligent Tracking Prevention?

295 views

I know it impacts advertisers ability to target, but would love a clearer explanation of how it works and the impact.

In: Technology

Cookies are used to remember if you are logged into a page when you leave. And then come back to it.

An analogy:

Every time you go anywhere in public, the shops you use, the buildings you enter, and the people you interact with put a coloured sticker with a number on you. It’s just a sticker, it contains only a number, it’s not “private”. Say the baker always uses a green sticker, and he numbers based on the order you walked into his shop. And the butcher uses a purple sticker and he numbers based on a random number that he makes up. And the grocer uses a green sticker and he numbers based on how much you buy from him.

Whatever. It doesn’t matter. The butcher, the baker and grocer don’t know what the other people’s numbers mean, it’s just a number.

And when you get home, your arm is full of coloured stickers with numbers on. But it means that when you go out tomorrow, the butcher knows that you’re #27, that you buy beef from him regularly and that yesterday you were interested in how to best cook steak.

Not a problem. The grocer knows nothing about what the butcher’s number means or what the butcher knows about you.

The problem comes when the butcher, the baker and the grocer all employ a company to put those stickers on you, because they don’t want to do it themselves. The company does it “for free” to them, and labels you with a pink sticker with a unique number. When the butcher asks and says that you have a pink number #35 on you, the company can tell him everything he’d normally store about you (because the company have recorded it for him). When you go to the grocer, he can also talk to the same company and ask them for everything he wanted to remember about pink #35. Still not a problem.

But now that one company runs all the data collection for lots of people. So they can tell the butcher that you went to a rival butcher’s last week because your pink #35 was spotted there. The butcher can ask for other information about pink #35, so he knows that you bought turkey gravy yesterday and maybe he can try to sell you a turkey today.

And the company then sells that data about pink #35 to completely unrelated companies that you’ve never dealt with, say a clothing store, so they can suggest that if you’re eating that much meat, maybe you should try a bigger size of jeans, and so on.

The stickers are cookies. The company are data aggregators like Google ads, many tracking cookie and analytics firms, and the average website has something like 35 companies that put stickers on you where those stickers are shared with EVERYWHERE you go which uses that same company.

Apple’s (not new, unique or innovative) idea is to keep your arms covered so you only show the stickers you want to the companies that need them and when you go to the butchers they have to give you a new sticker from the company because you refuse to show them your previous ones, so they have no idea who you are. So they can’t tie in that information about you from across the net, sell it, and use it in potentially nefarious ways.

And occasionally, they’ll take the stickers off you entirely because you haven’t needed them in a while.

First u/ledow’s analogy is spot on. It effectively prevents a lot of that creepy behavior when you browse an item at one site and suddenly the Internet is pushing ads for that class of thing on every web site you visit. Buy a lightning cable on Amazon, suddenly the sidebar in Reddit is filled with ads for lightning cables and iPhone accessories.

For the most part, this is a good thing. So far, the only thing I’ve found is that it breaks some banking sites that use a third party for their online banking systems. My personal bank doesn’t work with this turned on in Safari and I have to turn off the feature when using the bank.

Here’s a slightly deeper and wider explanation (ELI8):

Let’s talk apps first.

Your Apple phone is given a unique ID in the factory. This number is unique to your phone like a license plate number or a Social Security or National ID number.

If you open the Facebook App, the Facebook app reads your unique ID number and everything you do in Facebook App is reported back to Facebook with your unique ID. So, if your ID is 2399, Facebook App will tell Facebook say that 2399 is looking at puppy pictures.

Now, if you click on an ad for a Puppy Game the app store will load the Puppy Game, and you install the Puppy Game. When you buy something in the Puppy Game, the Puppy Game tells Facebook: Hey, 2399 just spent money on the Puppy Game! Facebook now knows that 2399 really likes Puppies from information across multiple apps.

Now, Apple doesn’t like apps sharing info. So, instead of telling Facebook your ID is 2399 and telling Puppy Game your ID is 2399, it tells Facebook your ID is 5522 and it tells Puppy Game your ID is 999. Apple knows that 5522 is just an alias for 2399 and that 999 is just an alias for 2399. But to Puppy Game and Facebook apps, 5522 and 999 are different people!

Now your data is more “private” in that two apps can’t share info anymore. Of course, if you log into your Facebook account on both Facebook and Puppy Game, Facebook can now figure out that 5522 and 999 are the same person because you use the same email address and password on both apps and both apps tell Facebook.

In browsers, the idea is similar except instead of Apple providing the ID for your browser, 3rd party sites leave a cookie (basically just a blob of data) on your browser, which acts as the 3rd party’s ID for you. Every website that wants to can look at the cookie and send that cookie back to the website. If two cookies match, then the websites can tell you are the same person. Apple’s tech will do the same thing as for the apps, which is that you can leave a cookie for your website, but Apple will choose the cookie, and you can only get the cookie for your website, and that cookie will be different for other websites so various websites can’t tell you are the same person. Or the user can disallow cookies altogether.

Of course, if you login to a different websites using your email address or Facebook Login, the different websites can tell you are the same person! So, Apple’s move basically prevents websites from stealthily knowing you are the same person. There are many ways you can explicitly tell the site who you are without really know it.

I do work in the field, and as of now the impact is not that noticeable. Sure, there are less people to target, but there are still enough people using chrome (not yet blocking 3rd party cookies), consenting to cookies or not updating their browsers. Those who know enough about tech to block 3rd party cookies probably also know enough to install adblockers anyway.

But it is a huge topic for new business, as there are a lot of cookieless solutions, for example contextual targeting or geo-targeting which yield similar results.

So yea, for users it is way better (as the top comment explains) and for advertisers there are just other ways. In my book it’s a win-win or at least a win-slightlyinconvenienced.

The explanation by u/ledow is mostly correct. There are two things I’d like to add:
– Privacy through aggregation
– Consequences of eliminating cookies

Google, Facebook, etc. are not in the business of selling your data. They’re in the business of selling ads. That might sound weird at first, but consider the fact that their defensible moat of technology and IP is contingent upon having *that* data. Why would you sell your resources instead of leveraging them towards selling your product? They offer targeted advertising, which might give information about those targeted through completed purchases and account creation, but that’s only once a user has made a decision to buy the product advertised.

Eliminating cookies has led to a weird spot. Google’s Chrome is so incredibly popular that they can make changes without much repercussion, and the ones they’re going forward with are “pseudo-privacy” enhancements. They’re more so adjustments to make Google seem like good guys along with Apple, rather than exposing more of you to the internet than before.

Before, you’d get unique identifiers attached to you at a website level, which Google would collect to track you across sites. Because it would take lots of collaboration across many, many sites to discern these identifiers, most people would default to just using Google’s in-house ad offering. This was good for your privacy in that, as mentioned above, Google sells ads *from* data rather than the data itself.

The change coming is that instead of you having a *unique* identifier, you’re getting a *cohort* identifier. Chrome will have machine learning models built in which map your behaviors to pre-determined cohorts (the models are exported from supercomputer computations of data they already had on everyone, so there is no ML computation going on in chrome; it’s just matching your history to cohorts). For example, if you buy pet food and leather belts, you might be put in the pink35 group. To be clear, these cohorts are **tremendously** complex, are based off of thousands of features, and they’re too abstract for any human to discern.

This might seem good for privacy since if you go around with pink35 on you, you’re going around with a tag shared by thousands of people. How could that not help privacy? The reason it doesn’t is that by having cohorts, it becomes quite reasonable to collaborate across sites to discern what these cohorts signify to some extent. You’ve reduced the quantity of identifiers significantly, especially when businesses inside an industry likely share cohort customers. It becomes even worse when there are now thousands of other people who act like you helping to fill in the gaps of what you likely do.

Suppose I’m marked with pink35. Everyone else in pink35 is willing to buy without coupon codes or sales, so sellers adjust their sites to hide them from pink35 or to even increase prices. This is price discrimination and often occurs using geography or device screen size. However, with these cohorts, you can do it easier and more robustly.

Google is saying “look how helpful I am” while causing a large mess.

This analysis of cohorts came from Ben Thompson of Stratechery.

Follow-on question: if cross-site and cross-app tracking becomes less viable, then advertisers don’t make as much money. How does that affect the economy of the web and the availability of “free” websites that make their money selling your data?

Would a VPN take care of cookies and privacy?

Everytime you visit a website, it drops a cookie to facilitate your online experience on the website. This is allowed and is called first party cookie mechanism.

Sometimes a website may access cookies which were dropped by some other website e.g twitter may access cookies dropped by scoopwhoop.com to track your online activity ( after getting in bed with scoopwhoop.com ).

That is why when you go to twitter you see Ads related to your scoopwhoop browsing history. Cookies used in this case are called third party cookies, which Apple disables by default. This mean you cannot be tracked across different domains or websites.

Source : I write code to serve Ads to people. 🙂