Chrome was curiously missing last year at Google’s I/O 2018 developer conference. Almost as if to make up for it, Google used I/O 2019 to promise a bunch of privacy features. I say “promise” because none of the functionality that Google talked about today is available.
Google is changing how Chrome handles cookies, which are used to keep you logged into web services and save relevant information about you at corresponding websites. Cookies can also, however, be used to track your browsing activity across the web. That can be to serve personalized content and ads, or for more nefarious purposes.
Browsers treat all cookies the same. That’s why clearing all your cookies usually solves one problem (trying to reset your settings on a site) but creates another (you’re logged out of all your sites). Google thus notes that blocking all cookies can degrade the web for users. The company also argues that a heuristic-based approach, where the browser guesses a cookie’s purpose, degrades the web for developers.
Google’s solution is two-fold: Provide users with more transparency about how sites are using cookies, and offer simpler controls for cross-site cookies. The company plans to preview these features “later this year.”
But first, Google will modify how cookies work in Chrome by building on the web’s SameSite cookie attribute. In the coming months, Chrome will require developers to explicitly specify which cookies can work across websites (and potentially track users). Developers can test their sites against this change in the latest Chrome developer builds.
This change will let Chrome users clear all such cookies while leaving single domain cookies unaffected, preserving user logins and settings. And, Chrome will be able to provide information about which sites are setting these cookies. Google hopes that will let users make more informed choices about how their data is used. At the same time, it will protect cookies from cross-site injection and data disclosure attacks. Google also plans to eventually limit cross-site cookies to HTTPS connections.
Google claims that because some browsers block cookies outright, some user-tracking efforts have moved “underground.” These harder-to-detect methods that subvert cookie controls are known as fingerprinting. This is a catch-all term for various techniques that try to examine what makes a given user’s browser unique. Fingerprinting naturally does not respect the user’s choice. Google says it plans to “aggressively” restrict fingerprinting in Chrome.
The company didn’t elaborate much on its plans here. Google merely added it will be “reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen.”
Ads transparency browser extension
Lastly, Google wants to “give users more visibility into the data used to personalize ads and the companies involved in the process.”
The company plans to release an open-source browser extension for the ads that Google shows on its own properties and its publishing partners. The extension, which will work across different browsers, will show the names of companies “that we know were involved in the process that resulted in an ad.” That includes intermediaries between the advertiser and publisher, and companies with ad trackers present in an ad. The browser extension will also list the factors used to tailor an ad to a user. The extension will do this for each ad Google shows, and will also present an aggregated snapshot for all the ads Google has shown a user recently.
A browser extension seems handy, but it’s unlikely to be something that many users install. Google says it will look for additional ways to show this information to users and even encourage others in the advertising industry to do the same. Google plans to build APIs that let other advertising companies disclose this same type of information to users through the extension. And finally, Google wants to build tools that allow researchers to “view and analyze aggregated and anonymized data from Google and other providers that elect to use these new APIs.”
Like the Chrome changes, this browser extension and APIs will start rolling out “in the coming months.”