How to fix the third-party cookie mistake

The final part of our blog series explains how Cliqz and Ghostery are defusing the privacy issues of third-party cookies by blocking them, while preventing site breakage.

Sam Macbeth, Software Engineer

The first part of our blog series explained how “allow all cookies” became the default in most browsers despite significant privacy and security concerns. In the second part we discussed the negative effects of disabling third-party cookies in today’s web ecosystem. In the third and final part, we present a solution to the third-party cookie mistake and answer the question of how to block third-party cookies without breaking the user experience on web pages.

In 2015 Cliqz released an anti-tracking technology which aggressively blocks third-party cookies unless certain heuristics are triggered. These heuristics aim to mitigate common cases where cookie blocking breaks workflows, but also require user action to trigger. A Facebook button can be loaded without cookies, but if the user then clicks on it, there is an implied consent to allow the cookies in this case. This method blocks 97% of third-party cookies, with minimal breakage of pages.

Browser                             Default cookie setting
Google Chrome                       Allow all.
Mozilla Firefox                     Allow all.
Apple Safari                        Allow from visited; tracking cookies limited.
Cliqz Browser / Ghostery extension  Block all third-party, unless user interaction or compatibility exception.
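The policy described above (block cookies on third-party requests unless the user has interacted with that third party on the current site, or the third party is on a compatibility exception list) is easy to model. The following is an added example written for this post; it is not Cliqz or Ghostery code, and the site names, the exception list and the header shapes are constructed. It approximates the registrable domain as the last two hostname labels, which is wrong for suffixes such as .co.uk; a real implementation would use the Public Suffix List.

```javascript
// Added example, not Cliqz/Ghostery code: a minimal model of
// "block third-party cookies unless user interaction or compatibility exception".

// Approximate the "site" (registrable domain) of a hostname.
// Assumption: last two labels suffice; real code needs the Public Suffix List.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// A request is third-party when its site differs from the site of the page issuing it.
function isThirdParty(requestUrl, pageUrl) {
  return siteOf(new URL(requestUrl).hostname) !== siteOf(new URL(pageUrl).hostname);
}

class CookiePolicy {
  constructor(compatibilityExceptions = []) {
    // Hypothetical list of third parties known to break without cookies.
    this.exceptions = new Set(compatibilityExceptions.map((u) => siteOf(new URL(u).hostname)));
    // page site -> Set of third-party sites the user has interacted with on that page site.
    // Interactions are scoped per first-party site so a click on one site does not
    // unlock the same third party everywhere.
    this.interactions = new Map();
  }

  // Record a user click or keystroke inside a third-party widget or frame.
  recordInteraction(pageUrl, thirdPartyUrl) {
    const page = siteOf(new URL(pageUrl).hostname);
    const third = siteOf(new URL(thirdPartyUrl).hostname);
    if (!this.interactions.has(page)) this.interactions.set(page, new Set());
    this.interactions.get(page).add(third);
  }

  // Decide whether cookies may travel with this request. The reason string is
  // returned so the decision can be logged or shown to the user.
  decide(requestUrl, pageUrl) {
    if (!isThirdParty(requestUrl, pageUrl)) return { allow: true, reason: "first-party" };
    const page = siteOf(new URL(pageUrl).hostname);
    const third = siteOf(new URL(requestUrl).hostname);
    if (this.exceptions.has(third)) return { allow: true, reason: "compatibility-exception" };
    const seen = this.interactions.get(page);
    if (seen && seen.has(third)) return { allow: true, reason: "user-interaction" };
    return { allow: false, reason: "third-party-blocked" };
  }
}

// Apply a decision to a webRequest-style header list ([{name, value}, ...]).
// When blocked, both the outgoing Cookie header and any incoming Set-Cookie
// headers are dropped, so the third party neither reads nor writes state.
function applyDecision(headers, decision) {
  if (decision.allow) return headers;
  return headers.filter((h) => {
    const n = h.name.toLowerCase();
    return n !== "cookie" && n !== "set-cookie";
  });
}

// Constructed walk-through: a shop page embedding a social button and an SSO provider.
function demo() {
  const policy = new CookiePolicy(["https://sso.example-idp.com"]);
  const page = "https://www.shop.example/cart";
  const before = policy.decide("https://social.example/like", page);     // blocked
  policy.recordInteraction(page, "https://social.example/like");          // user clicks the button
  const after = policy.decide("https://social.example/like", page);      // now allowed
  const elsewhere = policy.decide("https://social.example/like", "https://news.example/"); // still blocked
  return { before, after, elsewhere };
}

module.exports = { siteOf, isThirdParty, CookiePolicy, applyDecision, demo };
```

The per-site scoping of interactions is the part worth copying: a click on the social button on one site grants that third party cookies only in the context of that site, which keeps the "implied consent" narrow.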

In December 2017, this technology was included in the Ghostery 8 release. This increased the number of users with this aggressive cookie blocking behavior and this increased exposure also highlighted more cases where cookie blocking causes problems for websites. In many cases it may not be surprising that developers have not considered or tested the possibility of third-party cookies not being allowed. What surprised us though, is that this is so pervasive that the biggest players fail to handle cookies properly, in some cases causing critical bugs such as the logout issues on office.com.

Moving away from third-party cookies

We argue that we should aim to return to a web where third-party cookies are blocked by default. We are making that possible for users of our anti-tracking technology in Cliqz and Ghostery. However, this is made difficult by the prevailing assumption that cookies are a free-for-all, making many sites fail to function properly in this environment. In this regard we are constantly improving heuristics to mitigate the breakage issues we do find.

We showed multiple cases where the assumption that third-party cookies will be allowed led to both benign and potentially dangerous issues for users who block cookies. Some of these cases affect payments, so perhaps if cookie blocking becomes more common and companies’ bottom lines are affected, these issues will be fixed. This is a chicken-and-egg problem though: if the web is broken for users blocking cookies, then we may never achieve the critical mass required to get it fixed.

How users and developers can help fix the problem

For users, getting control over which cookies your browser sends out, and to whom, is a key part of protecting privacy online, but also something that is not universally recognized by browser privacy tools. Most adblockers, for example, do nothing to the cookies of third-party requests which are not on their blocklists. More adoption of the kind of cookie blocking that Cliqz and Ghostery do helps to achieve this critical mass and push more websites to ensure that their services still work correctly for users who choose more private browser configurations.

Developers have a part to play here too. By building services which do not require third-party cookies, or at least continue to function without them, it becomes easier for users to turn off third-party cookies, and the web becomes more privacy-friendly. As we have seen in this blog series, even the biggest tech companies are currently failing at this, but this seems to be due more to a lack of awareness than to any difficulty in implementation.

This article was first published in full on WhoTracks.me.
