Google strengthens Chrome’s privacy controls

Google today announced a major new initiative around its Chrome browser that will, in the long run, introduce significant changes to how Chrome handles cookies and enhance its users’ privacy across the web.

With this move, Google is making cookies more private and also adding new anti-fingerprinting technology to its browser. While some of the changes here are happening in the Chrome browser, developers, too, will have to prepare for this change and adapt their cookies to this new reality.

“We’ve been thinking a lot about this topic for a while and think it’s really important that users have transparent choice and control over how they are tracked over the web,” Google’s web platform lead Ben Galbraith said in an interview ahead of the announcement.

There will be a number of UI changes in Chrome to enable this, but the company isn’t disclosing any information about this yet. Instead, it is talking about the necessary changes in the web platform to enable this.

The overall idea here is to provide users with more control over how their data is shared. While cookies are very useful to allow you to keep a persistent login to a site or store your preferences, for example, they are also being used to track you across the web. Few users, however, would want to block all of their cookies and lose these conveniences. The compromise here is to only allow the site that originally set the cookie to access it and block third-party cookies, making it harder for others to track you using these cookies.

To do this, Chrome will move to require developers to explicitly allow their cookies to be used across websites. Using the SameSite cookie attribute, developers have to explicitly opt in to make their cookies available to others. SameSite simply stops the browser from sending it when it receives a cross-site request. There are some security enhancements that come with this, but the main goal here is to prevent tracking.

Right now, all cookies pretty much look the same to the browser, so it’s hard to selectively delete third-party cookies. Because this change also makes it easier to identify tracking cookies in the browser, though, users can then also more easily delete them.

“This change will enable users to clear all such cookies while leaving single domain cookies unaffected, preserving user logins and settings,” Google explains in today’s announcement. “It will also enable browsers to provide clear information about which sites are setting these cookies, so users can make informed choices about how their data is used.”

SameSite isn’t new, but it’s not all that widely used, especially given that browsers don’t have to respect it. In the coming months, however, it will become the default in Chrome.

That’s an important fact to stress: This isn’t just about adding a new feature to Chrome that makes it easier to block or delete tracking cookies — it’s about changing how developers use them at a very fundamental level.

Galbraith also tells me that Google will start experimenting with only allowing cross-site cookies if they are served over an encrypted SSL connection. This is currently hidden behind a flag in the Canary version of Chrome, but it’ll likely become more widely available soon, too.

None of these are immediate changes, though. “I compare this to the deliberate way we moved https to the default in Chrome,” Galbraith said. For this, Google signaled its intent for a few years before finally changing the default.

With its anti-fingerprinting technology, Google is doing something similar to what is happening with cookies. “Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice,” Google explains. “This is why Chrome plans to more aggressively restrict fingerprinting across the web. One way in which we’ll be doing this is reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen.”

For a company that makes most of its revenue from advertising, that’s a pretty bold move. It’s also a bit late, given that users have been asking for these privacy controls for a while. Galbraith acknowledged that “this is increasingly an area of concern for users.”

In a related announcement, the Google Ads team today said that it is “committing to a new level of ads transparency.” The first step in actually providing users with better insights into how ads are personalized for them, Google will launch a browser extension that will disclose the names of the companies that were involved into getting these ads in front of you (including ad tech companies, advertisers, ad trackers and publishers) and the factors that were used to tailor the ad to the user.

This extension is going live today in the coming months and will work for all of Google’s own properties and those of its publishing partners. The company is also making an API available to other advertising companies that want to feed the same information into the browser extension.

Even though in the age of mobile apps, tracking users through browser cookies isn’t quite as important as it used to be, it’s still an important mechanism for many online advertising firms, including Google. Google’s move has wide-ranging implications for online advertising and it’ll be interesting to see how Google’s competitors in this space will react to the announcement.