 
		Browser fingerprinting and the death of cookies
 
					Need to know
- In early 2020, Google announced it would phase out all third-party cookie support within two years
- Browser fingerprinting has been shown to identify users with 90–99% accuracy
- Unlike third-party cookies, browser fingerprinting isn't regulated anywhere in the world
The days of third-party cookies are numbered. These little bits of information, embedded in your browser by websites you visit, track you around the web to log your activities and identify you.
They’ve been the go-to for advertisers for years, but new regulations, default browser settings, and actions from large companies such as Google and Apple have slowly eroded their usefulness. Now, a new tracking method has arrived to follow us around the web.
What are third-party cookies?
Cookies are small text files containing pieces of information about the websites you’ve visited and what you did on them. They live in your browser and save things like login details or the items you might have placed in your shopping cart, then report back to their distributors.
Most cookies are harmless or even necessary, but third-party cookies follow you from website to website, tracking your every move. For years now, many browsers such as Firefox, Brave and more have blocked them by default – but not Google Chrome.
Apple’s new App Tracking Transparency (ATT) policy, which went live in April 2020, requires all apps get user permission before tracking activity. This includes the use of third-party cookies.
But according to Google, large-scale blocking of third-party cookies has had two negative effects:
- companies and bad actors have invented newer, harder-to-block methods for tracking you
- legitimate advertisers have lost revenue, with Google believing publisher revenue could fall by 52% on average when cookies are removed.
Similarly, Meta (Facebook) warned a potential 60% loss in ad revenue for small businesses as a result of Apple’s ATT policy, and 50% loss in general from its Audience Network app monetisation system. The degree to which small businesses were affected is unclear, but according to advertising technology company Lotame, ATT-caused ad revenue losses for Facebook, YouTube, Snapchat and Twitter were closer to 12% on average in the last half of 2021.
What is browser fingerprinting?
While third-party cookies can be easily blocked by your browser, browser fingerprinting (also known as online or digital fingerprinting) happens entirely on the server side. All it needs is one quick look at your device and settings to figure out who you are (or probably are) before it builds a profile based on your online activity. Though it might not be able to put a name or face to your algorithm (which cookies don’t do either), it can still track you around the web and log your activity across multiple sessions.
Unlike third-party cookies, browser fingerprinting isn’t regulated, so there’s currently no legal incentive for websites to abstain from using it. And since it uses scripts that look just like the ones websites need to function, it’s very difficult to detect. Google and other companies are moving towards blocking it, but they aren’t all the way there.
How does browser fingerprinting work?
Browser fingerprinting detects information about your device such as the browser you’re using, time zone, operating system, screen resolution, device hardware, and much more. It’s the sheer number of data points that makes fingerprinting so effective.
A fingerprint for one of our laptops, generated by and downloaded from the website AmIUnique, returned around 1420 data points and found our device to be unique out of the 66,539 fingerprints in its dataset. Some are a simple yes/no check, such as if you have Java enabled or use an ad blocker, while others have multiple possible results. Add all that up and you can see why browser fingerprinting has been shown to identify users with 90–99% accuracy.
What’s the solution?
Many popular browsers such as Edge, Firefox, Brave, and more already have anti-fingerprinting systems. But they’re far from perfect and at this stage there’s not much more you can personally do. Not even a VPN will help.
One way browsers fight fingerprinting is via the privacy budget method. A browser might allow a website to ask for data until the browser believes enough has been provided to function, but before enough (often extraneous) information has been given to challenge your anonymity. After that, any further information requests are blocked.
Another method is randomisation, where your browser randomises certain values every session, making the fingerprint less accurate.
Ultimately, you might rely largely on Google, of all sources, to help put browser privacy (somewhat) back on track. Unsurprisingly, the plan includes the continuation of an ad-supported web.
Google agrees the usefulness of third-party cookies is at its end and admits it’s become a problem for user privacy. In a 2020 post on the Chromium Blog, a publication for news regarding the Google-led, open-source Chromium project, Google announced its intention to actively block fingerprinting and proposed privacy budgets as one solution. Given Chromium is the foundation for every major web browser apart from Firefox and Safari, this could be a far-reaching initiative. In early 2020, Google also announced it would phase out all third-party cookie support within two years.
Google hopes to implement a new system called Privacy Sandbox, which is still in relatively early stages of development. Privacy Sandbox is a set of agreed-on standards that Google says “will improve transparency, choice, and control”. The company plans to work with the web community to develop various privacy standards, while still providing “an environment for personalisation”.
What about targeted ads?
You’ll still receive targeted ads, but your user information could be kept on your device and not given to advertisers directly. Google is currently calling its approach Federated Learning of Cohorts (FLoC), in which users with similar interests are lumped into groups or “cohorts” based on information that never leaves your browser.
For example, Google believes it could create cohorts of fans of Star Wars who also like sneakers, but would only do so once said group contains thousands of people. Advertisers then target each cohort as a whole, rather than individual users therein. Your data is anonymised and added to this group before advertisers gain access, so you’re just one more number filling out the crowd.
But there are proposed methods other than FLoC, such as Two Uncorrelated Requests, Then Locally-Executed Decision On Victory (TURTLEDOVE), Secure Private Advertising Remotely Run On Webserver (SPARROW), and Publisher Auction Responsibility Retention Revision of TurtleDove (PARROT), among others, all competing for handling at least part of the future of advertising with varying levels of privacy.
How private will the future of the web be?
Google’s Privacy Sandbox and its competing standards are still being fleshed out and will likely evolve over the next few years. Your level of privacy – with regards to how advertisers target you and websites track you – might increase drastically, slightly, or not at all. You might notice ads become less accurate or you might not.
At the end of the day, there’s too much money on the line for the current ad-based model of the web to ignore the wealth of user data out there. No matter how good the Privacy Sandbox, ATT and their alternatives are, there will likely be work-arounds eventually.
The tug of war between privacy and revenue is unlikely to change anytime soon, but at least for now we can see talk from multiple industry sources about combatting the latest challenges to privacy, at least with regards to targeted advertising and browser tracking.
Related
 
		 
		 
		 
		 
					