A visible consequence of ad tracking is retargeted ads: ads that follow you around the web after you've shown interest in a product.
This is also the origin of clickbait and fake news: it doesn't matter whether you enjoy good content, all that matters is that you click through to the website so the ads can set a cookie.
What to do about it? Let's consider imaginary browser security settings.
(This presentation is so slick, omg — living up to the Apple standard right there :D)
- 2003: third-party cookie blocking started: drop a third-party cookie if that cookie doesn't already exist. However, this doesn't prevent a tracker from briefly becoming a first party in order to get access to the cookie jar.
- 2017: intelligent tracking prevention deletes tracking cookies by default
- prevent the cross-site tracking we see today
- don't block ads: ITP is on by default, and we don't want to make that decision for users
- don't use a blocklist; it would be a management nightmare
- don't break the web and create a bad user experience
How does classification work? With statistics: for each domain, count how many third-party scripts, redirections (ads) and subframes it is involved in across the sites you visit.
Can we just delete all of their cookies?
So they decided to use an additional signal: user interaction. If there has been no user interaction with a classified domain, its cookies and website data can be deleted.
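To make the classification and deletion logic concrete, here is a small simulation written for these notes (it is not WebKit's code, and the log, the threshold of three distinct sites, and the interaction set are all constructed assumptions). It counts the three statistics the talk names per third-party host, classifies hosts seen under enough distinct top-level sites, and then applies the user-interaction signal so that a classified-but-legitimate host such as an embedded video service keeps its cookies:

```python
from collections import defaultdict

# Constructed browsing log: (top-level site visited, kind of third-party
# involvement, third-party host). The kinds are the statistics the talk
# mentions: third-party scripts, redirects and subframes.
BROWSING_LOG = [
    ("news.example", "script",   "tracker.example"),
    ("news.example", "subframe", "tracker.example"),
    ("shop.example", "script",   "tracker.example"),
    ("shop.example", "redirect", "tracker.example"),
    ("blog.example", "script",   "tracker.example"),
    ("news.example", "subframe", "video.example"),
    ("shop.example", "subframe", "video.example"),
    ("blog.example", "subframe", "video.example"),
    ("news.example", "script",   "cdn.example"),
]

# Hosts the user has interacted with as a first party (constructed; this is
# the "user interaction" signal from the notes).
INTERACTED_HOSTS = {"video.example"}

# Assumed threshold: a host seen as a third party under at least this many
# distinct top-level sites is classified as a tracker.
PREVALENCE_THRESHOLD = 3


def tracker_statistics(log):
    """Per third-party host: the set of sites it was seen under and a count per kind."""
    sites = defaultdict(set)
    counts = defaultdict(lambda: {"script": 0, "redirect": 0, "subframe": 0})
    for site, kind, host in log:
        if host == site:
            continue  # first-party resource, not a cross-site signal
        sites[host].add(site)
        counts[host][kind] += 1
    return {host: (sites[host], counts[host]) for host in sites}


def classify(log, threshold=PREVALENCE_THRESHOLD):
    """Hosts whose cross-site prevalence reaches the threshold."""
    return {host for host, (sites, _) in tracker_statistics(log).items()
            if len(sites) >= threshold}


def hosts_to_purge(classified, interacted=INTERACTED_HOSTS):
    """Classified hosts with no user interaction lose cookies and site data;
    classified hosts the user did interact with keep theirs."""
    return sorted(classified - interacted)


if __name__ == "__main__":
    flagged = classify(BROWSING_LOG)
    print("classified:", sorted(flagged))
    print("purge cookies and data for:", hosts_to_purge(flagged))
```

With the constructed log both tracker.example and video.example are prevalent enough to be classified, but only tracker.example is purged, because the user interacted with video.example; cdn.example was only ever seen on one site and is never classified.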
Time for a live demo!
A bunch of domains classified as trackers appear in the console, and the corresponding cookies are deleted.
They observed two counter-attacks: HSTS supercookies, and something based on links.
How to fix this? They forbade third parties from setting HSTS, and only allow first parties to set HSTS for a small subset of subdomains.
The second evil technique is link decoration.
The logic is that if:
- there's a navigation from a domain classified by ITP
- the landing URL has a query string or fragment
then client-side cookies on the landing page are capped to 24 hours.
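The link decoration rule above, as an added example for these notes (not WebKit's implementation): a navigation is treated as decorated when the referrer's registrable domain is in the classified set and the landing URL carries a query string or fragment, and in that case a client-side cookie's requested lifetime is capped to 24 hours. The classified set, the two-label approximation of a registrable domain (a browser would use the Public Suffix List) and the cookie lifetimes are assumptions.

```python
from datetime import timedelta
from urllib.parse import urlsplit

# Domains already classified as trackers (constructed; the classifier's output).
CLASSIFIED = {"tracker.example"}

# Cap applied to client-side (document.cookie) cookies on a decorated landing page.
DECORATED_CAP = timedelta(hours=24)

# A typical long-lived cookie lifetime, used as sample input.
ONE_YEAR = timedelta(days=365)


def registrable_domain(host):
    # Assumption: the last two labels; a real browser consults the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def is_decorated_navigation(referrer_url, landing_url, classified=CLASSIFIED):
    """True when the navigation came from a classified domain and the landing
    URL carries a query string or fragment (the two conditions in the notes)."""
    ref_host = urlsplit(referrer_url).hostname
    if ref_host is None or registrable_domain(ref_host) not in classified:
        return False
    landing = urlsplit(landing_url)
    return bool(landing.query or landing.fragment)


def effective_cookie_lifetime(requested, referrer_url, landing_url, classified=CLASSIFIED):
    """Lifetime the browser actually grants a client-side cookie set on the landing page."""
    if is_decorated_navigation(referrer_url, landing_url, classified):
        return min(requested, DECORATED_CAP)
    return requested


if __name__ == "__main__":
    granted = effective_cookie_lifetime(
        ONE_YEAR, "https://ads.tracker.example/click", "https://shop.example/?clickid=abc123")
    print("granted lifetime:", granted)  # capped to 24 hours
```

Only the combination of the two signals triggers the cap: a decorated URL reached from an unclassified site, or an undecorated URL reached from a classified one, keeps the requested lifetime.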
And remember, there are legitimate uses for third-party cookies, for example embedded, subscription-based videos.
1. Store ad clicks. Safari will remember which ads were clicked on.
2. Match conversions against stored clicks.
3. When a conversion happens, allow an HTTP redirect to the advertiser website, but there's no linkability between these two events.
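The three steps above, modelled as an added example for these notes (this is not Safari's implementation): the browser stores which ad was clicked, matches a later conversion on the advertiser site against the stored click, and emits a report that carries only the source site, destination site, campaign id and conversion value. The 6-bit budgets come from the Q&A below; the one-click-per-site-pair rule, the attribute-once behaviour and the report layout are assumptions.

```python
from dataclasses import dataclass

# Entropy budget from the talk's Q&A: 6 bits of campaign id, 6 bits of conversion value.
CAMPAIGN_BITS = 6
CONVERSION_BITS = 6


def is_within_budget(campaign_id, conversion_value):
    """Both values must fit their bit budget (0..63 each)."""
    return 0 <= campaign_id < 2 ** CAMPAIGN_BITS and 0 <= conversion_value < 2 ** CONVERSION_BITS


@dataclass(frozen=True)
class StoredClick:
    source_site: str       # site that showed the ad
    destination_site: str  # advertiser site the ad linked to
    campaign_id: int       # 0..63


class ClickAttributionStore:
    """Browser-side store (assumed: one stored click per (source, destination) pair, latest wins)."""

    def __init__(self):
        self._clicks = {}

    def store_click(self, source_site, destination_site, campaign_id):
        # Step 1: remember which ad was clicked, with only a 6-bit campaign id.
        if not is_within_budget(campaign_id, 0):
            raise ValueError("campaign id exceeds the 6-bit budget")
        self._clicks[(source_site, destination_site)] = StoredClick(
            source_site, destination_site, campaign_id)

    def convert(self, destination_site, conversion_value):
        """Steps 2 and 3: the advertiser site signals a conversion; return the
        attribution reports the browser would send. A report holds only the four
        low-entropy fields, so it cannot be joined to a particular user or click."""
        if not is_within_budget(0, conversion_value):
            raise ValueError("conversion value exceeds the 6-bit budget")
        reports = []
        for key, click in list(self._clicks.items()):
            if click.destination_site == destination_site:
                reports.append({
                    "source": click.source_site,
                    "destination": click.destination_site,
                    "campaign": click.campaign_id,
                    "conversion": conversion_value,
                })
                del self._clicks[key]  # assumed: each stored click is attributed once
        return reports

    def pending(self):
        return len(self._clicks)


if __name__ == "__main__":
    store = ClickAttributionStore()
    store.store_click("news.example", "shop.example", 17)
    print(store.convert("shop.example", 3))  # one report with 12 bits of information
```

Nothing in the report identifies the user: the advertiser learns that some click on campaign 17 at news.example led to a conversion of type 3, and no more.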
A: it's an open question, currently being discussed. Look at the GitHub repo for more info.
A: we restrict this to 6 bits of entropy. You can only track 64 campaigns at once, and 64 types of conversion. They're discussing giving a bit more flexibility, limiting to 12 bits in total.
A: we believe that cross-site tracking is bad for the web. We acknowledge that there are legitimate use cases and we try to propose solutions for those.
A: we haven't proposed it as part of the standard, but it's all open-source (including the ML model). Firefox built something similar, Edge has something in beta. Maybe at some point there'll be standardization?
A: The ones you mention (Brave, Firefox) are doing great things.