Google Chrome to Introduce Improved Cookie Controls Against Online Tracking
At the company’s I/O 2019 developer conference, Google has announced its plan to introduce two new privacy and security-oriented features in the upcoming versions of its Chrome web browser.
In an attempt to allow users to block online tracking, Google has announced two new features—Improved SameSite Cookies and Fingerprinting Protection—that will be previewed by Google in the Chrome web browser later this year.
Cookies, also referred to as HTTP cookies or browser cookies, are the small pieces of information that websites store on your computer, which play an important role in improving your online experience.
Cookies are created by a web browser when a user loads a particular
website, which helps the website to remember information about your
visit, like your login information, preferred language, items in the
shopping cart and other settings.
However, cookies are also being widely used to identify users and track their activities not only on the site that issued a cookie but also on any third-party site that includes a resource shared by the same site, for example, cookies used for ad retargeting and behavioral advertising.
Since currently there is no standard way to identify or categorize how websites are using cookies, all these cookies used for different purposes look the same to the browsers and clearing them would log you out of all sites, resetting your online preferences.
Improved SameSite Cookies Offers More Control to Users
While acknowledging this, Google has now planned to modify the way
cross-site cookies work across the Internet, making it easier for Chrome
browser users to block or clear all such third-party cookies without
losing sign-in information and settings.
In a detailed blog post, Google explains a new mechanism that website developers have to follow in the coming months to explicitly specify which cookies on their sites are allowed to work across websites and could be used to track users.
The new mechanism is built on the SameSite cookie attribute that offers developers three different options to control the behavior, and more transparency to the users revealing if a browser cookie is for the same-site or cross-site purpose.
Website developers can opt-in to more security by setting SameSite attribute value to “Strict” or “Lax” that limits a cookie to same-site requests, or to “None” when explicitly required to make it available for cross-sites.
What’s more? The new upgrade would limit cross-site cookies to HTTPS
connections and would also make it difficult for malicious sites to
exploit cross-site vulnerabilities.
“This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF [cross-site request forgery] by default,” Google explains.
“We also announced our plan to eventually limit cross-site cookies to HTTPS connections, providing additional important privacy protections for our users.”
With the release of Chrome 76, Google will also allow users to set the
default behavior for their browser to define if it should accept or
reject cross-site cookies when visiting a website.
New Protections Against Browser Fingerprinting
Besides cookies, browser fingerprinting is also a common and highly accurate technique used by websites to identify and track individual users across the websites without their knowledge or consent.
Browser fingerprinting is a very effective way to accurately identify users by collecting a wide range of data about their devices through browser APIs and then combining them to calculate and assign a unique value to each browser that can be tracked across the Internet.
At I/O 2019 developer conference, Google also announced that Chrome
would make it harder to do browser fingerprinting by reducing the ways
in which web browsers can be passively fingerprinted.
“Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice,” Google says. “This is why Chrome plans to more aggressively restrict fingerprinting across the web.”
However, Google also recognizes that both cross-site cookies and fingerprinting have uses beyond just tracking users online and that the company is “committed to working with the web ecosystem to understand how Chrome can continue to support these positive use cases and to build a better web.”