third-party cookies


Third-party cookies are HTTP cookies which are used principally for web tracking as part of the web advertising ecosystem.

While HTTP cookies are normally sent only to the server setting them or a server in the same Internet domain, a web page may contain images or other components stored on servers in other domains. Third-party cookies are the cookies that are set during retrieval of these components.

A third-party cookie thus can belong to a domain different from the one shown in the address bar, yet can still potentially be correlated to the content of the main web page, allowing the tracking of user visits across multiple websites.

This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. Although not originally intended for this purpose, third-party cookies opened up the potential for web tracking of a user's browsing history, which advertisers use to serve relevant advertisements to each user. Third-party cookies are widely viewed as a threat to the privacy and anonymity of web users.

As of 2024, all major web browser vendors had plans to phase out third-party cookies. This decision was reversed for Google Chrome in July 2024.{{Cite web |date=2024-07-22 |title=Google reneges on plan to remove third-party cookies in Chrome - CBS News |url=https://www.cbsnews.com/news/google-third-party-cookies-chrome/ |access-date=2024-07-25 |website=www.cbsnews.com |language=en-US}}

Mechanism


As an example, suppose a user visits www.example.org. This website contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com and sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser, through the use of the HTTP referer header field.
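The exchange described above can be modelled in a few lines. This is an added example, not part of the original article: the `AdServer` and `Browser` classes are hypothetical stand-ins for ad.foxytracking.com and a user agent, the page URLs are constructed, and the `block_third_party` switch models a browser that refuses cookies in a cross-site context.

```python
from urllib.parse import urlsplit

def site(host):
    # Simplification (assumption): registrable domain = last two labels.
    # Real browsers consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

class AdServer:
    """Stand-in for ad.foxytracking.com: issues an ID cookie, logs the Referer."""
    def __init__(self):
        self.next_id = 1
        self.log = {}                      # cookie ID -> referring pages seen

    def serve_ad(self, cookie, referer):
        if cookie is None:                 # no cookie presented: treated as a new visitor
            cookie = f"uid{self.next_id}"
            self.next_id += 1
        self.log.setdefault(cookie, []).append(referer)
        return cookie                      # value carried in the Set-Cookie response

class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                      # cookie-setting host -> cookie value

    def visit(self, page_url, ad_host, ad_server):
        page_host = urlsplit(page_url).hostname
        third_party = site(page_host) != site(ad_host)
        allowed = not (third_party and self.block_third_party)
        sent = self.jar.get(ad_host) if allowed else None
        issued = ad_server.serve_ad(sent, referer=page_url)
        if allowed:                        # a blocked cookie is neither sent nor stored
            self.jar[ad_host] = issued

def tracker_view(block_third_party):
    # Constructed browsing session: two unrelated sites embedding the same ad host.
    ads = AdServer()
    browser = Browser(block_third_party)
    for page in ("https://www.example.org/", "https://www.foo.com/"):
        browser.visit(page, "ad.foxytracking.com", ads)
    return ads.log

if __name__ == "__main__":
    print(tracker_view(False))   # one ID linked to both sites
    print(tracker_view(True))    # two single-visit IDs that cannot be joined
```

With blocking enabled the ad server still receives each request and its Referer, but it can no longer tie the two visits to the same browser through a cookie.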

As of 2014, some websites were setting cookies readable for over 100 third-party domains.{{cite web |url=http://webcookies.org/third-party-cookies/ |title=Third party domains |publisher=WebCookies.org |access-date=2014-12-07 |archive-url=https://web.archive.org/web/20141209234746/http://webcookies.org/third-party-cookies/ |archive-date=2014-12-09 |url-status=live}} On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800.{{cite web |url=http://webcookies.org/number-of-cookies/ |title=Number of cookies |publisher=WebCookies.org |access-date=2014-12-07 |archive-url=https://web.archive.org/web/20141209235956/http://webcookies.org/number-of-cookies/ |archive-date=2014-12-09 |url-status=live}}

The older standards for cookies, RFC 2109{{Cite ietf|rfc=2109|section=8.3|title=HTTP State Management Mechanism}} and RFC 2965,{{Cite ietf|rfc=2965|title=HTTP State Management Mechanism}} recommend that browsers should protect user privacy and not allow sharing of cookies between servers by default. However, a newer standard, RFC 6265,{{Cite ietf|rfc=6265|title=HTTP State Management Mechanism}} released in April 2011, explicitly allowed user agents to implement whichever third-party cookie policy they wish, and until the late 1990s allowing third-party cookies was the default policy implemented by most major browser vendors.

Blocking third-party cookies

Most modern web browsers contain privacy settings that can block third-party cookies, and some now block all third-party cookies by default; as of July 2020, such browsers include Apple Safari,{{Cite web|last=Statt|first=Nick|date=2020-03-24|title=Apple updates Safari's anti-tracking tech with full third-party cookie blocking|url=https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking|access-date=2020-07-24|website=The Verge|language=en}} Firefox,{{Cite web|date=2019-06-04|title=Firefox starts blocking third-party cookies by default|url=https://venturebeat.com/2019/06/04/firefox-enhanced-tracking-protection-blocks-third-party-cookies-by-default/|access-date=2020-07-24|website=VentureBeat|language=en-US}} and Brave.{{Cite web|last=Brave|date=2020-02-06|title=OK Google, don't delay real browser privacy until 2022|url=https://brave.com/ok-google/|access-date=2020-07-24|website=Brave Browser|language=en-US}} Safari allows embedded sites to use the Storage Access API to request permission to use first-party cookies when the user interacts with them.{{cite web |title=Introducing Storage Access API |url=https://webkit.org/blog/8124/introducing-storage-access-api/ |website=WebKit |date=21 February 2018}} In May 2020, Google Chrome 83 introduced new features to block third-party cookies by default in its Incognito mode for private browsing, making blocking optional during normal browsing. The same update also added an option to block first-party cookies.{{cite web |last1=Protalinski |first1=Emil |title=Chrome 83 arrives with redesigned security settings, third-party cookies blocked in Incognito |url=https://venturebeat.com/2020/05/19/google-chrome-83/ |website=VentureBeat |access-date=25 June 2020 |date=19 May 2020}} Google planned to start blocking third-party cookies by default in late 2024, and in January 2024 started this process with a pilot scheme in which blocking has been implemented for 1% of all Chrome users.{{cite news |title=Google now delays blocking 3rd-party cookies in Chrome to late 2024 |url=https://www.business-standard.com/article/technology/google-now-delays-blocking-3rd-party-cookies-in-chrome-to-late-2024-122072800244_1.html |newspaper=Business Standard India |date=28 July 2022 |access-date=23 September 2022}}{{Cite news |date=2024-01-04 |title=Google Chrome starts blocking data tracking cookies |url=https://www.bbc.com/news/technology-67882315 |access-date=2024-01-05 |work=BBC News |language=en-GB}}

Replacements

Since third-party-cookie-based web tracking was an essential part of the existing web advertising ecosystem, multiple proposals are being implemented to try to replace it.

Google proposes the use of browser-based interest targeting, in which users' interests can be recorded locally by the browser, and then signalled to advertising servers without directly revealing the user's identity. Google's Privacy Sandbox is one such implementation.

Other approaches include the use of browser fingerprinting to track users across sites, which is generally viewed as being as bad a threat to privacy as third-party cookies. There are also concerns that interest-based tracking may itself be abused to fingerprint users.

Circumvention of blocking of third-party cookies

A number of methods exist for circumventing the blocking of third-party cookies. One is for the operators of websites to point a DNS name within the site's own domain at an advertiser's server, thus in effect making cookies set on that server first-party cookies from the viewpoint of the browser while still providing a third party with control over the cookie information.
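A blocker or site auditor can detect this arrangement by resolving the names a page loads from and checking where they really lead. The following is an added example, not part of the original article: it assumes the delegation is done with CNAME records, and the DNS records, host names and tracker list are constructed for illustration.

```python
# Constructed DNS data (name -> CNAME target); not real records.
CNAME_RECORDS = {
    "metrics.example.org": "example-org.collector.foxytracking.com.",
    "example-org.collector.foxytracking.com": "edge7.foxytracking.com.",
    "www.example.org": "lb.example.org.",
    "cdn.example.org": "cdn.example.org.hosting.example.net.",
}
# Hosts contacted while loading https://www.example.org/ (constructed).
REQUEST_HOSTS = ["www.example.org", "metrics.example.org",
                 "cdn.example.org", "ad.foxytracking.com"]
TRACKER_SITES = {"foxytracking.com"}       # hypothetical blocklist

def site(host):
    # Simplification (assumption): registrable domain = last two labels.
    # Production code should use the Public Suffix List.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def cname_chain(host, records, max_hops=8):
    """Follow CNAME records from host; stop at a loop or after max_hops."""
    chain = [host.lower().rstrip(".")]
    for _ in range(max_hops):
        target = records.get(chain[-1])
        if target is None:
            break
        target = target.lower().rstrip(".")
        if target in chain:                # CNAME loop
            break
        chain.append(target)
    return chain

def cloaked_hosts(page_host, request_hosts, records, tracker_sites):
    """Map each first-party-looking host to the tracker site it resolves into."""
    findings = {}
    for host in request_hosts:
        if site(host) != site(page_host):
            continue                       # openly third-party: ordinary blocking applies
        for hop in cname_chain(host, records)[1:]:
            if site(hop) != site(page_host) and site(hop) in tracker_sites:
                findings[host] = site(hop)
                break
    return findings

if __name__ == "__main__":
    print(cloaked_hosts("www.example.org", REQUEST_HOSTS, CNAME_RECORDS, TRACKER_SITES))
```

The CDN alias also leaves the site's own domain but is not flagged, which is why the check matches against a tracker list instead of flagging every off-site target. A name pointed at an advertiser's server with a plain address record leaves no CNAME chain and needs an IP-based check.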

Another approach is for the website operator to proxy traffic from the client to the tracking service's servers. As this would easily allow the website operator to serve false information to the tracking service, this is unlikely to be widely adopted.
