Disabling Third-Party Cookies Doesn’t (Meaningfully) Improve PrivacyPosted: 2011/09/26
I noticed in some discussion on Hacker News about Google Chrome an argument that disabling third-party cookies somehow improved privacy. I don’t intend to comment on the rest of the debate, but this particular assertion is troubling.
At time of writing, only two browsers interfere with third-party cookies in any meaningful way. Internet Explorer denies setting third-party cookies unless a P3P header is sent. This is basically an evil bit, and just as pointless. No other browser even pretends to care about this standard.
The other is Apple’s Safari browser, which denies setting third-party cookies unless a user has “interacted” with the framed content. The definition of “interacted” is a bit fuzzy, but clicking seems to do it. No other browser does this, or anything like it. There are some laughably simple hacks around this, like floating an iframe under the user’s cursor (and, for some reason, submitting a form with a POST method). Even if those hacks didn’t exist, the idea is still pointless.
The reason I know about these rules is that we had to work around them when implementing auto-logins at Stack Exchange (there was an earlier version that straight up did not work for Safari due to reliance on third-party cookies). This also came up when implementing the Stack Exchange OpenID Provider, as we frame log in and account creation forms on our login page.
For auto-logins, I ended up using a combination of localStorage and postMessage that works on all modern browsers (since it’s not core functionality we were willing to throw IE7 under a bus at the time, and now that IE9 is out we don’t support IE7 at all). StackID tries some workarounds for Safari, and upon failure displays an error message providing some guidance.
The joke is that there are alternatives that work just fine
ETags have gotten a lot of press, the gist being that you re-purpose a caching mechanism for tracking (similar tricks are possible with the Last-Modified header). This is a fundamental problem with any cache expiration scheme that isn’t strictly time based, as a user will always have to present some (potentially identifying) token to a server to see if their cache is still valid.
Panopticlick attacks the problem statistically, using the fact that any given browser is pretty distinctive in terms of headers, plugins, and so on independent of any cookies or cache directives. My install of Chrome in incognito mode provides ~20 bits of identifying information, which if indicative of the population at large implies a collision about every 1,200 users. In practice, most of these strings are globally unique so coupled with IP based geo-location it is more than sufficient for tracking if you’re only concerned with a small percentage of everyone on Earth. Peter Eckersley’s paper on the subject also presents a rudimentary algorithm for following changing fingerprints (section 5.2), so you don’t even have to worry about increased instability when compared to third-party cookies.
You can get increasingly nefarious with things like “image cookies,” where you a create a unique image and direct a browser to cache it forever. You then read the colors out via HTML5’s Canvas, and you’ve got a string that uniquely identifies a browser. This bypasses any same origin policy (like those applied to cookies and localStorage) since all browsers will just pull the image out of cache regardless of which domain the script is executing under. I believe this technique was pioneered by Evercookie, but there may be some older work I’m not aware of.
If you’ve been paying attention, you’ll notice that none of these techniques are exactly cutting edge. They’re still effective due in large part to the fact that closing all of these avenues would basically break the internet.
Why do we stick to cookies and localStorage?
The short of it is that we over at Stack Exchange are “Good Guys™,” and as such we don’t want to resort to such grey (or outright black) hat techniques even if we’re not using them nefariously. I hope the irony of doing the “right thing” being more trouble than the alternative isn’t lost on anyone reading this.
For global login, localStorage is acceptable since clearing it is somewhat less important. You can only login to existing accounts, only on our network, and on that network there are significant hurdles preventing really nefarious behavior (you cannot permanently destroy your account, or your content in most cases).
What good does Safari’s third-party cookie behavior do?
Depending on how cynical you are, one of: nothing, mildly inconveniencing unscrupulous ad networks, or childishly spiting Google. I’m in the “nothing” category as there’s too much money to be had to believe it deters the seedier elements of the internet, and the notion that Apple would try to undermine a competitor’s revenue stream this way is too conspiracy theory-ish for me to take seriously.
I can believe someone at Apple thinks it helps privacy, but in practice it clearly doesn’t. At best, it keeps honest developers honest (not that they needed any prompting for this) and at worst it makes it even harder for user’s to avoid tracking as more and more developers resort to the more nefarious (but more reliable!) alternatives to third-party cookies.
There may be legitimate complaints about browser’s default behavior with regards to privacy, but having third-party cookies enabled by default isn’t one of them.