Cookies were originally designed for recognizing repeat visitors to a website, but they were soon repurposed for use cases like: login and single sign-on; tracking state (like putting shopping choices into a cart); tracking to better target advertising; detecting fraud; measurement and attribution of ad clicks. Third party cookies (cookies set by someone other than the website being used) have introduced additional vectors for cookies to be used as a data collection mechanism across web sites. This increase in data collection and sharing about people using the web - often in a way that is opaque or incomprehensible to a web user - results in decreased individual and collective privacy.
Third-party cookies in particular are a key technology supporting tracking networks, which have been identified as a major threat to privacy. These tracking networks entail concentrating data in the hands of - and thus giving greater power to - intermediaries with a presence across many sites, away from the individual sites a person is actually visiting. This centralizing effect has repercussions on innovation and accountability, beyond what is in scope for discussion here.
We maintain that security and privacy are essential on the web; a reduction in privacy also has implications for freedom of expression, supporting healthy communities and the enhancement of individual control and power.
Some features of the web that people have come to expect, and which greatly improve user experience, currently depend on third-party cookies, and continuing to support these use cases is important. It is better to approach this with replacement technologies that are designed-for-purpose and built to respect user privacy. Any proposal that acts as a general-purpose replacement for third-party cookies would need to be accompanied by evidence that it does not recreate the same issues.
Some recent good examples of the designed-for-purpose approach include:
- FedCM. Third-party cookies have been used to support single sign-on. FedCM is a set of technologies built to support identity federation, without replicating all functionality of third-party cookies.
- CHIPS. The goal of CHIPS is to allow state, without supporting correlation or tracking between web sites which don't know they are collaborating, for example, when embedding third-party services like customer service webchat.
In all cases, it is important to continually review how such proposals might interact with other emerging or proposed APIs. Be aware that a set of new technologies which carry minimal risk individually, could be used in combination for tracking or profiling of web users.
We support removing third-party cookies from the web platform, and we embrace the opportunity to improve the privacy features of the web. When we review new technologies to replace third-party cookies, we need to ensure that the replacements do not recreate the same pitfalls to privacy.
The TAG considers each new technology proposal both individually, and as they fit together with the web platform as a whole. The web must be cross-platform, so multi-implementer (multi-browser) support and developer support for privacy-related specifications is essential if they are going to achieve the goal of increasing privacy on the web. When we consider whether something makes the web platform better, we should be explicit about what the baseline for comparison is. Is a proposal better for privacy when compared to usage of third-party cookies? Or when compared with a web free from third-party cookies altogether? What about when some user agents restrict third-party cookies, but others do not?
Many varied proposals are being incubated in W3C Community Groups (e.g., PATCG, Privacy CG, WICG) as well as outside (e.g., Privacy Sandbox), and in these incubation stages multi-stakeholder support, consensus, and possible timelines for standardization are uncertain, and far from guaranteed.
We want to emphasize that as any replacement proposals progress, implementations should have a strong commitment toward, and reasonable time frame for, removing third-party cookies.
We are also wary of new mechanisms being introduced that could be abused together with cookies, fingerprinting surface or other tools, for greater privacy invasion.
Given this context, we see an urgency to have a strict timeline for the removal of third-party cookies.
All proposers of new web platform technologies are expected to be able to explain and justify the benefits and trade-offs of their proposal. It is particularly important that proposals which aim to fill gaps left by the removal of third-party cookies provide clear and concrete evidence that individual and collective privacy is still preserved; especially proposals which involve profiling, cross-context recognition, or otherwise aggregating or sharing of web user data between parties. We encourage that proposals claiming to improve privacy on the web platform undergo independent review and analysis; the burden of proof is on the proposers, not reviewers, to justify additions and changes to the web platform. The benefits to web platform users of the removal of third-party cookies must not be undermined by user agents or site authors in other ways.
We are strongly in favor of innovations to build sustainable business models on the web platform, but an in-depth discussion of the various possibilities are outside of the scope of this document. From an architectural standpoint, web standards should avoid encoding particular business models that are available to authors, publishers, and web content creators.
In conclusion, when accommodating changes caused by the removal of third-party cookies, we should avoid introducing new technologies that, when deployed either individually or in combination, effectively preserve the status quo of harmful tracking and surveillance on the web.