Full third-party cookie blocking and more (webkit.org)
260 points by tbodt on March 24, 2020 | 168 comments


I'm confused about if this means that IndexedDB will always wipe data after 7 days. That seems like it would prevent storage from being used for user data in PWAs.


Wow they buried the lede; I'm glad you highlighted this. This is going to be an interesting situation for some Safari users. "Why did your app delete my data?" "If you don't like that you should use Chrome."

Of course Google could do this too, if they had a reason, even if only downstream from Chromium. It's just a commercial decision. Apple have decided they don't want their users to have usable anonymous web apps. Of course, since they don't support beforeinstallprompt, we already know they don't want their users to have web apps, period. Gotta get that sweet 30% cut!


I doubt that this is going to be an issue for applications using ReactNative or other solutions to package websites as applications.

For applications that have you add it to your home screen using the app icon, it may be more of an issue, but why wouldn't you sync that data back up to the server?


Yes of course if you're running a business then you're getting users logged in ASAP. There are other models of software development, however. Even if you're in the commercial sector, some users may be less eager than others to sign up for your fine service. Should you preemptively suck in their data, whoops I mean back up their data, without telling them? It seems there could be several responses to that question...

It's fine that Apple don't want to support this valid mode of app distribution and use. It is a valid mode, however.


Just FYI (If I'm reading you correctly): That's not how react native works. It's a native app, not a wrapped website.


I suspect they just meant regular react


Ok, that's not how React works either. React is not a "solution to package websites as applications".


You know... you're correct, I misread his original post. He was probably conflating React Native with something like Electron.


So what is the modern version of PhoneGap?


Ionic Capacitor


Cordova?


It’s the usual “this is why we can’t have nice things”. Anything persistent will be turned into a tracking cookie. So eventually everything becomes ephemeral.


Not if there's a proper opt-in permission prompt, just like for GPS or camera/microphone access.

It's not trivial, though, seeing how notification prompts were abused...


Sites would just instruct users to accept permanent storage in exchange for free content.


But then why don't they already force visitors to accept push notifications?


> after seven days of Safari use without user interaction on the site

If it's a PWA that's regularly used you should be fine. But if not, yeah, that's going to be very annoying.


If this is really about protecting users and not about kneecapping web apps shouldn't Apple also wipe user data in native apps that haven't been used in a week?


Outside privacy issues; visiting a website once shouldn't be enough for a website to store as much data as it wants on someone's computer.

Installing a native app is a stronger form of opt-in than simply clicking a URL to a new website.


Chromium (and derivatives such as Edge) allows users to install web apps. You're right that such a facility could be used as a signal for webkit that a particular site's IDB data should be retained for longer than a week.


> install web apps

That's what a PWA is :). Browsers should lift these restrictions for installed PWAs, and probably do.


The browser under discussion in TFA doesn't have PWAs as such. [0] Of course I agree with your restatement of what I said browsers should do upthread. b^)

[0] https://caniuse.com/#search=beforeinstallprompt


Safari still lets you add a web app to the homescreen, though. It could be used as a signal.


Yeah it seems they are encouraging that as a solution. Unless I’m misunderstanding.

“Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.”


Was that section originally in TFA? It's encouraging, but it certainly contradicts claims that this will only be applied to "3rd party" stuff in iframes...


Native apps don't really have the problem of third-party ad networks storing data intermixed with app data in this way, though.


The regular reports about tracking in random advertising/... SDKs suggest otherwise


Why not though? It seems like third-party SDKs could be included by the developer and stored on my local device.


Every iOS app I ever built for a client had Facebook's SDK and tracking installed, at the client's request. Often Google's and Twitter's too and the user has no awareness of this.


They are much worse.


The seven day wipe is going to encourage further adoption of Facebook or Google centralized logins, since this flow makes state restoration after a cookie wipe least painful. (Even saved login-passwords combinations can become de-synchronized between devices.) I don't think the theoretical benefits of enhanced privacy are worth the concrete costs of internet centralization.


First-party cookies aren't on the list of affected storage, are they?


https://webkit.org/blog/8613/intelligent-tracking-prevention... already limited 1st party cookies set from JS to 7d.

This post is about them extending it to all storage set from JS.


However any cookies set via HTTP, like http secureonly cookies that tend to be used for logging in, are exempt from that seven day limit.


Correct.

I expect companies will start working around this with CNAMEing and proxying, and I'm curious how Apple will handle it.


I would expect the end game of this would be advertising networks injecting content directly into the page as it's rendered on the webserver. If they want tracking, at some point they'll just ask companies to hand over their logs…


Yes. Or sites just CNAMEing entirely over to their ad network, which then proxies the page content and inserts ads. Which are then, as a side effect, very difficult to block.

And since they can easily correlate logs server side, they can track people between sites.


Oh my, what a grim vision of the future. I'm going to stop recommending ad blockers, on the theory that I don't have to be faster than the bear...


I suspect the EU will just outlaw that kind of collaboration.


I think this is the eventual goal from tracking prevention's side.


Yeah, that seems potentially destructive for apps that want users to have a local only copy. You would need to provide a full import / export option in case someone goes on vacation.


95% of my regularly used websites and applications have had usage gaps that have reached a week.


That is what it means. The only workaround is to require the user to login and to keep a backup of the data on your server.


Exactly. Which to me suggests this could result in more tracking rather than less. At AutoTempest we haven't even bothered to make user accounts thus far, since there's no reason why you should need an account to search for used cars, and we can store user preferences in cookies or localStorage. If those only persist for 7 days though, we're basically forced to have users create accounts and store their preferences on our servers, to avoid a poor user experience.

Blocking 3rd party cookies I'm fully on board with, but I don't want first party cookies deleted unless I actually specify it. Fortunately as a user I can keep using Firefox, but since iOS is always going to be a large percentage of our users, there's not much choice on the provider side.


This is what we do. Store a 1st party httponly secure cookie jwt representing the user, then grab any extra data from the backend. Or just something like session cookie but persist it.

I wouldn't be surprised if this is one of the ways ad tracking tries to rebuild a universal identifier like the old urchin module. Might not be as easy as a cname but those might get blocked. It's always a game of cat and mouse. Could place uuid as 1st party httponly cookie. Maybe uuid is domain scoped. Then 'echo out' so accessible by 3rd party JS. Like a hash, one would need to know the global pooled uuid already and then combined with knowable domain could tie that uuid into the 2nd party tracking pool.


1st party httponly secure cookies will be erased in seven days.

You need the user to manually provide an identifier (i.e. login) to avoid losing everything.

The user's password safe is now the only non-volatile storage mechanism on Safari.


> 1st party httponly secure cookies will be erased in seven days.

httponly cookies can't be set from JS, and the seven day erasure only applies to cookies set from JS. That's why they're the recommended method for keeping a user logged in.


They explicitly say 1st party httponly secure cookies are exempt and are their first recommended alternative.
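
The workaround described in the comments above (a session identifier kept in a server-set HttpOnly, Secure cookie, with user data fetched from the backend), shown as an added example that is not code from any commenter. The cookie name `sid`, the token layout and every function name are assumptions, and an HMAC-signed token stands in for the JWT one commenter mentions.

```javascript
// Added example (not from the thread): the session lives in a cookie the
// server sets over HTTP, so page script can neither read nor write it.
// Cookie name "sid", token layout and helper names are assumptions.
const crypto = require('node:crypto');

// Per-process key for the demo; a real deployment loads it from a secret store.
const SESSION_KEY = crypto.randomBytes(32);
const MAX_AGE_S = 60 * 60 * 24 * 30; // 30 days

function sign(value, key = SESSION_KEY) {
  return crypto.createHmac('sha256', key).update(value).digest('base64url');
}

// Token layout: "<sessionId>.<expiryEpochSeconds>.<hmac>"
function issueToken(sessionId, nowMs = Date.now(), key = SESSION_KEY) {
  const exp = Math.floor(nowMs / 1000) + MAX_AGE_S;
  const body = `${sessionId}.${exp}`;
  return `${body}.${sign(body, key)}`;
}

// Returns the session id, or null if the token is malformed, forged or expired.
function verifyToken(token, nowMs = Date.now(), key = SESSION_KEY) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [sessionId, exp, mac] = parts;
  const expected = Buffer.from(sign(`${sessionId}.${exp}`, key));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(exp) || Number(exp) * 1000 <= nowMs) return null;
  return sessionId;
}

// HttpOnly: invisible to document.cookie. Secure: HTTPS only.
// SameSite=Lax: not sent on cross-site subrequests.
function sessionCookie(token) {
  return `sid=${token}; Max-Age=${MAX_AGE_S}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Extract one cookie value from a Cookie request header.
function readCookie(header, name) {
  for (const part of String(header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Request handler; wire it up with http.createServer(handle) behind TLS.
// Preferences and other user data are looked up server-side by session id
// instead of being kept in localStorage or IndexedDB.
function handle(req, res) {
  const sessionId = verifyToken(readCookie(req.headers.cookie, 'sid'));
  if (!sessionId) {
    const fresh = crypto.randomUUID();
    res.setHeader('Set-Cookie', sessionCookie(issueToken(fresh)));
    res.end('new session\n');
    return;
  }
  res.end(`welcome back ${sessionId}\n`);
}
```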


Don’t they just mean the localstorage containers for other domains than the current one? I.e. your normal app’s storage will be left untouched as it is currently but third party domain localstorage containers will be wiped?


My understanding was that yes, if the user doesn't interact with the site in 7 days then the stored data (in cookies and localStorage) will be deleted.


It is confusingly worded, but DOES NOT mean all browser storage mechanisms will break.

The key phrase is “without user interaction”. Only e.g. invisible nested iframes that scammy ad companies love to use will have their localstorage limits affected. Top level frames are unchanged.


I think you’ve also misread the original text:

“seven days of Safari use without user interaction on the site”

Does not mean that top-level frames are unaffected. Everybody is affected. They specifically call out first party storage as being misused currently. I think the correct interpretation is:

Whenever the user interacts with your page then the clock gets reset to 7 days, also the clock only runs on days the user uses Safari.


I hope you're right! Where TFA has:

Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site.

...maybe "script-writable" should be "third-party-in-iframe-script-writable"? If so this document should be edited.


To be clearer; this is a huge win for privacy/antitracking without any? real downsides.

> “chrome will never have this”

Indeed :)


Apple have to put restrictions on websites, otherwise users might break free from AppStore walled garden.


The 7-Day Cap on All Script-Writeable Storage is troublesome: if I don't log into a computer for a week 'cause I'm on vacation then you wipe my saved data? I have local storage based utilities I've written that I sometimes don't touch for weeks, but whenever I go back everything I put in there is STILL THERE.

Seems like a great way to drive less use of local browser storage options and promote greater use of cloud storage solutions. Cynical me says "YAY iCloud".


The day count is days of active browser use, not calendar days, so what you describe is unlikely.


Ah, that would be an improvement: just re-read the article and I can't find any reference to "active use" vs "calendar". Can you point out where that is?


I think om2 means this from the article:

"seven days of Safari use without user interaction on the site"

It's not immediately obvious the way it's phrased but they couldn't be calendar days if there are days you don't use Safari; it's only counting a day as one where Safari is used and you don't visit the site.


I've had third party cookies blocked for years in Firefox. It doesn't break much.


I've been blocking third party cookies since my Opera days. I can't remember exactly when, but at least Opera 9 (2006). Recently, I use the same capability of Vivaldi (Chromium based).

The problem is that this blocking induces some failures which are hard to diagnose. For instance, on the official site of my city I can't use some pages because they loop on requiring my authentication, since they use iframes with shared cookies. On other sites, submitting a form will fail with no error messages. I also remember a Python MOOC that failed with a blank page because of this blocking. Fortunately, all of these errors are uncommon.


This is why I'm glad Safari is doing this. Up until now, you were just a weird nerd user, and they could ignore you.

Now some huge double-digit share of traffic is going to encounter these issues, and force sites that depend on 3rd party cookies to re-architect themselves to support "normal" people on their iPhones.


I use a pihole at home to block various tracking and advert domains and it is astounding how many big shops or sites that will break when you block them, mainly at checkout. They fail silently.

My wife finds that various sites just don't work so I have to disable it whilst she checks out.

If these 3rd party cookies and domains are highlighted and force people's practices to change a bit, I will be happy.

I just don't understand people that run a site that relies on so many third-party sources to actually function. Since the site owner is not in control of the third-party reliability or uptime, it is essentially handing control/resilience of the original site to the third-party (and putting the fate of their shop in it too). Absolutely baffling.


Exactly. I don't see why they should be allowed in the first place. I also block first-party cookies and while that does break more sites, it's still pretty manageable.


>I also block first-party cookies

This is the front loaded approach which can cause breakage. I prefer the back loaded approach of using an extension like Cookie Auto Delete or similar that deletes cookies once you're away from a domain for a set amount of time (I think mine is set to 2 minutes).


This is one approach, but you can avoid breakage by accepting cookies initially while enabling "clear cookies on exit." Combined with Firefox containers this works pretty well.


Indeed, this is what I use on Firefox Android as uMatrix would be way too cumbersome. Still have to remember to exit through the menu though, just killing the app won't do it.


Do you use any sites which require any kind of authentication?


Firefox users can turn on privacy.firstparty.isolate which I believe will scope third party cookies to the top level domain you are on. It is off by default, but I've been using it for some time without issue (except very persistent re-captcha).


By "manageable" I mean I'll allow them for the sites that need them. So yes, I do use sites with login.


My site offers appointment scheduling, my customers like to put our site inside an iframe on their site so their users don't get sent off to a domain they don't know. Our site needs cookies for sessions, no tracking is involved, I would say that's a perfectly legitimate use of third party cookies.

I just tried the new Safari Preview and this indeed stopped our framed web app from working. I managed to get it somewhat working again by asking permission via the new Storage Access API. Yet another popup users need to click through, ugh. I also managed to get one Safari Preview in a state where it would consistently deny access, without prompting the user again. This is going to make for painful support tickets.

I guess a more permanent solution would be to ask my customers to put a piece of JavaScript on their page so we can set first party cookies but that seems a support nightmare as well. Any other suggestions to work around this would be most welcome.
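
The Storage Access API flow this comment describes, as an added example that is not the commenter's code. `doc` stands for the iframe's `document`, and the `ui` object with its four callbacks is hypothetical; the denied branch covers the case where the browser refuses without prompting again.

```javascript
// Added example (not from the thread): requesting cookie access from inside
// a third-party iframe. `doc` is the iframe's `document`; `ui` is a
// hypothetical object exposing showConnectButton(), onConnectClick(fn),
// start() and showFallback().
async function initEmbeddedWidget(doc, ui) {
  // Browser without the API: report it and let the caller decide.
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';
  }

  // hasStorageAccess() needs no user gesture, so it can run on load.
  if (await doc.hasStorageAccess()) {
    ui.start();
    return 'granted';
  }

  return new Promise((resolve) => {
    ui.onConnectClick(() => {
      // requestStorageAccess() requires a user gesture, so it is called
      // directly inside the click handler, before any other await.
      doc.requestStorageAccess().then(
        () => {
          ui.start(); // session cookies are now sent with iframe requests
          resolve('granted');
        },
        () => {
          // Denied, possibly without a prompt being shown. Do not loop on
          // the request; offer another path instead (assumption: a link
          // that opens the scheduler as a top-level page, where its
          // cookies are first-party).
          ui.showFallback();
          resolve('denied');
        }
      );
    });
    ui.showConnectButton();
  });
}

// Browser wiring (for reference; not executed here):
//   initEmbeddedWidget(document, {
//     showConnectButton: () => { button.hidden = false; },
//     onConnectClick: (fn) => button.addEventListener('click', fn),
//     start: () => loadScheduler(),
//     showFallback: () => { fallbackLink.hidden = false; },
//   });
```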


Browsers should deprecate third party cookies and remove support entirely.


Chromium has announced their intentions to do just this in two years! https://blog.chromium.org/2020/01/building-more-private-web-...


I know. They should have done it two years ago.


They have to wait for ad networks to develop more robust techniques. Be careful what you wish for.


It breaks Duo 2fa's "remember me for a week"... Which makes it very annoying, at least at work.


> Safari continues to pave the way for privacy on the web, this time as the first mainstream browser to fully block third-party cookies by default

Too bad Safari isn't my default browser anymore, ever since they essentially killed it when they neutered extensions.


Neutering extensions was necessary as they were a major privacy problem in itself. Most extensions would inject themselves in any page, having access to everything on such sites; for example your bank login, credit card transaction details, private FB messages, Gmail etc.


I initially felt the same way, as I relied on ublock origin, but the loss of that extension forced me to switch to pihole, which I think is an overall better approach to ad blocking. It works for all devices on your network, so you get ad blocking on devices that you normally wouldn't, like your smart TV and the Apple News app.


Being DNS based, pi-hole cannot block specific paths of otherwise-acceptable domains nor can it do any cosmetic filtering. It is not necessarily a better approach for web browsing.


I find wipr works really well.


You know what I'd really like from Apple: a per-site option for disabling JavaScript and another for blocking even first-party cookies.


The number of people who care about blocking Javascript in 2020 is minuscule.


Minuscule, and growing. That site that shouted at me that I'm filthy lowlife scum for running an adblocker? Pphhht. JS disabled; nastiness averted.


It wouldn't be that difficult to build a JS-free version of the same nag. If global JS support somehow goes down, the nags will just adapt.


I completely disabled Javascript. I just use another browser when I really need it, turns out that 90% of things I need javascript for, I can just not use. It’s even helped my productivity.


Rather than wiping indexed DB data after 7 days, could you not just make it an opt in thing, like the camera or mic? For example, ask users "Allow myapp.com to store app related data on your computer?". If they allow it, then give access to indexed DB API. That way we can still have fully local PWAs.


Still dreaming of a way to block cookies per-domain

Edit: someone just told me you can do it with osx adguard, in the user rules you can set "||domain.com^$cookie" to block all cookies from domain.com


You can do this with uMatrix.


Isn't this built into Chrome settings? I've configured it on both desktop and Android to block all cookies for certain domains.


Cookie Master extension for firefox.


I might be misremembering, but didn’t Safari block third-party cookies by default before all this tracking protection stuff started?


I was thinking the same, and an image search revealed the old preferences dialog for Safari: https://www.howtoisolve.com/wp-content/uploads/2014/12/Browe.... So yes; you could block third-party cookies before ITP was introduced. So it seems like they're now backtracking on ITP and just default to blocking third-party cookies by default?

Although maybe ITP is still involved, as Google implemented workarounds to be able to set third-party cookies regardless of this Safari setting, costing Google $22.5M. https://www.ftc.gov/news-events/press-releases/2012/08/googl...


Is there any legitimate reason Chrome doesn't follow suit other than they like ad revenue? An answer from a Googler here would be great. And a real answer, not corp-speak.

Blocking third party cookies seems like overall a good thing for security. Security is good right?

Edit: 2 years is a long time to wait for a security improvement that is literally flipping a switch.


I'm a Googler who works in ads, speaking only for myself.

If Chrome blocked third party cookies today we'd see something between these two outcomes:

a) Publishers lose about half their revenue because ads aren't personalized anymore: https://services.google.com/fh/files/misc/disabling_third-pa...

b) Advertisers figure out how to keep personalizing ads through fingerprinting (non-cookie tracking)

Since (b) is worse than the status quo (users can't reset their fingerprint) I think "a security improvement that is literally flipping a switch" doesn't fit.

Chrome's approach (as described in https://blog.chromium.org/2020/01/building-more-private-web-...) is:

* Block fingerprinting

* Figure out how to let advertisers personalize in privacy preserving ways (https://www.chromium.org/Home/chromium-privacy/privacy-sandb... primarily FLoC and TURTLEDOVE)

* Then remove cookies

I'm skeptical about the approach, since I think blocking fingerprinting and server-side correlation of requests is very difficult, but I think the people working on this are very good and have thought a lot more about it than I have.


In other words the Chrome team doesn't care about users, it cares about ads. If it put users first, as it should, third party cookies would have been blocked a long time ago and they would be working on blocking other fingerprinting techniques now.

This is a great reason to not use Chrome.


Users don't care about ads, but users care about the things that ads fund. If publishers go out of business, users will be worse off.

Do you think the browsers should block all ads by default?


Today's ads are what we used to call "spyware" back in the day and we used to purchase dedicated antispyware products that protected against them, so yes, browsers should block malware (so ads in their current state).

Browsers, after all, are user-agents designed to serve the user and not corporate interests. Technology as a whole should be there to make our lives easier, not waste our time.

Publishers will not go out of business, don't worry. Clickbait will die off because the cheap nasty ads that currently make it viable will disappear. Tasteful, pleasant ads tailored to the current content, negotiated directly between the publisher and the advertiser will remain, and will be harder to block because they are just content served just like the rest of the content on the page instead of from a nasty ad network domain.


Maybe free newspapers go out, and free blog platforms go out, but that means that physical local papers don't go out of business and stop having to rely on clickbait. Losing some things means gaining others.


Sorry, clarifying: your prediction is that if internet ads became much less valuable we would see (a) the return of paper newspaper delivery and (b) the end of clickbait?


I doubt it'll go as far as that, but I'd expect at least that if people had had to pay for news all along, the news ecosystem would have been less devastated by the pay-per-click internet than they have been in reality.


> Do you think the browsers should block all ads by default?

Resounding yes. Such a thing would be the single greatest security improvement a browser could implement. It would also completely destroy pretty much the only vector online scammers have to reach you.

Most forms of advertising are totally fine. Hell I’m even in favor of targeted advertising so long as it’s targeted to the content demographics instead of the literal individual following them around.


I'm confused why you would say both that browsers should block all ads by default and that most forms of advertising are totally fine?

> I’m even in favor of targeted advertising so long as it’s targeted to the content demographics instead of the literal individual following them around

Then you might like FLoC (https://github.com/jkarlin/floc) and TURTLEDOVE (https://github.com/michaelkleber/turtledove). These are both ways of implementing targeted advertising without letting the advertiser or ad network follow you around.


Because internet ads are not most ads. If it's attached to an ad exchange or runs any code client side we're firmly in the "not fine category."

Types of ads that I don't like but I won't be up in arms about from a security perspective.

* Paying for sponsored reviews.

* Affiliate links and partnerships.

* Paying promoters and influencers to push your product.

* "One way broadcasts" like billboards, commercials, magazines.

* In house ads like Kroger sending you coupons based on your purchase history at Kroger.

* Corporate press events like E3.

* Paying to post on the community billboard.

* Paying to have a booth at professional/enthusiast conferences/trade shows.

* Stuff like E3/NintendoDirect/PAX/BlizzCon.

* Selling air time on radio, podcasts, online videos.

* Sponsored articles/announcements on blogs/news sites.

* Native advertising a la Buzzfeed where they would get paid to write a listicle "top 10 things you should order off the secret menu at Taco Bell."

* Generic direct mailings and coupon books.

* Paying employees to suggest and guide customers through the sale provided they're upfront about it. I've seen Lululemon do it somewhat tastefully on Reddit when people post topics looking for recommendations.

But ads that come from ad networks/exchanges are nothing like these while simultaneously being the bulk of what ad blockers actually block.

So I don't see it as a contradiction. The kinds of ads that ad blockers block aren't usually these and are instead the spyware/malware kind.


Yes.

(i am a user; i don't presume to know what is best for others; speaking as a user that talks to others like me; i don't need to speak about 'users' as a third party entity; i am a significant sample of the set)


Why do you think Edge, Firefox, and Safari have chosen not to block all ads by default?


I mean MS makes money from their ad network, Firefox has always gotten their money from the largest online advertiser, and Apple can’t risk the potential lawsuit from pissed off ad networks.


Thus Spoke The Googler


Are you ready to pay every website you visit, then? With actual money that you yourself own?


As if ads is the only possible business model on the web.

At best the ad revenue is taking money away from other web business models by instituting that kind of mentality that drives people away from donations and paid accounts.

Please, consider a paid account/membership when you read the guardian, the intercept, or look for the donation page of quality content articles in wikipedia or any of the loads of blogs written by authors with patreon accounts.


Yeah, people will not collect subscriptions to content publishers like they collect emojis on their phones.

Estimate how many websites you visit each month; people would need dozens of monthly subscriptions if such a system was set up.

Instead, they will rather go to and pay google news, facebook press or apple information to get all their news content. Where would money be taken away then? Content publishers.


Donations exist, LMAO.


The web shouldn't block ads, it should block JS entirely. There should be a 'global' permission system (similar to Android) that allows me to control exactly what information websites are allowed to access from my browser.

For example, I want to disable WebRTC as it can be used to collect my IP address, or disable WebGPU APIs or anything that can be used to finger print me.

JS has far, far, far too much broad access to information that might seem mundane but can be used to profile a user.

Android is the same - you can get the entire list of installed packages on the system and various other pieces of information to build a unique, persistable tracking ID.

There's also a lack of accountability: What information is being sent to what servers? I want a detailed JSON formatted breakdown of EVERY single piece of data that is being sent from my device.

I should be able to block anything that is outside my own determined comfort zone.

But most OSes just make requests to US IPs without much thought now - just turn on Windows 10 in a VM and watch as it sends so many requests with no insight into the data, which many companies (including Google) don't tell you about.

Ask me about a recent GDPR request to Google which I just got a generic response about (and they didn't action my request to delete information, so now I need to complain to the regulator because it was also late).

So yes, blocking ALL tracking by default is sensible.


Do you hold your mobile native apps to the same standard? As a former iOS developer I guarantee you there's a lot more of your data getting collected from those than you'd think and you can't do anything about it.


Nobody cares about users, else Apple would have allowed users to install other browser engines.


> a) Publishers lose about half their revenue because ads aren't personalized anymore: https://services.google.com/fh/files/misc/disabling_third-pa....

I am on the demand side, and the thesis and testing methodology seem extremely flawed.

If you disable third party cookies on a test group of certain publishers our (demand side) bidders will start optimizing towards the control group; this is very obvious.

Also, was this analysis conducted on other ad exchanges? For example, Google ADX makes only ~30% of the global traffic we get, and the traffic has very different characteristics from the traffic we get from APPNEXUS, Rubicon, etc.

I believe this is an analysis for Google's internal conclusions, and not for the industry in general. Has this been made public before?


> If you disable third party cookies on a test group of certain publishers

It says "turned off the availability of personalized data for a small fraction of randomly selected users" and "The experiment was applied to a small fraction of each publisher’s traffic because we did not want to materially affect publisher revenue, though in aggregate the amount of traffic evaluated as part of the experiment was significant". It sounds like you're responding to a version of the experiment that was run on a per-publisher basis?

> was this analysis conducted on other ad exchanges?

It says the experiment was conducted "through the programmatic arm of Google Ad Manager’s serving system". I'm not sure what this means, but I don't think it includes AppNexus or Rubicon.

I believe any publisher could run their own version of this experiment by picking a slice of traffic and telling all their bidders to only show non-personalized ads.

> Has this been made public before?

This document was released in August: https://www.blog.google/products/ads/next-steps-transparency...


> Using this system, we ran an experiment where we turned off the availability of personalized data for a small fraction of randomly selected users through the programmatic arm of Google Ad Manager’s serving system, thus effectively disabling access to cookies

This means the cookies for the auctions of a control group of users were not exposed. The experiment is still wrong, the bidders will still react in real time discarding the traffic without identifiers; especially since it comes from ADX where the identifier is the key to evaluating the model.

Not taking any other ad exchange into account is a huge flaw if you want to extrapolate the conclusions into conclusions for the whole industry. Other exchanges provide different identifying properties such as the 4th octet of the ip_address with each auction. Google ADX doesn't send this bit of information, they obfuscate the ip_address always. It's obvious that if you remove cookies from ADX, there is no reason to use ADX since the cookie is the proxy for your model on that exchange, but on the other ad exchanges you could survive just fine.

There is no way I read this experiment in which it makes sense as a conclusion for the whole ad industry.


The trouble is Apple shows this compromise is unnecessary. They work hard to block fingerprinting (especially on iOS) and it WORKS. iOS devices are mostly indistinguishable. Notoriously impossible to fingerprint.

Granted desktop fingerprinting is more of a challenge due to differing OS's, screens, GPUs for WebGL, etc. But it doesn't seem impossible.

They have also blocked third party cookies for so many years. The world did not catch on fire.

They use an advertising ID the user can reset.


I believe they also have an "identifier for vendor" that persists even after app uninstalls/reinstalls and is the same across all the apps from the same developer, so Apple are not ideal either. Still better than the competition though.


I don't know very much about fingerprinting, but it sounds like the reason iOS devices are hard to fingerprint is that the hardware has very little variation?


For an alternate empirical take:

https://weis2019.econinfosec.org/wp-content/uploads/sites/6/...

They find publishers only have a 4% premium on programmatic ads that involve behavioral targeting.


Given the history of advertising on the web and advertising in general, I am hugely skeptical of anyone who claims that ethical personalized advertising is even possible.

It was critical to election tampering in 2016, it's been used for racism, sexism, and every imaginable sort of scam.

The only way personalized advertising would be remotely ethical is if it were explicitly opt-in. I notice that's not a thing on your list of steps Google is planning on doing. No surprise.


If you think personalized advertising is harmful and shouldn't exist anywhere across society you're going to need to pursue that through legislation and not technology. Otherwise platforms people log into (ex: Facebook) will continue personalizing regardless of what browsers implement.


Why not both? Any time somebody suggests a legislative solution, people come out of the woodwork to say that bad actors will continue being bad actors despite legislation. Privacy should be enshrined both in legislation and in practice.


My parent comment wasn't arguing for privacy, they were arguing against personalization.

Specifically, I referenced two proposals for privacy-preserving ad personalization, FLoC (https://github.com/jkarlin/floc) and TURTLEDOVE (https://github.com/michaelkleber/turtledove), and their response was that privacy wasn't the issue, the effects of personalization are harmful in themselves.

For privacy I do agree that you can't just do it with legislation and you also need technology. But if you think the issue is personalization itself, regardless of how privately it is implemented, then legislation is the critical playing field. Blocking personalization on the open web through technical means while allowing it in walled gardens means you (a) still have most of the claimed harms of personalization but also (b) massively disadvantage the open web.


Ah, I see. For me, the privacy-breaking aspects that are required to personalize ads are the primary negative aspect, and are what I focused on. While the parent comment only explicitly mentioned personalization of ads, tracking by ad companies for the sake of ad personalization is so ubiquitous that unless one explicitly makes a distinction, it is reasonable to take a reference to one as a reference to the other.

Reading through those links on FLoC and TURTLEDOVE, those are interesting concepts. My worry is that even though the ad selection is done in the browser, it will still leak significant information. For image/video ads, it would require bloating the amount of bandwidth used to serve the ads, or would leak information about which ad was selected by the client.


> For me, the privacy-breaking aspects that are required to personalize ads are the primary negative aspect, and are what I focused on.

The two are more or less intertwined. "Personalization" leaks information about people. It has also allowed advertisers to promote material targeting (or eliminating) otherwise protected groups.

People have been outed for being pregnant and for being gay, by outside observers noticing what promotions they were getting.


I don't actually mind platforms personalising ads & content based on information I explicitly provide. I just don't want them stalking me around the web and trying to collect information behind my back.



FLoC is a decent idea and similar to something I thought of where there would be a standardised list of categories and the browser would just have a UI in its settings where you can select the categories you're interested in and the browser would send them in an "Accept" header.

Unfortunately back when I thought of this I wasn't aware of browser fingerprinting or all the other nefarious things the advertising industry is doing. Fingerprinting turns both FLoC and my idea into tracking vectors, so that's out of the question. The authors acknowledge this problem in the readme.

Turtledove is a longer spec and I haven't had the time to read it thoroughly, but while the idea is good, I see some potential problems - first off, this still involves executing JS to do the "ad auction" on the browser which could have security implications (they explicitly mention that JS should be prevented from talking to the outside, leaks would be vulnerabilities in this case, and I don't trust the ad industry to be nice and not attempt to exploit them); there's also the issue that I just don't want my device to expend processing power and expose me to potential security vulnerabilities for ads; I want ads to be served as static images from the website without the whole bidding thing. From an advertiser's perspective, I'm not sure how fetching the potential ads in advance and moving the auction on the client device would work - my understanding is that auctions are in real-time. I'm also not sure whether exposing all the ads to the public (even the ones that ultimately don't get chosen at the auction) and the auction details would reveal information that advertisers consider sensitive.

Finally, if you look at my other post here: https://news.ycombinator.com/item?id=22680559 you'll see that I have other problems with online and targeted ads besides the privacy and security aspect.

Unlike print and TV ads, there is little to no human review, no accountability (Google isn't liable if they serve me a scam ad if I fall for it), and targeting allows scams to be targeted at only the people most likely to fall for them while hiding these ads from the savvy people who would recognise the scam and report it. At the core, this isn't a tech problem but a law problem, but short of a law it can be solved by tech if we heavily block the current model of ads (targeted and served from a central ad network) so it becomes unprofitable and publishers & advertisers have no choice but to host static ads on their own domain, thus becoming liable if they host malware or something illegal (this would hopefully encourage human review).


As an aside, I appreciate you candidly discussing this.


Thanks!


I second that. It shows bravery. (Pun not intended)


As I said previously, I think personalizing should be opt-in and under the user's control. If I don't want my race/ political beliefs/ religion/ or sexual orientation tracked, that should be my choice, not under the control of a corporation.


Alex Russell and friends love to bash Safari for lack of PWA support but are mute when it comes to things Google does to Chrome that don't benefit (or even harm) the user and only benefit $GOOG.


January this year Chrome committed to phasing out third party cookies by '22.


Long enough from now that we'll forget, in case they conclude they can't do it without jeopardizing ad revenue.


The list of addons I consider essential for privacy just keeps growing. Here is another great addition: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete

Does what it says on the tin.


What's more on your list?


> this time as the first mainstream browser to fully block third-party cookies by default

Third party cookies have been blocked in Firefox since September 3rd (2019) [1]. They mention Brave in the article, so surely Firefox being larger than Brave should be included in "Major browsers", but not a single mention was made in the article. It really reminds me of the meme "what do you mean you've seen it?".

[1] https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc...


Blocking cookies from a blocklist of "trackers" as your link clearly describes is not the same as disabling them completely.


Are there efforts to cloak third party cookies via the first party domain?


The point of third party cookies is cross-site tracking, which doesn't work with a first party domain.


There are perfectly valid use cases for third party cookies that do not involve tracking. Our business offers an appointment scheduling widget, it needs cookies for user sessions, and those cookies are third party because the widget is commonly included on a web page inside an iframe. That widget now breaks in the new safari preview.


Thanks, I think I was conflating this with the cloaking of 3rd party JS payloads in first party domains


meh. i mean ok yes this does kill the tracking (although i can imagine how to be more devious) but i already very easily do this with ghostery.

i suppose it’s great for the 90% of “default settings” users.

because a solution (many) is already available for tracker blocking, i’d rather see effective html5 video and popup blocking. is that infeasible?


Soooo... like Firefox has done by default since June 2019 then https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc... ?

I guess later is better than never, but this seems like something they could have done long ago.


The blog post you reference clearly describes a limited blocklist. As the submission says, no other mainstream browser has blocked all third-party cookies yet.


From the article:

> Safari continues to pave the way for privacy on the web, this time as the first mainstream browser to fully block third-party cookies by default. As far as we know, only the Tor Browser has featured full third-party cookie blocking by default before Safari, but Brave just has a few exceptions left in its blocking so in practice they are in the same good place. We know Chrome wants this behavior too and they announced that they’ll be shipping it by 2022.


I really thought Firefox did all of this already too. I have no justification for not having truly checked. Hopefully other browsers from Safari will not be far behind.

I hope that there might be a way to safely auto-sync my Firefox profile, bookmarks and history especially, to Safari iff it's really the more secure of the available browsers for iOS.


So much for the advertisement-powered web. Congratulations, privacy people: you win. I hope the new web is everything you hoped. If it isn't, you have only yourselves to blame. Enjoy the paywalls.


"So much for the tracking-advertisement-powered web"

I'm looking forward to it. Seriously. I know you're intending to be facetious with this, but everything you listed sounds good to me. Either charge for your service, or include ads that don't follow me around the Internet.

Somehow advertising worked on radio, on TV, and in print without correlating data about each viewer with all their other habits. I see no reason why that can't be the same online.


Do you want 7 minutes of ads for every 23 minutes of web browsing, like TV?

Did you not notice that print is dead?


No. That’s why I pay for Hulu and Netflix, and DVR other content.

Print as a medium may be dead, but journalism is still here. And it’s possible to provide without invasive tracking, just like it has been for centuries. The transition from ink to pixels doesn’t rely on analytics to succeed.


You reckon Hulu, Netflix, et al, are just sitting on all the user data you are giving them, totally respecting it... definitely not monetizing from it? When was the last time you read T&C?


Yeah, I realized I'd see this reply as soon as I submitted the comment. Of course they're selling my data. I wish they didn't.

And to circle back to the original comment I replied to: They don't have to. A business can be run providing entertainment without granular user tracking. HBO and Showtime did it back when they were just add-ons to cable packages.

What OG commenter was implying, is that the Internet will be worse without 3rd-party cookies and tracking. I can't disagree strongly enough.


It's one thing where a business is using data you provide them to make better decisions, just like a store would use sales numbers to decide how much of an item they should stock up.

The problem here is when data is collected by third-parties I do not know, do not trust, and do not need. They collect data for their benefit without providing me anything of value, only ads aka spam.

Online ads are also nothing like print or TV ads. The latter has a barrier to entry and some minimum criteria they must meet like the laws on what's allowed to be broadcasted and they are at the discretion of the publisher. This makes it less likely that a scam or malware would be promoted for example. Online? It's the Wild West, anyone can advertise anything (fake tech support numbers for example) for a few hundred bucks and targeting means they can make sure only the people most likely to fall for the scam would see the ad, while flying under the radar of anyone savvy enough to recognise it as a scam and report it.


Why would you need third-party cookies for advertisements?


Because managing advertisers and selling ad space is extremely time-consuming or expensive to set up and maintain, and most companies being SMBs they don't have the necessary manpower to do so?


I don’t see how this necessitates cookies at all.


How do you propose to implement ad rotation (a different ad from a different advertiser served on each pageload, important for sales), ad discrimination (different ad from same advertiser once a click was registered on an ad by a particular user) or fraud prevention controls without tracking?

Or maybe I'm misunderstanding and you are suggesting to replace cookies with browser or DNS fingerprinting?


>ad rotation

Show them in random order, or based on timestamp.

>ad discrimination

I don't want to be discriminated. If I have to watch ads, then I want the same ads as everyone else. I don't see how that's a problem, as billboards and TV ads are the same for everyone too.


What do you think the new web is going to be? Sincere. Not sure what you're talking about at all and would like to.


I think the new web will be one made up of closed off islands that use strict paywalls to finance themselves. I also think the total amount of content will be lower and that the remaining platforms will more heavily skew towards "safe" guidelines.


I don’t remember the internet being like that before invasive advertising and tracking took over...


It won't go back to the early web, but it will certainly survive. Much like life, people find a way. If there is demand, innovators will find a way to meet it.

The web's continued existence is not dependent on surveillance capitalism.


> Much like life, people find a way. If there is demand, innovators will find a way to meet it.

That's like saying that life is equally good in the US and North Korea because "people find a way" to work around problems. There's a real way in which economic inefficiencies reduce our standard of living. Making advertising worse on purpose is just a race to the bottom, all feel-good crusading without any end benefit to humanity.

"But I won't be tracked!", the privacy people say. So what? What harm will you have prevented?


Do you not think it's possible to use fingerprinting to track users?



