Google, Safari, and a Clamor of Cookie Confusion

http://lauren.vortex.com/archive/000937.html

A technological smoking gun is indeed present in this case. But it's
not the gun being implied by confused headlines and the pronouncements
of some commentators who appear to perhaps be out of their technical
depths in this situation.

Thinking about it all these years later, I can't remember when I first
ran across the term "cookie" in a computing sense. And offhand, the
origins of this term as an "intermediate storage" element are somewhat
hazy.

I do vividly recall that my first active entanglement with these
babies was in the context of so-called "Magic Cookies" used by many
early CRT data display terminals as a memory minimization technique --
to provide for character enhancement functions like blink, underline,
bold, and so on. We Computer Science types have long been enamored of
"magical" terminology - Magic Cookies, Magic Packets, Magic Words
(e.g. "XYZZY" - "PLUGH"), and so on.

Even the "magic cookies" of CRTs were much maligned. Of course this
wasn't really the cookies' fault. Memory was expensive and often
minimal in these displays, and magic cookies actually used up one (or
even more) spaces on the screen, making really clean layouts
impossible. Display terminals that featured magic cookies were
considered "terminally" brain dead by those of us in the know, and
were typically assigned to the lowest ranking faculty, staff, and
students. Some colorful disputes ensued.

Flash forward to the Web. The essentially "stateless" nature of basic
HTTP transactions needed a mechanism to provide session-based
coordination, and browser cookies stored on users' local computers
quickly became the mechanism of choice to hold the intermediate data
for this purpose.

As in the case of those magic cookies long ago, there is nothing
inherently good or evil about Web cookies. They are simply local
containers of data that can (subject to various rules) be written and
read by Web sites.

But in the real world of the modern Web, the proper implementation of
those "rules" by browsers and Web sites alike can become fiendishly
complex.

OK, back to the current dramatic brouhaha over Google, Safari,
cookies, and privacy. There's no way to deal with this accurately
without getting somewhat technical, so please bear with me if you
will.

Since the handling of browser cookies has long been complicated and
controversial, all manner of methodologies to deal with them have
emerged over the years.

At one time, I actively micromanaged virtually all of my browser
cookies. But as Web systems became more intricate, such a detailed
hands-on approach becomes decreasingly practical (these days I use
browser extensions to maintain a relatively coarse control of cookies
at the site level, but I would not recommend even this to most users).

One of the most common problems that Web users get themselves into is
following simplistic advice about "blocking" cookies, and then
becoming confused when they can no longer log into desired sites
because the necessary session state cookies cannot be processed
properly.

The proper handling of so-called "third-party cookies" by browsers and
sites can be particularly challenging to implement. Such cookies are
associated with domains other than that with which the user is
primarily communicating at that moment.

Traditionally, browsers have accepted the reading and writing of
third-party cookies by default, in some cases providing user controls
for more fine-grained management of these cookies related to
particular sites.

Third-party cookies have become controversial since they are sometimes
viewed as being associated with "secretive" tracking practices. But
there is nothing inherently wrong with third-party cookies. Like all
browser cookies, it's what Web sites specifically do with them that
matters, and especially with the rise of social sharing applications,
third-party cookies can play important and utterly benign roles.

Now we reach that smoking gun which I mentioned earlier.

Safari browser designers sometime back decided to diverge from common
Web practice and block all third-party browser cookies by default.

The underlying rationales for this decision are not entirely clear and
are a matter of some controversy. Even within the Safari developer
groups themselves it's clear there was conflict about whether or not
this actually was a useful, truly privacy-positive move.

But one thing quickly became clear. The default blocking would have
the effect of breaking important functionalities on which many Web
users depended.

Now, please permit me to introduce you to WebKit Bugzilla Bug 35824:
"Relax 3rd party cookie policy in certain cases" -- dating from
March 2010 ( http://j.mp/zwtDhL [WebKit] ).

WebKit is the common core implementation code used by Safari and
various other browsers. Bug 35824 is at the heart of the entire
Google/Safari cookie controversy.

Contrary to the assertions of some observers, Bug 35824 was not a leak
involving third-party cookies being accepted inappropriately. It was
not a loophole that needed to be closed.

In fact, it was exactly the opposite! Bug 35824 represented the
realization that the existing WebKit implementation for third-party
cookies, in conjunction with Safari's change to "no third-party
cookies accepted by default" was too limiting, too closed, and needed
to be loosened to restore key user functionalities.

The resolution of Bug 35824 involved doing just that, and the
discussions associated with that Bug make for fascinating (and
delightfully geeky) reading. One particularly insightful quote from
the associated dialogue:

- - -

"Alright, I'm regretting stepping into the morass that is
third-party cookie blocking. The overarching problem is that
third-party cookie blocking can't actually provide decent privacy
benefits without breaking sites. We can machinate around the
privacy / compatibility trade-off forever. Compatibility always
has a stronger pull because you can see that XYZ works after you
bolster compatibility whereas you don't see the privacy costs
because they're harder to measure."

- - -

At the time, those discussions were most focused on problems that
sites such as Facebook and Microsoft would have with the new Safari
policy, before Bug 35824 was resolved. Google+ would not go public
for more than another year.

But when Google+ did appear, Google quite appropriately used the
provided mechanism of the 35824 bug fix, for key functionality related
to Google+ on Safari browsers, in very much the same way intended for
Microsoft, Facebook, and other sites.

It's at this juncture that the issue of unintended collateral effects
comes into play.

As noted above, cookie handling can be very complex. Nowadays,
traditional cookies have been joined by other (generally less well
known) Web transactional local storage mechanisms, further
complicating the picture.

The necessary loosening of Safari default third-party cookie controls
associated with the 35824 bug fix even further convoluted the cookie
handling process. This ultimately led to some cookies associated with
Google's ad delivery network being mistakenly placed on some Safari
users' browsers, in conflict with what those users might otherwise
have expected from Safari's "no third-party cookies" default (keeping
in mind that few Safari users would likely have had any inkling that
there was already an exception to that seemingly declarative setting,
via the 35824 fix).

The Google ad network cookies in question should not have been placed
through the Safari browsers of users with that "third-party cookie
blocking" setting. Those cookies were in error, and Google is in the
process of removing them.

But those cookies did not contain personal information, nobody was
harmed, nothing was damaged, and there is no indication that this
event was purposeful subterfuge of any kind by Google.

There is an important lesson to be drawn from all this.

My gut feeling is that we've passed beyond the era where it made sense
to concentrate on Internet privacy controls and issues mainly in terms
of specific technologies as we've done in the past.

As noted above, cookies are neither good nor bad, neither
intrinsically righteous nor evil. Cookies, like the other local
storage mechanisms that have now been implemented, are merely tools.
And as with other tools, how they are used is under the control of the
entities who deploy these complex functionalities.

Ultimately, we expect Web sites to just work. It is unrealistic in
the extreme to expect most users to understand and manage the
underlying cookie and related systems of their browsers in detail. As
new methodologies come online, this will only become ever more true.

What we really need to be concentrating on are the fundamental issues
of trust and transparency.

If we as users feel confident that individual firms are doing their
best to be transparent about their policies and are handling our data
in responsible manners, then putting our trust (and data) in the hands
of those firms is a solid bet.

Does this mean that mistakes won't be made and errors won't ever occur
with the firms to whom we delegate these responsibilities?

Of course not. We're all merely humans, and true perfection is not
within our current realm, nor is it likely ever to be.

But to assume that every error involving extraordinarily complicated
software systems is evidence of evil intent is not only inaccurate and
inappropriate, but to my way of thinking essentially perverse.

Unfortunately, the political environment in which we live today is
replete with character assassinations and toxic "big lie" strategies.
It is perhaps unfortunately unavoidable that such perverted approaches
would seep into our considerations of highly technical topics as well.
We must resist this.

When there are technical challenges we should meet them, when there
are technical problems we should solve them. The intersection of
technology with social policies is deep and becoming ever more
entrenched with every passing day.

The accusatory rhetoric that has wrecked much of our political system
cannot be allowed to substitute for reasoned and logical analysis of
technical concerns, or the risks to society will be catastrophic.

Whether we're talking about browser cookies or nuclear weapons, the
same underlying truth applies.

That's what I believe, anyway.

-- Lauren --
 
What a fantastic writeup +Lauren Weinstein! It provides a lot of color, background, and detail, around something that has exploded onto the scene! In this era of fierce competition between Internet behemoths, people tend to choose sides and find what they can to vilify the other companies. Unfortunately, the bulk of these should be taken with a grain of salt, but with the expansive press coverage and gaudy headlines, this becomes much more difficult.
 
Great write-up. Improving web safety by blocking all cookies is like improving auto safety by requiring a 30MPH governor on all motor vehicles.
And as far as news 'experts' in other fields, they usually botch things pretty bad when there's a science story/chemical spill as well.
 
Nice big picture essay. The more folks that understand this 'Google Cookie Thing' is about trust between me/you and Google the better. Just because a technological door is in place by my command (block all 3rd party cookies) and Google 'forgets' to tell me it needs to open that door for a legitimate reason in no way lets it off the hook. Personally I think the bad press Google has gotten for what is really an oversight is crazy. Like you I think the days of tweaking cookies are behind us and bigger, more dangerous, privacy hacks are the problem. [ sidebar: The shopping sites are more dangerous to privacy than most users know. They studied at the p0rn school of dirty javascript. Don't get me started about ajax. ] just sayin..
 
Great write-up. But I completely disagree with the general no harm, no foul tone. When I disable 3rd party cookies, let the functionality break. Playing coy and coming up with ways to circumvent my desire is dishonest on the face of it; you already know I've shut you down. I can't help but draw a parallel here from "cookies are just tools" to "address books are just data" and last week's brouhaha over privacy. There is an ongoing erosion of not only privacy but the expectation of privacy and an increasing sense of entitlement to what should be considered our personal information and control over our own environment.

It's fine to point out Google wasn't (intentionally) dropping identifiers with their little trick. But let's not pretend like they didn't cross a boundary to do it. The error of dropping advertisement cookies is an artifact of their own culpability.

As a follow-on... surely Google wasn't alone in this. Who else does this trickery and let's hold their feet to the fire as well.
 
+Paul Hosking Totally agree here, if cookies are disabled they should be disabled, no exceptions. Let everything break.
But who's really at fault then? Seems to me it would be Safari, for fudging the expected behavior in the first place, not Google for using a feature they provided.
 
+Paul Hosking Two things. First, keep in mind that this whole sequence began because Safari wanted to change the default. This meant that things would be breaking but the vast majority of users would have no idea why because they had not chosen to turn off that cookie functionality themselves (the theory being that if they chose to take that action, they should understand or at least be responsible for the consequences). So the default is a really big deal.

But you can also see in the discussions the understanding that blocking all third party cookies per se as a privacy move didn't really make sense given the complexity of cookie interactions, and was something of a false choice, sort of like offering the "security" option to block all URLs that contain the letters "s" "p" and "y" ...
 
Cookies are optional IIRC. The user is free to block all of them or just a select few. A web developer should know this. The laziness that is hidden in relying on cookies to Just Work is showing again. (Background: I was core developer of osCommerce for quite some time and we worked hard on making our system work with even both cookies and JavaScript disabled on the client side).

The underlying problem of HTTP being stateless is what this is all about. Cookies have always been a poor solution to this.

Now, blocking 3rd party cookies is perfectly OK according to the current standards. As a user you should however know it might make life a bit more complex. The fact that all browsers have this option to block 3rd party cookies and Safari decided to activate it by default is important to note.

Net result is that there is absolutely no guarantee that cookies work everywhere. And a good developer should know this and his programs should degrade gracefully when this is noted. Facebook, Google etc didn't want to go that extra mile and this analysis seems to promote that attitude. I disagree. And continue to block 3rd party cookies in all my browsers, just as I did in the last 10 years. And guess what - The Web still works for me.

I object to the notion that the user is at fault for using a feature that his browser offers. Either you make cookies mandatory or you must live with the fact that they are optional. Not accepting cookies does not break the web. Period.
 
+Lauren Weinstein actually... as far as I can tell, Safari was implementing a feature that should be default. I don't buy that 3rd party cookies should be considered generally benign and not accepting them is a nonsense privacy move. We've been dealing with this since Doubleclick first started using tracking cookies and assured everyone that they were completely anonymous... until Doubleclick acquired Abacus and started linking that anonymous non-identifying cookie history to identities and addresses. Of course, Doubleclick is now a Google property and at the heart of this particular incident.

+Brian Fields if one wants to blame Apple, it would be for potentially breaking expected functionality. That does not provide a license for developers then to use hackery to circumvent those controls. Not that I'm against a bit of creative hackery. But if your hack invades my privacy, then you deserve every ounce of ire that comes your way when you get busted.

A quote from a WSJ article (http://goo.gl/0hnB6) that I find apropos here:

John Battelle, who has written a book about Google and is chief executive of Federated Media, a Web advertising company that The New York Times Company is an investor in, said in a blog post that he was skeptical about whether Google was truly violating people’s privacy. He said that allowing installation of cookies was standard practice in the Internet industry and “the backbone of the entire Web advertising ecosystem,” so even though Apple’s browser blocks them by default, it’s debatable whether Google’s installation of cookies is an invasion of privacy. And he said Apple might be preventing this activity for its own competitive purposes:

Why do you think Apple has made it impossible for advertising-driven companies like Google to execute what are industry standard practices on the open Web (dropping cookies and tracking behavior so as to provide relevant services and advertising)? Do you think it’s because Apple cares deeply about your privacy? Really? Or perhaps it’s because Apple considers anyone using iOS, even if they’re browsing the Web, as “Apple’s customer,” and wants to throttle potential competitors, insuring that it’s impossible to access to “Apple’s” audiences using iOS in any sophisticated fashion?


There's a fair point on questioning Apple's motivation on this. Remember several months ago when the same questions were raised about Google's use of HTTPS and what that would do to SEO data. But note how Battelle views tracking - talk about a sense of entitlement. Right there betrays the fact that 3rd party cookies should be considered suspect.