Inside Google's war on cookies and spam
Google's latest moves to stop third party trackers and unwanted email
Occasionally in this space, I depart from my usual political and social fare into the drudgery of what I do in my day job, which is cybersecurity. This is one of those times. Last week, Google crossed into the mainstream news when it began a long-planned effort to ban cookies from its browser. I thought I’d shed some light on that, while also adding that it’s not really the most important story. The one nobody is covering seems far more newsworthy to me, so please read down to that part if you’re interested. If not, I won’t be offended.
If you are in the 6 out of 10 of users who browse the web using Google Chrome, your online shopping experiences may soon become less personalized, and—to me, more importantly—if you are one of the 1.8 billion Gmail users, your inbox could be less full, and some messages may not even end up in the spam folder; others will be rejected forever. Google has gotten quite serious in battling spammers and third party data trackers.
About 94 percent of mobile and desktop websites use third party resources, according to Web Almanac’s latest data(for 2021). Among companies that market online, over 80% rely on third-party trackers to customize and micro-target advertising. Google has announced that it has begun its worldwide rollout of a project to ban third party tracking cookies.
Google’s Chrome claims nearly 60 percent of the browser market, with Apple’s Safari adding an additional 28 percent. Microsoft, which in 2000 held over three quarters of the browser market, now squeaks in under six percent. In 2021, Apple began adding end-to-end encryption and browser privacy controls to its Safari browser, beginning with iOS 13. On Macs and iPhones default settings now prevent cross-site tracking, and also hide your IP address from trackers (and even websites).
On January 4th, Google took its long-developed system similar to what Apple calls its “privacy preserving measurement of ad effectiveness” and enabled it by default for 30 million users, or about one percent of its total user base. Google calls their system the “Privacy Sandbox,” Gizmodo reported. To remove the new cookie protections, Google will require that users who want to enable cookies on websites, do so one site at a time, but has also designed some tools to detect problems and enable cookies on those sites automatically. During 2024, Google expects to expand the cookie-killing measure to most—or even all—of its Chrome users.
Now, to get in the weeds a bit. Cookies are small files or bits of metadata web apps use to store information about a user’s activities, location, or technical details, and that information is available to the cookie’s “owner” or the website that created it. Cookies are also commonly used to handle some kinds of session management related to website security by web hosting software. A properly secured web application will use strict controls to prevent session data from being leaked to third parties or hackers. Google’s Privacy Sandbox (and also Apple’s privacy protection) will not disable session cookies or any session token data that websites require to authenticate you as a user. The cookie ban is aimed at third party cookies that track you for marketing purposes, or for adware or even spam.
The fact that so many websites use third party services like scripts and mobile code that load from remote servers might break a lot of websites, especially the ones operated by smaller companies that haven’t had three years to prepare for this. So, Google’s careful rollout is to see how much of the Internet it “breaks” by banning third-party cookies from its browsers, and how well it can train its AI controls to determine which sites to allow, and which sites might be trying to game their system and get around the sandbox.
But lest you think Apple and Google, who together represent nearly 9 in 10 browser users in the western world, are making these privacy changes for purely altruistic reasons—you know they’re not. First, Google is trying to get ahead of Europe’s GDPR privacy controls, but in so doing, has potentially created a situation even more alarming to regulators. Second, Google is taking all the cookies and replacing them, as Apple did, with their own anonymized system that tracks users and reports “cohort” data to advertisers, but that data will come from Google, not tracking cookies.
European privacy newsletter HeyData reported last April that the UK’s privacy Competition Markets & Authority was concerned that the Privacy Sandbox’s proprietary nature “raises questions about the potential concentration of power and control over user data. With Google having full authority over this technology, there's a risk of monopolistic practices and a lack of transparency in data handling.” Would Google use its technological advantage to, um, its advantage? Of course it would, silly.
“Google's deep integration of browser technology, user tracking, and advertising within the Privacy Sandbox has raised alarms among privacy advocates,” the newsletter related. “The integration of these elements can lead to a situation where user data is not only collected but also used to tailor advertising experiences, which ultimately creates a situation where users feel their online activities are constantly monitored and manipulated for commercial gain.”
Now, all that being said, most users are quite comfortable being “constantly monitored and manipulated for commercial gain.” Forbes quoted customer experience data from Accenture and Epsilon stating that 91% of consumers are “more likely to shop with brands that provide offers and recommendations that are relevant to them,” and 80% of consumers are “more likely to make a purchase from a brand that provides personalized experiences.”
Also, data shows 83% of consumers are “willing to share their data to create a more personalized experience,” and 90% are “are willing to share personal behavioral data with companies for a cheaper and easier experience.” In other words, Google has a very large, built-in market for companies wanting to pay them for your metadata that used to be stored in cookies but will now be processed, aggregated, and sold using APIs provided by Google.
In a word: money.
Apple has enjoyed the same kind of service delivery—and the profits that come with it—for several years. Google pays Apple tens of billions of dollars a year for the privilege of being the default search engine on Apple devices. That’s a large slice of the pie that Apple has baked with Tim Cook at its helm, shifting Apple from a device-based company to a hugely profitable services company. Google, you could say, is following Apple’s recipe for its own pie, except while Apple has always altruistically claimed it isn’t interested in selling your data (but it does sell your data, just in bulk), Google is being pretty transparent about it.
In any case, the death of third party cookies is imminent, because both Apple and Google deem it so, and have created their own walled gardens to replace those cookies. So your experience shopping at certain sites will undoubtedly change, and companies once relying on third party cookies packages with marketing plugins, will be forced to buy those from Google—or pay the companies they’re using a fair share of Google’s bill. It’s not a terrible thing for consumers, because you can at least know that some rando site won’t be creating cookies all over your system that persist essentially forever, so hackers can later mine that data to manipulate you into giving them your bank account password.
The bigger story.
But though that’s the big story in the media, it’s not the biggest boon to your online life and not really the most effective weapon Google is using against spammers. Google has announced strict new email sender guidelines that go into effect in February, 2024. As in browser privacy, Google is following Apple’s lead. In 2021, Apple introduced Apple Mail Privacy Protection, which quickly propagated across its mail platforms. Of Apple’s 58% of the email client market share, 56.6% uses the AMPP service. Google’s Gmail comes in second, with just under 30% of email client users, with Outlook, Yahoo! Mail, Outlook.com and others rounding out the last 10%.
AMPP hides your IP address from email senders, which also prevents them from being able to know whether you opened the email (though there are other, less reliable methods of divining this data) and blocks things like geolocation. These features were Apple’s attempt to get ahead of privacy laws like GDPR and California’s CCPA.
While Apple’s privacy changes tend to be centered around use of brand data and engagement (a standard called BIMI), Google’s Gmail guidelines are much stricter. Google has nearly three million corporate users, or 36 percent of the enterprise market, while Microsoft Outlook (and its Office 365 cloud service) has 332,000 more, with a market share of over 40%, according to 6Sense, a technology profile company. Google is telling all “bulk senders” that they need to support specific standards to add “unsubscribe” headers to their emails, and to comply with existing security controls to prevent misuse of domain names. These security controls include an alphabet-soup like SPF, DKIM, DMARC, and ARC.
They also mandate strict compliance with the “unsubscribe” standard described in RFC 8058 to allow one-click opt-out for marketing emails. These apply to any mailer that sends 5,000 or more emails a day. Non-compliance will, immediately in some cases, result in those emails going to the user’s spam folder, due to a “quarantine” setting on the DMARC configuration if the sender has not properly arranged to use the domain the email is “from” on the servers that actually send the traffic. Over time, that “quarantine” can evolve into an email block as Google’s servers determine the “reputation” of the sender’s computers.
In February, when Google’s new email sender standards go into effect, you might see many emails that previously littered your inbox now head directly to the spam folder. You might want to read some of those emails, but the sender has not properly complied with Google’s new standards. So you’ll have to pull them from the spam, over and over again. But many of the emails that go bye-bye will be a welcome respite from the flood of unwanted marketing, political, and scam email that we all wade through daily. And over time, many of the worst offenders, the ones trying to phish us or hack our data, will hopefully be snuffed out, or forced to change domains much more often, making them less effective.
Things had gotten so bad at our company, which uses Microsoft servers, layered in conjunction with cloud-based AI services that sandbox every message before it gets into our network, anything making it through the gauntlet that has a “gmail.com” domain gets tagged with additional warnings, even if it’s perfectly valid. Hopefully, Google’s new changes will reduce the amount of Gmail-based phishing and scams.
It will, however, affect many smaller mailers, like small banks, credit unions, and companies that are using enterprise software to generate their invoices as they go paperless. Just having a service send an email from “billing@mycompanyme.com” to 5,000 users once a month can get you tagged as a spammer if it’s not done correctly. And the number of people who know how to navigate the waters of email security and domain alphabet soup, while growing, is also expensive. Security is always inconvenient, and yes, it costs money. But the price of a company being hacked is also expensive (the average is around $5 million for ransomware attacks, and $10 million if it’s healthcare-related).
There’s no real financial reward for Google, or for Apple, to introduce greater privacy controls and anti-spam measures for email. They won’t get more market share because of it, and there’s really not a lot of data they can sell regarding the blocking of unwanted emails. But there is satisfaction in cleaning up the cesspool that many of our inboxes has become.
I’m glad that Big Tech has moved to reduce the amount of garbage in my inbox, along with giving me some tools to limit third party access to my browser activity. This is all good news. Now, when will the phone companies, which have only had like three decades to work on it, start to deal with spoofed texts, spam callers, and swatting?
Note as well, this is part of Google's war on third-party ad blockers, with the deprecation of Manifest V2 Chrome extensions, replacing that standard with a much more limited version that will hobble the effectiveness of those blockers on Chrome-based browsers (Chrome, Microsoft's Edge).[1]
Given Google's current war on ad-blockers with YouTube users[2], this is less of a privacy-preserving play and more of a monopolist protecting their revenue streams (ads on YouTube, GMail, Search) and attempting to become the primary data broker for overall usage stats. They do not deserve the benefit of the doubt here.
[1] https://arstechnica.com/gadgets/2023/11/google-chrome-will-limit-ad-blockers-starting-june-2024/
[2] https://arstechnica.com/google/2023/11/youtube-tries-to-kill-ad-blockers-in-push-for-ad-dollars-premium-subs/
Thanks for the education. The Racket and a few unsolicited (but sometimes interesting) Substacks are all I get on gmail. I can deal with spam and ads and personal security pretty well. Probably because I'm not well known or wealthy enough to attract really good hackers. What is most irritating are corporations that should be totally obsessed with database security don't seem to give a damn. My mortgage servicing company notified me two weeks ago that my personal information in their system had been compromised. Who has more personal information than a mortgage company? I've gotten similar notices from insurance and banking companies.
I've had credit cards compromised at a Wendy's and at a Mexican restaurant. As a result, I had several thousand dollars in bogus charges at a Dollar Store in Marietta. One of my wiseass golfing buddies joked that the crooks must have cleaned out the store's entire inventory. They also charged over $11,000 at some business in Chicago and $900 at a porn shop in Germany. I caught it and notified my bank in time for them take stop loss actions. The public pays for credit card fraud just as they do for shop lifting and mob invasions of retail outlets.