Is this really effective for the users' privacy? Won't AdTech networks simply migrate to browser fingerprinting, perhaps with a bit of server-side tracking?
I'm not arguing to give up. Rather, I'm more convinced in investing in privacy NGOs like noyb.eu and make it expensive to toy with my privacy.
> Won't AdTech networks simply migrate to browser fingerprinting, perhaps with a bit of server-side tracking?
they don't even have to. Just store two (or N) sets of cookie trails as they already do. This will waste a few MB of storage on the client side and do nothing to Ad/privacy.
Sites never shared the ID anyway, specially since GDPR-et-al.
AD tech works like this: you send a hash of one ID and on the backend attach all the profile info (nobody will ever share that with partners, because that is gold), then the other side just assign their own hash of their ID and also keep all their targeting info on their backend. The only thing that matters is that party A ID123 is known to match party B IDabc. Note that those IDs are transient and set at random, because party A and party B doesn't want to give up their secret info by matching IDs from multiple sites. That is called cookie match. it does NOT depend on a single cookie jar. It doesn't even depend on cookies! why do you think most Ads (and google search result links -ha!) have those weird hashs appended? zero cookies needed)
Another thing that helps even more than 3rd party cookie is multi-site referrer, but google killed that on both chromium and firefox a long time ago (firefox still have the about:config way to disable/set to single-site, set to multi-site-domain-only, but good luck finding a single human who changes that setting by selecting magic numbers)
This is wrong: third party cookies are still widely used in the ad industry. Among other things, the cookie matching that you describe is dramatically more effective with third-party cookies than first-party only.
(Disclosure: I work on ads at Google, speaking only for myself)
never said it is not widely used or not effective.
Just saying that it won't matter much if removed from the equation.
I mean, if something makes your life easier, you would be a fool to not use it. but that is like saying not having a ferrari prevents you from driving to the store.
Third party cookies are not simply a matter of making adtech developer's lives easier. Imagine you visit shoes.example and are now on news.example. Both of these sites work with ads.example, and the shoe site would like to show you a shoe ad.
With third party cookies this looks like (simplified MVP form):
1. When you visited shoes.example, it loaded a pixel from ads.example. That pixel automatically sent your ads.example cookie, and put you on a remarketing list.
2. When you visit news.example, it sent an ad request to ads.example, which also automatically sent your ads.example cookie. Now the ad tech vendor knows to include the ad from the shoe site because it recognizes the third-party cookie.
On the other hand, without third-party cookies or any replacement browser APIs, how do these identities get joined? Very occasionally someone will follow a link between a pair of sites, and then you can join first party identities, but you probably don't have a chain of identities that connects a news.example first-party identity to a shoes.example identity.
>On the other hand, without third-party cookies or any replacement browser APIs, how do these identities get joined?
1. When you visit shoes.example, it has an iframe to show an ad from ads.example. This iframe runs some JS to compute a browser fingerprint and then nests an iframe to hxxps://ads.example/?target=shoes.example&client=$fingerprint . The ads.example server records that this fingerprint has visited shoes.example
2. When you visit news.example, it has an iframe to show an ad from ads.example. This iframe runs some JS to compute a browser fingerprint and then nests an iframe to hxxps://ads.example/?target=news.example&client=$fingerprint . The ads.example server recognizes the fingerprint, knows that the client visited shoes.example earlier, and returns a shoes ad.
I do agree this is possible to do with fingerprints, though (a) all the browsers are trying to prevent fingerprinting and (b) a reputable ad company would not use fingerprints for targeting. This is my understanding of why Google is putting so much effort into https://github.com/WICG/turtledove
(Still speaking only for myself)