Cookies: How Ad Platforms Steal Your Mind (Part 2)
Technology Blows Episode 14: Cookies (Part 2)
===
[00:00:00]
Theme music
---
Dan Slimmon: Cookies. Cookies. Welcome friends to Technology Blows, the one and only Techno Pessimist podcast hosted by Dan Slimmon, which is me. But you already know that if you've listened to part one of this two part episode on cookies, which you probably should, uh, 'cause you're not gonna understand what cookies are if you don't go listen to part one.
So please do that. Um, and you get to, you get to spend another, uh, whole hour with me and, uh, [00:01:00] CJ here. This is my guest and friend, CJ Horton. CJ, thank you for being here again.
CJ: Thank you for having me back though. I, I admit it would be kind of weird to have me on like only one part of the two part
Dan Slimmon: Yeah.
CJ: that would feel very pointed
Dan Slimmon: Yeah.
CJ: I was replaced halfway.
Dan Slimmon: Get the new, get the new person to be like, fucking keep up. The last guest knew all about our RFC 2109.
CJ: No time to to to tell you any of the background here. We just gotta dive right into it now.
Dan Slimmon: yeah. So, so just to refresh your memory, in case you have spent, it's been a while since you listened to episode one, cookies are the web protocol that lets Mark Zuckerberg see into your very dreams and even become part of them. that's right. If, if Mark Zuckerberg has ever shown up in your dreams in like a sexy Batman costume, that was because of cookies and, and certainly not anything else going on with you that you might need to examine about your mental state, that was cookies.[00:02:00]
Personal brushes with the ad-tech industry
---
Dan Slimmon: Um, CJ, I, uh, have you ever worked in ad tech?
CJ: No, thankfully, uh, mostly, uh, limited my, my exposure to that part of the industry to like working with the fallout of, uh, um, occasionally having to put the tracking cookies into a website, but
Dan Slimmon: Yep. Yep. You, uh, same. I've never worked in the actual industry, thank God. Uh, but I, but I've worked at like marketing, um, digital marketing companies where you, there's, there's con, there's this constant, um, arms race between you and your customers who wanna do more increasingly more unethical things on your platform, which is great.
Really fun job,
CJ: Have been party to some back and forth between, like we want to understand what our users are doing, but our users don't want to let us track them for
Dan Slimmon: right?
CJ: They keep blocking the, [00:03:00] like the, um, uh, we were using like an outta the box, um, click tracking type thing, uh, which is blocked by a lot of ad block blockers because, you know, it's click tracking. Uh,
Dan Slimmon: Yeah, as it should be
CJ: great. Um, totally understandable. but we were, we were losing, um, we, we, we learned through, through this process that approximately 25% of our users used an ad blocker because that was the 25%, um, that we didn't know anything about.
Dan Slimmon: 25%. That's pretty good. I mean, good for them. Some, some very fun and interesting engineering, uh, goes on when you're trying to circumvent privacy protections. But, you know, it's, it's too bad that that is, um, there are incentives for people to do that. We, when I, I worked at a company where we were trying to get past spam filters, so I don't remember if we ever actually, um, implemented this, but we, so sometimes, uh, the spam lists would create like a honeypot email address that would actually [00:04:00] go to their server and then it would get, you'd get in trouble for sending email to that address 'cause it didn't sign up for your list.
And, uh, they would, they send you back like a partially obfuscated copy of the email that you sent them to prove that you sent to their, you know, they'll, they'll be like, here's the text of the emails you sent, but they'll, they'll redact some of the headers. Um, but we, we were tasked with trying to figure out is there some way that we can encode like the ID of the email that we're sending into the order of the headers so that you can pull it back out from the order that the headers are in when they get sent back to you as a, as a copy.
Right. Yeah.
CJ: pretty sneaky. I.
Dan Slimmon: Pretty sneaky. Pretty sneaky. Yeah. I, but I've never worked directly in ad tech. I did interview at an ad tech company, I think in 2010, 2011. Um, I was, I was pretty burnt out, uh, on my, the job I was just describing you, uh, to you, but I don't think I realized why. [00:05:00] And I, I, I don't think I realized like where, what my, what was causing me to burnt out, burn out.
So I was applying for a bunch of jobs, you know, I was just like burnt out and depressed. And I was like, oh, I'll, I'll apply for all these jobs locally. I was also commuting over an hour into, from Worcester into Boston, uh, each an hour each way. So I was like, oh, well, let's see if I can get something local.
And this was kinda my first experience being burnt out at a job. So I, I overreacted and I was applying to all sorts of companies, uh, as long as they were close to where I lived. And so I, I got, I get an interview, I put on my exactly one ill-fitting suit that as a software professional I felt obligated to own.
And I, yeah, I have one, I have exactly one suit. Do you, do you, how many suits do you have, CJ? Yeah. Okay. Well good for you. Uh, I got one and it looks bad, but uh, you never know. You never know what the attitudes of the person interviewing [00:06:00] you're gonna be about suits. So I put it on and, uh, I drive out to this sad gray office park, uh, and on the outskirts of Worcester, I think the address was on like Computer Boulevard or some shit.
And, uh, and it's an ad tech startup, which should have been the first red flag. But like I said, I'm very depressed. So they kick off the interview, uh, with what's basically an IQ test, you know, look at this diagram count. Have you ever had an interview where you're like, basically like, you know, count how many squares are in this picture.
Figure out the next number in this pattern to see how smart you are.
CJ: Yes, yes,
Dan Slimmon: Yeah,
CJ: Um,
Dan Slimmon: Yeah. Uh, I don't know how well I did. They didn't tell me, but apparently I passed that part. Uh, 'cause they brought me onto the next part, which was mostly like LeetCode questions. You know, um, so LeetCode, listeners, is a thing where in coding where you write, they write like a series of 16 punctuation marks on the whiteboard.
And they say like, this is a Bash, this is a [00:07:00] command in a programming language called Bash. Like what does this command do? And you have to try to like figure out what, how, what this obfuscated code does.
CJ: fun times.
Dan Slimmon: it su
CJ: like
Dan Slimmon: sucks.
CJ: test. Um,
Dan Slimmon: Yeah. Kind of. Yeah. Yeah. Very similar vibe. Yeah. They want you to be, it's very funny 'cause they want you to be like the smartest possible person and yet the code, the co problems they give you to, they actually want you to solve at the company are like brain dead bullshit. And first like, plug this cable into this other server.
Shit you don't need to be at anyway. Um, so finally they send me into this conference room to be interviewed by a by another guy. And this guy doesn't even seem to be, have been told he was gonna be interviewing anyone today. So we basically just shoot the shit for half an hour. And he tells me, this guy says, like I do, I do a lot of web development work and, uh, I market myself as the green web developer, right?
So I, I, I try to find companies that'll hire me because I have experience with [00:08:00] environmentally friendly development techniques that use less power, you know, have a lower carbon footprint. And I'm like, oh, that's, that's cool. That, that sounds cool. What, like, what kind of eco-friendly techniques do you use?
And he goes, what? Oh no, I don't actually have any green web development techniques. I said, that's just how I market myself. It works great. Like I get hired all the time.
CJ: Oh man. I did have a, have a, uh, when, when you, when you started, uh, when you mentioned the, the green web developer. For some reason my mind went, instead of to eco-friendly, to, uh, more of like a Power Rangers situation. Um, I think this is the green web developer, but my, my fellow web developers are the blue web developer and the yellow.
Dan Slimmon: Yeah, I got my ass kicked by the pink web developer. Uh, that's, yeah. Uh, I'm, I specialize in situations where, um, you need to write code to defeat a giant monster that's been made giant by [00:09:00] an evil wizard. Uh, it's really fun work
CJ: It's really good
Dan Slimmon: anyways.
CJ: a lot of pressure, but you know, you get to, you get the, the payoff of having to feed it.
Dan Slimmon: Yeah, you gotta be, you, you do have to be on call sometimes You gotta suit up and then go boopty, bty boop at a keyboard, kill a giant squid or some shit.
CJ: to go code.
Dan Slimmon: Yeah, yeah, yeah. Otherwise, coding can be pretty dangerous. Anyway. Ultimately I did not get hired by this company. They said, like they said, they said, they replied to me saying I didn't, didn't show enough passion, was the phrase that they used.
So I think I kind of dodged a bullet there.
CJ: yeah. Passion for, for, uh, false marketing for, um.
Dan Slimmon: Yeah. Passion for advertising. If you have a passion for advertising, I think the state should just subsidize your, your life. So you don't have to work if you, if you love advertising, you should just not have a [00:10:00] job.
anyway.
Google starts buying up the whole ad-tech industry
---
Dan Slimmon: So let's get back to these mouth watering, freshly baked cookies that hold up so much of the World Wide Web. Just like grandma's cookies used to do. So, uh, so last week we wrapped up by talking about RFC 2964 from the year 2000, which was published by the Internet Engineering Task Force.
Right. And this was a follow up to their earlier cookie spec. Um, and it stated that in no uncertain terms, all caps, the cookies must not be used to leak information about the user or the user's browsing habits to third parties without the user's explicit consent must not do that. And as we all know, that was the end of it.
Isn't it crazy how it, that it's been like 25 years since cookies were last used to leak our browsing data to third parties?
CJ: Yeah, it's so nice that, you know, we don't have to worry about that
Dan Slimmon: It feels like just yesterday. Yeah. Yeah. I'm browsing all day. Nobody knows. Nobody knows who I am.
CJ: for just a moment at the dawn of the [00:11:00] internet. And then, um, quickly legislated away. Um,
Dan Slimmon: Nip that one in the bud.
CJ: Um.
Dan Slimmon: Uh, no, of course. As, as usual, nobody paid any attention to the IETF and everyone just kept on doing what they were doing and things got worse and worse. So in 2008, um, search giant Google, Google purchased the, uh, ad platform DoubleClick for a cool 3.1 billion smackarooneys.
And in 2009, the year after, Google bought a mobile ad pla, ad platform called AdMob for another 750 million smackarooneys. Um, and in their, in their, I read the press release about this AdMob, uh, or their various press releases about this AdMob acquisition. Google was focusing mainly on the benefits to developers, publishers, and advertisers. Advertisers were the main ones gonna benefit from this acquisition, but at the end of every article, they'd say something like, last, but certainly not least, we believe users will benefit from this deal through [00:12:00] more mobile content and through better mobile ads that deliver useful information. And that's good for all of us. Um, that is just like, fuck off, leave, leave me out of it. I understand. I, I know why you're doing this. Like, don't, don't,
CJ: Don't have to
Dan Slimmon: don't.
CJ: up, don't have
Dan Slimmon: Right.
CJ: that there's a noble motive here.
Dan Slimmon: Right. Yeah. Uh, I, it's, it's, it's, I'm gonna use the websites anyway. I cannot use the websites. Just like, tell, be honest, be honest about what you're doing.
CJ: I wonder if there is somebody, um, who, who is responsible for writing that language, who actually like, believes it on some level. Like we, are
Dan Slimmon: it probably is.
CJ: best for users.
Dan Slimmon: Yeah. I mean, if you, if you look, if you're, if you're close enough to the problem, it, it makes, it kind of makes sense to say. Um, but, but then the, the problem is like doing targeted ads. Doesn't mean that you like the ads, the targeted ads have a better [00:13:00] yield. People are more likely to click on 'em.
Right. But doing target ads doesn't mean you now get to do fewer ads. Right. It's, it's not like, oh, we can reach, we can reach the people we need to reach better. So now we don't have to have as many ads. 'cause the ones that we do show count. Right. It's like, well, we're gonna show the same or more amount of ads and get that much more money for them.
Um, that's marketing.
CJ: that's marketing. And that's also, um, the, the pressures of capital that work.
Dan Slimmon: Right, right.
Um,
CJ: do more and get more money, even if it makes everything worse?
Dan Slimmon: yeah. More money You say to let's, I'm, I'm listening. I'm all ears. Um, but, but of course, you know, if anybody wants to advertise on this podcast, please let me, let me know. Uh, I'll target this shit out. I'll, I'll, I'll email my, all my 50 listeners directly and tell them to buy your product if you wanna pay me for that.
CJ: Now that's real [00:14:00] targeted advertising. Oh.
Dan Slimmon: That's right.
CJ: Oh.
Dan Slimmon: Um, I'll, I'll, I'll, I'll eng I'll ingratiate myself with them and become part of their lives so I know more about them so that I can target ads to them
CJ: You listen to all of their podcasts. Um,
Dan Slimmon: yeah.
CJ: so then
Dan Slimmon: Right, right. Yeah, so, so, uh, so by 2009, Google was well on its way to becoming an ad tech monopolist, which, which a court did rule that it was later. So I'm, I'm not just editorializing there. Uh, but in the meantime, web surfers, like you and me, are getting wise to the role of cookies in the continual degradation of their privacy, and many of them start using ad blockers.
The first ad blocker to be released was Adblock Plus for Firefox, which came to market in 2002, and they became super, super popular. Did you use it?
CJ: Vaguely. Um, I think I, I think I, um, I, I definitely remember using Firefox somewhere in that vicinity of time, specifically for, um, for, for the ad blocking capabilities. But,[00:15:00]
Dan Slimmon: Yes.
CJ: I don't really remember many details beyond that. Um.
Dan Slimmon: It was good. It was great. Um, uh, well, they do a lot of things, ad blockers, do a lot of things, um, like not show, to not show you the images to prevent the website from blocking access if you don't have the ads loading. And then, uh, it, they'll also, some of them will intercept the request that your ma that, that your browser is making to the ad domain so that you don't even make the request and they can't give you a cookie.
Right. Um, which is cool.
CJ: Um, it's like an
Dan Slimmon: Uh,
CJ: Oh,
Dan Slimmon: it is, unfortunately. Yeah, it, it, it's, mar marketing is like the, the, the definition of an arms race. It's like nobody would have to spend so much money on it if everybody else wasn't spending so much money on it.
CJ: yeah. Yeah. Um, and especially the, the part where it's like, how can we, if we, if we can like circumvent, um, you know, a little [00:16:00] bit of, uh, a few users ad blockers for a few days, that translates to enough money
Dan Slimmon: It's totally worth it. Yep.
CJ: that it's completely worth it, which is an insane, uh, set of, incentives.
Dan Slimmon: So, so we got ad blockers. Ad blockers are, are good on pro ad blocker and by 2009, around 20 million devices have an ad blocker installed, which is still not that many, um, a lot more devices than that browsing the internet. But hey, it at least shows that these ideas about privacy are becoming part of the public discourse.
20 million is enough that they can't all be like, privacy nerds. These, like, a lot of these have to be normal people who would just prefer not to see ads. So that's good. And, and also there was a new, a lot of new browser features like core browser features developed, uh, to that are privacy related.
But the browsers all have different approaches to cookie management. And universally, or almost universally, the default is still to accept third party cookies. [00:17:00] Um, which, which, uh, it flies in the face of the IETF's recommendation that that third party party cookie should be disabled by default. And the IETF doesn't have, you know, police to go around enforcing their RFCs.
If they did have police, they'd probably spend all their time at the precinct high having long arguments over what crime means. And, uh,
CJ: is
Dan Slimmon: you know,
CJ: I feel like this is, this is the real backstory of the, the, the Web developer Power Rangers, um, group. They just go around enforcing high ETM,
Dan Slimmon: uh, yeah, yeah, that QR code isn't the right, isn't it exactly the right shape? How.
CJ: him
Dan Slimmon: I guess that's, I, I triple E, not IETF, but you get it. Um, yeah, I would, I would read that comic book.
CJ: be a very
Dan Slimmon: Um,
CJ: but
Dan Slimmon: yeah. But Sure. But that's, that's great. Right in my wheelhouse.
Real-time bidding
---
Dan Slimmon: So, uh, so, so what exactly do the ad networks [00:18:00] do with these sophisticated user profiles?
Right? What, what's the, what's the alchemical process by which your love for, you know, painting or Hitchcock films or Mexican hairless dogs gets transmuted into profit for Google? so the main thing that happens is, is a thing called real time bidding, uh, or, or RTB for short. This is a way that publishers, so for example, like newspapers, websites, um, sell off empty rectangles on their webpage that in, in real time to advertisers.
So as you're loading, like as you're loading the page, there's like a little micro auction that happens where you are, um, those rectangles that you're about to load, it gets sold to advertisers to put their ads in. It took 'em a while to build. This is pretty complicated, pretty difficult stuff to build to be able to have this whole act auction happen in time for you to load the page.
Right. But that's what has come to exist [00:19:00] over the last, you know, 10 years or so, since until 2009 or so. Um,
CJ: the page to not, you know, turn into a nightmare of, uh,
Dan Slimmon: yeah.
CJ: this happens a
Dan Slimmon: Yeah.
CJ: but,
Dan Slimmon: Yeah. I don't know about, not a nightmare.
CJ: it, it's, it's sort of, it mostly sort of works as in like the page still renders and like the
Dan Slimmon: Totally.
CJ: not like, completely demolished by the ads. Um,
Dan Slimmon: Totally. Um, but they, they built that, they've had to build that into it too. Uh, it's, it's, it's a, it's a serious infrastructure and so it has a lot of steps, but it's worth understanding. So I'm gonna run through it. Try to, try to bear with me here. It's pretty complicated. Okay. But I know you, you, you, you, you got it.
CJ, you'll, you'll, you'll stay with me. Um, okay, so, so I'm browsing the web and I see a link to an article on my favorite website, golf pervert.com, the number one place on the web for perverts who love golf. And of course, I click on the link 'cause like, oh my [00:20:00] God, I just love golf. And also other reasons. So my browser connects to golf pervert.com and requests the page.
And now golf pervert happens to have an empty rectangle on the top of its webpage that it's about to send me empty rectangle, just sitting there burning a hole in its pocket, you know, taking up space. and so, you know, they could just like, not put it there, but it's on the page. They gotta fill it up with something.
So before they show me this article, golf pervert.com now runs some JavaScript on their web webpage. That's sort of a, um, that's part of what's called a supply side platform. This, this JavaScript, it's a software development kit that gets, that gets installed into the webpage and it's part of a an SSP or a supply side platform product.
Um, supply side, meaning supply of empty rectangles. Right? Right. So like the publisher has the supply of empty rectangles to sell to advertisers. So that's why it's supply side platform. Strange way to think about it, but that's how they think about [00:21:00] it. Google owns several of these companies, these SSPs, uh, including AdMob, the one we mentioned earlier, uh, which, which is by far the one with the biggest market share.
Uh, but there's a whole ecosystem of them, of these things. You know, Verizon has one, Amazon has one. and anyway, so the SSP gathers all the information it can from my web request, and it sends it off to a server to figure out who I am, which, you know, so I have such and such cookie, and I have such and such an IP address, and I'm using such and such a browser.
Maybe I, maybe I'm on my smartphone so I can get my location data from the, my smartphone, right? And, and then the SSP plugs us all into their database and like. And they go like, ah, this is Dan Slimmon. Let's see, he's, he's American. He likes Christian Rock. He's into leprechaun statues. Uh, he's, he's recently been comparison shopping for electric scooters.
You know, they know all this stuff about me 'cause if they've been watching my, my web, my web traffic,
CJ: Yeah, I
Dan Slimmon: um
CJ: you love, uh, leprechaun [00:22:00] statue. Oh,
Dan Slimmon: mm-hmm, mm-hmm.
CJ: oh.
Dan Slimmon: I had to take them outta my Zoom background 'cause they were creeping people out. Uh, but they're all, look, trust me, they're right here under the camera. I got 'em facing. They're all staring at me while I am delivering this podcast lecture to you.
CJ: David Bowie is sort of leprechaun esque.
Dan Slimmon: He's, yes, he's, uh, that's right. He's the, that's what they called him. They called him the mu
CJ: Oh.
Dan Slimmon: the musical leprechaun. Um, So, uh, now, so, okay. All right.
So it knows everything. So the SSP knows who I am and they, um, this is great. And they said they send that information to a thing called an ad exchange. Um, so an ad exchange is a, a different kind of company that holds, that holds the auctions. They're the ones that actually like run the auction for my attention.
And they don't actually buy or sell ads themselves. It's they're, they're just, they're just facilitating the purchase of rectangles.
CJ: rectangle facilitators. [00:23:00] Um,
Dan Slimmon: yes. Yeah, they're rectangle brokers.
CJ: so they don't actually control the ads themselves or or the process of selling or like the, the, the, the actual content of the ads. They're purely, uh, so what information do they, do they actually get, are they like this? There's a, this size rectangle and uh,
Dan Slimmon: Yeah, so the SSP says, we have, we're selling a rectangle of this, of these dimensions on, um, and we're selling it to a person loading this website, and here's what we know about that person. so, like, does anybody wanna, does anybody wanna bid for this page load to show a person an ad on this page?
This, this person, an ad of yours on this page load? Google owns one of these also. It's called AdX. Uh, and that accounts for about 66% of the market share in this, in this business. They, they've, Google's like, uh, you know, they're, they're, they're basic. They're basically the entire, uh, web [00:24:00] ad industry or, or close, close to it.
CJ: I recognize the names of most of the companies you've mentioned purely because I do enough, like poking around in, um, like my browsers dev tools that I
Dan Slimmon: Oh yeah,
CJ: the, the, the URLs that the, the trackers are requesting. And so I'm like, oh, doubleclick.net. That's a, that's a familiar, familiar one. I've seen, seen requests to that one go by.
Dan Slimmon: You're gonna have to do a TikTok about the guy that started DoubleClick, 'cause he's a real piece of work. Uh, and, but I, I, I didn't, I had him in the script initially, but, um, I took him out 'cause I didn't have time. I gotta talk about these fucking cookies
CJ: Oh man, another time. Um,
Dan Slimmon: another time. uh, just, just little, little quick fact about him.
He once called in, he once bragged in an interview that he called in a fake, uh, fire alarm. It was either a fire alarm or a gas alarm to [00:25:00] his office to um, as a, as like a prank.
CJ: just
Dan Slimmon: thought that would be fun. Just for fun. Yeah.
CJ: for funsies. Uh,
Dan Slimmon: Yeah.
CJ: yeah, it's
Dan Slimmon: Anyway, uh,
CJ: personality type. Oh,
Dan Slimmon: probably a really, probably a really fun boss.
CJ: um.
Dan Slimmon: Um, so, so the ad, so the ad exchange, so right you says the SSP sends to the ad exchange. The ad exchange sets up an auction for the right to fill this empty rectangle at the top of golf pervert.com that my browser is still waiting to load. 'cause all this is still happening within like. Dozens of milliseconds.
Um, and the participants, the people who are, who are trying to buy the rectangle are companies called Demand Side Platforms or DSPs, um, demand for rectangles, right? So these are, these are companies with names like Quantcast, AdRoll, Ad, Adlib. They represent the advertisers that wanna fill that rectangle with their crap.
So maybe Quantcast, you know, I'm loading this page and maybe Quantcast bids a hundredth of a cent to show me an ad for a new [00:26:00] electric scooter that blasts DC Talk songs while I'm riding. And Adlib bids two hundredths of a cent to show me an ad for a new collection of leprechaun figurines. And so, after some number of milliseconds, the ad exchange closes the auction and they accept one of the bids, one.
And the ad exchange then replies to the supply side platform saying, okay, here's the URL of the ad that goes in the rectangle, golf pervert drops the, that, that link in the page. And finally my article loads. and that's the end of it. No, it's not, because there's another, yet, yet another party involved, which is called the ad server.
Uh, this is what DoubleClick mainly is? I think so. So the ad server's job is to actually serve me the image of the ad where the, you know, the image of a leprechaun riding an electric scooter or whatever it is. And so my browser now has to make yet another request, this time to DoubleClick, to fetch the image, and DoubleClick will also take some of my headers because, you know, it's previously given me a cookie [00:27:00] and it forwards those headers to the ad exchange to prove that I loaded the ad and, you know, laid eyes on the little mischievous green elf guy.
CJ: They can deliver their hundredth of a cent. Oh, I'm as promised.
Dan Slimmon: Right, right. All for a little hundredth of a cent.
CJ: uh, impressions, I think is the, the
Dan Slimmon: Yes,
CJ: is the, the industry term.
Dan Slimmon: yes. Impressions. Uh, each impression counts is supposed to count for two eyes, seeing the ad. And, um, they count. They're very, they're very, you know, serious about their record keeping with the impressions. They really want to know that they're getting those eyes on the, the crap. so did you get all that?
Did you get all that, CJ?
CJ: So we got, uh, so, so, so, so we got our, our, our rectangle, our empty rectangle. We've got our, uh, supply side, something or other, um, that's making a request
Dan Slimmon: Correct?
CJ: broker, is making a request once, once. It's sort of like, well, I guess I was gonna say the only verb I have [00:28:00] here is brokers the request,
Dan Slimmon: Mm-hmm.
CJ: brokers the request and, fires it off to an actual ad serving company.
It sends back, I presume, the URL to the actual ad, and then your
Dan Slimmon: Yep.
CJ: requests the actual image and shows it to you.
Dan Slimmon: That's right.
CJ: an impressive amount of infrastructure that all happens very quickly before the page is fully loaded. Um,
Dan Slimmon: It's incredible.
CJ: evil. Um.
Dan Slimmon: Yeah. I mean, that's the best reason to build this much infrastructure. So Saruman wasn't trying to build a fucking hospital, right? Yeah.
CJ: like as a, as a, as a person who is interested in software, I find it fascinating.
Dan Slimmon: It, it, it's amazing what they, what they realized, what they realized they needed to do. They were like, oh, we need to, we need to build. I mean, it, it's, it's evolved over all this time. Um, but, but like, they re they kept realizing over the course of like 15 years, we could squeeze, you know, we can squeeze a little more out of this by making the [00:29:00] infrastructure a little bit more complicated.
And also with, it's a moat of complexity for, um, to, you know, prevent other companies from infringing on Google's, uh, turf. Right. really cool, really cool stuff. and, and so it's actually not, It's actually not just for advertising, right?
How ICE and CBP use ad tracking data
---
Dan Slimmon: So in the, in the, in 2020, the Wall Street Journal reported that since 2017, Immigration and Customs Enforcement, or ICE, as well as, uh, Customs and Border Protection, CBP, have been purchasing licenses from at least one of these companies.
And it's, it's, it's more, it's it's many more company now from a bunch of these companies, uh, that have been using cell phone location data to find people crossing the border so they can arrest and, and deport them.
CJ: Of course. Um.
Dan Slimmon: Of course.
CJ: You know, I feel like maybe, maybe my memory is faulty, but I feel like around that time is, is sort of like when also when privacy kind of went mainstream. Like it was no longer this sort of like fringe interest of [00:30:00] like, you know, for, for a while there, I feel like you were, you were kind of like, if you were somebody who was worried about privacy, you were kind of outing yourself as like a dork,
Dan Slimmon: Yeah. Yeah.
CJ: people were like, yeah, so the ad companies know everything about me, but what harm does it really do?
And sometime around that time it started being like, oh, I see, I understand the harm that this is doing. Um,
Dan Slimmon: Nobody will ever abuse that massive library of information about who I am and where I am and what I do all day.
CJ: exactly. There's, there's
Dan Slimmon: yeah.
CJ: Like, sure, sure. The ad companies know about my, you know, unfortunate fondness for, leprechaun statues, but what can they really do with that information?
Dan Slimmon: Yeah. Yeah. It seems neutral, but no, they'll make it evil. Yeah, so, so there, so, so these government agencies that are, that are like horribly immoral, are buying location data from all these companies. And, but they don't actually need warrants for this because they [00:31:00] say an individual has no reasonable expectation of privacy under the Fourth Amendment in information voluntarily disclosed to third parties. Right. You see, you gave it up, you gave up your information when you loaded that webpage. So it's not, it's not protected by the Fourth Amendment, is the argument.
CJ: But yeah, um, all of the authors of, uh, that IETF RFC, um, had some extremely strong feelings
Dan Slimmon: Cohen Holman must just read the newspaper every morning, like, Hmm hmm.
CJ: Who would've thought, 1994 or whatever, um.
Dan Slimmon: yeah. Yeah. It was, uh, yeah. Sad.
Google "doesn't sell your data"
---
Dan Slimmon: So, so, uh, so this ridiculously complicated art realtime bidding system is what allows Sundar Pichai, the CEO of Google, to say, as he said in the New York Times op-ed in 2019, quote, Google will [00:32:00] never sell any personal information to third parties, and you get to decide how your information is used, right?
Because. Even though Google makes hundreds of billions of dollars by facilitating all these exchanges, they can say, we are not selling your data. The the publishers are selling your data. The exchanges are using it to place the ads. The advertisers are buying the ad space. They're not buying the data.
Nobody's selling your data. Come on.
CJ: We're not selling your data, we're just using it to sell, to, to sell advertisements.
Dan Slimmon: We're just giving access to your data to other people for money.
CJ: Yeah. For we're it's, they're, they're not directly buying your data. They're just getting your data as a side effect.
Dan Slimmon: Yeah. Right. Exactly. Don't worry about it.
CJ: I am selling you things. It's fine. It's totally fine.
Dan Slimmon: You want things, right? You've, you've gotta have things. incidentally, um, [00:33:00] this is also the reason why this realtime bidding system is also the reason why sometimes you'll be on a website and you'll go to click a link and the link will move out of the way. Right. When you go to click it.
CJ: the most infuriating part of the modern web, uh.
Dan Slimmon: Yes. Uh, yeah. And then that's, that's saying something,
CJ: Huh. Well, now I don't know if that's right. The most, the most infuriating part of the modern web is when you go to click on something and a popup happens directly in between, like
Dan Slimmon: fucking hell.
CJ: click something and
Dan Slimmon: And then you.
CJ: So then you click the popup instead, and the website thinks that you meant to click the popup. And
Dan Slimmon: Yeah, probably a few times a month I am, I end up like, I, I close my browser and I close my phone in frustration because I accidentally clicked an ad and then I load up my phone later in the ad and add there and I'm like, oh god dammit again. Um, and it'll never get fixed because sometimes it results in you accidentally clicking an ad instead of the link that you wanted to click.
And that's good, that's good for the advertisers. So why [00:34:00] would they, why would they fix it? Yep.
CJ: Um.
Dan Slimmon: Um,
Do-Not-Track
---
Dan Slimmon: Now in 2009, two privacy advocates, fed up with the lack of progress on this cookie exploitation issue, created a simple plugin for Mozilla Firefox that would add a new HTTP header to all your outgoing requests.
Uh, and that header was called Do Not Track. So the idea of the idea of do Not Track it was based on the do not call list, which, which. Spoilers didn't work.
CJ: exists.
Dan Slimmon: So,
CJ: Um,
Dan Slimmon: so maybe you can guess what's gonna happen with do not track. Uh, yeah, no, it's still, it does technically still exist. Um, yeah, but it didn't, did, not, did, didn't pan out.
but the idea was similar to do not call. If you request a page and you send a do not track header with a value of one, it means don't collect my data and don't use it to track my activity on the web. And if you send a value of zero it, I guess it would mean yes, please. I do want you to collect my data and use it to track my activity on the web.
But I don't know why you [00:35:00] would do that.
CJ: um.
Dan Slimmon: I guess if you're testing advertising software, you might wanna do that. I, I don't, yeah. Maybe for people with some kind of domination kink, I, I don't know. Um.
CJ: fuck my shit up though.
Dan Slimmon: Yeah, yeah. Fuck, fuck. Fuck me up fam. So what you got? yeah, it's silly. anyway, so this, this do not track idea. Um, everybody started, all the browsers started implementing it because it was, um, first of all, it's easy to do. You can implement, you can add a header to the browser and make a config variable in your settings.
That's, that, that's trivial to implement. but more importantly, it caught on because it was a way for the browser makers to signal that they care about privacy, right? you know, they couldn't turn off third party cookies by, by default, um, like the RFC says they should do, even if they wanted to 'cause, because by, by 2009 there were lots of like legitimate business models that depended on third party cookies because you could use third party cookies. So why wouldn't, so like for example, if you got a website with articles on it and you [00:36:00] wanna add a commenting functionality underneath the articles, there'll, there are companies that'll be like, yeah, just drop our code into your page and we'll handle all the login.
We'll log in the user to make sure they're always the same person and they're log logged in when they're commenting. And that involves setting cookies from, for one domain, from a different domain. Um, stuff like that. Billing. There's like billing systems that that use that function at that use third party cookies that way to, um, right.
So the browsers couldn't just be like, no third party cookies. 'Cause then all these legitimate business models would fall over. But they could just add the Do Not Track header. That's easy to.
CJ: It's, uh, it's, it's a really nice way to, to be able to say like, yes, we are taking action on
Dan Slimmon: Exactly.
CJ: uh, of, of
Dan Slimmon: Yeah.
CJ: without actually having to really do anything. Which I'm sure was a huge, uh, you know, some of the browser companies I actually care about, about privacy. But,
Dan Slimmon: Yes. But it enables, it enables a company like Google to say, we care [00:37:00] about your privacy and that's why we're doing, which, um, if Google ever says they care about your privacy, you know what, you know, you know what's going on. Um, yeah. Yeah. But gee, you know, we can call out Chrome. I don't, I'm, I'm using Chrome right now.
We'll talk, we'll talk about that. Um,
CJ: She can hear you. Oh.
Dan Slimmon: Uh, it, you know, probably, I don't know. I, I, I don't wanna be, I don't wanna be paranoid, but I do, I do admire paranoia when it comes to privacy. Um, web, web privacy, uh, 'cause these, these, these, these fuckers will try anything. now, so, so of course at, at the time that this do not track plugin launched, um, the do not track header didn't actually do anything because no web web server supported it.
They could read it and just ignore it, right? Um, but the idea was if we make this a standard, then, uh, support will come, we can, we can, you know, create support on the server side later. And it, and it almost looked like it was gonna work. So by, by 2011 there, the [00:38:00] Federal Trade Commission was making noises about turning Do Not Track into a regulatory requirement.
They, they were, they were talking about like, well, this do not track header seems pretty good. So if we can get the authority from Congress to, to, um, regulate ad tech companies, then we can use this do not track header to enforce them to, um, not track people with the cookies. The, the World Wide Web Consortium, the W3C, which is another standards body like the IETF, but they regulate more higher level web, web type things rather than protocol level.
Like computers talking to each other, things, they're kind of overlapping,
CJ: other. Oh.
Dan Slimmon: right? Yeah, they sometimes, that's right. Which is always fun for us as developers, as software engineers to feel like, will you guys just fucking make up your minds? Yeah. So the W3C forms a working group to define what supporting Do Not Track was gonna look like, to answer questions like, you know, how should websites behave if the app, the header's absent, or, um, [00:39:00] should, should people be able to whitelist some domains that are, they're like, these domains are allowed to give me third party cookies when, when other ones aren't.
how can they measure compliance at the, how can they measure whether servers are actually complying when the header is, is sent? Things, things like this. and, and surprisingly the ad tech people, for example, Google sends people to the table on this. They, they wanna be in this conversation, maybe not that surprising.
Like they're the f they're like, well, we might be regulated by the FTC here, so we should show that we're participating in the conversation and we, we wanna make sure we don't get like, totally hosed on, on whatever the rules end up being. Right. Um, like they, they don't want
CJ: bit less, um,
Dan Slimmon: Yeah, yeah, yeah, yeah, yeah. Or at least we can trick 'em into regulating us and, yeah, exactly.
Um. Yeah. Which is, which is the way you handle getting your industry, getting regulated. They didn't want the FTC to set rules like cookies can't be set during unverifiable transactions or, um, or some other, you know, dagger aimed at the heart of our [00:40:00] business. Right? Uh,
CJ: if only there had actually been a dagger aimed at the
Dan Slimmon: oh my God.
We need more daggers aimed at the more hearts of more businesses.
CJ: Can I get, how do I, can I get into that industry? The aiming daggers at the hearts of businesses?
Dan Slimmon: Yeah. Sign me up. I'm not really a knife guy, but I'll become a knife guy. I,
CJ: specifically.
Dan Slimmon: yeah. Sorry. You're right. Sorry. You're right. You gotta, if you, if you're really gonna get into Dagg, you're gonna need some daggers. Yeah, so, so pretty soon, the, a lot of the working group members are saying, well, let's see.
It kind of seems like these ad tech people are trying to draw out the negotiations and they're like going back and forth and trying to make the, this negotiation last a really long time. Um, probably because the longer they participate in the negotiations, the more they can go to the media and the government and be like, look, look how participating in the working group we are, we're, we're, we're taking privacy seriously.
Self-regulation is working, [00:41:00] right? Um,
CJ: our users. We're spending all this time arguing about, uh.
Dan Slimmon: yes, just think how much engineering time, how much, how many engineering dollars we're, we're spending. Just sending people, sending our, our valuable engineers to these meetings. We must really care about privacy. Boy, to be a man. Imagine, imagine you work for Google and what you're just, you're just trying to make, like, you're just trying to make a protocol to send that data from one database to another, and your boss is like, Hey, you gotta go.
Uh, we're picking you to go to the worldwide web consortium meeting and tell them that, um, Google should regulate itself. That's your job. Now,
CJ: I mean, I feel like that, the, the, the like attending standards committee meetings does appeal to a certain kind of person,
Dan Slimmon: that's probably true. There's probably lots of them who wanna do it.
CJ: that actually genuinely enjoy that kind of thing.
Dan Slimmon: So to make matters worse though, in 2012, Microsoft decides to take an even bigger step than just supporting Do Not Track in Internet Explorer. They, they say they're gonna turn [00:42:00] on do not track by default in Internet Explorer. Right.
CJ: big move, bold move,
Dan Slimmon: Big
CJ: dunno.
Dan Slimmon: y. Yeah. A bold move as, as Kerrigan would say, in, in StarCraft.
and this would sound
CJ: Oh.
Dan Slimmon: 2012. 2012,
CJ: Oh, oh
Dan Slimmon: yep.
CJ: wow. That's earlier than I would've thought. Oh,
Dan Slimmon: Yeah.
CJ: oh,
Dan Slimmon: So it sound, it sounds, it sounds great, right? It sounds like it would make matters not worse. You know, but that's of course, and Microsoft wanted everybody to say, oh, that's great. Good for Microsoft, right? Uh, but what ends up happening is, the ad tech companies who had been claiming that their, like their, their whole justification for coming to the table on Do Not Track was that, oh, this is a way for cust consumers to express their preferences about being tracked.
Uh, right. Automatic way to say, I do or don't want to be tracked. If you turn it on by default, then it's like Internet Explorer's putting words in its users' mouths. Right. It's dictating how users feel about [00:43:00] getting tracked. So ultimately they, they walk away from the table over this and instead of improving privacy, Microsoft accidentally just grenades the whole process.
CJ: Oh man. There's a negotiation lesson in there somewhere like.
Dan Slimmon: Mm-hmm.
CJ: Um, you ask for a little bit too much and, uh, you know, the other party can, you know, part, part, part of negotiating is, is keeping the other party at the table. Um, and
Dan Slimmon: We don't even,
CJ: oh,
Dan Slimmon: it's like, we don't even wanna be here. We're right. Like, uh.
CJ: we don't care about user privacy. We're here trying to, look like we're doing the right thing, but, um,
Dan Slimmon: Yep.
CJ: just totally undermine our whole business. We're just going to leave.
Dan Slimmon: It's very cool. It's very cool. Oh, gotta get some of those daggers. Um, a and anyway,
CJ: daggers is clearly what went wrong, um.
Dan Slimmon: if you're worried, if you're worried about Google in this process, don't be worried. Everything worked out [00:44:00] great for the ad tech industry here. Uh, 'cause the FTC never got the authority they needed to regulate them anyway. Uh, because the ad tech people turns out ad ad companies are very good at lobbying.
Um, who, who knew,
CJ: would've thought?
Dan Slimmon: right? Um, 'cause like muddying discourse is their whole thing. They're very good at it. Um, and they lobbied like hell and killed this. Killed this initiative. they, they said, they said the FTC would become judge, jury and executioner against their industry. which, like, don't threaten me with a good time.
That sounds kind of rad.
CJ: I mean, I thought the whole dagger image was a little bit over the top, but
Dan Slimmon: Yeah. No, no, no. Um, there's no such thing as over the top.
CJ: this is advertising, I guess. Yeah, there's, there's
Dan Slimmon: Yeah.
CJ: that's over the top.
Dan Slimmon: yeah. So sadly, do not track died on the vine and eventually all the major browsers remove the do not track header, uh, over the next few years. And this is fun. Do you [00:45:00] know why the, the browsers main justification for removing the the do not track header? This is interesting. Like why not just leave it.
CJ: do anything, because none of the ad companies were respecting.
Dan Slimmon: they could just leave it, right? I mean, if it didn't, if it does, if it's neutral, they can just leave it. But the, but the, but the way they, they, what they said is, um, you know, do not track has three possible values and different browsers are gonna send different values. So this just makes it one more header that the supply side platforms can use to fingerprint your browser and track you with.
CJ: So ultimately, um, contributing to the problem they were trying to solve, huh?
Dan Slimmon: Hmm.
CJ: Oh, that's fun.
Dan Slimmon: It's really fun.
CJ: Oh.
Dan Slimmon: Um, it's only like one and a half bits of entropy, right? But why keep it if nobody supports it anyway? It's just extra tracking, tracking entropy.
CJ: Extra information about that you can, uh, use to correlate somebody's activity
Dan Slimmon: It rules. So, so meanwhile, in mean, meanwhile in [00:46:00] 2011, um, while all this shit with the do not track is going on, the IETF finally walks back its by now totally irrelevant 16-year-old recommendation that browsers disable third party cookies by default. They, they publish RFC 6265, which obsoletes the previous one and basically just says browsers can do whatever they want with respect to third party cookies.
That's up to them.
CJ: but you do in the privacy of your own browser is between
Dan Slimmon: Right, right. We need to respect the privacy of the browsers.
CJ: Yeah.
Dan Slimmon: Uh,
CJ: what's being insulted here is
Dan Slimmon: yeah. Yeah. That's what matters. Um, as an engineer, I care about the feelings of software. You know, I don't, I don't wanna, they, they. Standards are hard. They tried. and especially standards are hard when you have to deal with bad faith actors. Like it's hard enough to have a standard among a group of people who agree that there should be a standard.
Right?
CJ: yeah, yeah. That are actually engaging in [00:47:00] good faith with the process of, of, uh, standard settings. Oh.
Dan Slimmon: Right.
Personal privacy attitudes
---
Dan Slimmon: Now, most of the time what we're talking about in these episodes is the effect of cookies on privacy. So, um, I, I dunno, are you, are you, uh, somebody who thinks about your online privacy a lot? Are you one of these like VPN people with the special browser and the shit.
CJ: You know, I kind of go back and forth. Um, I go through phases where I like try to, uh, disable all third party cookies by default. And then, you know, discover that I can't do anything on the web and then slowly start relaxing it website by website and then get sick of that. And then I just turn it, and then I turn it off and, uh, you know, then, uh, and kind kind of ignore the whole problem for a little while.
And then, uh, you know, hear something about like how, uh, ICE is, uh, using ad tracking tape to deport people. And then, [00:48:00] then the cycle starts all over again. It's, uh, yeah. so I would, I would, I would, I would I guess classify myself as, um, Concerned but lazy.
Dan Slimmon: That is the best way to, man. I was trying to think of a good way to describe my attitude about it, and that's exactly it. I'm gonna steal that cj. Uh, yeah, yeah, basically same. I, I respect the tinfoil hat stuff a lot. Um, but I, I don't, I don't worry about all I, I, I understand that like my, that it's a, it's a matter of privilege for me to, to be not that concerned about privacy.
There are a lot of people out there to whom privacy has like very concrete implications for their health and safety and, um, so like I recognize the importance of preserving privacy as a, as a society, but personally, I kind of just use Chrome and don't fucking worry about it too much.
CJ: Yeah, I am, I am, I am currently in the phase where I am. I'm using, uh, like a weird experimental [00:49:00] browser that locks a bunch of stuff. Um, and which has, uh, you know, make, kind of, kind of makes me feel better about my browsing habits. But now, um, you know, say I wanna go just like, at a recipe I'm searching for recipes for, for something, and I'm go like, clicking around recipe blogs and half of them won't load because
Dan Slimmon: Yeah, the recipe. I don't know how the, I should do, I figure out, uh, the recipe website story. Like they've, they've become somehow the worst ones. I don't know why it is.
CJ: Yeah, I think that's, um, I, I, I wonder if it's just that you have a lot of, um, people recipe blogs who are not like, particularly technologically sophisticated. Um, so they just kind of like accept all the recommendations of like, whatever, um, they're using, which is, you know, trying to, skim the maximum amount of money off of their recipe.[00:50:00]
Dan Slimmon: And the platform. And the platform tells them like, Hey, if you, if you tell your entire life story in 2000 words before every recipe, then that's more space on your page where we can show people ads and they have to scroll through all the ads to look at the ads.
CJ: Exactly. And they're gonna scroll through the ads and you're gonna make more money from your recipes, which is, you know, already not an incredibly profitable, um.
Dan Slimmon: Yeah.
CJ: of
Dan Slimmon: don't,
certainly don't blame the, the people writing the recipes for this. I love recipes. Food is delicious.
CJ: but it's
Dan Slimmon: Um,
CJ: the only way you can make money from it is from these incredibly, predatory schemes to, um, harvest user data. Oh.
Dan Slimmon: it sure is messed up cj. It sure is.
Non-privacy reasons that cookies are a pain in the ass
---
Dan Slimmon: But I think where cookies really come into people's day-to-day existence. More than thinking about privacy issues, uh, this is probably true for people, privileged or not, is less that they're a risk to privacy and more that they're like annoying, [00:51:00] distracting, bullshit that I sometimes have to deal with.
Like, for example, I was trying to see if my local library had a particular book about the imperial examination in China. And so I go to go to my library's website and first of all, this has nothing to do with cookies, but so on my library's website, you have to enter a username and password to log into the, to the website.
And your username is your library card number, which okay, sure. Whatever. your password, and this is what baffles me. Your password is the last four digits of your library card number.
CJ: Classic.
Dan Slimmon: Uh, and you can't change it. You can't change it. Um.
CJ: that's, that's a, that's a fun twist. I was gonna say that sounds like, uh, the, the, a very classic, work around that, some poor, uh, you know, city IT worker was like, okay, we have to, uh, you know, populate username and password, like initial username and passwords For everybody who, who uses the [00:52:00] library, what's it gonna be?
Okay. Um, you know, we'll, we'll make the, username, your library card number, and we'll make the password by default, you know, part of your library card number, and then you can change it. Um, but no,
Dan Slimmon: Nope. Nope. Yeah. Um, I don't even think this should count as, like, forget two factor authentication. I don't even think this should count as one factor to ha To build both these fields together. Shouldn't count as even one factor of authentication.
CJ: I hope your library is otherwise, um, uh, something I, I, I, I used to, I, I used to work in public library. I don't, I, I don't know if you know
Dan Slimmon: I
CJ: about me, but,
Dan Slimmon: dunno that I didn't know that.
CJ: one thing that, that librarians generally are, is like very averse to, um, collecting information about their users. like the library I worked at didn't even, our, our software didn't even like, keep any records of the books that you had checked out unless you like, specifically opted in to, um, allowing us to, to, to keep track of the, the books you, you had. because librarians are [00:53:00] like super concerned about free speech, and if you, the, the less information that you have about somebody, the less you can be made to reveal in a lawsuit. Um, uh, so hopefully, hopefully your, your, your librarians are also, um, you know, purists in that area.
Um.
Dan Slimmon: As, as far as I know, they're not, they're not selling the data to, to um, fucking ICE or whatever. But, uh, what do I know? I mean, the more the more libraries are strapped for cash, the more they have to go to third party, third parties to handle, uh, record keeping responsibilities of various sorts. And those third parties can do what they want largely, especially the ones backed by AI.
So, um, I don't know, uh, anyway, they didn't have the book, fucking book that I needed, so it was a, it was a zero, it was zero sum. Anyway, alright, so I enter my very secure username and password on the library website, and that was a long [00:54:00] tangent. And, uh, and it starts loading the card catalog page. And then, I'm back on the login page.
I try logging in again and same thing, I'm back on the login page,
CJ: oh,
Dan Slimmon: So, so now I have to go find the clear my cookies page in my browser and I use Chrome, so they hide that shit like way in the back. Uh, and to, to try to clear my cookies for this website so I can log in. Like I don't think my WI local library is trying to like sell my voiceprint to Palantir or whatever, but cookies are still directly involved in this and it's a pain in the ass,
CJ: Oh man. I feel like I want to shake a finger at whatever, uh, library web developer,
Dan Slimmon: right?
CJ: and it's just set that.
Dan Slimmon: yeah, you know. Software. Software has bugs. They don't have a lot of money to spend on this stuff. Uh, but you know, this is one of the ways I feel like, that's the most common type of experience that people have with cookies day to day, at least up until maybe five years ago when [00:55:00] all these, like, do you accept these cookies?
Boxes started popping up everywhere.
CJ: I was
Dan Slimmon: yeah.
CJ: were gonna enter this story, the cookie banners that we all all know and, mostly ignore.
Dan Slimmon: Yeah. That, I'll start with. We care about your privacy, right?
CJ: Yes, I definitely, I definitely am reading every word of those banners and not
Dan Slimmon: Yeah.
CJ: kind of clicking, whatever, whatever the minimum, uh, I can, I can click, in, uh, without having to actually go to a separate page and, uh, specify which cookies that I care about.
Dan Slimmon: And they, and they, yeah, and they set 'em all up so that they, they're all, they're all different. They set 'em all up so that your browser can't automatically parse the banner and just set the
CJ: Exactly. Exactly. You have to click through each one of them, which means you don't actually read the,
Dan Slimmon: Yep.
CJ: the banner. Oh.
Dan Slimmon: It's really cool. Um,
CJ: It's fun.
Safari and Firefox block 3rd-party cookies
---
Dan Slimmon: do not, do not track falls apart, which, uh, which seems [00:56:00] on its surface like a bad outcome for privacy, but there's a silver lining in this, which is that, from that point on, it's obvious to everyone. The browser vendors, the government, the privacy advocates, the, the ad platforms are not going to engage in good faith over third party cookies and tracking, which, I mean, we can say that they were naive for thinking that a good faith engagement was possible back when they back in 2010.
But you have to remember, these are like slick, charismatic Don Draper ad men. They're very persuasive. Uh, you know, they, they're, they're, they'll, they'll trick you. Anyway, so, uh, at the ad, the company, um, that applies itself with the most gusto to the task of banning third party cookies for my money is Apple which I don't, don't take any of this to mean that I'm like pro Apple in any particular way.
If you wanna hear some of my other opinions about Apple, listen to the wireless headphones episode. But, in 2017, Apple introduced a suite of features [00:57:00] called Intelligent Tracking Prevention, uh, to confuse and frustrate the third party trackers. And in 2018, they popularized a new standard called Storage Access API.
Uh, that's a, that this is a way to give like legitimate third party applications, the ability to set cookies or to store things on your browser, while denying access to illegitimate ad trackers and, and stuff. Um, which is, which is pretty cool. So the browsers like the, the, the website's allowed to ask like, do I have access to store things?
And if so, like how much am I, how much of what kind of data am I allowed to store for this browser? work pretty well.
CJ: That's an interesting that I, I, I hadn't realized it was quite that early that Apple got into the business of being like the, the privacy respecting company.
Dan Slimmon: yeah,
CJ: yeah. Yeah, because at some point that, that became so much of Apple's brand, you know, like
Dan Slimmon: Mm-hmm.
CJ: we're, uh, um, uh, [00:58:00] they were. They, at some point they, they realized that this could be, you know, a market differentiator for, for them. Huh? I'm like, we are not going to mine your data and we're going to like, try to prevent other, finally, somebody in the story has some incentive to like not,
Dan Slimmon: Right.
CJ: um, I maximize the, um, the ad company's reach, um,
Dan Slimmon: Yeah. Uh, it's probably a positive development. Uh, a and, and, and, and so in 2019
CJ: appear to be respecting privacy. Sorry. Um,
Dan Slimmon: they, they, they, I mean, yeah, I mean, respect it, like, can a company respect anything really? They don't have, they don't have souls. like, uh, but yeah,
CJ: they're
Dan Slimmon: it is,
CJ: but they're not, um.
Dan Slimmon: it happens to currently be in their interest at this point in history to take actions that a person who was respecting your privacy would take.
So that's pretty good. That's [00:59:00] okay.
So in 2019, Safari finally disables third party cookies by default across the board. Um, 2019, Firefox actually beats Safari to the punch on this by about three months. Um, but I would argue only because Apple laid so much of the groundwork for them by coming up with this Storage Access API and a bunch of other experimental work they did to make it possible to, to do this.
CJ: 3% of people who were using Safari were, uh,
Dan Slimmon: yeah,
CJ: were very excited about it, I'm sure.
Dan Slimmon: and it only took 21 years, so, hooray.
Google contorts itself into a privacy-hating pretzel
---
Dan Slimmon: Google on the other hand, uh, has like kicked and screamed like a toddler at Bathtime about this, uh, third party cookie thing, which, which makes sense. They, they have, they made a, they have a hugely popular browser with more than 65% market share, and they also have an enormous stake in this real time bidding business.
Uh, and which would get much smaller if you can't do third party cookies. So, uh, and so they're, they're trying [01:00:00] to have their cake and eat it too, right? They want people to keep using Chrome, so they, they have to pay, pay lip service to the idea of privacy. If they don't do that, then, then people switch to other browsers.
But at the same time, privacy is like an existential threat to their $200 billion a year business model. right. It's a, it's a, it's a dagger. So they, so they stall. They've been stalling, trying to like hold it onto their market share as long as possible by, by pitching a series of half measures and compromises that make it look like to the casual observer as if they're taking privacy seriously.
But that just run up the clock on, on and, and never go anywhere. I they, they've done some like pretty innovative engineering that would not need to be done if they hit, were simply willing to not allow third party cookies, but they've, they, they're placed in the engineering, the r and d department is placed in this position where like the company's business model depends on this having third party [01:01:00] cookies.
And they're like, okay, well how do we, how do we act like we're, how do we like
CJ: How
Dan Slimmon: enable privacy?
CJ: bad?
Dan Slimmon: Right. yeah, interesting challenge that I wish didn't, didn't have to exist for engineering teams. in August of 2019, Google announces the thing, this thing called Privacy Sandbox for Chrome Privacy Sandbox is a collection of experimental Chrome features, um, many of which have been subsequently phased out, that aim to make, uh, ad targeting less intrusive, uh, phased out.
You know, they say was, they say, well, these were experimental. We picked the ones that that worked and we didn't pick them. But, you know, it was also, it's also an excuse to just not do, like, say you're gonna do something and then not do it later. 'cause Oh, it didn't, it didn't work. Uh,
CJ: It
Dan Slimmon: Google's just,
CJ: for some reason.
Dan Slimmon: yeah, I don't know.
But it, the, the users liked it. The, the browsers, it was not that hard to implement in the browser, but for some reason it just, we just couldn't make it work. I don't know. I, um.
CJ: who can say [01:02:00] why? Um.
Dan Slimmon: Right. Uh, uh, the manager, the product manager said, no, it's not gonna work. So it's, it disappeared. Um, product managers are cops. There, I said it.
And so Google's justification for most of this privacy sandbox stuff is that, to quote a, to quote a blog post of theirs from January 2020, "By undermining the business model of many ad supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting, which can actually reduce user privacy and control.
We believe that we as a community can and must do better."
So that's, that's bullshit. Uh, what, what they mean by fingerprinting is, that like instead of you. You know, instead of the browser, instead of using like voluntarily surrendered cookies to identify you voluntarily, uh, right. In quotes, ad platforms are instead gonna use the, the behavior of your [01:03:00] browser.
Right. They can, they can figure out what version of Firefox you're running, the dimensions of your browser window. Um, they can even use stuff like your, if your laptop has an accelerometer that the browser has access to, they can, they can use the, you can use like, the least significant bits on your accelerometer readings to figure out who you are.
Uh, yeah.
CJ: Um,
Dan Slimmon: Which, which is like, which sounds like fun engineering to do, but for a shitty reason.
CJ: yes. Another one of those, like, um, you're solving a very interesting technical problem. Um, but why?
Dan Slimmon: Yeah. Right, right. Yeah. A tale as old as time.
CJ: The, the
Dan Slimmon: Um,
CJ: for a, for a software developer. Oh, this is
Dan Slimmon: right,
CJ: job description says like, you'll be working on these like, cutting edge, fascinating, um, technical problems and you'll make a lot of money doing it as long as you don't look too hard at what they're [01:04:00] actually doing with the results
Dan Slimmon: right. Don't ask too many questions about that. It's interesting, right? We nerd sniped you.
CJ: Oh, exactly. Um, now you're, now you're really interested in how to, you know, use, bits of information from, uh, your browser's accelerometer to identify somebody
Dan Slimmon: It's pretty cool. Um, but it sucks. And, and so Google's argument is like, well, we can't just disable third party cookies because then the ad networks, i.e. us, will have to resort to fingerprinting techniques, which would be even more invasive. And like, first of all, many ad networks, they're, they're also, they're doing it anyway.
Like men, the ad networks are gonna do the fingerprinting anyway and have been doing it for years by this time. So, you know, this is no reason not to disable third party cookies. But more importantly, this is like saying, uh, Hey man, we know you hate getting kicked in the head. You know, we empathize with that and we respect your decision to put on a helmet, but put yourself in our shoes, right? If you wear a [01:05:00] helmet, then we're gonna have to start using a jackhammer on your skull,
CJ: The head kicking has to happen. There's
Dan Slimmon: right?
CJ: that.
Dan Slimmon: What are you gonna kick your own head?
CJ: Oh,
Dan Slimmon: You are not flexible enough for that.
CJ: Are you saying you just wanna, like, walk around without getting kicked in the head all the time? Um, inconceivable.
Dan Slimmon: Then you might not buy things. You're, you're, you're missing the point. Uh, so let's, let's talk about some of Chrome's Privacy Sandbox features. 'Cause they're pretty interesting and cool despite being a, a bad idea. Um, one of them, right?
CJ: oh.
Dan Slimmon: One, one of them is called Attribution Reporting, which is a way for advertisers to track how many people clicked on an ad, how many bought something after clicking the ad and stuff like that, all without cookies.
Uh, this has been ditched. There's another system in Privacy Sandbox called Privacy Budget, which is supposed to let a site access a, quote, reasonable amount of data about your [01:06:00] browser before getting locked out of further access. Um, which, is there a reasonable amount of data that I want them to access about my browser?
I don't know. Uh, but that's the idea. So like a third party could maybe fetch your window size, but after it's fetched your window size, it's used up its privacy budget and it, it's locked out from further requests for information that might, that it might use to fingerprint you. Right,
CJ: Yeah, the, the, the whole concept of a privacy budget is funny just 'cause it's hard to imagine what is the, what, what is the, the legitimate use case, the legitimate not evil use case for, um, requesting things like size of your browser window or, you know, the most recent
Dan Slimmon: right,
CJ: clicks that you made or something.
Dan Slimmon: Right. But you know, it's a moot point 'cause they ditched this one too. Uh, and then there's a function called Protected Audience. Protected Audience is a way to show ads to a user based on their interests without revealing that user's identity [01:07:00] to advertisers. So, um, this hasn't been ditched, but it's been replaced with another thing called FLoC, or Federated Learning of Cohorts. Have you heard of FLoC?
CJ: Heard of it. I don't actually know what it is. Um,
Dan Slimmon: So this, this system, it's this system where like Chrome keeps track of your browsing activity and assigns you, uses some opaque algorithm to, to assign you to a numbered cohort of browsers that are, that have roughly the same kind of things as you, that are, you know, doing roughly the same kinds of things as you.
And then it, it's up to the ad platforms to figure out, uh, what the, what the cohorts mean and how to target ads to them. Um, FLoC has also been ditched.
CJ: you know, talking about this, uh, reminds me of, a semi. I, I was, I was, you know, talking a little bit earlier about like, well, what is the really, like, legitimate use case for knowing any of, any of this stuff? Uh, there
Dan Slimmon: Right.
CJ: one like semi legitimate, uh, use case that I, that I know of, which is, uh, CAPTCHAs, [01:08:00] um, trying to, to detect automated traffic. Um, there's this interesting thing that, that Google came up with, called invisible CAPTCHAs, um, where you don't actually, like, they don't actually, ask the user to, you know, solve a puzzle or select some images or anything. Like, the user doesn't actually have to a, have to interact with it. Google just like, looks at your browser activity and, you know, your, um, uh, what, what, how you're, how you're like interacting with the website, um, and assigns you a score of like likelihood of being, being an automated,
Dan Slimmon: So they like cer, they certify that you're not a bot, basically.
CJ: Yeah. Yeah. They kind of guess like, okay, this is, um, this, this, this like, person is like clearly kind of like moving slowly around and like not, entering stuff program programmatically into forms. Like this is definitely a human. Or like, um, you know,
Dan Slimmon: Yeah.
CJ: uh, a lot of, a lot of wiggle room between there.
But, you [01:09:00] can actually get a pretty decent sense of, of like, or not this is a human versus, you know, somebody with, running with a, a fleet of like running in
Dan Slimmon: Mm-hmm. I mean, that's, that's
CJ: in your website. Uh.
Dan Slimmon: pretty cool. I guess
CJ: so there's,
Dan Slimmon: I kind of like that.
CJ: a slight semi, uh, like, not, not evil application of this technology. Um, or at least defending against other evil instead of, um, making the evil,
Dan Slimmon: Bots are definitely as a, as a, as a person who's worked in, worked for multiple software as a service platforms, I totally appreciate the importance of identifying bots. So I think that's kind of cool. Yeah, but with, but with, but with FLoC, it's like, how about we, I've got an, I've got an idea. How about we like track what you do and then we sell it on an anonymized form of it to the advertisers, so they can't track you as an individual.
And it's like, I've got an idea. How about [01:10:00] you don't, how about you just,
CJ: do that? Uh.
Dan Slimmon: Uh, well, you know, it's important to compromise. Um, I, I mean the, the amount of technical contortion that, that Google has been willing to endure just to keep tracking cookies enabled, it would really be impressive if it wasn't so pointless.
Anyway, in January of 2020, Google stated on the Chromium Blog, which is the open source, um, like core of Chrome, that, quote, "Once these approaches," and they mean Privacy Sandbox components, "once these approaches have, have addressed the needs of users, publishers, and advertisers and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third party cookies in Chrome.
Our intention is to do this within two years." So, so two years. Let me, so let's see here. That would mean that, uh, carry the four, so third party [01:11:00] cookies will be phased out of Chrome by January of 2022. Ah, shit.
CJ: definitely a thing that happened. Um,
Dan Slimmon: Uh, yeah. No, no, no dice. Uh, they, they keep, they keep stall, they keep pushing it back further and further. Um, stalling and stalling. The rest of the browsers already disabled third party cookies way back in 2019. But finally in 2025, Google made the exciting announcement that they will not be disabling third party cookies by default ever.
CJ: well, you know, we all suspected as much I think.
Dan Slimmon: Oh, sure. Of course. This is, this is how they played the game as far back as 2012 with the, with the W3C conference. In, in announcing this change, uh, VP of Privacy Sandbox, Anthony Chavez, wrote that, uh, since 2019, quote, "the adoption of privacy enhancing technologies has accelerated, new opportunities to safeguard and secure people's browsing experiences with AI have [01:12:00] emerged, and the regulatory landscape around the world has evolved considerably."
So, isn't that great news? The, the problem has solved itself and we get to keep our precious third party cookies that we love so much. What a relief.
CJ: Yes, we've somehow, we've solved the problem without really doing anything about it. Um, uh, just by kind of letting it go on until everybody got used to this being the default state of the web,
Dan Slimmon: We solved the problem that we thought more people might leave our browser. Um, problem solved.
CJ: share that, uh, which would compromise our ability to my data about you. Oh.
Dan Slimmon: Great news. Great news.
See ya
---
Dan Slimmon: Uh, alright, well, having learned about all of this, I'm gonna try, I've already switched to, to Safari on my phone. Um, I might try switching to Safari on my, [01:13:00] uh, laptop. I, you know, I don't know. I got a lot of cookies in, in my, in Chrome, so I might, but I'm gonna give it a shot. But I, you know, I'm just so sick of, I'm sick of playing different kinds of keep away every year with the vampire of the ad industry and having to like, you know, you have to like, stay informed of what all, what all the evil shit all the browsers are doing.
Uh, in order to control your own, all I want to do is have a browser that I can use to go to a website. Right.
CJ: I will say as a,
Dan Slimmon: I.
CJ: as a Safari user, um, uh, one fun thing that you'll get to learn is what all websites don't really work very well on Safari.
Dan Slimmon: I just tried to load, I just tried to load this to record this podcast and because I, my microphone wasn't working in Chrome at first, so I tried to load it in Safari and it said it doesn't work in Safari.
CJ: Yeah, yeah. Uh, Safari hates this website, um,
Dan Slimmon: Sweet. Uh, but
CJ: hates Safari, [01:14:00] I guess.
Dan Slimmon: yeah, I don't know. I mean, it does store 15 gigabytes of cookies, so who can blame it? I feel like, I don't know this, tell me if this is crazy. If I load a page, if I load a webpage and there are empty rectangles on the webpage, what if I could have like right of first refusal on the rectangles, right?
Like I, I could tell my browser, I'm willing to spend a certain amount of money per website per month. Right. I say I'm willing to spend this much money on, on like the Verge and this much money on TechCrunch or whatever. And then, you know, it'll, it could just buy the rectangles before the ad, uh, the ad networks have a chance to sell them and I could fill them with pictures of whatever I want.
Like I could tell my browser, send cute pictures of my dog or like art or whatever I want and just like had display that instead of the ads or just leave them blank. That'd be fine too. Right? Wouldn't that be cool?
CJ: that would be cool. [01:15:00] Um, I, I'm, I'm, I'm honestly really sad that like, micropayments never really kind of hit, like had had had a sort of like, implementation that actually makes sense because I would, I, I, I have, I have this, this kind of back and forth a lot when, when it comes to, um, like disabling third party cookies and using ad blockers work. I'm like, I do want to, you know, if I'm, uh, you know, going to find a recipe for, chicken tortilla soup or whatever, like, I wanna, I want that person to recipe I use to, to make money off of it. Like
Dan Slimmon: Absolutely.
CJ: it's, it's, it sucks that the only option I have for doing that is, um, is, is, is through advertisements.
Like,
Dan Slimmon: I, I'd love to be able to send that person a microtransaction to replace the ad at the top of the page with a, right? They get the money, I get the content. That's all that needs to happen. Uh, you know, why, why do you have to have this extra [01:16:00] middleman in the process? I would love to be, in fact, I would love to be able to send money to the recipe website to replace the top rectangle on their page with a link to the anchor of the actual recipe text so that I don't have to scroll down 50 pages.
CJ: I, I feel, feel similarly a little bit bad. I, I started recently using like a recipe manager, um,
Dan Slimmon: Mm-hmm.
CJ: grab, grab the recipe from the website and import it into, into the software. And then kind of like got myself, thinking like, oh man, this is actually kind of mean to like the rep recipe website producers, because I'm not going to the website every time I use the web, the recipe, and giving them
Dan Slimmon: Absolutely. There's no ethical consumption under capitalism. CJ, I am sorry to inform you.
CJ: my, my, uh, I feel like all my examples are very recipe centric.
Dan Slimmon: I mean, yeah, uh, recipes are a great, I, I use Paprika also, the, um, which is a recipe management tool. And, um, it changed. It changed, you know, it makes it so much easier to [01:17:00] cook now. Uh, 'cause I have ADHD and, and I can't, I, I can't be constantly like dealing with moving the page around when the different ads load or like moving it up or down.
If there's a particularly distracting one, then I can't cook, right? I lose track of what I'm doing in the kitchen.
CJ: Renders and now the ingredients are, you know, um,
Dan Slimmon: Right.
CJ: several inches away from where they were. Uh,
Dan Slimmon: Jesus fucking Christ. It's, it's, it's awful. Well, that's that for cookies. The reason, one of the many reasons that we can't have nice things on the web. Um, I
CJ: was a recipe for, um, privacy cookies. I'm just gonna keep using this metaphor until it just won't hold up anymore.
Dan Slimmon: Bake it, bake it at 350 until it stops smelling like shit.
CJ, it's been a pleasure to talk shit about technology with you. As always, I, uh, I, I love that you're on this show. Thank you.
CJ: Thanks for having me. I learned so [01:18:00] much about cookies, uh, and, uh, even the, the, the, the bad kind of cookies are, fascinating little bits of technology.
Dan Slimmon: Yeah, I agree. Um, it's, it's too bad. They're, they're used for evil. Alright, well, if you like this show, uh, and, and I know you do like this show because you wouldn't list, have listened all the way to the end of a two-parter on fucking cookies if you didn't like this show, uh, then please go ahead and give us a five star review on your podcast app.
Or if you're watching on YouTube, uh, smash that like and subscribe, as they say. Thank you so very much for listening to me and CJ talk shit about cookies. Uh, and that's it. Catch you next week, listeners, when I tell you all about fucking Keurig pods on Technology Blows.
[01:19:00]