
A Cookieless Horizon: Navigating Browser Changes


This is the transcript to my YouTube explainer video on the browser changes underway to replace the functionality of third-party cookies when it comes to authentication services. Likes and subscriptions are always welcome.

There are several web features out there that support critical, basic security features like logging in and logging out. Those same features enable tracking individuals as they surf the web. Unfortunately, fixing this is not as simple as turning those features off for trackers. From a purely technical perspective, the web browser cannot distinguish whether these features are being used for authentication-related purposes or for tracking.

Still, of all the features described in a previous post that serve legitimate and clandestine purposes, third-party cookies are one of the more tractable problems to resolve. So, let’s look at where the work is happening, one of the new mechanisms being developed, and what the changes will look like.

The Role of the W3C in Browser Changes

The World Wide Web Consortium (W3C) is where most of the work happens between browser vendors and various other stakeholder groups to standardize functionality on the web. This global community effectively shapes the web, ensuring it’s secure, efficient, and open for everyone. Their work is crucial for the standards we rely on daily.

Diving into the details of how the W3C works is beyond the scope of this video, but feel free to reach out if you’d like to learn more! 

Federated Credential Manager (FedCM)

Now, onto FedCM. Developed by Google and incubated within the W3C, this API represents a significant shift in managing privacy and online authentication. As I mentioned earlier, a browser’s biggest challenge is distinguishing between acceptable use and hidden tracking. The purpose of the FedCM API is to help the browser determine whether a transaction is happening with the individual’s knowledge and consent. Let’s delve into how it works and why it matters.

Rather than acting like one of those annoying cookie banners, FedCM is designed to be called when an individual clicks on the login or sign-in button on a website. Before the website (the relying party, or RP) and the site responsible for authentication (the identity provider, or IdP) share any information, FedCM exists to mediate the transaction and make sure the individual is aware of and OK with what’s happening.
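What the RP side of that flow can look like, as an added example that is not from the original post: FedCM is invoked only from the sign-in click, and the page falls back to a redirect login when the browser lacks the API or the prompt is dismissed. The IdP config URL, client ID, `#sign-in` element, and `/session` and `/login` paths are hypothetical; the provider field names follow the FedCM API as shipped in Chrome and may change as the specification evolves.

```javascript
// Added example: relying-party (RP) side of a FedCM sign-in, with fallback.
const IDP_CONFIG_URL = "https://idp.example/fedcm.json"; // hypothetical IdP
const RP_CLIENT_ID = "rp-client-123"; // hypothetical ID the IdP issued to this RP

// True only when the browser exposes FedCM; `env` is `window` in a page.
function fedcmSupported(env) {
  return Boolean(env && "IdentityCredential" in env &&
    env.navigator && env.navigator.credentials);
}

// Random per-request nonce, generated client-side here for brevity; an RP
// backend would typically issue it and check that the IdP's token echoes it.
function makeNonce(cryptoImpl) {
  const bytes = new Uint8Array(16);
  cryptoImpl.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// The browser, not the RP, shows the account chooser and contacts the IdP.
async function signInWithFedCM(env, nonce) {
  if (!fedcmSupported(env)) return { status: "unsupported" };
  try {
    const cred = await env.navigator.credentials.get({
      identity: {
        providers: [{ configURL: IDP_CONFIG_URL, clientId: RP_CLIENT_ID, nonce }],
      },
    });
    if (!cred || !cred.token) return { status: "declined" };
    return { status: "ok", token: cred.token, nonce };
  } catch (err) {
    // Dismissed prompt, no signed-in IdP account, or an IdP error.
    return { status: "declined", reason: err.name };
  }
}

// Call FedCM only from the sign-in click, never on page load.
if (typeof document !== "undefined") {
  document.querySelector("#sign-in")?.addEventListener("click", async () => {
    const result = await signInWithFedCM(window, makeNonce(crypto));
    if (result.status === "ok") {
      // The RP backend verifies the token before creating a session.
      await fetch("/session", { method: "POST", body: JSON.stringify(result) });
    } else {
      location.assign("/login"); // hypothetical redirect-based login
    }
  });
}
```

Every non-`ok` status takes the same fallback path, so a browser without FedCM and a user who dismisses the prompt both still reach a working login.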

Again, though, it’s not that easy. The FedCM developers must find a way to support some conflicting goals. For example:

Both statements reflect use cases that are 100% valid. There’s a reason this problem hasn’t been solved yet.

Other Initiatives

FedCM is just the tip of the iceberg. Google, Apple, Mozilla, and others are all innovating under the W3C’s umbrella, working together towards a more private web. These initiatives are reshaping our online experience. Some of their work focuses on enabling ethically targeted advertising (that’s happening in the Private Advertising Technology Community Group). The Privacy Community Group, on the other hand, has more than a few efforts in incubation, including one that’s focused on link decoration, known there as navigation-based tracking.

Each browser vendor also has their own internal projects that influence (and are influenced by) what’s happening in the W3C. Google’s Privacy Sandbox is the most public of these efforts and describes various tools they’re building to create a more privacy-preserving web experience.

Coming back to third-party cookies, a major milestone is approaching. In Q1 2024, Google begins turning off third-party cookies for 1% of Chrome users. This test run is critical for their long-term privacy strategy. They are years behind Apple, a company that turned off third-party cookies in 2017 for Safari users. Firefox turned off third-party cookies by default in April 2023. Any changes Google makes, though, impact far more people. The Chrome browser has, far and away, the largest market share of desktop browsers. They are also part of a much larger company, Alphabet, which still has several products that require third-party cookies to be available.

Real-world Impacts and Preparations 

This shift on Google’s part to turn off third-party cookies by default for just a tiny fraction of their users might seem minor, but its implications are vast. Organizations must prepare for potential challenges and educate their people on these evolving technologies. Support desks already know to check a browser’s settings, but not everyone can or will call support. Companies should start turning third-party cookies off by default now so they can develop their plans for adapting to the changes, including testing out FedCM.

Proactive Organizational Strategies

It’s time for businesses that aren’t browser vendors to be proactive in helping the web develop. Develop strategies, train your teams, and help define the solutions. It’s not just about reacting; it’s about being prepared for a new era of the web. I’ve had this conversation with individuals representing dozens of organizations in the last three years, and the biggest challenge is the executives who are entirely focused on their bottom line. And I get that. These executives want to know what to do and when to do it. Until they have answers to those questions, they are not inclined to assign resources to help other organizations figure out solutions.

But if these organizations want to make sure the web works the way they need it to, they need to invest in that bit of speculation. They need to assign people to test the proposed APIs and offer constructive feedback on how the code might be changed to suit their use cases.

Viewer Engagement and Further Learning 

Eager to learn more about upcoming browser changes or get involved? There are links in the show notes to where the work is happening and how you can find out more. Your participation can influence the future of web privacy.

Wrap Up

We’ve covered a lot today, from the W3C’s vital role to the specifics of FedCM and beyond. Remember, these changes are shaping a safer, more private web for us all. Stay curious, stay informed. If you have questions, go ask Heatherbot on my website at https://sphericalcowconsulting.com

Don’t forget to like, subscribe, and share your thoughts!
