Improving privacy and security on the web

May 7th, 2019

In 2008, we launched Chrome with the goal of building a speedy, simple, secure and stable web for everyone, everywhere. Ten years later, user experience is still at the core of everything we do.
We’ve received consistent feedback from our users about the importance of transparency, choice and control when it comes to data privacy on the web. That’s why today, at Google I/O, we announced our plans to update how cookies are handled by Chrome.

Cookies and privacy

Cookies play an important part in the web experience today: they are used to keep you logged into email, save shipping addresses on a retail site, and remember your preferences on the websites you’ve visited. They can also be used to track your browsing activity across the web to serve personalized content and ads.

Unfortunately, to browsers, all of these different types of cookies look the same, which makes it difficult to tell how each cookie is being used — limiting the usefulness of cookie controls. For instance, when you clear all of your cookies, you’re logged out of all sites and your online preferences are reset. Because of this, blunt solutions that block all cookies can significantly degrade the simple web experience that you know today, while heuristic-based approaches—where the browser guesses at a cookie’s purpose—make the web unpredictable for developers.

Improving cookie controls in Chrome

We announced at I/O that we will be updating Chrome to provide users with more transparency about how sites are using cookies, as well as simpler controls for cross-site cookies. We will preview these new features later this year.

We are making a number of upcoming changes to Chrome to enable these features, starting with modifying how cookies work so that developers need to explicitly specify which cookies are allowed to work across websites — and could be used to track users. The mechanism we use builds on the web’s SameSite cookie attribute, and you can find the technical details on web.dev.

In the coming months, Chrome will require developers to use this mechanism to access their cookies across sites. This change will enable users to clear all such cookies while leaving single domain cookies unaffected, preserving user logins and settings. It will also enable browsers to provide clear information about which sites are setting these cookies, so users can make informed choices about how their data is used.

This change also has a significant security benefit for users, protecting cookies from cross-site injection and data disclosure attacks like Spectre and CSRF by default. We also announced our plan to eventually limit cross-site cookies to HTTPS connections, providing additional important privacy protections for our users.

Developers can start to test their sites and see how these changes will affect behavior in the latest developer build of Chrome.
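
An added example, not code from this post or from Chrome: a small Node.js audit of `Set-Cookie` headers under the model described above, where a cookie works across sites only if the site says so explicitly. It assumes the SameSite attribute's standard values (`Strict`, `Lax`, `None`), with `None` as the explicit cross-site declaration and a missing attribute treated as `Lax`; the post defers those details to web.dev, and the header strings below are constructed samples.

```javascript
// Audit Set-Cookie header values: which cookies would still be sent cross-site?
// Assumption (SameSite's defined values, not spelled out in the post):
// "None" is the explicit cross-site opt-in; missing/unknown values act as "Lax".

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "samesite") cookie.sameSite = v.toLowerCase();
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  const declared = ["strict", "lax", "none"].includes(c.sameSite) ? c.sameSite : null;
  const effective = declared ?? "lax";
  const crossSite = effective === "none";
  const findings = [];
  if (!declared) {
    findings.push("no valid SameSite attribute: treated as same-site only");
  }
  if (crossSite && !c.secure) {
    // The post announces a plan to limit cross-site cookies to HTTPS connections.
    findings.push("cross-site cookie without Secure: add Secure and serve over HTTPS");
  }
  return { name: c.name, effective, crossSite, findings };
}

function audit(headers) {
  return headers.map(classify);
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",          // login cookie, no SameSite
  "widget_id=42; SameSite=None; Secure",       // embedded widget, declared cross-site
  "ad_pref=7; SameSite=None",                  // declared cross-site, missing Secure
  "csrf=tok=en; SameSite=Strict; Secure",      // value containing '='
];

for (const r of audit(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.effective}, cross-site=${r.crossSite}`, r.findings);
}
```

Cookies reported with `cross-site=true` are the ones a user could clear separately from single-domain cookies under the controls described above.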

Protections against fingerprinting

Making changes to how the browser treats cookies requires us to consider the broader web ecosystem. Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as ‘fingerprinting,’ rely on various techniques to examine what makes a given user’s browser unique.

Because fingerprinting is neither transparent nor under the user’s control, it results in tracking that doesn’t respect user choice. This is why Chrome plans to more aggressively restrict fingerprinting across the web. One way in which we’ll be doing this is reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen.

Continuing to build a better web

We believe these changes will help improve user privacy and security on the web — but we know that it will take time. We also recognize that both cross-site cookies and fingerprinting have uses other than tracking. We’re committed to working with the web ecosystem to understand how Chrome can continue to support these positive use cases and to build a better web.

We launched Chrome ten years ago with the objective of building a better web and improving the user experience. While our browser has evolved since 2008, our objective remains the same.

Ben Galbraith – Director, Chrome Product Management
Justin Schuh – Director, Chrome Engineering