Browser Fingerprinting Has Made the Cookie Wars Irrelevant

The years of argument about third-party cookies — Google’s deprecation timeline, the privacy advocates, the ad industry’s resistance — have always had a slightly unreal quality to me, because the underlying tracking capability that cookies enabled was already being replicated by other means before the cookie conversation started.

Browser fingerprinting is the main one. Your browser, in the course of normal operation, exposes enough information to identify you with high reliability: the combination of your browser version, operating system, screen resolution, installed fonts, timezone, language settings, hardware capabilities reported through WebGL and Canvas, and dozens of other signals produces a fingerprint that is, in practice, unique for most users. Unlike a cookie, it requires no storage on your device and leaves no trace you can delete. You can’t opt out of it in any meaningful way using standard browser controls.

The techniques are well documented and have been for years. The Electronic Frontier Foundation’s Cover Your Tracks tool will show you your fingerprint and how unique it is. For most users on most browsers, the answer is: very unique.

The practical implication is that the privacy gains from blocking third-party cookies are real but limited. The tracking infrastructure that uses fingerprinting — and that uses first-party cookies set on third-party domains through redirect chains, and that uses device graph matching across logged-in services — doesn’t need third-party cookies to function. Deprecating them raises the cost of tracking slightly and changes which companies can do it effectively, but it doesn’t change the underlying dynamic.

This isn’t an argument for fatalism. Tor Browser and Firefox with the right configuration do meaningfully reduce fingerprinting surface. The point is that single-mechanism solutions to a multi-mechanism problem tend to shift the problem rather than solve it.
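To make the uniqueness claim and the effect of a hardened configuration concrete, here is an added example (not code from this post or from any browser project). It measures how identifying a combination of exposed attributes is across a small constructed population, then measures again after a hypothetical uniformity policy; the records, attribute names and rounding steps are all assumptions.

```javascript
// Constructed sample: what eight browsers expose. Values are illustrative, not measured.
const population = [
  { ua: "Firefox 128 / Windows", w: 1920, h: 1080, tz: "Europe/Berlin", lang: "de-DE", fonts: 212 },
  { ua: "Firefox 128 / Windows", w: 1920, h: 1080, tz: "Europe/Paris", lang: "fr-FR", fonts: 198 },
  { ua: "Firefox 128 / Windows", w: 1936, h: 1096, tz: "America/New_York", lang: "en-US", fonts: 240 },
  { ua: "Firefox 128 / Windows", w: 1366, h: 768, tz: "Asia/Tokyo", lang: "ja-JP", fonts: 175 },
  { ua: "Firefox 128 / Linux", w: 1920, h: 1200, tz: "Europe/Berlin", lang: "en-GB", fonts: 90 },
  { ua: "Firefox 128 / Linux", w: 2560, h: 1440, tz: "UTC", lang: "en-US", fonts: 88 },
  { ua: "Firefox 128 / macOS", w: 1440, h: 900, tz: "America/Chicago", lang: "en-US", fonts: 310 },
  { ua: "Firefox 128 / macOS", w: 1512, h: 982, tz: "Europe/London", lang: "en-GB", fonts: 305 },
];

const ATTRS = ["ua", "w", "h", "tz", "lang", "fonts"];

// A fingerprint is just the tuple of exposed values; nothing is stored on the device.
function fingerprint(rec) {
  return ATTRS.map((a) => rec[a]).join("|");
}

// Group the population into anonymity sets and measure how identifying the tuple is.
function measure(pop) {
  const sets = new Map();
  for (const rec of pop) {
    const key = fingerprint(rec);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  let unique = 0;
  let bits = 0;
  for (const k of sets.values()) {
    if (k === 1) unique += 1; // a set of one means that user is singled out
    bits += (k / pop.length) * Math.log2(pop.length / k); // Shannon entropy in bits
  }
  return { uniqueFraction: unique / pop.length, entropyBits: bits, sets: sets.size };
}

// Hypothetical uniformity policy (an assumption): every browser reports the same
// timezone, language and font set, and window size is rounded down to coarse steps.
function normalize(rec) {
  return {
    ua: rec.ua, // OS and browser family remain visible in this model
    w: Math.floor(rec.w / 200) * 200,
    h: Math.floor(rec.h / 100) * 100,
    tz: "UTC", lang: "en-US", fonts: 0,
  };
}

console.log("default:", measure(population));
console.log("normalized:", measure(population.map(normalize)));
```

In this sample every default configuration is unique, while the normalized one leaves three of eight users singled out: a real reduction, with the residue coming from attributes the policy does not flatten.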
