The Cookiepocolypse will end privacy on the web

Cookies’ days are numbered. Ignored by users, blocked by browsers, disliked by regulators. How will websites track users once the cookie has crumbled?

Almost every website you visit drops cookies onto your device so that your behaviour on the website can be tracked and analysed. Cookies enable the website analytics software to identify you, not by name but by IP address which on the internet is as good (better, in fact) as a name. Which pages you visit, how long you were on them, the buttons you click, all of it is tracked. Those cookies remain on your device after you leave the website so that ads can be served to you on other sites in an attempt to get you to return. Many people consider the way cookies are used to be an invasion of privacy, and this is leading to cookies no longer being a viable option for website analytics.

Under the Privacy and Electronic Communications Regulations, which are enforced by the ICO, websites are supposed to allow users to choose whether they accept cookies or not, and adhere to that choice. In fact, the majority of websites completely ignore the cookie selection made by their users and drop tracking cookies regardless of users clicking the accept button. They do this for a combination of reasons including the ICO not enforcing the regulation, technology from before the law came into force that hasn’t been replaced, and knowing that it’s the only way to track sufficient numbers of visitors.

Website visitors ignore the cookie banner. Only 11% of website visitors accept cookies. This means that any organisation that wishes to comply with the regulations, or treat its visitors with some respect and give them the choice of whether to be tracked, is going to find it impossible to understand user behaviour using cookies. That doesn’t sound like it should be a tough choice; adhering to the regulations and treating users with respect versus being able to report on website metrics, but people have different priorities.

And browsers are blocking cookies. Firefox blocks third-party tracking cookies and cryptomining by default and Google is to ‘phase out’ third-party cookies in Chrome, but not for two years. This move by the browser companies is being talked about as achieving privacy for users, which might be the case for Firefox, but it isn’t for Google.

Regulators don’t like cookies, website visitors don’t like cookies, tech giants don’t like cookies, and in a sense, I think all for the same reason; they don’t have any control over them. Anyway, all of this means that using cookies as a technology for tracking users on a website doesn’t have a future. If your business relies on cookie technology to serve ads and bring customers to your website, you might be worried. If you are a media buying agency that offers advertising services, you might be worried. If you are a major provider of online ads and make billions of dollars a year from advertising, you might be worried. No longer using cookies to track users is going to have considerable impact on businesses and how every user experiences the web. This is why it has been called the cookiepocolypse.

Of course, humans have ingenuity. They find ways around these kinds of problems. 

Visit the New York Times website in a desktop browser and you’ll be presented with a cookie acceptance banner. Visit the New York Times website in a mobile browser and you’ll be asked to log in using your Google account. Signing in to a website replaces the need for anonymous tracking using cookies; now the website knows who you are and can track the usage associated with your account. The sign-in was so easy, just a click of a button, you barely even noticed doing it. You didn’t set up an account in an explicit and obvious way as you might on other websites, but you now have an account with this website.

We’re seeing it now, but in the future we will see far more websites force users to sign-in before they can read content on the site. It offers them a solution to be able to track users more than they currently can and without the need for third-party tracking cookies. 

This will have two major impacts on the web as we know it: Google will get more data about what we do on the internet, and websites will have to get much better at providing value. 

Google already knows loads about what you do on the internet and on your mobile if you have an Android phone. If you don’t believe me go to My Activity and log in to your Google account (of course). The reason Google knows so much about you is because you’re logged into your Google account for so many of the activities you do on the web. As you go from Google search results into a website that isn’t owned by Google, Google hopes that they can continue to track you with Google Analytics, which uses cookies dropped on your device by that website. That’s an imperfect way to track users because cookies are non-proprietary technology, which means other companies can also use cookies to track users, and that’s a problem for Google: no market dominance.

That’s why Chrome isn’t going to start blocking cookies for two years (around 2022), to give Google time to build up its capabilities in social login and convince businesses to use it to power Google Analytics. Google is in the business of tracking and understanding users. They don’t want internet usage to be private, they want it only available to them. They are using the end of cookies to drive users to log in to websites using their Google account so that they can track their usage in third-party websites on an individual level as they do with their own websites.

Once websites have got used to, and got their users used to, using social logins, those that want to monetise their site will turn that login into a paywall where payment is taken via the user’s Google Pay account, which of course Google will take a cut of, creating a new revenue stream for them.

The other impact is going to be on the websites that implement login to their site, whether it is enabled by Google or any other provider. These websites will become subject to the economics of information goods. They’ll need to be able to communicate the value of the content before they reveal it to their users, just as you can’t read an ebook until after you’ve bought it. Once users have accessed the webpage that information will become non-excludable, meaning that even though it’s behind a login or paywall, we should expect that other businesses will offer better ways for users to access it. 

Take my website for example, the one you’re reading this on. If you had to create an account before you could read this, would you really have bothered? All that extra time and effort, and more of your data going who knows where, just so you can read the ramblings of someone who late one night convinced himself he’d reached a sufficiently insightful understanding of how websites will track users when they can’t use cookies that he decided to write a blog post about it. Let’s be honest, we’re both surprised you’ve got this far.

If you run a charity website (which is my particular area of interest) there are some things you could try (I say try because there are no tried-and-tested solutions so these need to be viewed as experiments) as the Cookiepocolypse takes away your ability to track users.

  1. Stop tracking users – Visitors to your website will have a slightly nicer experience because they won’t have another cookie banner to click, and you might be able to get some good PR from taking a stance of putting your users’ privacy ahead of the organisation’s need to track and report. There are lots of other ways to understand the experience visitors have of a website, including user research groups and surveys, which will provide a much deeper understanding than some unreliable analytics data.
  2. Only track those that allow it – If you are still tied to using cookies, and you’re going to adhere to the choices your visitors make, but you want to try to increase the number of people that allow themselves to be tracked on your website, then try turning tracking into a way to support the charity. Change the messaging on the cookie banner to something like, ‘We’d like to track your visit to our website today because it helps us show our funders that people need the work we do’ (good luck with the legal team). Push the message that users’ data has value and that they can do good things with it.
  3. Create such high value that users will want to log in – Make the login super easy (not a lengthy sign-up form to try to collect lots of information) and have tough discussions about the ethics of using social logins vs a means within your control, and then make it worth their while. Decide whether there are some parts of the site that don’t really need to be tracked and so can be outside the login-wall, and then work really hard to make sure that everything behind the login, whether it’s content to read or a service to be accessed, is worth so much more to them than having to log in (and it won’t be every time they visit because those essential cookies will be used for what they were intended for).
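
Option 2 only holds up if the site can show that nothing non-essential is set unless the visitor has accepted. The check below is an added example, not part of the original post: it audits the Set-Cookie headers from one page load against the consent choice. The essential-cookie allowlist, the cookie names and the three consent states are assumptions made for illustration.

```javascript
// Added example: audit the cookies a page load set against the visitor's consent choice.
// ESSENTIAL_COOKIES is a hypothetical, site-defined allowlist; all cookie names are constructed.
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Parse one Set-Cookie header value into { name, value, attrs } (attribute keys lower-cased).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // no cookie name: treat as malformed
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1).trim(), attrs };
}

// A Set-Cookie with Max-Age <= 0 or an Expires date in the past deletes the cookie.
// Max-Age takes precedence over Expires when both are present.
function isDeletion(cookie, now) {
  if (typeof cookie.attrs["max-age"] === "string") {
    const maxAge = Number.parseInt(cookie.attrs["max-age"], 10);
    if (!Number.isNaN(maxAge)) return maxAge <= 0;
  }
  if (typeof cookie.attrs["expires"] === "string") {
    const t = Date.parse(cookie.attrs["expires"]);
    if (!Number.isNaN(t)) return t <= now;
  }
  return false;
}

// consent is "accepted", "rejected" or "none" (banner not answered yet).
// Non-essential cookies are allowed only after an explicit "accepted".
function auditCookies(setCookieHeaders, consent, now = Date.now()) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (cookie === null) {
      findings.push({ name: null, reason: "malformed Set-Cookie header" });
      continue;
    }
    if (ESSENTIAL_COOKIES.has(cookie.name)) continue;
    if (isDeletion(cookie, now)) continue; // clearing a tracker honours the choice
    if (consent !== "accepted") {
      const persistent = "max-age" in cookie.attrs || "expires" in cookie.attrs;
      findings.push({
        name: cookie.name,
        reason: `non-essential cookie set with consent="${consent}"`,
        persistent,
      });
    }
  }
  return findings;
}

// Constructed sample: headers captured from one page load after the visitor clicked "reject".
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_analytics_id=constructed.1234; Max-Age=63072000; Path=/",
  "ad_track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.ads.example",
  "old_tracker=; Max-Age=0; Path=/",
];

console.log(auditCookies(SAMPLE_HEADERS, "rejected"));
```

Run against headers captured in each consent state, an empty result for "rejected" and "none" is the evidence that the banner choice is actually being honoured.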

Weeknotes #199

This week I did some stuff…

Online mentoring

I’ve been working on how we can use Microsoft Teams to facilitate online mentoring. Fundamentally, Teams is built as an enterprise collaboration platform with certain assumptions built-in, things such as everyone in the organisation knowing who each other is, which don’t always meet the needs of mentoring where safeguarding and privacy are really important. Our challenge is that Teams is the tool we have, and we won’t let not having the right tool stop us from enabling mentors to support young people, so we have to find ways to make it work.

One of the things I like about my role is that I get to do a lot of zooming-in and zooming-out, so I move my thinking from almost philosophical ponderings about the value young people get from one-to-one mentoring to the technical details of how Teams handles permissions for certain types of users, and the organisational stance on safeguarding and the volunteers’ experience of using Teams in between. I think finding the best solution to a problem comes from being able to hold all those different and sometimes conflicting perspectives and figuring out which parts trade-off against which other parts.

Teachers using Teams

Microsoft wants to get Teams into 27,000 schools across the UK. Lots of people don’t like MS Teams, and it certainly has its product peculiarities, especially if you are used to ‘one-product-one-function’ approach like using Slack for messaging, but Teams is a far more complex product, and I wonder if the hate comes from not taking the time to learn how it works and how to use it. I’m sure this is something all those teachers will go through as more schools introduce Teams.

If the schools had good IT people to teach the teachers, or if Microsoft provided really good onboarding, then Teams would make a huge impact on digitising schools, but I worry that it’ll come up against the same old problem of expecting the tech to solve/change everything and not do enough for the people using the tech. When Teams is used as part of an ecosystem with other MS products it could take a huge chunk of what schools do onto the internet. Teams and Sharepoint could be a far more effective intranet than lots of companies have. Timetables could be managed in Shifts. All school work could be done within documents in Teams, allowing teachers to provide fast feedback and students to iterate on their work. Lessons delivered via video could be recorded so that students can watch them again later if they missed anything or were absent. Chat between students and teachers would be secure and monitored for safeguarding issues. There are so many benefits schools could get from Teams and I can see a future of education where location is irrelevant and rather than attending a school because they live near it, students will attend ‘the school’ because it will be the one and only online education platform.

Anyway, back to real life. We’re using Sharepoint to build a content repository for teachers working with young people outside of mainstream education. Sharepoint can be used to produce some quite interesting public facing websites, but the question of whether Teams is the right frontend is an interesting one. On one hand, if teachers are using Teams in their school then they will be familiar with how it works and can switch accounts to access our content easily. On the other hand, it doesn’t look like a marketable product and something that will encourage adoption, especially if teachers have had a bad experience with their Teams. So, as with so many product decisions, deciding what to make trade-offs between is part of the challenge.

Cookies

I’ve become a bit obsessed with cookies (the website tracking files, not the confectionery) and how websites handle them. GDPR and the ICO say users should be given the choice about whether to accept non-essential cookies (those used for analytics, advertising, etc.) but the vast majority of websites don’t do this. I think it’s an interesting moral choice; should you respect your visitors enough to not track them without their permission, or as you own the website should you be able to implement things that work for your business objectives? 

It makes me think back to my old ‘hierarchy of compliance’ that says comply with laws first, e.g. GDPR, then industry specific regulations e.g. PCI-DSS, then your organisation’s policies, e.g. security, then your organisation’s procedures and practices. Should morals be first and above laws, or do they belong alongside every layer?

Browsers don’t differentiate between essential and non-essential cookies. If you block them all, some stuff on the site won’t work, and then you have to allow all cookies again. Browser controls are too blunt a tool. When Chrome shows that cookies are blocked on a page it uses a red square with an X in it, the universal sign for something bad or wrong. Interesting, but not surprising that Chrome tries to signal to us that blocking cookies is bad given Google’s advertising business model.

But the Cookiepocalypse is coming. Before too long cookies won’t be a means of tracking users on a website. Some browsers block third-party cookies by default already. And Google looks like it’ll follow suit in time, but probably not before they’ve introduced a means to track users without cookies and so lock-in websites to using Google Analytics.

There’s so much to those little cookies, if I get time I’d like to write up all the stuff I’ve learned.

User Guides

I wrote some more for my Whiteboard product user guide, and tested how formatting in Google Docs renders as an ePub file. I’m keen to make my little shop of user guides the next project I put my time into after I’ve finished this term for my masters.

I’ve also started thinking about how this might evolve into online courses for using products more effectively, and how a course could be delivered by email, perhaps with a button in the email that triggers the next part of the course so that learners can control their own pace.

And studied some stuff…

Reinforcing business design decisions

An effective business model is made up of “business design choices that reinforce one another” (Osterwalder, 2005). This week’s lecture was about business models. Something that lots of people talk about and very few can explain. I like Osterwalder’s definition. It helps us understand that a business model isn’t a finished, discrete thing that exists ‘over there’, but actually is made up of lots of choices that in order to be successful need to reinforce each other. Lots of organisations, that probably don’t do enough business model thinking, seem to make choices that have them competing internally or one department requiring a level of support from another department that they don’t have the skills or people to do. A business with a good business model makes choices that makes the parts work together.

There are no rational agents

I listened to the recording of last week’s lecture about the nature of digital goods. It was about the nature of different types of goods and how defining them along the lines of excludability and rivalrousness leads to four types of goods: Private, which are things that a person can own and so prevent another from using and can only be used by one person at a time, e.g. a car; Public, such as street lighting which anyone can use and using it doesn’t stop anyone else from using it; Common-pool resources, which anyone can use but if they do, that prevents anyone else from using them; and Club goods, like television which requires particular access and you watching a show doesn’t prevent anyone else from also watching it. It’s a bit of a revelation to me to think about the model for providing a product or service being driven at the micro level from the nature of the goods themselves and not from the macro level of whether the government or the commercial sector should provide it. Internet access (see Cassie’s tweet below) is an interesting example of this. Currently my access to the internet is somewhere between a private good and a club good, because I can prevent anyone else from using it, and has some technical limitations on how many people can all use it at the same time. To shift internet access to being a public good would require tackling the technical limitations that then mean everyone could access the internet and no one accessing it prevents anyone else from accessing.

As lectures this term have been digital, starting as video meetings with the lecturer presenting the slides and moving to recorded lectures for pre-watching and then group exercises and discussions over video calls, it has made me consider the format of lectures as a means of providing information. I got a lot more out of listening to the recording of the lecture and listening live, perhaps because the lecturer was more focused. Lectures often seem to have tensions between providing information because it’s part of the curriculum, providing some context and real-life examples to aid with learning, but not biasing the content. I have to sometimes remind myself not to get lost in exploring ideas.

The economics says that Public Goods shouldn’t work because a rational agent should free ride as they get all the benefits without any of the costs, but people aren’t rational agents, they are social creatures, which is why we have Public Goods paid for indirectly through taxes.

Bigger and better

Worked on my analysis of Shopify’s business model, digital product offering and pricing strategy. Shopify announced its partnership with Facebook and their stock price jumped up. I saw a tweet that said investing in Shopify after their IPO would have given you better returns than investing when they were at Series A funding, which is usually not the way those things work, and perhaps shows . Anyway, it’s been interesting to work on something that feels so ‘now’ but still uses economic thinking from the seventies.

And thought about a few things…

The business of charity 

Over the years there have been a few occurrences of business people thinking they can apply business thinking and techniques to make charities work more efficiently. It never works because charities are obviously different to businesses in lots of ways. Having been thinking about the nature of economic goods I wondered whether part of the reason for this misunderstanding is that the nature of the services charities provide are excludable and rival, like many commercial services. Being excludable means the services provided by a charity aren’t available equally to everyone, and being rivalrous means that if the service is already being used by someone it can’t be used by anyone else.

In contrast, a service that is non-excludable and non-rivalrous (the classic examples are lighthouses and streetlights) can be used openly by anyone regardless of whether anyone else is also using it. So I started thinking about how charity services could be public goods. The closest example I could think of was Citizens Advice, whose services are available to anyone via their website. They came from, and still have a rivalrous & excludable aspect in the face-to-face advice sessions that they provide, and I’m not suggesting that any charity should get rid of the face-to-face work they do if it’s meeting a need, but most service delivery charities haven’t figured out how to make the shift, and arguably because most charities tackle issues that affect a small segment of society, but it’s interesting to think about the thinking of how they would scale services as public goods if they need to.

New news

I’ve got into email newsletters lately. Email, and so email newsletters, seem to be making a comeback. The idea that web messaging was going to kill email didn’t happen, instead email evolved, and I think for the better. I’ve mentioned before the trend of emails becoming more like an editable document that passes between people, so that’s one trend of improvement. The other trend is in improving how people use email, something hey.com is working on solving. And then the third trend is in the quality of content that utilises email’s unique features. Emails aren’t limited in size like a tweet, and can either contain all the content for the reader or links to more content. They can be read at a time that suits you and are easier to find later if you want to go back to something interesting.

Email newsletters are also a great means of building an audience as even if you took a no-tracking approach you’d still know how many people are signed up to receive your newsletter. If email could solve the problem of being able to select which content you want to read before you get it (usually informational products problem) then I would definitely rather have the ‘our content/thoughts/opinions sent to me’ approach rather than ‘we put our content on our website and expect you to find it if you search hard enough’. Also, an idea for a product, imagine getting search results by email rather than websites. Describe in greater detail what you are actually looking for and get a high-quality curated list of links emailed to you for you to read at any time. That’s pretty much how I search for things, it’s just that I do the work of copy-and-pasting into my notes.

And some people tweeted…

Internet for everyone 

Cassie Robinson tweeted, “Digital infrastructure should be considered a vital 21st century public good “We need to build a digital landscape that provides world-class connection to all, is sustainable, privacy-enhancing, rights-preserving, innovative & democratic by design.” Having studied public, private & club goods, and common-pool resources, it makes sense to me that access to the internet should be a public good (in the economic sense) that is available to everyone. If Raymond Coase was right when he wrote The Lighthouse Economics then existing purely for the good of society is enough of a justification for making a good public, and it would be hard to argue that internet access isn’t good for everyone. 

Limiting meetings in progress 

Woody Zuill tweeted “Heuristic: If you spend “too much time in meetings”, it is likely that you have too much work in process. Limit WIP for a week and see how it affects your meeting time. Adjust accordingly.” ~@duarte_vasco

One of the replies to the tweet was about how many problems vanish when work in progress is reduced. I think this is because it reduces complexity across the whole system of work rather than just allowing individuals to focus more.

Fluid office 

The Verge tweeted “Microsoft’s new Fluid Office document is Google Docs on steroids”. Microsoft is getting into blocks in a similar way to tools like Notion, where a document (if there will even be such a discrete object in the future of work tools) is made up of lots of blocks from different sources that pull content and functionality into the ‘document’ you are working on.

I think it’s another step in the journey of information moving from being centralised to being decentralised and distributed in an internet-y way, and the next step will be in how content is made discoverable to pull into a document, so the author doesn’t have to write original content that becomes locked into the document if someone else has already written it or the data is already available. Rather than having to go and find last year’s sales data and create a chart to then create an image to be embedded in the document, you would import the live data into the document and the chart would be up-to-date in real time.