We removed advertising cookies, here's what happened (blog.sentry.io)
Similarly, visiting https://try.sentry-demo.com I got cookies "sentrysid", "sc", and "sudo".
I also got a player.vimeo.com cookie at some point, but wasn't able to reproduce.
If you're running a complex modern site and decide to do away with cookie banners, you generally need to pair this with browser automation that crawls your site and verifies that you (and your dependencies) are in fact not setting any cookies.
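The verification step described above, as an added example that is not code from the Sentry post or from this thread: once a crawler (a headless browser, or anything that records response headers) has collected the `Set-Cookie` headers a site and its dependencies emit, the remaining work is classifying them. This script does that classification against an allow-list of the cookies the site owner considers strictly necessary, flagging third-party cookies, cookies not on the list, and allow-listed session cookies that have been given a lifetime beyond the browser session. The crawl log, hostnames, cookie names and the allow-list are all constructed for the example; the fetching side is left out so the script runs offline.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed allow-list of strictly necessary first-party cookies:
# name -> whether the cookie is permitted to persist past the browser session.
ALLOWED = {
    "session": False,     # login/cart session; must be a session cookie
    "csrftoken": False,   # CSRF token bound to the session
}

# Constructed crawl log (page URL, Set-Cookie headers seen in the response);
# hostnames and cookie values are invented for this example.
CRAWL = [
    ("https://www.example.com/",
     ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]),
    ("https://www.example.com/login",
     ["session=def456; Path=/; Max-Age=2592000; HttpOnly; Secure"]),
    ("https://www.example.com/pricing",
     ["_ana_id=GA1.1.1; Max-Age=63072000; Domain=.example.com"]),
    ("https://player.example-cdn.net/video.js",
     ["vuid=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT"]),
]


def parse_set_cookie(header):
    """Return name, scoping domain and persistence for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        return None
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "domain": morsel["domain"].lstrip("."),
        # A cookie carrying Max-Age or Expires outlives the browser session.
        "persistent": bool(morsel["max-age"] or morsel["expires"]),
    }


def in_scope(host, site):
    """True when host is the site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def audit(crawl, allowed, site):
    """Classify every cookie the crawl observed; returns (url, name, reason)
    for each cookie a cookie-free site should not be setting."""
    findings = []
    for url, headers in crawl:
        page_host = urlsplit(url).hostname or ""
        for header in headers:
            ck = parse_set_cookie(header)
            if ck is None:
                continue
            # No Domain attribute means host-only: scoped to the responding host.
            scope = ck["domain"] or page_host
            if not in_scope(scope, site):
                findings.append((url, ck["name"], "third-party cookie"))
            elif ck["name"] not in allowed:
                findings.append((url, ck["name"], "not on the strictly-necessary allow-list"))
            elif ck["persistent"] and not allowed[ck["name"]]:
                findings.append((url, ck["name"], "persists past the browser session"))
    return findings


if __name__ == "__main__":
    for url, name, reason in audit(CRAWL, ALLOWED, "example.com"):
        print(f"{url}: {name}: {reason}")
```

Run it as a job against each fresh crawl and fail the build on any finding; the allow-list then becomes the written record of which cookies the site claims are strictly necessary, which is exactly the list a regulator or privacy review will ask for.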
I don't see why it's necessary that these cookies be set before I actually log into the page? Or, if it is necessary for a non-obvious reason, I don't see why they need to be sent when visiting other pages under sentry.io instead of being scoped to /auth/login/ ?
Correction: any cookies which are not technically required for the basic operation of the site (such as a shopping cart ID).
If I'm a shopping cart website, how do I keep track of you as a user/session enough to identify you and pair you to the contents of your cart on my backend without a cookie?
Cramming a sessionId into localStorage/sessionStorage seems kind of like the same thing? Am I missing something?
It's not about cookies, it's about their content and purpose.
While the GDPR has added additional restrictions, the basic framework is still in force: you can't store information client-side (cookies, localStorage etc) unless (a) it is "strictly necessary" to fulfill a user request or (b) you get user consent. All the cookies above look to me like they don't meet that bar; the site seems to still fulfill my requests with cookies disabled.
(Not a lawyer.)
It looks like this mostly happens because they lose the conversion signaling which is the most important input to their bidding model, making them pay for 4x as many impressions which still only convert to 1/10th the sales.
Is this the experience that all Google AdWords customers will be waking up to later in 2024? It sounds like Sentry is being pro-active and getting ahead of the curve, and not just cutting their advertising performance for purely benevolent anti-tracking reasons.
When this happened to FB they lost tens of billions of dollars. Will the impact to Google be even greater? If there’s anything that could truly disrupt Google, destroying AdWords ROI has got to be their #1 existential risk.
It’s not like their search experience is even that decent anymore. It would make me quite happy to see Google peak as a company due to internet privacy initiatives winning out over invasive corporate panopticons.
https://gizmodo.com/google-chrome-users-worth-less-money-coo...
Given how many people I know that still type google into the google search bar, I find this number to be extraordinarily high.
I think it's entirely fair that someone track me on their own web property, or within their own application. Cross-site tracking is not wonderful, unless it's between a collection of related products from the same product suite. But overall I think it's a huge misstatement to say that people who are against ads are also rabid anti-track-anything people.
Within product tracking is both useful and important for helping companies improve their products. And often it's crucial for security, to detect attacks and the like.
> 42.7% of internet users worldwide (16-64 years old) use ad blocking tools at least once a month
> 27% of American internet users block ads
...I still couldn't find the source for that. I believe it's a "Digital Trends Report" by Hootsuite but couldn't find it.
I think people might be shocked that access to this RCE backdoor is often given to non-technical roles and even outsourced marketing resources. With no controls in place at all.
Security nightmare.
Maybe try reading it, there's a lot of "what happened" in there.
Sounds like I made the right decision based on other comments.
It (probably) could've easily said, in say one to ten words, what actually happened, in the headline, so that I could decide whether I wanted to read into the details or whether it didn't interest me at all.
With the headline being "something happened" and you'll have to read multiple paragraphs before you find out anything at all, I'm immediately put off. I feel like my time is being wasted.
Entice me by describing an interesting outcome in the headline, that I want to read more about, or inform me, in the headline, that it's not an article for me.
Attempting to artificially drive more traffic and eyeballs to an article, by withholding details in the headline of what it is about, is the definition of clickbait in my book.
Then there are paragraphs like this one:
> We decided to rely on ad engagement retargeting (rather than traditional retargeting) on most of our ad channels which isn’t the same, but still gives us a semblance of a funnel. We tailored our ads that are focused on middle of funnel (MOF) and bottom of funnel (BOF) to this engaged audience.
Which for people like me is a big "WAT?" What does that even mean, what are consequences, why didn't they do this earlier? I am aware of "retargeting", which is really what I want companies to stop doing, I don't care if they do it without cookies.
But yes, this isn't for the technical or privacy focused crowd. This is for marketing people, about how they can adjust their workflows when Chrome starts blocking 3rd party cookies.
Apparently the move is already delayed until Q2 2024 (lots of pushback at the office) [1]. However, it's still difficult to believe. Must be an utter nightmare for people who built their entire business stack on cookies.
[1] https://techcrunch.com/2022/07/27/google-delays-move-away-fr...
Performance tanked. Targeting and optimisation dwindled, measurement became directional last click. They still switched to solutions that leverage IP addresses.
As they burned through their marketing budget, they focused on bogus metrics like dwell times and patted each other on the back.
Fun times ahead.
And as marketing is less efficient, higher budgets are required to drive the same results. We can potentially expect to see these costs gradually passed on to the consumers and watch more businesses fail.
> for certain tracking technology like hashed offline passbacks
The hashed offline part probably refers to hashed email or other PII, so that we can exchange data without actually exchanging data.
Is there any way of preventing under/over reporting of how many referrals were sent? Or is that just implicit in having the hashed identifier?
Ooh, they're going after that anti-marketer market. That's a huge market! Look at our research!
https://blog.sentry.io/introducing-the-functional-source-lic...
- Issues you're already having will get worse in 2024
- Cookieless performance marketing is achievable
- You will need all your stakeholders aligned
- You will need to reimagine how you do things
Here's one conclusion I grabbed, randomly:
"we saw around a 30% increase in our cost per click (CPCs) in Google search."
The average HN user thinks marketers (and MBAs) are stupid, and assumes they can master the industry if only they put in a few days' effort.
Maybe you aren't the intended audience?
Is this compliant with GDPR and will it still be possible in the future?
GDPR is about consent, not cookies, storage or anything. If you track a user then you need consents. Nothing about GDPR is tied to cookies. They are just one way to generate and keep PII (a tracking ID).
Now if the UTM only identifies the source (user coming from X, FB, ...) and does not identify or reveal the user then you are probably fine. It should even be fine as a cookie, although there have been talks about storing on a user's device without consent. Not sure about the current exact legal status, so you might want to set it to never persist past the browser close.
It might get a bit more complicated at sign up. You probably would want to disclose that you track and keep this information. But at this point GDPR is active for sure as you have a somehow identifiable user.
Consent is one of six different legal bases for processing personal data. Consent is important, yes, but it's not the be all and end all.
> It should even be fine as a cookie, although there have been talks about storing on a users device without consent
That will require consent, because the use of cookies is regulated not by the GDPR but by a different law (the ePrivacy Directive).
Under the ePrivacy Directive all cookies[0] that aren't strictly necessary to provide the service require consent.
[0] In fact it's even broader than cookies as the law covers storing any information on the user's device, so it includes things like the local storage API and indexed DB.
----
It's fascinating to me how this org (and so many others) are hard at work, day in and day out, basically shovelling garbage into people's faces. They produce absolutely nothing of value (other than, arguably, the parasitic relationship which allows Free Content), but so much money flows through them.
I wonder what effect the exclusion of third party cookies will have on the dark patterns that are so prevalent -- but I doubt it will be much. We may have "free" access to so much information online, but we pay a terrible price as the quality of discourse has devolved into antagonistic feces-flinging in most of the big walled gardens, and the majority of the open forums. It seems only the domain-specific, niche places still maintain a quality noise-to-signal ratio.
I think this is a grey area: I can't find any explicit official guidance on whether using cookies to detect bots fits within the e-Privacy exemptions. (I had thought it didn't but that's not worth much!)
If you want to persist the cart for longer than the current session or a few hours, though, you need consent.
Of course they don't have to be stored, in fact they shouldn't be stored. They are session level naturally so belong in session level cookies not more permanent storage.
Also, while session tokens in cookies are usually fine to be defined as strictly essential for the main site, they are generally not for 3rd party cookies.
> localStorage/sessionStorage seems kind of like the same thing? Am I missing something?
No, those are more often used in equivalent ways to cookies, though they don't do exactly the same job; extra logic is needed if your server-side needs to access the stored information. Cookie values are sent to the web server(s) with every request (except where certain flags are set), whereas data in session/local storage needs to be explicitly read out and sent on in GET or POST parameters when needed.
That would fall on necessary cookies. If my cart is empty, you don't need to know what's in my cart.
Those are worse than cookies for a number of reasons but they are functionally equivalent.
Anyway, there is nothing wrong with cookies in general. Privacy-wise the problem is cookies used for tracking. Any other technology would have the same problems and would need an explicit consent from the user, if you are subject to GDPR and similar legislation.
You can find the full opinion text here https://ec.europa.eu/justice/article-29/documentation/opinio...
LGTM!
FML...
Also GTM can get fucked.
Traditional retargeting is done discriminatory. You visited a site, got enrolled in a list, etc. and they start targeting that. Ad engagement retargeting on the other hand waits until you "engage" with the ad, meaning that you have explicitly showed interest. It's another explicit vs implicit.
I skimmed the whole article, read your posting, and even though I know some of these words, I still have no idea if the decision was hurtful to the business, or if it did not move the needle at all, or if it even was a net positive, all things considered.
It took a while but I finished the article. I don't see much self-gratification in phrases like:
> we saw around a 30% increase in our cost per click (CPCs) in Google search.
Or this:
> This took a TON of back and forth, basically building logic that an out-of-the-box attribution solution already has in SQL, but we finally got to a place where we could salvage around 50% of attribution data.
The self congratulating I saw was
* they decided to try this before it was foisted on them by externalities.
* they worked their asses off to make it work.
* they have a competent BI team.
I don't understand why they also eliminated most first party cookies though. I respect that level of respect for user privacy but it goes beyond my personal expectation for privacy.
That’s why chat GPT is to produce marketing copy that is as good or better than the best ad people can do.
"We at [...] understand that being able to accurately manage [...] while fielding is essential to a successful project."
The entire text was two more sentences and a video. That's just taking the piss. Just say "watch the damn vid." if you really want to add text.
In the early days of the internet, few enough companies wanted to advertise on the internet - advertisers viewed it already as targeted at a certain segment of society - so advertisements were generally very low value i.e. crap. Tracking technology let advertisers know that they could actually find the people they didn't realise were using the internet. But nowadays we all know everyone is on the internet, and we tend to use the same sites regularly, so you could get adequately targeted ads (as a set of eyeballs - not necessarily as an advertiser) just by using the internet.
I'm a software developer so of course 90% of the ads I see on fb are for developer courses and no-code solutions to develop software…
On youtube there's often the "meet east european single women" above the list of suggested videos.
Maybe I'm being dense, but I don't see CSRF risks with a login form?
> once you go to a login page I'm pretty sure you will log in
That seems very reasonable to me, but I don't think it's what the e-Privacy directive says?
(I'm in general very sympathetic, and wish the directive set a lower bar than "strictly necessary" for functional client-side storage.)
All our forms have the same CSRF protection, that goes for login and other things too.
You will have a hard time browsing the web, including this site ;)
No, HN works even js disabled.
I did this experiment a while ago, blocking google in my hosts file. Usually fonts break (arrows, icons), and javascript breaks (reddit and stackoverflow need google ajax jquery to uncollapse collapsed messages).
But in general most of the web is usable.
In theory it should be possible to host fonts and jquery locally, but I wasn't able to manage that.
Unless you always browse with the network inspector open I don't really see how that would be the case.
If the website does not work without something like Google fonts or tag manager or whatever other bloat, it means that it is shoddily made, by an either uninformed or ignorant entity. It probably is illegal according to EU law as well, since I never gave consent to being tracked by third parties. I do not use that website. Browser tab closed.
In the cases in which an external entity forces me to use crap websites, I isolate them in browser profiles and/or container tabs.
In cases in which the content is only available on that website, I can try reader mode. Or try to find some other frontend, like Invidious for YouTube.
So in most cases I can do something to reduce the toxicity of the cocktail that modern web development practices have cooked up for me.
[1] And yeah most of those useful snippets are for tracking, but actually several privacy solutions like cookie management platforms can be held inside a tag manager as well. To me it's still worth it because if I block those CMPs along with GTM it means no banner and no agreeing to any tracking.
You make it sound like we should all be grateful. Like ads are adding value to our lives. They don't. Outside of marketing, nobody cares about ads. We train our cognition to cancel out ads. We avoid them. The only people looking at ads and appreciating them are the ones, like yourself, who find them useful for things nobody asked for. I'd much rather you DON'T track me and --gasp-- DON'T show me an ad either. "But then you'll see worse ads!" Good. I'll ignore those too.
In my lifetime I've probably been shown $10,000 worth of ads on the internet, and I've probably spent $12 on them. Ironic that the only people who think that ads matter are the ones whose job it is to buy them with other people's money. Keep spending your boss's money, and I'll keep wasting it for you.
Anyway like many other humans on the internet, I've been tracked for decades now and somehow the junk thrust on me is still not even close to relevant for my demographic, and it's usually like they don't even know my gender or age group within 20 years. Except of course surely FANG have figured that out, so are they just routinely defrauding people that buy "targeted" ads and throwing them at any random eyeballs they have access to? It sounds paranoid to think that a crime on that scale would exist since it seems hard to pull off or keep quiet, so I guess we just keep listening to self-reported statistics that every dollar spent on ads wins $8 in sales. But... I'm glad it's not my dollar.
Anecdotally, I've noticed that with Reddit's latest addition of allowing users to highlight posts yellow with a "super upvote" that, without thinking about it, my eyes immediately ignore those posts.
We are absolutely trained to ignore ads.
Mate I've already bought the thing, I'm not making a collection, and I'm not buying a $200 ham every other week either, that was a Christmas gift you goof.
It's incredibly hard to tell. For us the goal of eliminating Cookies was important given the stance we have on privacy so everything went from there. The folks working in marketing for sure were not happy with the directive as it makes their job much harder.
But the world is still spinning, even without cookies. That's enough to call this a success.
Heh, that's very much like the old "... and nothing of value was lost" then.
(Spitballing: a standard way to implement CSRF protection with no cookies at all is when you generate the form you include a nonce. Then when the form is submitted you check whether it's a nonce you generated, which you do either by having stored it or generated it by hashing information you've stored. Implemented naively on a login form this would allow the attacker to fetch your page, extract the nonce, and include it in a cross-site request. But you could require it to be from the same IP. Alternatively I think you could fix this by having your login form set a custom header, which then browsers won't allow a cross-site POST for without a CORS preflight which you'd reject. But at this point I'm brainstorming and please don't take any of this very seriously!)
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...
(It's also not clear to me that cookies are required, if there are other technically sound options that do this without setting cookies.)
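The cookieless scheme sketched in the spitballing comment above, written out as an added example (it is not code from the thread or from Sentry): the form carries a stateless nonce that the server can verify by recomputing an HMAC rather than by storing it, and because such a nonce alone does not bind the form to a particular user, the login handler additionally requires a custom request header and a matching `Origin`. The secret key, the nonce lifetime, the site origin, the header name and value, and the request dicts are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for the example: a server-side key (rotate it out of band),
# a nonce lifetime in seconds, the site's own origin and the custom header
# the login page adds to its submission. All constructed.
SECRET = secrets.token_bytes(32)
NONCE_TTL = 600
SITE_ORIGIN = "https://www.example.com"
CUSTOM_HEADER = ("x-requested-with", "login-form")


def _mac(form_id, ts, salt):
    """Authenticate the nonce fields with the server key."""
    msg = f"{form_id}|{ts}|{salt}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_nonce(form_id, now=None):
    """Stateless nonce embedded in the rendered form. The server stores
    nothing: the nonce carries its own issue time and salt under the MAC."""
    ts = int(time.time() if now is None else now)
    salt = secrets.token_hex(8)
    return f"{form_id}.{ts}.{salt}.{_mac(form_id, ts, salt)}"


def nonce_ok(nonce, form_id, now=None):
    """Recompute the MAC (constant-time compare) and enforce the lifetime."""
    parts = nonce.rsplit(".", 3)
    if len(parts) != 4 or parts[0] != form_id or not parts[1].isdigit():
        return False
    _, ts, salt, mac = parts
    if not hmac.compare_digest(mac, _mac(form_id, int(ts), salt)):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= NONCE_TTL


def login_request_allowed(request, now=None):
    """Decide whether a login POST may be processed without any cookie.

    A valid nonce alone is not enough, since anyone can fetch the form and
    read it. The request must therefore also carry a custom header (an HTML
    form cannot add one, and a cross-site fetch/XHR that adds one triggers a
    CORS preflight this server does not approve) and an Origin equal to the
    site's own. This relies on browsers sending Origin on POST requests.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if headers.get("origin") != SITE_ORIGIN:
        return False
    name, value = CUSTOM_HEADER
    if headers.get(name) != value:
        return False
    return nonce_ok(request.get("form", {}).get("csrf_nonce", ""), "login", now)


if __name__ == "__main__":
    nonce = issue_nonce("login")
    request = {"headers": {"Origin": SITE_ORIGIN, "X-Requested-With": "login-form"},
               "form": {"csrf_nonce": nonce, "username": "alice"}}
    print("allowed" if login_request_allowed(request) else "rejected")
```

Two things fall out of this design that the comment hints at: the nonce has to expire (otherwise a harvested one stays valid forever), and the custom-header check is only as strong as the server's CORS policy, since a permissive `Access-Control-Allow-Headers` would approve the preflight the check relies on being refused.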
This allows storing data such as the CSRF token value to check against the one in the hidden form element or X-CSRF-Token without inserting in a DB every time someone loads up a form.
That's how e.g. Rails does it by default:
https://guides.rubyonrails.org/security.html#cross-site-requ...
https://api.rubyonrails.org/classes/ActionController/Request...
Note that to prevent session fixation, the session ought to be reset on a successful login (and logout), so it would require additional code to perform tracking across a successful login.
https://guides.rubyonrails.org/security.html#session-fixatio...
Session cookies are also used for Rails flash messages, commonly used to display errors in forms (including login forms), which often do HTTP redirects to GET routes in their non-GET controller actions.
https://api.rubyonrails.org/classes/ActionDispatch/Flash.htm...
https://api.rubyonrails.org/classes/ActionDispatch/Flash/Req...
https://stackoverflow.com/questions/24877244/rails-is-the-fl...
The underlying subtext is that these session cookies can be a necessity of securing the provided service, and thus can fall under valid "strictly necessary" usage, as long as they are not abused for tracking (by default nothing in the session cookie is stored nor logged anywhere)
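The session-cookie pattern the Rails links above describe, as an added example in plain Python (this is not Rails code and not from the thread): the CSRF token is kept only in the server-side session that the session cookie points at, it is compared in constant time against either the hidden form field or the `X-CSRF-Token` header, nothing is written to a database per form render, and the session is thrown away and recreated on login and logout so a session id fixed before login does not survive it. The in-memory `SessionStore`, the user table with its fixed salt, and the request dicts are constructed for the example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory server-side session store; the key is the value the
    session cookie would carry. Constructed for the example."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


STORE = SessionStore()

# Constructed user table with a salted PBKDF2 hash. A real system uses a
# per-user random salt and a dedicated password-hashing library.
_SALT = b"constructed-salt"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def render_login_form(sid):
    """Return the CSRF token for this session, creating it on first render.
    The token lives in the session only; no database write per form."""
    session = STORE.get(sid)
    if session is None:
        raise KeyError("unknown session id")
    return session.setdefault("csrf_token", secrets.token_urlsafe(32))


def csrf_valid(sid, request):
    """Accept the token from the hidden form field or the X-CSRF-Token header,
    compared in constant time against the one stored in the session."""
    session = STORE.get(sid)
    if session is None or "csrf_token" not in session:
        return False
    supplied = (request.get("form", {}).get("authenticity_token")
                or request.get("headers", {}).get("X-CSRF-Token") or "")
    return hmac.compare_digest(session["csrf_token"], supplied)


def login(sid, request):
    """CSRF check, credential check, then reset the session so an id fixed
    before login is not carried over. Returns the new session id or None."""
    if not csrf_valid(sid, request):
        return None
    form = request.get("form", {})
    stored = USERS.get(form.get("username", ""))
    if stored is None or not hmac.compare_digest(
            stored, _hash_password(form.get("password", ""))):
        return None
    STORE.destroy(sid)
    return STORE.create({"user": form["username"]})


def logout(sid):
    """Same reset on logout: drop the session and start a fresh anonymous one."""
    STORE.destroy(sid)
    return STORE.create()


if __name__ == "__main__":
    anon = STORE.create()
    token = render_login_form(anon)
    authed = login(anon, {"form": {"authenticity_token": token,
                                   "username": "alice",
                                   "password": "correct horse battery staple"}})
    print("session rotated:", authed is not None and authed != anon)
```

Because the session is recreated on login, the token minted for the anonymous session is useless afterwards, which is also why, as the comment notes, tracking a visitor across a successful login takes extra code rather than falling out of the session cookie for free.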
Agreed! But without this guidance we're just stuck guessing what "strictly necessary" means.
- Cookies weren't doing a whole lot for them to begin with, and removing their use had negligible impact.
- The other work their marketing department did to try and compensate for discontinuation of cookie usage interfered with the test, making the results useless for evaluating the value of cookies.
I'm leaning towards the second one based on the response above you.
Laws like ePrivacy in the EU do indeed have specific provisions regarding cookies but e.g. the GDPR is much broader than that and would still apply. How truthful is it that eliminating cookies is motivated by a strong stance on privacy rather than just getting a head start in marketing instead of having to scramble when Google pulls the plug? It doesn't sound like you reduced the tracking and behavioral analysis beyond what was technically unavoidable?
I mean, based on my interactions with marketing people, they often don't really know if much of what they've done has helped the business at all, and the majority of their work (apart from actually creating marketing copy and interacting with customers) seems to revolve around figuring out how to attribute booms in business to their previous campaigns while building plausible deniability for inevitable busts. Don't get me wrong, not ALL of it is completely incomprehensible: email and referrer links are pretty straightforwardly calculable in terms of their impact; but things like "brand awareness" campaigns are nigh impossible to actually gauge the impact of.
But let's not forget that we are all part of a human society. Almost no one's, if anyone's, behavior has no effect on others. By using the Internet like I do, I am also acting in a responsible way regarding my effect on society. We need more people resisting big tech surveillance and daily violation of privacy. I hope some day more of us can look beyond immediate personal benefit.
> "I avoid ads... companies that I don't trust"
> "I feel more comfortable..."
> "...my personal data..."
> "I don't have to sit through..."
> "I get what I came for, then I leave"
> "I hope some day more of us can look beyond immediate personal benefit."
Look, I'm ok if you want to be individualistic and say "screw the creators, content producers, journalists, and everyone else I'm freeloading their work for MY personal benefit". It's immoral in my book, but it's certainly not illegal.
But at least be honest with yourself, and stop pretending you're doing this for the greater good of human society.
If the point is to quantify the value of cookies then you need to measure that as an independent variable. Attempting to compensate with other actions, each of which you also don't know the independent value of, means you will be unable to quantify the true value of cookies or the value of your other actions.
What if none of the tools they're using, including cookies, provide any measurable value? How would you know? What if the value of cookies (X) and item A is positive in terms of impact, but B and C are both negative, but not enough to offset A so it comes out in a wash?