Back in January 2020, Google had mentioned its intent to phase out third-party cookies from Google Chrome within the next two years. Initiatives like the Privacy Sandbox are believed to be the drivers of a healthy, ad-supported web that would render third-party cookies obsolete. While we are still far from reaching that goal, Google is now showcasing its proposed alternatives to third-party cookies: trust tokens.
A cookie, in the context of the Internet, is a piece of data that is stored on the user’s device when the user accesses a website. The cookie stores data related to the user’s interaction with the website, such as items added to a shopping cart, login data, form data, and much more. First-party cookies are cookies that are created by the visited website itself and are necessary for the website to track your activity as you move from page to page. Third-party cookies, on the other hand, are cookies that are created by a party other than the visited website or the user; these usually refer to cookies created by external content, such as advertisements. Since average users often have little or no control over the advertisements that providers can serve them, they inadvertently allow these ad providers to track and build the user’s profile based on their browsing history across websites that have ads from the same provider. For an ad provider, tracking the user is an important task as it allows them to serve users with ads that are more relevant to the user’s taste, and therefore, have a higher probability of attracting the user’s attention and interaction. While this goal sounds reasonable on the surface, in practice, third-party cookies have been used for much more nefarious purposes, trampling upon user privacy with little concern.
Unlike cookies, trust tokens are designed to authenticate a user without needing to know their identity. The idea behind a trust token is to differentiate between a user and a bot, and not to track every individual user. As Google mentions, the web ecosystem heavily relies on building trust signals to detect fraudulent or spammy actors, and this coarse segmentation is crucial for the ad-industry which receives a large amount of invalid, fraudulent traffic. Trust tokens are non-personalized and cannot be used to track users, but they are cryptographically signed, so they cannot be forged by bad actors either.
Google’s announcement does not go further into the workings of trust tokens, but there is an explainer document available if you are interested in further details and implementation. Trust tokens are available for testing by developers through the API. If all goes well, we should see them become popular on the web before Chrome’s migration away from third-party cookies.