We’ve published many takes on the classic treat over the years, but these are the ones our readers return to again and again.
Filled with coconut and dried cherries, these breakfast treats from Frenchette Bakery are wholesome enough for breakfast, and sweet enough for dessert.
While we’ve written about attempts to build alternatives to cookies that track users across websites, Google says it won’t be going down that route.
The search giant had already announced that it will be phasing out support for third-party cookies in its Chrome browser, but today it went further, with David Temkin (Google’s director of product management for ads privacy and trust) writing in a blog post that “once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.”
“We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like [personally identifiable information] graphs based on people’s email addresses,” Temkin continued. “We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment.”
This doesn’t mean ads won’t be targeted at all. Instead, he argued that thanks to “advances in aggregation, anonymization, on-device processing and other privacy-preserving technologies,” it’s no longer necessary to “track individual consumers across the web to get the performance benefits of digital advertising.”
As an example, Temkin pointed to a new approach being tested by Google called Federated Learning of Cohorts (FLoC), which allows ads to be targeted at large groups of users based on common interests. He said Google will begin testing FLoCs with advertisers in the second quarter of this year.
Temkin pointed out that these changes are focused on third-party data and don’t affect the ability of publishers to track and target their own visitors: “We will continue to support first-party relationships on our ad platforms for partners, in which they have direct connections with their own customers.”
It’s worth noting, however, that the Electronic Frontier Foundation has described FLoCs as “the opposite of privacy-preserving technology” and compared them to a “behavioral credit score.”
And while cookies seem to be on the way out across the industry, the U.K.’s Competition and Markets Authority is currently investigating Google’s cookie plan over antitrust concerns, with critics suggesting that Google is using privacy as an excuse to increase its market power. (A similar criticism has been leveled against Apple over upcoming privacy changes in iOS.)
Sometimes, indulging a whim results in the finest of dinners. For David Tanis, that means a luxurious baked pasta and cookies for dessert.
Mozilla has further beefed up anti-tracking measures in its Firefox browser. In a blog post yesterday it announced that Firefox 86 has an extra layer of anti-cookie tracking built into the enhanced tracking protection (ETP) strict mode — which it’s calling ‘Total Cookie Protection’.
This “major privacy advance”, as it bills it, prevents cross-site tracking by siloing third party cookies per website.
Mozilla likens this to having a separate cookie jar for each site — so, for example, Facebook cookies aren’t stored in the same tub as cookies for that sneaker website where you bought your latest kicks and so on.
The new layer of privacy wrapping “provides comprehensive partitioning of cookies and other site data between websites in Firefox”, explains Mozilla.
Along with another anti-tracking feature it announced last month — targeting so called ‘supercookies’ — aka sneaky trackers that store user IDs in “increasingly obscure” parts of the browser (like Flash storage, ETags, and HSTS flags), i.e. where it’s difficult for users to delete or block them — the features combine to “prevent websites from being able to ‘tag’ your browser, thereby eliminating the most pervasive cross-site tracking technique”, per Mozilla.
There’s a “limited exception” for cross-site cookies when they are needed for non-tracking purposes — Mozilla gives the example of popular third-party login providers.
“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience,” it adds.
Tracker blocking has long been an arms race against the adtech industry’s determination to keep surveilling web users — and thumbing its nose at the notion of consent to spy on people’s online business — pouring resource into devising fiendish new techniques to try to keep watching what Internet users are doing. But this battle has stepped up in recent years as browser makers have been taking a tougher pro-privacy/anti-tracker stance.
Mozilla, for example, started making tracker blocking the default back in 2018 — going on to make ETP the default in Firefox in 2019, blocking cookies from companies identified as trackers by its partner, Disconnect.
While Apple’s Safari browser added an ‘Intelligent Tracking Prevention’ (ITP) feature in 2017 — applying machine learning to identify trackers and segregate the cross-site scripting data to protect users’ browsing history from third party eyes.
Google has also put the cat among the adtech pigeons by announcing a planned phasing out of support for third party cookies in Chrome — which it said would be coming within two years back in January 2020 — although it’s still working on this ‘privacy sandbox’ project, as it calls it (now under the watchful eye of UK antitrust regulators).
Google has been making privacy strengthening noises since 2019, in response to the rest of the browser market responding to concern about online privacy.
In April last year it rolled back a change that had made it harder for sites to access third-party cookies, citing the need to ensure that sites were able to perform essential functions during the pandemic — though this was resumed in July. But it’s fair to say that the adtech giant remains the laggard when it comes to executing on its claimed plan to beef up privacy.
Given Chrome’s marketshare, that leaves most of the world’s web users exposed to more tracking than they otherwise would be by using a different, more privacy-pro-active browser.
And as Mozilla’s latest anti-cookie tracking feature shows the race to outwit adtech’s allergy to privacy (and consent) also isn’t the sort that has a finish line. So being slow to do privacy protection arguably isn’t very different to not offering much privacy protection at all.
To wit: One worrying development — on the non-cookie based tracking front — is detailed in this new paper by a group of privacy researchers who conducted an analysis of CNAME tracking (aka a DNS-based anti-tracking evasion technique) and found that use of the sneaky anti-tracking evasion method had grown by around a fifth in just under two years.
The technique has been raising mainstream concerns about ‘unblockable’ web tracking since around 2019 — when developers spotted the technique being used in the wild by a French newspaper website. Since then use has been rising, per the research.
In a nutshell the CNAME tracking technique cloaks the tracker by injecting it into the first-party context of the visited website — via the content being embedded through a subdomain of the site which is actually an alias for the tracker domain.
“This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record,” writes one of the paper authors, privacy and security researcher Lukasz Olejnik, in a blog post about the research. “The tracker technically is hosted in a subdomain of the visited website.
“Employment of such a scheme has certain consequences. It kind of fools the fundamental web security and privacy protections — to think that the user is wilfully browsing the tracker website. When a web browser sees such a scheme, some security and privacy protections are relaxed.”
Don’t be fooled by the use of the word ‘relaxed’ — as Olejnik goes on to emphasize that the CNAME tracking technique has “substantial implications for web security and privacy”. Such as browsers being tricked into treating a tracker as legitimate first-party content of the visited website (which, in turn, unlocks “many benefits”, such as access to first-party cookies — which can then be sent on to remote, third-party servers controlled by the trackers so the surveilling entity can have its wicked way with the personal data).
So the risk is that a chunk of the clever engineering work being done to protect privacy by blocking trackers can be sidelined by getting under the anti-trackers’ radar.
The researchers found one (infamous) tracker provider, Criteo, reverting its tracking scripts to the custom CNAME cloak scheme when it detected the Safari web browser in use — as, presumably, a way to circumvent Apple’s ITP.
There are further concerns over CNAME tracking too: The paper details how, as a consequence of current web architecture, the scheme “unlocks a way for broad cookie leaks”, as Olejnik puts it — explaining how the upshot of the technique being deployed can be “many unrelated, legitimate cookies” being sent to the tracker subdomain.
Olejnik documented this concern in a study back in 2014 — but he writes that the problem has now exploded: “As the tip of the iceberg, we found broad data leaks on 7,377 websites. Some data leaks happen on almost every website using the CNAME scheme (analytics cookies commonly leak). This suggests that this scheme is actively dangerous. It is harmful to web security and privacy.”
The researchers found cookies leaking on 95% of the studied websites.
They also report finding leaks of cookies set by other third-party scripts, suggesting leaked cookies would in those instances allow the CNAME tracker to track users across websites.
In some instances they found that leaked information contained private or sensitive information — such as a user’s full name, location, email address and (in an additional security concern) authentication cookie.
The paper goes on to raise a number of web security concerns, such as when CNAME trackers are served over HTTP not HTTPS, which they found happened often, and could facilitate man-in-the-middle attacks.
Defending against the CNAME cloaking scheme will require some major browsers to adopt new tricks, per the researchers — who note that while Firefox (global marketshare circa 4%) does offer a defence against the technique, Chrome does not.
Engineers on the WebKit engine that underpins Apple’s Safari browser have also been working on making enhancements to ITP aimed at counteracting CNAME tracking.
The Brave browser also announced changes last fall aimed at combating CNAME cloaking.
“In version 1.25.0, uBlock Origin gained the ability to detect and block CNAME-cloaked requests using Mozilla’s terrific browser.dns API. However, this solution only works in Firefox, as Chromium does not provide the browser.dns API. To some extent, these requests can be blocked using custom DNS servers. However, no browsers have shipped with CNAME-based adblocking protection capabilities available and on by default,” it wrote.
“In Brave 1.17, Brave Shields will now recursively check the canonical name records for any network request that isn’t otherwise blocked using an embedded DNS resolver. If the request has a CNAME record, and the same request under the canonical domain would be blocked, then the request is blocked. This solution is on by default, bringing enhanced privacy protections to millions of users.”
But the browser with the largest marketshare, Chrome, has work to do, per the researchers, who write:
Because Chrome does not support a DNS resolution API for extensions, the [uBlock version 1.25 under Firefox] defense could not be applied to this browser. Consequently, we find that four of the CNAME-based trackers (Oracle Eloqua, Eulerian, Criteo, and Keyade) are blocked by uBlock Origin on Firefox but not on the Chrome version.
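The canonical-name check described in the Brave and uBlock Origin passages above can be sketched as follows. This is an added example, not code from the article, the paper, or either project; the hostnames, CNAME records and blocklist entry are constructed, and a static table stands in for a real DNS resolver so the logic runs offline.

```python
# Constructed sample data: reserved .example names, invented for illustration.
CNAME_RECORDS = {
    "metrics.news.example": "news.tracker-cdn.example",   # cloaked subdomain
    "news.tracker-cdn.example": "edge.tracker.example",   # second hop
    "static.news.example": "cdn.hosting.example",         # benign alias
    "loop-a.news.example": "loop-b.news.example",         # misconfigured loop
    "loop-b.news.example": "loop-a.news.example",
}
BLOCKLIST = {"tracker.example"}  # hypothetical tracker domain
MAX_CHAIN = 8                    # assumed cap on CNAME hops


def normalize(host):
    """Lower-case the name and drop a trailing root dot."""
    return host.rstrip(".").lower()


def is_blocked(host, blocklist):
    """True if host is a blocklist entry or a subdomain of one."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def cname_chain(host, records, max_chain=MAX_CHAIN):
    """Follow CNAME records from host and return the canonical names seen.

    Stops on a loop or after max_chain hops so a hostile or broken zone
    cannot stall the check.
    """
    current = normalize(host)
    seen, chain = {current}, []
    while current in records and len(chain) < max_chain:
        current = normalize(records[current])
        if current in seen:
            break
        seen.add(current)
        chain.append(current)
    return chain


def check_request(host, records=CNAME_RECORDS, blocklist=BLOCKLIST):
    """Return (verdict, matched_name) for a request to host.

    'blocked'       -> the requested name itself is on the blocklist
    'blocked-cname' -> a name in its CNAME chain is on the blocklist
    'allowed'       -> neither
    """
    if is_blocked(host, blocklist):
        return ("blocked", normalize(host))
    for name in cname_chain(host, records):
        if is_blocked(name, blocklist):
            return ("blocked-cname", name)
    return ("allowed", None)


if __name__ == "__main__":
    for h in ("metrics.news.example", "static.news.example",
              "loop-a.news.example", "edge.tracker.example"):
        print(h, check_request(h))
```

A blocklist that only inspects the requested hostname sees `metrics.news.example` as first-party; the second hop in the chain is what exposes it.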
The Girl Scouts are also using virtual cookie booths and drive-through pickup sites to promote social distancing.
At the darkest time of year, we bake our pain and loss into something to pass to others when it becomes too much to carry.
Microsoft-owned GitHub today announced that it is doing away with all non-essential cookies on its platform. Thanks to this, starting today, GitHub.com and its subdomains will not feature a cookie banner anymore, either. That’s one less cookie banner you’ll have to click away to get your work done.
“No one likes cookie banners,” GitHub CEO Nat Friedman writes in today’s announcement. “But cookie banners are everywhere!”
“At GitHub, we want to protect developer privacy, and we find cookie banners irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really,” Friedman writes.
To be fair, for a service like GitHub, it may be a bit easier to do away with cookies than for most sites — and especially content sites (and yes, I’m well aware that you probably had to click away from a cookie popup when you came to TechCrunch, too. Feel free to tell me about the irony of that in the comments). GitHub, after all, has a paid product and an audience that likely uses extensions to block trackers and unnecessary cookies anyway. Because of this, the tracking data it gathered was probably not all that useful anyway. GitHub is one of the first large sites to make this move, though, and may be able to set a bit of a trend.
The brand’s strategy is stunning in its simplicity.
If you’ve got time on your hands, these recipes are a joy to make.
Caramelized shallot pasta, the perfect chocolate chip cookies, sour cream and onion chicken: These are the recipes that kept readers coming back for more.
France’s data protection agency, the CNIL, has slapped Google and Amazon with fines for dropping tracking cookies without consent.
The regulator carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.
In Google’s case the CNIL has found three consent violations related to dropping non-essential cookies.
“As this type of cookies cannot be deposited without the user having expressed his consent, the restricted committee considered that the companies had not complied with the requirement provided for by article 82 of the Data Protection Act and the prior collection of the consent before the deposit of non-essential cookies,” it writes in the penalty notice [which we’ve translated from French].
Amazon was found to have made two violations, per the CNIL penalty notice.
CNIL also found that the information about the cookies provided to site visitors was inadequate — noting that a banner displayed by Google did not provide specific information about the tracking cookies the Google.fr site had already dropped.
Under local French (and European) law, site users should have been clearly informed before the cookies were dropped and asked for their consent.
The law on tracking cookie consent has been clear in Europe for years. But in October 2019 a CJEU ruling further clarified that consent must be obtained prior to storing or accessing non-essential cookies. As we reported at the time sites that failed to ask for consent to track were risking a big fine under EU privacy laws.
Google and Amazon are now finding that out to their cost, it seems.
We’ve reached out to Amazon and Google for comment on the CNIL’s action.
Nina Compton, Alice Waters and Enrique Olvera are among the chefs contributing to the Resy Cookie Box.
Baking experts show how to transform simple sugar cookies into dazzling treats.
For years, Melissa Clark has been on a quest to make the most delicious cookie box to gift to loved ones, logging her triumphs and failures along the way. Here’s what she’s learned.
The best holiday cookies are the ones you’ve made yourself. Here are tips for assembling gift boxes and getting them to loved ones.
For months, I’ve wanted to spend time with the central character of the Armand Gamache series. Since I can’t, I made these cookies for him instead.
The British pastry chef Ravneet Gill ran countless tests to arrive at her version of the classic recipe.
My Cookie Dealer, a bakery that delivers and ships orders placed through Instagram, has fared well in the time of socially distant dining.
Restaurants might be slowly reopening, but that hasn’t stopped chefs and bakers, stuck at home, from starting their own side gigs.
These bars taste like Key lime pie but they’re so much easier to share (and easier to make).
We may think that we turned a corner on healthful eating habits with all that sourdough baking we did, but the food industry isn’t about to let us off its hook that easily.
For a crowd-pleasing treat, pack them with dried fruit, nuts or a chopped up chocolate bar.
Serve this summery pair with crunchy cookies instead of soft biscuits.
Yet another stake through the dark-patterned heart of consentless online tracking. Following a key cookie consent ruling by Europe’s top court last year, Germany’s Federal Court (BGH) has today handed down its own ‘Planet49’ decision — overturning an earlier appeal ruling when judges in a district court had allowed a pre-checked box to stand for consent.
That clearly now won’t wash even in Germany, where there had been confusion over the interpretation of a local law which had suggested an opt-in for non-functional cookies might be legally valid in some scenarios. Instead, the federal court ruling aligns with last October’s CJEU decision (which we reported on in detail here).
The ‘Planet49’ legal challenge was originally lodged by vzbv, a German consumer rights organization, which had complained about a lottery website, Planet49, that — back in 2013 — had required users to consent to the storage of cookies in order to play a promotional game. (Whereas EU law generally requires consent to be freely given and purpose limited if it’s to be legally valid.)
In a statement today following the BGH’s decision, board member Klaus Müller said: “This is a good judgment for consumers and their privacy. Internet users are again given more decision-making authority and transparency. So far, it has been common practice in this country for website providers to track, analyze, and market the interests and behaviors of users until they actively contradict them. This is no longer possible. If a website operator wants to screen his users, he must at least ask for permission beforehand. This clarification was long overdue.”
There is one looming wrinkle, however, in the shape of Europe’s ePrivacy reform — a piece of legislation which deals with online tracking. In recent years, European institutions have failed to reach agreement on an update to this — with negotiations ongoing and lobbyists seeking ways to dilute Europe’s strict consent standard.
Should any future reform of ePrivacy weaken the rules on tracking consent that could undo hard won progress to secure European citizens’ rights, under the General Data Protection Regulation (GDPR), which deals with personal data more broadly.
vzbv’s statement warns about this possibility, with the consumer rights group urging the EU to “ensure that the currently negotiated European ePrivacy Regulation does not weaken these strict regulations”.
“We reject the Croatian Presidency’s proposal to allow user tracking in the future on the legal basis of a balance of interests,” added Müller. “The end devices of the consumers allow a deep insight into complex emotional, political and social aspects of a person. Protecting this privacy is a great asset. We therefore require tight and clear rules for user tracking for advertising purposes. This may only be permitted with consent or under strict conditions defined in the law.”
In the meantime, there will be legal pressure on data controllers in Germany to clean up any fuzzy cookie notices to ensure they are complying with consent requirements.
“As the implementation of these new requirements are easily visible (and technically identifiable) on the website, incompliance bears a high risk of cease-and-desist and supervisory procedures,” warns law firm TaylorWessing in a blog post commenting on the BGH decision.
Separately today, another long running legal challenge brought by vzbv against the social networking giant Facebook — for allegedly failing to gain proper consent to process user data related to games hosted on its app platform, back in 2012 — is set to get even longer after the BGH sought a referral on a legal question to Europe’s top court.
The German federal court is seeking clarification on whether consumer protection organizations can bring a lawsuit before the country’s civil courts seeking redress for data protection breaches. “This question is controversial in the case law of the instance courts and the legal literature,” the court notes in a press release.
We’ve reached out to Facebook for comment on the CJEU referral.
This delicious and simple icebox cake uses French biscuits dipped in espresso. But you can use whatever cookies you have on hand.
With a crunchy shortbread crust and tangy curd filling, this rhubarb-filled confection is perfect for spring.
Can’t find all-purpose flour? Out of whole-wheat? Here’s what you can use instead.
Bake your way to these sweet snacks using ingredients you’re likely to have on hand.
I tried to make her cachkitas — savory cookies full of butter and cumin, and topped with sesame seeds.
Google today announced that it will temporarily roll back the changes it recently made to how its Chrome browser handles cookies in order to ensure that sites that perform essential services like banking, online grocery, government services and healthcare won’t become inaccessible to Chrome users during the current COVID-19 pandemic.
The new SameSite rules, which the company started rolling out to a growing number of Chrome users in recent months, are meant to make it harder for sites to access cookies from third-party sites and hence track a user’s online activity. These new rules are also meant to prevent cross-site request forgery attacks.
Under Google’s new guidance, developers must explicitly allow their cookies to be read by third-party sites, otherwise, the browser will prevent these third-party sites from accessing them.
Because this is a pretty major change, Google gave developers quite a bit of time to adapt their applications to it. Still, not every site is ready yet, so the Chrome team decided to halt the gradual rollout and stop enforcing these new rules for the time being.
“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” writes Google Chrome engineering director Justin Schuh. “As we roll back enforcement, organizations, users and sites should see no disruption.”
A Google spokesperson also told us that the team saw some breakage in sites “that would not normally be considered essential, but with COVID-19 having become more important, we made this decision in an effort to ensure stability during this time.”
The company says it plans to resume its SameSite enforcement over the summer, though the exact timing isn’t yet clear.
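For site operators preparing for enforcement to resume, the check below audits `Set-Cookie` headers against the SameSite rules described above. It is an added example, not code from the article or from Chrome. It assumes Chrome's documented behaviour that a cookie with no `SameSite` attribute is treated as `Lax` and that `SameSite=None` is rejected unless `Secure` is also set; the header values and cookie names are constructed.

```python
# Constructed sample Set-Cookie header values (names and values are invented).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "widget_session=xyz; Path=/; SameSite=None; Secure",
    "sso_token=t0k; Path=/; SameSite=None",
    "prefs=dark; SameSite=Strict; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def classify(header):
    """Return (cookie_name, verdict) under the new SameSite handling.

    'cross-site-ok'  -> SameSite=None with Secure: sent in third-party context
    'rejected'       -> SameSite=None without Secure: the browser drops it
    'same-site-only' -> SameSite=Strict
    'lax'            -> SameSite=Lax set explicitly
    'lax-by-default' -> attribute missing or unrecognised, treated as Lax
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        return name, ("cross-site-ok" if "secure" in attrs else "rejected")
    if samesite == "strict":
        return name, "same-site-only"
    if samesite == "lax":
        return name, "lax"
    return name, "lax-by-default"


def audit(headers, needed_cross_site):
    """List cookies the site relies on in a third-party context (embedded
    widgets, federated login) that the browser will not send there."""
    findings = []
    for header in headers:
        name, verdict = classify(header)
        if name in needed_cross_site and verdict != "cross-site-ok":
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, {"sid", "widget_session", "sso_token"}):
        print(finding)
```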
Wondering how you can make the most of your freezer and your food? Melissa Clark can help.