SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Google Chrome postpones changing cookie policy in wake of COVID-19
Tue, 7th Apr 2020
FYI, this story is more than a year old

Google Chrome has announced it is delaying a privacy update which was aimed at altering its cookie policy in the wake of COVID-19.

Google says it began enforcing secure-by-default handling of third-party cookies with its release of the Chrome 80 update in February this year in its ongoing effort to improve privacy and security across the web.

However, the work has been postponed due to the unprecedented pandemic the world is now facing.

“We've been gradually rolling out this change since February and have been closely monitoring ecosystem impact, including reaching out to individual websites to ensure their cookies are labeled correctly,” says Google Chrome director of engineering Justin Schuh.

The new cookie policy, called SameSite Cookie, aimed to enforce secure-by-default handling of third-party cookies, effectively blocking third-party tracking on Chrome.

Third-party tracking has become an increasingly mainstream issue and talking point within wider conversations about internet security, with user backlash sparking efforts by many other browsers to block this type of tracking by default.

Both Safari and Firefox block third-party cookies by default, using Apple's Intelligent Tracking Prevention (ITP) and Firefox's Enhanced Tracking Protection (ETP), respectively.

Google says its motivation to postpone the security update revolved around websites who may not have been prepared for the changes that banning third-party cookies would have brought.

“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time.”

Google says the rollback of secure-by-default handling of third-party cookies would ensure organisations, users and sites ‘see no disruption'.

Google also says that it will provide regular updates as to when the rollout would resume, with the company aiming for the summer (northern hemisphere).

This timeframe may change, however, due to the rapid and unpredictable proliferation of COVID-19's spread, especially now in the United States.

ESET cybersecurity specialist Jake Moore says while the halt on the key privacy update on one of Google's most popular products isn't ideal, it may be beneficial for some websites.

“This extraordinary pandemic has made the industry realise that the gold standard in security is difficult to adhere to in the current situation, and things have inevitably had to change,” says Moore.

“The argument will have been on the balance of which is more important: the functionality of the browser or its security – and, sadly, functionality won.

“As it happens, this delay may give more websites the time they require to better prepare for the changes.