Sep 02, 2024 06:00:00

What is Chrome's 'Related Website Set (RWS)' that continues to infringe on user privacy with third-party cookies?

Brave , a web browser known for being privacy-focused, has conducted research into Google's Relevant Website Set (RWS) in collaboration with researchers from the University of St. Andrews, Imperial College London, and the Hong Kong University of Science and Technology, pointing out that users' privacy is being violated in unintended ways.

Chrome is Entrenching Third-Party Cookies For Some Sites In A Way That Will Predictably, Inevitably Mislead Users | Brave
https://brave.com/blog/related-website-sets/

Google has announced that it will phase out third-party cookies in 2020 because they have a negative impact on privacy and security . Firefox blocks third-party cookies by default, but Google has repeatedly postponed its plans to phase out third-party cookies in Chrome, and finally withdrew the plan in July 2024.

Google withdraws plans to remove third-party cookies from Chrome - GIGAZINE

Google, which has been developing its third-party cookie abolition, has released RWS as part of its preparations. Google explains that RWS is 'a way to re-enable third-party cookie-like behavior where it benefits users, without reintroducing the widespread privacy violations of third-party cookies.' Specifically, RWS is a function that declares that sites in different domains (e.g. facebook.com and instagram.co.jp) are operated by the same organization, which allows browsers to access third-party cookies and enables information sharing between sites.

However, Brave pointed out that RWS is intended to allow Google to link videos you watch on YouTube to your Google profile, even if you are not logged in to YouTube, even after third-party cookies are phased out in Chrome.

'RWS undermines the web's privacy model to the detriment of users,' said Peter Snyder, chief privacy scientist at Brave. 'RWS is designed to benefit websites and advertisers, at the expense of user privacy. Google argues that RWS benefits users because it allows them to remain 'signed in' across related domains.'

Brave criticized Google and RWS, writing, 'The motivation behind RWS is to benefit advertisers at the expense of users. RWS is designed to ensure that Chrome continues to meet advertisers' needs first, even after Google has shamefully phased out third-party cookies.'

Brave and the research team examined the impact of RWS on user privacy by testing whether the basic premise of RWS is correct: whether users can accurately determine whether two different sites are related to each other. The research team recruited 30 web users through social media and presented them with 20 pairs of websites and asked them to determine whether each site was operated by the same organization. Each pair of sites presented to the user was adjusted to be different.

The results revealed that average web users cannot accurately judge whether two sites are related to each other. 73% of the users who participated in the survey made a mistake about the relationship between two sites at least once, and almost half of all users' responses, 42%, were wrong. Furthermore, for combinations of websites where RWS works, users made the wrong decision 37% of the time. In response to this result, Brave pointed out that 'users will think that Chrome is protecting their privacy, but in reality their privacy will not be protected at all.' In addition, Brave also pointed out that 'RWS causes problems completely similar to the privacy violations caused by third-party cookies.'

Brave plans to present details of its RWS research findings at the 2024 Internet Measurement Conference , which will be held in Spain from November 4, 2024.