Why can Google log me in on all of their websites even with third-party cookies turned off?
I’ve been using Firefox for a long time. I can’t enumerate all the great things this software brings. I care about privacy, and there is a particular thing I love about Firefox: it is how it lets me have control over the web that appears in my little window. So, if a website doesn’t care about privacy, I can apply it myself, by tweaking it thanks to this highly configurable, privacy-caring software. There have been tons of issues and debates over the years, and it is perfectly normal. FF guys are doing a great job to improve the software and I can’t thank them enough for that.
However, among all these little annoyances, something truly disturbs me. Back in the days, I remember struggling with privacy windows. If I opened multiple private windows, why could the websites still recognize me? Until I understood privacy windows are a SINGLE other profile (erased at startup), which, of course, share the same local space. Why is it called private windows? It isn’t. Not at all. It is the same thing as opening a different browser next to Firefox, but doesn’t improve my privacy more than standard windows, especially for a user like me, used to removing all private data once in a while. Call it “side profile”, make differently colored windows, I don’t know, but it has the wrong name: it’s not true “private windows” from a web perspective, and it bothers me because I still think it is a trick, not understandable by common users.
Then, a few months ago, I was really annoyed several times: when I log in to my Gmail account, I’m automatically logged in to YouTube. I don’t have a YouTube account. Google made one for me. Every time I discovered Google was watching me watching videos, I felt betrayed. Of course, this in particular is not your problem. But I trusted my favorite web browser to defend me against this forced mercantile attempt to bargain with my life. I tried several plugins. Google is smarter. I used the “cookie exception” blacklist to remove youtube.com. It works but the list is destroyed every time I clear local data or update the browser. So, I set “Accept Third Party Cookies” to never. It’s drastic. And, above all, it doesn’t work with Google! As if there was a king of the internet. I’m stunned... Somehow, it still succeeds in sharing cookies between different domain names. Am I the only one who thinks this is a giant security hole? Unless there is an internal whitelist somewhere...
I don’t want SSO. I don’t want to exchange parts of my life to have a little more convenient web. I just try to keep control and this time I have the feeling I’m doomed.
How can Google gather cookies from its domains, with third-party cookies turned off? Is that a bug? Is it because I’m doing something wrong? How come I make great efforts to protect my privacy, and my Firefox, the most privacy-caring browser out there, fails me on this specific point? How can I disable this behavior once and for all?
Sorry if it’s long, but I also think it’s needed for you to have my feedback, because I know some people don’t understand why it’s important to me. Thanks for your help.
All Replies (4)
I use private browsing all the time, so I fully understand your problem. But this behaviour comes from practical reasons. Let us suppose for a moment that each tab or window is totally independent in private browsing. In a tab, you are logged in to an account, for example a webmail. You are reading an email and want to write another, but keeping the first open. You have to open a new tab and log in again. Now you want to display the 2 tabs side by side. You need to detach one tab from the current window to get 2 separate windows. If temporary cookies were not shared, you would have to log in to the same website several times. I think there are many cases where users need to have several tabs/windows of the same secure website, even in private browsing, so independent tabs/windows would be annoying.
If you are interested in this topic, have a look at this bug. You will see that it is an old debate.
For a couple of years, Google has forced everybody to be connected to all its services as soon as you are logged in to one (YouTube, Gmail, Drive, Google+… the list goes on). Cookies are an official way to track users, but who knows if Google, Facebook… don't also use IP addresses for the same thing (actually Google already does it for security reasons).
Thank you for your answer.
You are telling me this is a long standing debate. I understand the example you are giving. To me, private browsing is private. A little annoyance is a price to pay. Actually, the behavior you are describing is exactly what I expected when I first used private browsing. On the other hand, I understand all users don’t use this feature the way I imagine. I’ll dive a little more into it, to see how it goes.
Unfortunately, they are. I already de-registered from some g-services, but Google keeps subscribing me back. Apparently, visiting YouTube while connected to Gmail is sufficient for them to consider you want to subscribe.
Apart from that, I don’t think they use IPs. Let’s imagine a company, with dozens of people connecting to Gmail with the same IP (and the same browser signature). Google can’t take any risk if they are security friendly. For information, a famous French internet provider did that for years, and it was a security mess. Moreover, I took a screenshot showing that cookies from .youtube.com and google.com are read by the website (which is mail.google.com)! It should not be possible: I don’t accept third-party cookies at all. Even on developer Q&A websites, they don’t seem to have an adequate answer to that. From my point of view, Google is doing some magic trick that looks like a security hole, and no one seems to worry because it just comes from good old uncle G.
I just came across this recent article on the Mozilla Blog: New Experimental Private Browsing and Add-ons Features Ready for Pre-Beta Testing in Firefox.
It is not exactly what you want, but this is along the same line. If you are interested in testing this feature, you should consider installing Firefox Developer Edition. Beta testers are always welcome!
I just tried this new private browsing. It’s not quite what I expected, but I must admit it goes in the right direction. The blog post also states something important: “All major browsers offer some form of experience that is labeled ‘private’ but this is typically intended to solve the “local” privacy case, namely preventing others on a shared computer from seeing traces of your online activity”
This is the dissonance I had and I’m glad they try to make private windows more private on the server side.
Regarding third-party cookies, I also tried Privacy Badger, a new extension by EFF. It permits me to fine-tune third-party cookies. So, it solves my problem concerning single sign-on (however, the question remains).
EDIT: after more testing, Google is still able to recognize me.
Modified by dFranck