#125: Modern Browsers and the Destruction of the Analyst's Dreams with Cory Underwood

Are you down with ITP? What about ETP? Are you pretty sure that the decline in returning visitors to your site that has everyone in a tizzy is largely due to increasingly restrictive cookie handling by browsers? Do you really, really, REALLY want Google, Apple, Mozilla, and even Microsoft to get on the same page when it comes to cookie handling and JavaScript subtleties? So many questions! Lucky for us (and you!), Measure Slack legend (and L.L. Bean Senior Programmer/Analyst) Cory Underwood has some answers. Or, at least, he will depress you in delightful ways.

UPDATE: Cory’s Thoughts on ITP 2.3

When we last left our heroes, they were discussing the pending storm that was Safari’s Intelligent Tracking Prevention 2.2. Originally rolled out in May for iOS devices, it was expected (at the time of recording) to be rolled out to desktop users with the Mac OSX October release of Safari 13. In a surprise move, Apple released the upgrade earlier than expected and the weekend of September 20th 2019 was when the surge of Safari 13 users became widespread and showed up across analytic dashboards the world over. As you may remember, this reduced the client-side storage of cookies under specific conditions from 7 days to 24 hours and now, in a united ecosystem, desktop and mobile users running Safari 13 will for the first time since May once again behave the same in regards to cookie processing.

Alas, Apple was not done, for on the 23rd of September, a forecast was given for Intelligent Tracking Prevention 2.3 and the warriors of #measure slack convened to discuss the dire warnings that lay ahead. A storm unlike any other, it marks the coming of the end. The council of warriors could only reaffirm what was long suspected; ITP 2.3 has come for all non-cookie client writable storage mechanics on the client, and with that, massive far-reaching effects are expected as client side tools everywhere brace for the pending required refactoring. The storm has landed. The waves shall wash over all the land. The end has arrived.

For as the end bringer of storms, ITP will, in accordance with it’s policies, remove all stateful non-cookie client-writable storage. The effects are massive. Client-side A/B testing platforms will see that traffic face re-allocation between the cells more often. Recommendation engines will lose any client-side mechanic of preserving history, leading to a less relevant recommendation assortment. Any client-side exclusive software such as (but not limited to) analytics, surveys, GDPR consent forms, marketing tags (even in a 1st party context) could be struck down by this change.

What is the solution? What will save us?

Sadly, dear friend, ‘tis not to be so easy. To ensure your tools continue to work, state must be set via the cookie header on the server request, it must be set in 1st party, it must not talk to a known tracker in view of the client, and it must set the correct SameSite attribute value served over Transport Layer Security. This is the way to safely navigate the waters.

Still, rocks remain; Safari’s ITP and Firefox’s ETP will wreck many a ship seeking advertising attribution – for no easy relief can be found here. Chrome’s pending SameSite cookie (slated for February) changes will wreck the platforms of even some of the strongest of us for those unprepared.

So for those who wish to brave the distant shores of analytics, I can only offer this advice.  Befriend the development staff, show them the way, and together you will find fortune. Seek out your vendors for council, but be prepared to part ways over disagreement. Test your configurations upon the beta of the browsers – for early warning may save you from an unwise outcome. Lastly, be ready to invest in refactoring and infrastructure, for exclusively client-side plug and play tools will likely meet a grim end before much longer.

Is this the final storm? Sadly, dear friend, I say not – more will come, just as the tides change.

People, Places, and Things Reference in this Episode

Episode Transcript

00:00 Michael Helbling: Hi folks, as luck would have it, after we finished recording this episode Apple went ahead and released Safari 13 early and also announced ITP 2.3. So while those aren’t covered in the show, those happened after we recorded. However, our guest, Cory Underwood was nice enough to write up a summary of those and we’ve included those in the show notes on our website at analyticshour.io. Enjoy the show.


00:30 Announcer: Welcome to The Digital Analytics Power Hour. Tim, Michael, Moe and the occasional guest discussing digital analytics issues of the day. Find them on Facebook at facebook.com/analyticshour and their website analyticshour.io. And now The Digital Analytics Power Hour.


00:53 MH: Hi everyone, welcome to The Digital Analytics Power Hour. This is episode 125. You know, a long time ago, we needed to remember what links on a page we had clicked so that we could make those previously clicked ones purple and the un-clicked ones still blue. And you know what? All was right with the world. A cookie, isn’t that a fun word? You know, Lou Montulli came up with that when he was writing some of the first internet browsers. Now this is the point in which you insert the ominous heavy metal guitar signifying something bad is about to happen because just 25 short years later, we are in some deep shit and the browsers are going crazy. Nobody accepts cookies anymore. Great job Lou. And there are three main players in the browser game: Apple, Mozilla and Google and unlucky for us, they’ve all decided to have different ideas about what it means to handle cookies in 2019 and beyond. Hey Moe, who’s your favorite cookie-handling browser?

02:00 Moe Kiss: I feel like that’s a trick question.


02:02 MH: That’s… I just… I had to introduce you some way.

02:07 MK: Yeah. True and very odd. I feel like they get odder with time.

02:11 MH: Yeah. Oh so, you don’t have a favorite yet. No consensus. You’re holding judgment until we get into this conversation. Very wise. Tim, you’re a man of strong opinions though. Surely you’ve got a favorite browser that handles cookies a certain way.

02:25 Tim Wilson: Oh, the chips ahoy browser, absolutely.

02:27 MH: Mm-hmm?

02:28 TW: Yeah.

02:28 MH: I like it. Actually that’s a missed opportunity. Yeah, in corporate. Ah, I’m Michael Helbling. I’m gonna have to say I’m a fan of the Apple method. Just burn ’em all to the ground.


02:39 MH: No, I was just kidding.

02:41 TW: Burnt cookies.

02:42 MH: Yeah, burnt cookies. It really burns my cookies. So we have been trying to keep up with all these changes and challenges and we even did an episode on ITP, which is what Apple’s been doing back on episode 114 but even then we struggled with all the details. So we turned to the one person we’ve all been turning to on measures like this here, our guest, Cory Underwood. He’s a Senior Programmer Analyst at LL Bean and for some reason, he spent a ton of time this year becoming one of the most expert people on this topic in our industry and we are super glad to have you on the show. Welcome Cory.

03:19 Cory Underwood: Thank you. Glad to be here.

03:20 MH: So it turns out you’re pretty popular on the Measure Slack these days because you have managed to keep all this stuff straight. So maybe just to get us kicked off, what the heck are you doing up there in Maine? And why has this become a topic that you decided “Hey, you know what? I probably better get to the bottom of all this.”

03:37 CU: I have a strong developer background and just naturally, I keep news feeds of like the different browser updates. I like read the patch notes, craziness because I like to know what’s gonna break. And with the cookies being the different privacy policies and the handling a state change and with all the different browsers, you start realizing “Hey, I actually understand how that tech works and what that might mean for reporting and modeling,” and then you’re thinking, “Wow, if that changes then that might break or it might not break but the data that it displays might not actually reflect the reality.”

04:12 MK: Okay. So it seems like the rate of changes… Like, I get that you’re super across this stuff, but for me, I’m kind of like, “Ah, what’s happening now?” And it just seems like there is just… I don’t even actually know how you keep up other than reading all the notes.

04:28 CU: Twitter helps because all the different browsers like to advertise when you’re doing something for privacy, it’s a big topic right now especially with all the legal changes going on in various parts of the world and they link to documentation or news articles about what they’re doing. Although, I have to admit, we’re at like 16 or 18 something changes since January so it’s getting to be a little bit crazy trying to keep up with everything, especially when there are different concepts of what they feel they should be doing.

05:00 TW: I feel like we should say that one of the things Cory you did was kind of rattle off a list of the changes just kinda prior to recording. I think we should throw that in our show notes that that’s crazy. And it seems like it’s all browsers are… Are they all kind of iterating kind of in a little bit of a privacy one-upmanship arms race on this topic? Like, it seems like all the big three are all kinda going berserk with this all of a sudden.

05:29 CU: Well, I would say, Mozilla has, who creates Firefox, they’ve traditionally tried to put a lot of light on this subject, so several years ago, they came up with Lightbeam that would do a data visualization of all the third-party tracking as a tool. And they’ve tested different things over the time. Like, they were the first to implement the “Do Not Track” header specification that ultimately fell through and they’ve tried to do different things in a way that preserves privacy but it still leaves it up to the user, but additionally, doesn’t break the internet when they do it.

06:03 TW: The “Do not Track”, am I right that “Do Not Track” was… They implemented it. It did kinda fail because it was still up to sites to honor “Do Not Track”. Like, why did “Do Not Track” fail?

06:13 CU: The actual specification if you… They leave it up. You can go read it. And they are like, “We’re gonna stop development in part because people haven’t fully implemented it yet. It’s been held for years and we’re not seeing a lot of support from outside vendors and sites to honor it.” And so, they just kind of said, well, it doesn’t have any legal backing, so even if the browser says don’t track me there’s nothing compelling whatever the browser is talking to you to honor that.

06:42 TW: Your all take you’re punishing the good actors and the bad actors are gonna ignore it. So, If anything you’re somewhat making it worse.

06:49 CU: Right. And so with that so far is like, “Well we’re gonna remove to Do Not Track, support because that’s just gonna allow people to do fingerprinting, which we’re against, and they actually have taken a much more drastic view because what they’ve done is they’ve come down with a set of standards in their intelligent tracking prevention and they’re doing things that cause a fault in how the JavaScript will actually execute on the browser compared to Firefox. So in the case of Firefox it still allows everything to run whereas in Safari it will run but it won’t run quite like you think it will, and depending on how your site works that might actually be a problem. Google has come into this more recently in large part, I think, because Mozilla and Apple, have really gonna up the envelope, and I kinda consider Google to be in a hard place here because they obviously drive a lot of their revenue from advertising, so they’re trying to do things, but they’re also not going quite as far as, I think the privacy activist, would want them to.

07:54 MH: Yeah, They’re like, “Hey let’s pretend to do a bunch of stuff and hope everybody leave us alone so We can keep advertising.

08:01 CU: The one thing that Google really does that I actually appreciate is they don’t just decide to do it and risk breaking things. They do… Think it’s more like Mozilla does where they try to give a lot of advance notice, and they put out proposals and they try to get other browsers to adopt them rather than going off kind of on their own path.

08:22 MK: That’s surprising.

08:22 CU: Because one thing with tech is even if you get someone to adopt the standard today there’s all the legacy of all of the other people that don’t auto-upgrade and things like that, that you still have to support.

08:36 MK: But so chrome is still… That is the most used browser.

08:40 MH: Mm-hmm.

08:41 MK: Yeah, I guess I’m surprised what are Google doing at the moment because yeah, oh god is this topic every time I feel like I need a beer and a rant every time I think about it.

08:53 TW: I think it’s really… I think it’s kind of dangerous to point to what the most use browser ’cause I think it really does wind up varying, based on where you’re operating in kind of desktop versus mobile, the whole stat counter site, which I don’t know whether that’s… I think that’s fairly credible data and you start slicing it and you see all sorts of different… So I think that’s a true statement from a global macro everywhere, but if you’re looking just at mobile sometimes all of a sudden mobile Safari bounces to the top. But that depends on where it is, I think.

09:28 MK: And I have to say, one of the really interesting things about my role now is that I’ve always worked on businesses that are as Shari New Zealand very western focused and when You start looking at device usage in different countries, ’cause obviously Canada’s a global business, it is totally different, like you always presume iOS is gonna be higher than Android and then you go to, I don’t know, Indonesia, or Brazil or something and it complete opposite way. And so, yeah, I do agree with your point that you need to be careful about just generalizing that whatever is the most used.


10:03 CU: But to answer your question, the one thing that Google has done right now is they rolled out back earlier this summer some changes to how they process cookies and basically they proposed a change to the cookie specification, where there’s a extra attribute that they put on the cookie and that determines by default who gets to access that data when it’s viewed in a third-party context. And what I like about that is it actually closes a specific type of attack, known as cross-site request forgery. So, their solution while it was more limited, actually eliminates an attack at the same time.

10:47 MK: Yeah wow. But it’s interesting, I’m dealing with all of this, I suppose, more from an attribution perspective. And yeah Google still has stakes in trying to help people identify clicks and all that sort of stuff, for their marketing platforms, I suppose, Safari and the rest of them, they don’t really have a stake in that game right so for them it’s just not as important.

11:13 CU: Right. So Google’s main revenue stream is mostly advertising like some huge percentage of their money comes from advertising. Apple does hardware and they also, get a huge amount of commission off the iTunes and the app store, etcetera.

11:27 MH: Yeah, they just take money off of transactions in the iOS store.

11:32 CU: Right. Mozilla’s interesting in that it’s technically a non-profit. So they’re not trying to earn a ton of revenue they’re trying to stay in business, but it’s not like they have a product that they’re really trying to push for pay, they get a lot of money for donations and as part of their contract for default search engine placement.

11:51 MK: And we haven’t even talked about Microsoft yet.

11:53 CU: Microsoft is so late into these discussions, they are doing a couple different things right now. They decided to stop supporting Edges custom back end that they built, and they’re adopting the link, which is the rendering engine that Google created for Chrome. Now, in addition to that, they are also… They’ve outlined a plan where they want to follow the same sort of mechanisms Mozilla’s done with Firefox for anti-tracking but it’s still in the beta releases, and I’ve seen really inconsistent reports on what actually gets blocked and what’s allowed through and what that means, at least in the previous release that I reviewed. So they’ve announced plans but we have yet to get actual details on how that’s gonna shake out.

12:40 TW: It feels like with these different changes and you kind of mentioned this already Cory that Google with Chrome is sort of saying, “Hey we’re gonna take the concept of a cookie and we’re gonna try to create new standards that extend the functionality of it by adding these different things, whereas the other browsers are like, “We’re gonna take cookies that we’re really gonna mash them down and not… I’m gonna block a lot of what they do.

13:04 TW: It feels like that would have the effect of pushing advertisers and others further into the nooks and crannies of the browser into like device fingerprinting and local storage, and all these other shenanigans that are even… Not… Even worse, so to speak. I don’t know if that’s… It’s not really like there’s no morality with any of this, it’s just more like what you do with it. But I don’t know, like, so does that also come into it? It’s just sort of like… Is that just a better way of thinking about it? I hate to give Google any credit honestly, but here they are.

13:38 CU: I think so. This is actually a interesting thing. So if you look at Safari’s tracking prevention policy, this is a quote from it: “We treat circumvention of shipping anti-tracking measures with the same seriousness as exploitation of security vulnerabilities. And if a party attempts to circumvent our tracking prevention methods, we may add additional restrictions without prior notice and these restrictions may apply universally, algorithmically, classified to specific targets or parties engaging in the circumvention.”

14:06 TW: But I think they forgot to just @zuckerberg before they wrote like, for that. Right?

14:12 CU: Possibly.

14:13 TW: No, you’re absolutely right, that’s a… That is crazy, honestly to me for them to say that.

14:20 CU: But to your point, you can still do a lot of the same tracking, you just don’t do it on the browser. You do it on the server.

14:28 TW: Right.

14:29 CU: And it’s kind of like, “What’s the easiest way to not be injured in a fight?” Well, you don’t get into one. And so, if you’re not fighting with the browser but you’re still able to do everything that you were doing, well then it might work to as an acceptable degree, and you don’t have to worry about Safari ’cause if it’s not happening within view of the browser, it’s harder for them to prove that you’re doing it to begin with.

14:49 MH: Nice.

14:49 TW: So how does that… How succinctly can you explain how that works server-side from a simple of… I wanna identify somebody when they return to the site as a returning visitor, how does that happen purely server-side?

15:06 CU: It doesn’t happen purely server-side, but it can typically. So what happens, as far as Safari is concerned, they really are coming down hard on cookies that are set on the client. So, any cookies that get loaded by like tags but it has this unfortunate side effect of actually breaking some site functionality too. So for example, say you have a consent dialog ’cause you’re concerned about GDPR. Maybe you store that in a cookie and it was just client-side logic that displayed the dialog and you didn’t see any reason to come all the way back to the server to set the cookie, etcetera, Safari can’t determine what the intent is. And so, from a security perspective, this makes a lot of sense. If you can’t determine the intent, you classify it as bad and based off other conditions and what version of ITP the person’s on, that cookie will get set for seven days, even if it’s originally intended for like two years, or it’ll get set for 24 hours, even if it’s originally set for 30 days. So the user experience in that situation would be getting that pop-up way more often.

16:14 CU: But to what Tim was talking about, how would you do that? You can set the cookie on the server to identify the visitor, and then the server would call the third party as opposed to the client. So, with how most tag managers work the tag managers load the JavaScript code and then you can actually look in the developer tools in the network panel, and you can see all those calls go out. And on a server-side implementation, those same calls go out but it’s not in view of the browser. So as the page is loading those calls get issued. Segment, I believe has a model where it’s server-side out of view with the client. And so something like that could potentially still work…

16:51 MK: And… Yeah, except it’s a massive pain in my backside that I’m dealing with right now, because when you send it and I think I’ve got this right because it’s sending server-side when it’s pushing to our analytics tools, I don’t have any of the user’s browser information. So basically, in an analytics tool, all of this traffic is coming from Segment basically.

17:15 CU: And you have to pass that through for Segment to pass it to the analytics system.

17:20 MH: You’re literally going back to the beginning of analytics where we used to put all kinds of URL parameters in to show what was being tracked.

17:29 MK: I need to have a little bit of a rant. So when all of this stuff happened with privacy, and people were obsessed with their call logs getting recorded by telephone companies. And it’s like, I don’t want to have my phone in my pocket, and it’d be pinging off a telephone tower, and then suddenly a telephone company knows where I am, and I’m like, “You have to have that to make your phone work.” You have to connect to a telephone tower. That’s kind of essential for the technology and I feel like this is the exact same discussion is like, there is some portion of like, you need to have cookies to make the internet work. So I don’t know. Anyway, I’m off the soapbox now.

18:09 TW: So it seems like in some cases, there’s really clever constructs that work. Like when cookies were initially conceived and somebody with a lot of foresight said the only site that can read this cookie will be the site that set the cookie. Like, that was one that was… Seemed like kinda genius. If that hadn’t been there, oh my God, we would have been having this discussion in about the first year of the Internet or the first year of invention of the cookies, right? So it seems like that’s part of what everyone’s trying to get around to is how is a way that you can enable functionality that’s reasonable while blocking off the tracking? And the fact is, data has to be collected and stored in order for the functionality to work.

18:53 CU: Right. And to what Moe was saying, cookies are absolutely essential because that’s what allows the session to happen between your web browser and the remote server. So things like e-commerce and banking and all of that good stuff that people do on the Internet, logging into their social media, that only works because there is a cookie that says on every page load, “Hey, I’m still this person that you just authenticated last page.”

19:19 MH: So let me be clear. So what you’re advocating for is a blockchain-based identity system for the web?


19:26 MH: I’m sorry, that was just… You know, I just saw it hanging there and just had to take a swing at it.

19:34 CU: Simo actually did point out in Measure Slack recently though that the Apple engineer who was responsible for ITP has put forth their proposal for authentication, and to get that to work on a separate sort of system that isn’t involved with cookies. But as a interesting aspect of what he has proposed is when they’re not logged in, all the temporary storage is erased, which would be like cookies and local storage and IndexedDB and… ‘Cause he is right in that that stuff does not expire, but I think that is probably a little bit heavy-handed, ’cause there are legitimate use cases for keeping that around longer term.

20:15 MK: So sorry, why delete it?

20:18 CU: I can show you the specification if you really wanna read it, but it is largely because the data does not expire by itself. In the case of cookies, it can have an expiration date, but in like local storage and session storage and IndexedDB, once you set that, it’ll sit there forever. And you’re thinking, at least this is my interpretation of it, they’re not logged in anymore, maybe we shouldn’t persist all that data.

20:44 TW: Well, so at a macro level, we’ve got different players, they all want to own the solution. Whoever figures out the solution, and they’re little, a million little point startups saying, “We’ll be the solution,” that they’re gonna struggle mightily to ever get enough scale to be adopted as the solution. It just feels like it’s so big and complex. You can drill down into the details of Firefox or Safari or Chrome, and they’re all different flavors of the same thing, you can point out limitations, you can point out how the analyst is getting screwed. It just feels intractable. The job of the analyst is back, like Michael was saying, it’s like 10 or 15 years ago, where there’s a need to just understand way down in the weeds of what’s going on, and the weeds have gotten a lot messier and more complicated than they were 10 or 15 years ago. There’s my rant.

21:41 CU: And I would definitely agree with that. And that’s why when things go through the standardization for browser adoption, that’s why that takes years, because all the different parties that wanna be involved argue it out, the specification, before it finally gets ratified. And then even after it’s ratified, it’s months before browsers actually implement in a lot of cases.

22:04 MH: Yeah. Well, and the crazy thing here is it seems like these changes are happening much faster and without very much warning, and there’s not really much clarity at all on where this will actually end up.

22:19 CU: And I agree, because Safari’s done a lot of things. I’m just like, wow, that’s gonna break all kinds of different things. And in fact, on their policy that they say, “Here’s unintended impact that this could affect. And the list is: Funding websites using targeted or personalization for advertising, measuring the effectiveness of advertising, log on using a third party log-in provider, single sign on to multiple websites controlled by the same organization, embedded media that uses the user’s identity to respect their preferences, like buttons, federated comments, or other social widgets, fraud prevention, bot detection, improving the security of client authentication, analytics and scope of a single website, and audience measurement.” All those things could break by what they’re doing, and they’re going to consider fixing them on a case-by-case basis based off what they consider the severity is.


23:17 MK: What?

23:18 CU: Yeah.

23:21 MK: But… Okay, so what worries me the most is… So even from the last time we did a show where we talked about ITP 2.0, and you can correct me if I’m definitely wrong, Cory, that was seven-day cookie expiration, and now 2.2 is 24 hours? Is that…

23:37 CU: Right, that’s correct. And a couple of conditions have to happen. So 2.2 is already on mobile if the device was capable of it uploading to mobile with their update in May. Based off what we’ve seen, it’s likely to come out in macOS X’s October release with the desktop version. Now, for the 24-hour timer to kick in, as opposed to seven days, a couple conditions have to be met. One of them would be the referring domain must be classified as a known tracker based off whatever Safari’s machine learning algorithm has determined. And the second half of that is it has to have a query string or fragment on the URL. So if you have any name-value pairs such as advertising name value pairs because you care about channel definition, then potentially your look back window just got cut from seven days to 24 hours.

24:32 MK: I just don’t think… I think what worries me is marketers have no fucking idea about this. These… People in companies are spending millions of dollars every week, and I genuinely don’t think they know how much this is affecting the numbers that they’re reporting back to a business. That scares me.

24:51 TW: You already see this where advertising companies and agencies are already saying, “We do not recommend targeting Safari-based audiences.” They’re just already being like, “Yeah, we don’t even know what to do with them anymore.”

25:05 MK: But it’s just like, do you know what, it’s making my life way easier, because people keep asking me for a custom data-driven attribution model, and I can just be like, “Computer says no, we have to do last click, like 24-hour last click. That’s all you got, kid.”

25:22 MH: Good luck with those year-over-year channel comparisons.

25:25 CU: So if you’re not bringing all that data in and storing it server side, and able to have some sort of deterministic event to link two separate visits longer than 24 hours apart, you can’t basically reconstruct that look back window.

25:38 MH: Yeah, which is an unrealisable hurdle for most anybody.


25:44 MH: Alright, conversation’s going great so far, but we’ve gotta get to our sponsors, with another multi-touch moment. Alright, Josh, I’m super excited about this one. So, you remember, we talked about the great folks that brought us whatisagoodbouncerate.com, right?

26:02 Josh Crowhurst: That’s actually my browser home page.

26:03 MH: As it should be. But get ready to open a new tab, and make that one a default, [chuckle] ’cause they’ve done it again. They have now launched whatisagoodconversionrate.com. Josh, how lucky do you feel to be working in our industry, at a time when websites like this are coming out?

26:21 JC: Man, you know, this really just solves all of my problems logging into a Adobe via the Experience Cloud. I’m never gonna use it again.

26:29 MH: Exactly. It’s just so simple now. All you do, go to that website, type in your URL, accept the Terms of Service, and click the next button, and it’s gonna tell you what a good conversion rate for your website is. I’m blown away. They’ve done it again, and they’re doing it with science and data. And that’s what’s so great about it. I mean, when you look at what your conversion rate should be, especially for marketing channels like display advertising, and social media, I mean, what can you expect? And this website’s finally gonna give you the answer.

27:02 JC: Bookmarks.

27:03 MH: Excellent. Well, I’m sure I will be using it all the time. It’s making my job so easy. CMOs come to me all the time, and ask me this question. “Michael, what should my conversion rate be? Or what’s my competitor’s conversion rate like?” And now I know I can say, “Let’s go check it out together on whatisagoodconversionrate.com”. Okay, I wanna do something. Because last time we tried to get into this topic, we did a lot of talking in this kind of thing, but we got to the end of the podcast that we started hitting some really good detail. So I wanna start sooner. And I just wanna ask you Cory a bunch of questions, browser by browser, to give our listeners an understanding of exactly how they’re treating cookies.

27:49 CU: Sure.

27:49 MH: Right? ’cause a lot of people have some idea, but it’s wishy-washy. They don’t really know. So we’ll call this sort of the cookie deletion lightning round, if you will.


27:58 MH: Okay. So let’s start with the first mover in this space, or at least in this current iteration of the hell that we live in right now, which is Apple. So Apple ITP 2.1, ITP 2.2. We just covered it. Basically, 2.2 is already on mobile and is coming to your desktop soon, and that’s the one where a cookie, even if it’s first-party, set by front-end code, will be deleted either in seven days, or 24 hours, depending on whether Apple thinks it’s kosher, or not?

28:27 CU: Correct.

28:27 MH: Okay. Anything else that people should know about that?

28:30 CU: There’s some things with third-party cookies regarding how long that they’re allowed to stick around for, and when they can be accessed. Even though the script has loaded in a third-party context, it can’t access the cookies from a third-party context, unless like something on the page has engaged with that, in order to invoke the storage API for Safari. So in that case, the third-party tags that you may have may not have access to their storage mechanisms, which could be problematic if this tag needs a concept of history to do what it’s supposed to be doing.

29:01 MH: Right. And then, the only work around here is basically server-side cookie setting?

29:07 CU: That is basically what I think is the key here, because they have come back, and said, “We don’t want tags that you may not be aware of doing this, but if you specifically go out of your way to set them on the server, then we are going to assume that you know what you’re doing about it.”

29:24 MH: Well, hold on. Let me ask. So this… ’cause Apple’s… And some of… I am an iPhone user, and I know there’s another kind of messy world. But if I’m in Facebook, the whole embedded browsers… If I’m in Facebook, and click on a link, and it winds up loading the mobile browser, Is that loading like a Safari light, or is that a Facebook developed browser? I know it’s given analysts fits for years on all sorts of fronts, but where does browsers embedded in other apps… Where do those come in?

29:54 CU: My understanding for iOS is it’s like a light version of Safari. So it’s not loading the ITP code, what it is doing the web view for the rendering of the markup. The one thing I wanted to say though is part of the reason that you would probably have issues with that, is as they cross between the native app, and the web pages, if you don’t have some sort of linking system in place, then you double-count everything.

30:19 MK: Oh…


30:21 TW: Okay. Browser technology.

30:24 MK: I really wanna leave marketing analytics and go back to product analytics. I think it’s weirdly now seeming easier, which I never ever have said before it.

30:33 MH: Alright. Moe, we’re still in the lightning around. This is the cookie deletion lighting round.

30:36 MK: Yeah. Sorry, go ahead.

30:36 MH: Alright, Firefox. They rolled out enhanced tracking prevention. What does it do? What are marketers and analysts need to know about this?

30:45 CU: Alright. So starting in June, it was for only new installs, starting a couple of weeks ago, it was for all installs. By default, it will not allow cookies that do cross-site tracking, fingerprinting, etcetera, from accessing their storage. And what I’ve been observing is the cookie gets set, but then if you look at the network call, the cookies not parsed. And a good example of this would be… And at least in the current version that’s coming out in October, double click sets an IDE cookie… That’s the name of the cookie. I don’t know what it is. It’s encrypted. And if you’re not… If you have enhanced tracking prevention turned off, all of the clicks, the double click contain that cookie, and they pare it. Turn that on, you can still see the cookie in your browser, but all those network calls well go through without that data. So in that case, what it’s doing is it’s not stopping the network calls, unless they’re doing crypto mining, or something of the sort, but what they’re getting is none of the state. And if the tag needs the state to do something specific, quickly… You know, a recommendation engine has a cold start problem, and as you interact with it, it gets more refined, but if every time you view the recommendation engine, you’re a new person, because this is basically what that’s making that do, it’s never gonna get more accurate. It’s still gonna be like a random assortment.

32:08 MH: Yep. Take that RichRelevance. [chuckle] Right? Which, like innocent bystander. Totally. Like the people who provide recommendation engines for e-commerce providers, Monetate, RichRelevance, all those guys. They’re just getting jacked.

32:25 CU: Now, I wanna say, one other thing about Firefox, if they decided to turn it on strict, which is different than default, that’s an option for them and that stops things at the network level, like the third party code that’s classified as one of these tracking domains from their list they look at, doesn’t even load. And that can break your site if it’s dependent on that functionality.

32:45 MH: All right. And now, lightning round still, Tim. Don’t even, don’t the lightning round. I know I violated it this time too. But now, now Chrome ’cause Chrome so far is mostly just talking but hasn’t done anything or where are they at and what’s happening with cookies and Chrome?

33:02 CU: So, Chrome added support for the SameSite attribute on their cookies to both eliminate the cross-site request forgery attack in Chrome as well as limit who naturally gets given access to cookies when they load in specific contexts. Now, they also have expressed interest in making it so you can’t access cookies at all unless you are on TSL, so [33:26] __ support for your site. They haven’t done that yet, but I know that’s on their plan. And they’ve recently come out with basically a policy stance much like Mozilla and Safari have detailing five different proposals that they have for where they wanna take it. Now, they’ve stopped just short of implementing those to this point because they’re trying to get some more discussion before they go ahead and just do the things. But if any of those get significant advancement then they would probably implement those as well.

33:58 MH: And it’s probably worth mentioning that as of this recording, the analytics.io website is fully secured under HTTPs. And actually, that is directly because of Tim’s good friend Jason Packer and now my really good friend. Because I had to give him a login to my hosting provider to be able to do it. Huge shoutout to Jason. Thanks so much for your help getting that and now just in the nick of time so we could keep setting lots of tracking cookies in safety on Chrome. Okay, last of the not-so-lightning lightning round, we did talk a little bit about Microsoft Edge. Is there anything that the people need to know? Does anybody care? I feel like we’re always just been trying to get around IE and Edge. Nobody uses it.

34:46 CU: Well, for IE, they actually don’t want you to use it.

34:49 MH: Yes.

34:49 CU: And they’ve come out on record and actually said that. For Edge, they have plans to do something with blocking request and/or access to the storage, but it’s not clear what storage or how the blocking list will work and get populated, et cetera. And it’s been fairly inconsistent in the last release build I looked at. So, more to come on that on how big of an impact that would actually be. And between all the different browsers, you may have to care about more than the other based off your respective browser mix and then just because you have a high percentage of traffic from that browser, doesn’t actually mean you have anything to worry about. It would actually depend on your specific tech stack and how it works.

35:35 MH: So, what you’re saying is that… Corey, you are now available for consulting work at $500 an hour to help people sort this out.

35:44 TW: What’s interesting is I feel like this is another thing where everything old is new again. Like all of a sudden it becomes… It does start to seem like it’s kind of urgent to take some very basic metrics and put them side by side by browser type, be that bounce rate, conversion rate, new versus returning visitors. Not ’cause you’re necessarily gonna get great insights but I guess, Corey, ’cause you’ve said a few times that it could break your site in some cases and it seems like that’s one. It’s seldom gonna break your tracking outside of flat out Java Script blocking, is it gonna… It won’t generally screw up. None of these are gonna screw up your session cookie, are they? Like I’ll be able to generally capture page to page to page in a session. Or is even that at risk?

36:35 CU: I think by default you should be able to get session level traffic. It’s cross-session that really starts to break down.

36:43 TW: Which Moe likes to say, so we should stop doing attribution. I’m like, well, no, you still get last touch attribution.

36:48 MH: Yeah.

36:48 CU: You do.

36:49 MK: Yeah, but who wants to do last touch attribution?

36:52 TW: Who wants to do last touch attribution? Well, when it’s…

36:55 CU: All you have.

36:56 TW: When it’s all you got.

36:58 MK: Yeah. That’s pretty much it. That’s the point is. That’s why I’m so depressed. I’m like, we might as well just spend the money, throw it to the wind, who knows what happens with it?

37:08 TW: No. God, you’re killing me.


37:11 TW: After an episode on ad fraud and then this, I think Mo, that’s right. You just throw the money into the void and hope something good happens.


37:21 TW: You know, just be creative. Just, you know, go straight back to the Mad Men era.

37:27 MH: Great product, a great creative. Don’t need to measure. You just feel it.

37:32 CU: So, a good example of this though is you have a system that measures history essentially. And, hey, this person came and then within X time but slightly longer than the previous time they came back. They’re identified as new both times. Now, what does that look like in your reporting? Well, maybe your retention tanks. But you have all these new users. And as an analyst, if that doesn’t ring any bells for you, then maybe you say, hey, we have to start giving our retention people discounts or what have you to hold them, when maybe their buying behavior hasn’t actually changed.

38:09 MH: Yeah.

38:10 TW: Which, I mean, the same is… I mean, it’s funny. Like I’ve just always steered away from visitors or users versus sessions or visits unless there’s a really, really good reason and I can tell that story, believe me I’ve told, I know the story of why those are so awesome, but so much stuff gets really messy. Even without all the cookie deletion issues, so many things get messier and harder to interpret. I’m finding myself more and more now when it comes to visitors and users, oh my God, if it’s business per visitor, and even new versus returning, which is kind of just this default thing to look at, really trying to steer clients away, say, “Look, this isn’t reliable.” And let’s think about are we really prepared? If this really matters and we’re really ready to take, make a decision on it, then we need to really understand all the limitations of it. ‘Cause more often than not, it’s just like this simple idea that people kinda like and they kinda wanna report on it and…

39:13 TW: But I think that’s this other piece of it to say, know which of these metrics are gonna be potentially really at risk and for P traffic is definitely one of them. And look for ways where you can live without that understand the limitations of it when you are looking at it.

39:33 CU: Right, and so if you want to mitigate it, then you have to understand both what the browser’s doing as well as how that data is ingested, and see if those things are compatible and if they’re a not, then you have to figure out another way, can you still source that data in doing in a way that the browser is not going to fight you on it.

39:50 MK: It’s way too early to make this stuff first.


39:53 TW: But the other things to look at it, if you don’t jump to a, wow, we broke down our new versus returning by browser type and oh my God, edge. They’re so much more oil these edge ones we have so many more returning users. And you’re like, “Wait a minute.”

40:08 MK: I wonder who’s gonna do that. Somewhere in the world someone is gonna do that.

40:11 TW: Double our bing spent.


40:17 MH: Okay, we are… This show episode is not about solutions, it is just about enunciating the problem more clearly.


40:28 MH: But as always, we got a little bonus in there, but we do have to start to wrap up. So one of the things we like to do is go around the horn and share a last call, and I know Moe, that you’re super depressed right now but maybe it’d make you happier if you shared a last call. You wanna share your last call?

40:45 MK: Yes, because actually this is a great segway. My first of my last calls is about something that makes me really happy. So the CEO of Canva recently bought everyone this thing called the “Five-Minute Journal”, which I’m not gonna lie like I’m really skeptical, I know I shouldn’t be but I’m kind of skeptical about positive psychology and meditation and yoga and I try it and I roll my eyes but I’ve been doing this thing called the Five-Minute Journal and it’s legitimately so positively impacting my life in terms of… I don’t know, I just seemed to be happier and more grateful in looking around with a bit of a bump in my step. It is also like going into spring here, so it could be related to the weather and I’m just thinking if the journal when really it’s not. But I’ll send a link in the show notes because… Yeah, it’s basically you spend two minutes every morning or three minutes everyone, two minutes at night, kind of reflecting on your day and yeah, I don’t wanna give it away, but there’s a little introduction and yeah, it’s really putting a bounce in my step.

41:45 MK: But the other thing that is actually analytics-related, which surprises me where I found it. It was a blog post from Moe, which is like a DataViz sequel tool thing but it was really interesting ’cause it’s called the problems with hands-off analytics and basically the article makes a comparison of if you were a person that works in security and someone has a policy, you don’t just go like, “Oh there’s the policy you should do that now.” Security teams tend to hold people’s hand and walk the stakeholder through why it’s important, help them set it up and that we should really be doing the same with analytics and with dashboards like if someone wants a number, you don’t just go, “Oh, hey, there’s a number over there”. You actually hold their hand through the process and talk about how you can interpret it and the right way to look at it and what it would be useful for. And I just thought it was like a really cool comparison, and kind of made me think a little bit differently about [42:38] __ relationships with clients.

42:40 TW: You’re gonna stop just dumping out numbers and say “Oh, somebody asked me your business users no more, you’re gonna say, Oh, here’s a number over there.

42:47 MK: Yeah but.

42:48 TW: I created my career on doing that.

42:50 MK: I think it was a really cool comparison, to make you think about like yeah, you can’t… Literally someone yesterday was like, how many sign-ups did we have for organic traffic, yesterday? And it’s really easy to just be like, We had this many and you should actually be going back and being like, “Okay, can I get some context around this? Why is it important?” And it turned out actually if they’d asked me for direct and then I’m like, actually you mean you wanna be looking at organic ’cause that’s a totally different thing, anyway, I’m off the box, I’m down. Okay, I’m down.

43:19 TW: And neither one of them are reliable because the browsers and next thing you sucked into a vortex.

43:24 MK: Well, thankfully, where you didn’t the laughed attribution, so it’s fine.

43:28 TW: Yeah. Alright, Cory, what about you? You’re our guest and do you have a last call you wanna share?

43:35 CU: I do, and this is actually related to Moe’s comment about time zones, earlier. There are two links that I’m gonna provide one is called The problem with time and time zones and it’s related to what happens when you compare time zones and compare different clocks, and the things that a programmer or an analyst that doing time series data might have to pay attention to. And the text link that I have to go with that is UTC is enough for everyone, isn’t it?

44:04 MK: Oh, I’m really excited.

44:06 CU: And it goes into the history of time, and why it is actually so difficult to work with.

44:11 TW: Oh my God, like the whole railroads. And then there are two professors who are out promoting that everybody should be on just on UTC right? There’re… There’s actually, there’re proposals out there that are like, let’s just wipe them out entirely.

44:25 MK: Well, to be honest, that’s how we handle it here, everything’s in UTC and yeah, so I’m very, very excited about this. I can’t wait to rate it.

44:32 TW: But it doesn’t solve, unless everybody starts living on your, it doesn’t solve everything, right, ’cause there’s still day time versus…

44:42 MH: Time-based equivalent of flat earth-ers come ‘on, No I’m just kidding.


44:49 CU: You haven’t lived until you’ve seen the same day go by twice.

44:53 TW: Alright. Michael, you wanna go next or you wants to go last?

44:58 MH: You know what, I do wanna go next. Thanks, Tim. So my last call may or may not be completely invalidated by, “No I’m just kidding.” [chuckle] So a recent announcement that’s kind of a big deal in certain places and different vendors kind of dominate the marketplace and so Adobe, for the longest time has been a set of different products that you would create tagging for, like analytics and target and audience measurement, so on and so forth. And they recently wrote a blog post on Medium, talking about how they’ve begun the process of combining that all into one SDK. And the only reason I think that’s a big deal is ’cause there’s lots of people like me out there who go and implement these things and talk to clients about them and having them all sit in the same code base is potentially very powerful, and a good thing.

45:56 MH: So little things like having to wait for some sort of audience segment become available, you create it in one tool, become available in another tool, used to take a day, and this is at the forefront of what they’re doing to make that be like almost instantaneous which is about freaking time, ’cause Tealium’s been doing that for a while. [chuckle] No, I mean, that’s the truth, right? So anyway, that’s my last call. Here’s a great little article about it. The best thing about that article is it seemed like from some of the responses I saw from Adobe people, they didn’t necessarily mean to write that so quick. So it might also be a little early too, I don’t know. [chuckle] Alright, Tim, what is your last call, sir?

46:42 TW: I’m gonna do it too, but it’ll be quick. One is totally inspired by this episode ’cause I was curious when you dropped the old Lou Montulli reference. And so this is an old post but you guys ever listened to the Internet History podcast? Ever heard of it?

46:58 MH: Nope.

46:58 TW: No? They basically get people who were doing various things in the history of the internet and that’s the podcast. But back in April of 2014, April of 2014, they did a On The 20th Anniversary: An Oral History of Netscape’s Founding. So this is… Maybe I’m gonna sound like an ass of some sort, but, so Lou Montulli’s got, they basically went to a bunch of these people who were there when Mosaic and Netscape were created, but my cousin is referenced or he is quoted multiple times, Chris Wilson and then his best friend growing up was a guy named John Jon Mittelhauser and he wanted go into Netscape. But overall, it’s kind of just a thinking back to where 25 years ago, sitting around what was going on at University of Illinois, Champagne Urbana, and how that evolved. Always kind of a fun fun little nostalgic walk down memory lane, I guess for those of us who were not xennials. My other one completely unrelated, and I guess I got this from a millennial at the Search Discovery offices, but it’s been circulating internally at Search Discovery and it’s actually a fun little tool. It’s regxcrossword.com. It’s basically just think Regex meets Sudoku.

48:17 MH: Oh!

48:17 MK: Huh!

48:18 TW: And you basically get different Regex expressions where you would normally have numbers and then you have to figure out what the Regex has to match the whole row and the Regex to match the whole column. And it is incredibly humbling, but I think it’s totally fine to have Regex101 up, while trying to work through it. And there’s some of them are simple little like two by twos but Shira Swarovski, I’m sure I’ve butchered her last name.


48:46 MH: Keep going.

48:47 TW: How do you pronounce Shira’s last name?

48:50 MH: Just how you did. I’m sure, Tim.

48:52 TW: I’m sure. Well, she’s the one who kind of posted it internally, and it’s been causing a lot of joy and frustration at the same time, but it’s also a good way to practice your Regex.

49:02 MH: And Cory, please wait till the end of the episode before you load that. No, I’m just… [chuckle] Cory is like, I’ll check that out.


49:10 MH: No. We have video. No, that is obviously a really good last call and I refuse to go to that website, because I do not engage in games that I cannot win.


49:21 MH: So, anyway. Okay, you’ve probably been listening to this episode and you’ve been thinking like Moe, “Oh no, we’re screwed”, or like me, like, “Yay, we don’t have to do attribution anymore.”


49:32 MH: Or like, “How do we get to the bottom of all of this, and really solve the problem for the marketers and the analysts out there?” But no matter where you landed, I think you’ll agree, Cory’s brought some pretty good light to this, but you may have additional questions, and you’re in luck ’cause Cory is actually pretty easy to get a hold of on the Measure Slack. And he’s been pretty open with sharing his knowledge there, although I’m sure he’d be happy if you wanted to pay him too.


49:57 MH: No, I had… I keep saying that but like, Cory’s like, looking at me like, “Dude, just shut up.” Like, what… No, anyways, so, please do reach out to us, we’d love to hear from you on the Measure Slack or on Twitter or on our newly secured https: //analyticshour.io where we will continue to post shows and show notes. So if you’re ever looking for a link to something that was discussed on the show, you can find it right on analyticshour.io. Cory, once again, thank you so much for taking the time. Your knowledge in this area is something that we have leveraged, I think all three of us and all a lot of our listeners have leveraged, so it’s great to finally get some definitive answers. I really appreciate you taking the time to come on the show.

50:47 CU: Thank you so much for having me. I had a great time, and it was good to see how the show worked from the other side of it.

50:53 TW: Respect has culminated.

50:54 MH: Yeah. [chuckle] Not impressed.

50:55 MK: Okay, I, totally terrified and running, screaming in the other direction.

51:00 MH: That’s right, so yeah, that’s right, it’s always good to not meet people who do podcasts. Okay. Anyway, I know that I speak for both Moe and Tim, my two co-hosts, when I say to you, even if you can’t get your cookies to persist, you gotta keep analyzing.


51:26 Announcer: Thanks for listening and don’t forget to join the conversation on Facebook, Twitter, or Measure Slack group. We welcome your comments and questions, visit us on the web at analyticshour.io, facebook.com/analyticshour or @AnalyticsHour on Twitter.


51:46 Charles Barkley: So smart guys wanted to fit in, so they’ve made up a term called analytic. Analytics don’t work.

51:51 Tom Hammerschmidt: Analytics, oh my God! What the fuck does that even mean?

52:02 TW: That was one of those to say we recognize this is needed, but we’re gonna put a hard definition around it… TOBIE! [chuckle]

52:11 MH: But there are a lot of players that are gonna really push ’cause… Ah, the funniest part is your reaction, Tim. [chuckle] I say, leave the dog in. Wow! That is an impressive bookshelf, sir. I’m very impressed.

52:32 CU: That’s one of five I have.

52:33 MH: Yeah. Okay, yeah, this is starting, there’s some connection starting to be made here.

52:39 MH: Yeah.

52:40 MH: This is a guy who once he get into a topic he kinda sticks with them for a while. [chuckle] Do you play the Dungeons and Dragons?

52:52 MH: Tim is all about like doing tons of preparation and I’m sort of the antithesis of time and so that’s like the yin and the yang. There’s never been a presentation that I have not prepared for.

53:06 MK: Yes, but your form of preparation is like, “Meh!”.

53:09 MH: No, that’s not true, I prepare intensely and I’m one of the top five rated speakers at…

53:16 TW: And I came back on for that.

53:18 MH: Yeah.

53:21 MK: Fuck you and the microphone you rode in on.

53:24 MH: Well… [laughter]

53:26 MK: What kind of a popsicle stand are we running here?

53:30 MH: I don’t know. This is our, this is… We’re really trying to up our game Cory, so we’re really apologetic.


53:37 MK: We have no shame, actually.

53:40 MH: We don’t. Okay, this is how the podcast works. We get together. We make fun of each other. We drink, we cuss a little bit and then somehow a show happens.

53:51 CU: Apparently I’m still trailing Simo by quite a bit but I’m in second place on Measure Slack.

53:58 MH: Oh really, well, that’s not a healthy goal, honestly. It’s not. Yeah. Tim, Tim, just… I need to stop here, just one second. Hey, Moe, did you have your microphone muted there?

54:11 TW: That is not… We’re not going there today.

54:14 MH: It’s an honest question.

54:16 TW: Another story goes down the drain because of you.

54:18 MH: Oh, look, we got an outtake in our test audio. Rock flag and we’re all screwed.

2 Responses

  1. […] by now, and, yet, the reality is incredibly unsatisfying. Since we’ve recently covered how browsers are making the analyst’s lot in life more difficult, and since multi-touch attribution is affected by those changes, we figured it was high time to […]

  2. […] Analytics Hour Podcast: Modern Browsers and the Destruction of the Analyst’s Dreams with Cory Underwood […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Have an Idea for an Upcoming Episode?

Recent Episodes

#247: Professional Development, Analytically Speaking with Helen Crossley

#247: Professional Development, Analytically Speaking with Helen Crossley

https://media.blubrry.com/the_digital_analytics_power/traffic.libsyn.com/analyticshour/APH_-_Episode_247_-_Professional_Development_Analytically_Speaking_with_Helen_Crossley.mp3Podcast: Download | EmbedSubscribe: RSSTweetShareShareEmail0 Shares