Third-Party Cookies and EdTech
In a recent article, Jan Ozer provided an overview of the Cookie Apocalypse and raised the question of why it has received so little attention. The article focused on FAST and other ad-supported business models, for which the end of third-party cookies poses a grave threat. In edtech, the situation may be even more dire, since course websites are typically designed with third-party integrations that deliver crucial elements of the curriculum and traditionally rely on cookies to allow seamless crossdomain integration.
These cross-domain, third-party cookies are essential for the operation of single sign-on (SSO) and Learning Tools Interoperability (LTI) authentication methods. Many course webpages contain a video player in one I-frame and an interactive quiz in another to enable students to learn the material and formatively test their learning as they proceed in the video. The stu dent would be logged in to both of those embedded websites for legitimate educational pur poses: The two embedded websites should be sending personalized learning analytic data to a schoolmanaged learning record warehouse using Caliper or xAPI standards so the student and teacher both have evidence of the work that was performed for the course, and the institution can aggregate the data to infer optimal study practices toward which incoming students can be directed. That data collection scheme is exactly what a crosssite track ing cookie does, except here, the purpose is solely to benefit the student and the school.
Safari was the first major browser to disable third-party cookies by default, at substantial cost to its popularity on school campuses. Chrome was scheduled to follow suit in October 2024, but changed course late in the summer, due partially to the lack of urgency on the part of many vendors. Savvy and forward-thinking edtech companies have pursued at least two strategies to survive the eventual Cookie Apocalypse utilizing new web browser standards. The first uses a new type of limited scope, third-party cookie, and the other doesn’t use cookies at all.
The first postthirdparty cookie privacy strategy relies on Cookies Having Independent Partitioned State, or CHIPS. These cross-domain replacements for standard cookies are accessible only when embedded under a specific domain.
Our school’s learning management system (LMS) sets a session cookie so a student can stay logged in to the many pages in their course website. One of those pages embeds a video playlist widget, and that widget sets a session cookie for the VMS domain partitioned under the LMS domain so the student can load dif ferent videos without reauthenticating. If the student goes to any other website using re sources from the VMS—even the VMS website—they need to reauthenticate, since the session cookie for the VMS partitioned under the LMS is not accessible anywhere other than with that specific embedding.
Although partitioned cookies are supported in the WebKit engine used by Chrome and Edge, Safari dropped them from its variant of WebKit. However, the reasoning for removing them was because Apple had unsuccessfully explored heuristically partitioning thirdparty cookies in the browser and probably did not ex pect them to catch on since partitioned cookies don’t allow crosssite tracking. They could be restored to Safari if this strategy achieves uni versal support from the other major browsers. The other strategy that has traction despite its unfortunate name is an addition to the LTI specification called LTI OIDC Login with LTI Client Side postMessages.
Strictly speaking, this strategy piggybacks on two different but very useful LTI specifications. One is LTI Client Side postMessages, which allows a thirdparty activity to, among other things, resize its Iframe height to remove extra scroll bars in the middle of a page. The other is LTI postMessage Storage, which allows the embedded thirdparty activity to store and re call data in the localStorage property of the toplevel window object. This strategy makes cookies entirely unnecessary, but it has conse quences that may be undesirable. For example, the VMS session state would not necessarily be shared across browser tabs.
Related Articles
For some publishers, third-party cookies enable the targeting that differentiates web-based ads from broadcast ads. If you lose the ability to target, you lose the benefit that delivers greater efficiency to marketers and increased CPM on your ad inventory. In this article, I'll cover Google's proposed actions regarding third-party cookies, the status of those plans, who this impacts, and what advertisers and publishers can do to mitigate this impact.
09 Sep 2024
By the time students finish their sophomore year of high school, they should know how much they have yet to learn about financial literacy and maybe even have a good idea of what they want to do in life. This is where streaming media comes in: Online video and books can provide for rich, specialized independent study to any community with motivated students.
31 May 2024
The revolutionary change over the past 10 years has made production technologies accessible to teachers and even students. And 4 years ago, of course, almost everyone was forced to rely on educational video to keep schools asfunctional as possible. Today, we can identify several use cases of teacher-produced educational video that are particularly effective.
26 Jan 2024
Software developers are trained in accessibility issues for front-end development and basic concepts like labeling control elements and reporting state changes to assistive technology—screen-readers—are part of a professional developer's code testing procedures. Despite this progress, two very different forces are swirling with the potential to push back on the trend towards better technological inclusion of the disabled.
04 Oct 2023