
> It would be cute if there was some way of us hinting to the plugin which domains were needed to not break the site

No advertiser or site looking to cash in on ads would abuse that.



Yeah… I was told by someone that if everyone started blocking 3rd-party domains, the advertisers would start figuring out how to deliver their content through the server-side of the 1st-party so that it would be even less clear this was happening. In other words, there's already a way to hint at the plugin that something is needed: deliver it from the primary domain. This is obviously a complex battle for the long haul.


As someone who has built and exited an adserving SaaS in the past, I get asked this question almost never -- the advertisers that spend the most money never want to abuse the law.

The same goes for the SuperCookie; everyone knows the technology exists, but it's only the rotten apples in the industry ruining it for everyone else by actually making use of it. I got asked whether we would support this a few times, but it was always asked by the shadiest of our customers, and a simple "we want to listen to the visitor's intent" sufficed.

The only real risk I see for online privacy is that this sort of stuff will happen en masse and there will be a powerful lobby to illegalize this behaviour.


We do seem to have the worst of all worlds at the moment. It is very difficult for users to exercise control over good sites, and it is practically impossible to control bad sites.

I wonder if a solution would be to tie third party cookies to the parent page. So that by default a Facebook cookie on a Guardian page could only be retrieved when the user is on the Guardian website. You could then have options within the browser to explicitly allow cross domain cookies if the user wants (and send the actual Facebook domain cookie).


There is no reason limiting adservers from doing what you describe using first party cookies: they all make use of JavaScript, so it is trivial to just set a first-party cookie.

We actually took that approach to be compliant with the EU's cookie law; if a visitor rejected third party cookies, we fell back to first party cookies.
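
The cookie scheme proposed in the thread above (third-party cookies tied to the parent page, with a user opt-in for cross-domain cookies), sketched as an added example that is not part of any commenter's post. The class, its method names and the `.example` domains are hypothetical, and the model ignores paths, expiry and subdomain matching.

```javascript
// Added illustration: a cookie jar keyed by (top-level site, cookie domain).
// All names and domains here are constructed for the example.
class PartitionedCookieJar {
  constructor() {
    this.store = new Map();         // "topSite|cookieDomain" -> Map(name -> value)
    this.unpartitioned = new Set(); // domains the user explicitly allowed cross-site
  }

  // User opt-in: this domain's own cookie is sent on every parent page.
  allowCrossSite(cookieDomain) {
    this.unpartitioned.add(cookieDomain);
  }

  key(topSite, cookieDomain) {
    // First-party cookies and opted-in domains use the domain's own jar.
    if (topSite === cookieDomain || this.unpartitioned.has(cookieDomain)) {
      return `${cookieDomain}|${cookieDomain}`;
    }
    return `${topSite}|${cookieDomain}`; // embedded: scoped to the parent page
  }

  set(topSite, cookieDomain, name, value) {
    const k = this.key(topSite, cookieDomain);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(topSite, cookieDomain, name) {
    const jar = this.store.get(this.key(topSite, cookieDomain));
    return jar ? jar.get(name) : undefined;
  }
}

function demo() {
  const jar = new PartitionedCookieJar();
  jar.set("facebook.example", "facebook.example", "uid", "fb-123"); // direct visit
  jar.set("guardian.example", "facebook.example", "uid", "emb-1");  // widget on Guardian
  jar.set("news.example", "facebook.example", "uid", "emb-2");      // widget elsewhere
  // The reply's point: a script setting a cookie on the parent's own domain
  // is first-party, so partitioning does not affect it.
  jar.set("guardian.example", "guardian.example", "ad_id", "g-9");
  const onGuardian = jar.get("guardian.example", "facebook.example", "uid");
  const onNews = jar.get("news.example", "facebook.example", "uid");
  const firstParty = jar.get("guardian.example", "guardian.example", "ad_id");
  jar.allowCrossSite("facebook.example");
  const afterOptIn = jar.get("guardian.example", "facebook.example", "uid");
  return { onGuardian, onNews, firstParty, afterOptIn };
}
```

Before the opt-in, the embedded widget sees a different identifier on each parent site; after it, the widget receives the cookie set during the direct visit.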



