April 20, 2014

avatar

If You're Going to Track Me, Please Use Cookies

Web cookies have a bad name. People often complain — with good reason — about sites using cookies to track them. Today I want to say a few words in favor of tracking cookies.

[Technical background: An HTTP "cookie" is a small string of text. When your web browser gets a file from a site, the site can send along a cookie. Your browser stores the cookie. Later, if the browser gets another file from the same site, the browser will send along the cookie.]

What’s important about cookies, for our purposes, is that they allow a site to tell when it’s seeing the same browser (and therefore, probably, the same user) that it saw before. This has benign uses — it’s needed to implement the shopping cart feature of e-commerce sites (so the site knows which cart is yours) and to remember that you have logged in to a site so you don’t have to log in over and over.

The dark side of cookies involves “hidden” sites that track your activities across the web. Suppose you go to A.com, and A.com’s site includes a banner ad that is provided by the advertising service AdService.com. Later, you go to B.com, and B.com also includes a banner ad provided by AdService.com. When you’re reading A.com and your browser goes to AdService.com to get an ad, AdService.com gives you a cookie. Later, when you’re reading B.com and your browser goes back to AdService.com to get an ad, AdService.com will see the cookie it gave you earlier. This will allow AdService.com to link together your visits to A.com and B.com. Ad services that place ads on lots of sites can link together your activities across all of those sites, by using a “tracking cookie” in this way.

The obvious response is to limit or regulate the use of tracking cookies — the government could limit them, industry could self-regulate, or users could shun sites that associate themselves with tracking cookies.

But this approach could easily backfire. It turns out that there are lots of ways for a site to track users, by recognizing something distinctive about the user’s computer or by placing a unique marker on the computer and recognizing it later. These other tracking mechanisms are hard to detect — new tracking methods are discovered regularly — and unlike cookies they can be hard for users to manage. The tools for viewing, blocking, and removing cookies are far from perfect, but at least they exist. Other tracking measures leave users nearly defenseless.

My attitude, as a user, is that if a site is going to track me, I want them to do it openly, using cookies. Cookies offer me less transparency and control that I would like, but the alternatives are worse.

If I were writing a self-regulation code for the industry, I would have the code require that cookies be the only means used to track users across sites.

Comments

  1. golden says:

    I was looking for a Firefox plugin when I ran across this: a plugin called BetterPrivacy.

    https://addons.mozilla.org/en-US/firefox/addon/6623

    It turns out that the latest way that sites track you is to use “silent” flash movies that write a “flash cookie”. These are not managed by the browser. The BetterPrivacy plugin allows you to manage and delete these cookies.

    Once I installed this, I was quite shocked to see the number of these cookies that are being set. I have it set to delete all of them every time I close my browser, and tell me what it is doing. All kinds of sites that should be reputable are setting these, including Google.

    • Khürt says:

      Firefox has a privacy setting that allows your to delete cookies and other data when the broswer closes. Is the Better Privacy plugin just for the “flash cookies”?

      • golden says:

        Yes. Firefox doesn’t know anything about the flash cookies, since they’re created and managed by the flash plugin, which is not actually part of Firefox. If you download and install BetterPrivacy, you can see all of them, and it has settings much like Firefox’s to allow them to be deleted when the browser closes.

    • Anonymous says:

      Cute. Too bad for them I’ve been using FlashBlock for years. ;)

      It occurs to me that a simple way to make a browser very privacy-protective would be:

      1. All page elements other than simple still images and text appear as placeholders with “play” buttons, requiring user input to activate. This includes animated GIFs. If there’s an audio file a play button for that appears at the bottom of the page, or at the top.
      2. All cookies other than from the domain in the address bar are silently ignored. So if you go to xyz.abc.com you get only cookies from *.abc.com, none from e.g. ad.doubleclick.net.
      3. Javascript from other domains is likewise ignored. (So much for Google’s “urchin.js”)

      This might break the odd site but it will heavily defend the user’s privacy and allow all normal surfing, and most interactive use (e.g. forums, webmail). It would be something you could turn off on a per-tab basis for those rare occasions that you needed it turned off (possibly Akamai-hosted sites?)

      For extra protection from spammy but non-privacy-invading content, it could also replace all off-site images and iframes with placeholders that the user could click to activate. That will kill most banner ads and even Google AdWords, but also require the user to click to see embedded images in forum posts and suchlike. (Flashblocking already does this to embedded YouTube videos and their ilk.)

      Of course, the placeholder elements should have mouseover text to indicate what site they came from, perhaps showing “Show third-party page element: ” in the status bar when entered by the mouse pointer.

      • Anonymous says:

        Hey, who altered the text of my post? I had said that the status bar should show “Show third-party page element: url” but the last word of that text was mysteriously deleted.

        That unauthorized edit significantly degraded the meaning of what I said.

        Don’t do that again.

  2. Khürt says:

    I have my browser (Safari) set to allow cookies “only from sites I visit”. This blocks cookies from third parties and advertisers.

  3. BertBert says:

    Saying that there are worse methods to track people than cookies, but then not saying what those are, kinda defeats the argument.

  4. Tom says:

    Many people do not like cookie because this is their private informations and they don’t want another people “see” it.

  5. James Lester says:

    I am very interested in some of the alternatives to using cookies for tracking user data.

  6. Miral says:

    I’d rather people didn’t list alternative methods. We don’t want to give them ideas.

  7. Arthur Clune says:

    The Targeted Advertising Cookie Opt-Out (TACO) add-in for Firefox is also really good. It’ll opt you out of all of the reputable ad agencies tracking:

    https://addons.mozilla.org/en-US/firefox/addon/11073

  8. jules polonetsky says:

    the other good reason to rely on cookies – is that they are fragile and imperfect, and thus less reliable as a stable long term tracker. Only a certain number of certain size can be maintained by browsers and they are often being over-written or corrupted.

  9. trsm.mckay says:

    Just like cookies, there are legitimate reasons for web sites to track using other methods. I’m thinking of internet-banking applications (not an expert in this area but I attended a couple of seminars at RSA 2009). The idea is that the banks would like to use anomaly detection to feed into their anti-fraud logic. You can grasp the scope of their problem when you think about all the Phishing sites trying to grab passwords.

    There are both active (cookies, etc.) and passive (device/browser finger printing) methods. If it all works as planned, you may find your self having to do extra verification the next time you transfer money while traveling and using an internet cafe; but won’t notice much effort when banking from home.

  10. rp says:

    All mechanical? Some by people who get paid a pittance for getting comment past spam filters? Some by people who really would like to say something but just don’t have anything to say?

  11. Chris says:

    Surely using cookies alone to track anything relating to orders / carts etc would not be a good idea. A cookie is just a piece of text on my computer. I can change that piece of text any time. So possessing a cookie with any value does not tell you anything about who I am. If you need to validate that with something like my ip address, then why not store that information for the duration of the transaction. I understand that ip addresses may change between sessions (although far less frequently than they used to when most people were on dial up) and this is where cookies can be useful. But please don’t trust anything at your end based on any value you think you stored on my computer!!!!

  12. access consultant says:

    Being simple pieces of text, cookies are not executable. They are neither spyware or viruses, although cookies from certain sites are detected by many anti-spyware products because they can allow users to be tracked when they visit various sites.