Web cookies have a bad name. People often complain — with good reason — about sites using cookies to track them. Today I want to say a few words in favor of tracking cookies.
[Technical background: An HTTP "cookie" is a small string of text. When your web browser gets a file from a site, the site can send along a cookie. Your browser stores the cookie. Later, if the browser gets another file from the same site, the browser will send along the cookie.]
What’s important about cookies, for our purposes, is that they allow a site to tell when it’s seeing the same browser (and therefore, probably, the same user) that it saw before. This has benign uses — it’s needed to implement the shopping cart feature of e-commerce sites (so the site knows which cart is yours) and to remember that you have logged in to a site so you don’t have to log in over and over.
The dark side of cookies involves “hidden” sites that track your activities across the web. Suppose you go to A.com, and A.com’s site includes a banner ad that is provided by the advertising service AdService.com. Later, you go to B.com, and B.com also includes a banner ad provided by AdService.com. When you’re reading A.com and your browser goes to AdService.com to get an ad, AdService.com gives you a cookie. Later, when you’re reading B.com and your browser goes back to AdService.com to get an ad, AdService.com will see the cookie it gave you earlier. This will allow AdService.com to link together your visits to A.com and B.com. Ad services that place ads on lots of sites can link together your activities across all of those sites, by using a “tracking cookie” in this way.
The obvious response is to limit or regulate the use of tracking cookies — the government could limit them, industry could self-regulate, or users could shun sites that associate themselves with tracking cookies.
But this approach could easily backfire. It turns out that there are lots of ways for a site to track users, by recognizing something distinctive about the user’s computer or by placing a unique marker on the computer and recognizing it later. These other tracking mechanisms are hard to detect — new tracking methods are discovered regularly — and unlike cookies they can be hard for users to manage. The tools for viewing, blocking, and removing cookies are far from perfect, but at least they exist. Other tracking measures leave users nearly defenseless.
My attitude, as a user, is that if a site is going to track me, I want them to do it openly, using cookies. Cookies offer me less transparency and control that I would like, but the alternatives are worse.
If I were writing a self-regulation code for the industry, I would have the code require that cookies be the only means used to track users across sites.