A non-technical look at third-party HTTP cookies and online privacy.


There’s been a refreshing surge of online privacy related awareness of late. More people are concerned about their privacy online than ever before. On the flip side, the number of ways in which your privacy is compromised online has gone up considerably. Just awareness isn’t going to help. More action is required and a little more technical knowledge goes a long way. So here’s the first in a series of posts I plan to write on online privacy. These are aimed at my students, so I’ll start at a very basic level and build on this information in future articles.

Mmmm cookies...

One of the casualties of the recent surge in privacy awareness is the humble HTTP cookie (or Internet cookie or web cookie). Cookies have been around longer than advertising has on the web (in the dominating state that advertising is in now anyway). A cookie is a tiny bit of information, saved on your computer by websites, to identify you the next time you visit the site. The premise behind cookies is not malicious and when used well, can provide a slightly enhanced user experience.

For example, a cookie can be used to store your login information on a website, so that you don’t have to log in every time you visit the site. Ever notice the Remember Me or Keep me logged in option on many login pages? That works because when enabled, your authentication data is saved on your computer in a cookie. Next time you visit the site, it checks if that cookie is present and if it is, you will be logged in automatically. You can see why it’s a really bad idea to enable that feature when you’re on a public computer/device that anyone else might access. In general I think it’s a bad idea anyway. Signing in takes just a minute and not having that feature provides an additional layer of security. I personally try to avoid having that on any of my sites and client websites, unless the client refuses to understand the implications for the user.

Cookies can also be used to store less sensitive data, like your preferences on a site. Maybe the items in your shopping cart (usually when you haven’t signed in to the site yet and have already added stuff to your cart). Cookies can be used to store information between page visits. For example, if you viewed a product on one page, that information can be stored in a cookie and when you visit another page on that site, the stored information can be used to give you recommendations based on what you saw earlier. Spooky, but still acceptable.

When I first started making websites in the late 90s, guest books were all the rage. A guest book pre-dated comments on the web. A visitor to your site could sign your guest book and leave a nice comment, appreciating your website. You then displayed your guest book entries very proudly on the website. Back then, I used a cookie to store a user’s name when they signed my guest book. Next time they visited the site, they would be greeted with their name — “Hello <whatever name I got from their cookie>. Nice to see you here again”. It was so cool, I got so many questions from people asking how I knew their name. It was totally anonymous though. They could put anybody’s name in the guest book and it would greet them with that name next time they visited the site. A harmless and honestly pointless use of cookies. It did enhance the user experience a bit though.

So cookies are not inherently bad. It’s how you use them that matters and that brings us to the reason why cookies get a bad rap now and rightly so.

Somewhere in the mid 2000s, advertising started to take over the web. No longer a somewhat geeky way to communicate and consume information, the web started becoming mainstream and commercial. Online shopping and other paid online services started becoming more common. Also more common was online advertising. Online advertisements had been around for a while, but now advertisements started driving the web. Many people and organisations made websites and blogs, not because they wanted to communicate and share, but because they could possibly make money by showing advertisements on their website. I won’t say it’s a totally bad thing, but things got worse and now here we are, in a web that is mostly driven by a select few advertising companies. The Internet cookie is at the core of how advertising works.

Let me elaborate on that a little. Online advertising has evolved from being just ads that were randomly placed on a website, to contextual advertising where the kind of advertisements automatically placed on a website depended on the contents of that page, to what it is now - behavioural advertising. Behavioural advertising does not bother with the context in which it is placed. Instead it tries to serve advertisements that serve you, the user, as an individual. How does it do that? By tracking you. You spend hours a day browsing the web, jumping from website to website. You login to your social network(s) of choice regularly to see what your “friends” are up to. You like and dislike stuff that others post. All this information is tracked by these advertising companies.

Let’s have a (third) party

How do they do that? Third-party cookies. These are cookies stored on your computer by a site that you haven’t visited, via a site you have visited. Sounds nefarious and it is. Let’s take a look.

Cookies have some basic security features built in. Every cookie has an expiry date. Cookies from a website can be set to expire as soon as you close your browser or they can be persistent and be set to expire years later. More importantly, a website cannot save a cookie on your computer unless you visit it. That’s fantastic. How do third-party cookies work then? This is best explained with an example.

Imagine two fictitious tech companies that rely on online advertising for a major chunk of their revenue. Let’s call them Gargle and Farcebook. In addition to being advertising companies, Gargle and Farcebook also offer several “free” services. Gargle has a search engine, email, web analytics, a web browser and a host of other services, all free. Farcebook is totally into social networks. (Any resemblance to existing companies is purely intentional.)

You visit a different site, let’s say a travel planning site where you can book air tickets and make hotel reservations. Let’s call this site Trip Organiser. Now, Trip Organiser uses Gargle web analytics for measuring the analytics for their site - number of visitors, their location etc. (mostly anonymous data). But since this service is provided by Gargle, the browser has to make a request to Gargle to enable that feature on the Trip Organiser site. In addition to doing its work, Gargle also sends a cookie, which the browser saves on your computer, even though you did not visit Gargle’s site. The same Trip Organiser site has Like and Share buttons from Farcebook on their page. When those buttons are loaded, the browser makes a request to Farcebook, which also stores a cookie on your computer. These are third-party cookies. Now Gargle and Farcebook know that you are planning a trip. They probably also know where you plan to go and when.

Now, you visit another site, let’s say a shopping site. If this site also uses services from Gargle and Farcebook, they now know that you are planning to buy something. Maybe you will, very conveniently, get suggestions for something you might need for your trip. Maybe you buy that and some other products on the site. G and F now know what you bought.

It’s like Gargle and Farcebook are now stalking you and following your every move online. Creepy! Why would they do something like this? Simple. In the name of better advertising. They can now use this data to serve you advertisements that are personalised to your taste instead of just based on what you’re reading or watching (that’s contextual). When you log into Farcebook, you will be shown advertisements that not only suit your personality based on your profile (information you have voluntarily given to them by adding your personal information, likes, dislikes and by your other actions on their site), but also based on which websites you have visited, what products you have purchased and more.

Stalkers

One argument I hear often is, “If I am forced to see advertisements, they might as well be relevant to me.” I think that’s being short-sighted. First of all, being forced to see advertisements should not be the way the majority of the web works. Secondly, the long-term effects of this are much worse than a few targeted advertisements. Are these companies using your data maliciously? Probably not. Can they sell your personal information to other companies that might be interested to know who to target for their product or service? Maybe. Should you trust an organisation with your personal behavioural data like this? Definitely not.

One rule to block them all

What is the option then? Simple. Block third-party cookies in your browser. Mozilla Firefox and Apple Safari are doing this by default now and you really should switch to one of these if you haven’t already. I have been using Firefox for a couple of decades now and it has never let me down. If your browser supports blocking third-party cookies, do that right away.
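What that setting changes, using the Gargle and Trip Organiser scenario from earlier. This is an added example, not part of the original post; it is a simplified model of a browser's cookie jar, and the `.example` domains, class names and `uid-` identifiers are made up for illustration.

```javascript
// Constructed model of a browser cookie jar; names are the article's fictitious ones.
class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // domain that set the cookie -> cookie value
  }
  // Load a page on `site` plus the resources it embeds from other domains.
  visit(site, embeds, servers) {
    for (const host of [site, ...embeds]) {
      const thirdParty = host !== site;
      const allowCookies = !(thirdParty && this.blockThirdParty);
      // The request is still made when blocking is on; only the cookie is withheld.
      const cookie = allowCookies ? this.jar.get(host) : undefined;
      // `page` stands for what the tracker learns from the request (e.g. the Referer header).
      const setCookie = servers[host]?.handle({ cookie, page: site });
      if (setCookie && allowCookies) this.jar.set(host, setCookie);
    }
  }
}

class Tracker {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // visitor id -> sites that id was seen on
  }
  handle({ cookie, page }) {
    const id = cookie ?? `uid-${this.nextId++}`; // no cookie: looks like a new visitor
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(page);
    return id; // sent back to the browser as the cookie value
  }
}

// Visit the travel site, then the shopping site; both embed Gargle's analytics.
function simulate(blockThirdParty) {
  const gargle = new Tracker();
  const servers = { "gargle.example": gargle };
  const browser = new Browser(blockThirdParty);
  browser.visit("triporganiser.example", ["gargle.example"], servers);
  browser.visit("shop.example", ["gargle.example"], servers);
  return [...gargle.profiles.values()].map((sites) => sites.join(" + "));
}

console.log("third-party cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With cookies allowed, Gargle ends up with one profile covering both sites. With blocking on, it sees two unrelated one-site visitors, because the identifier never comes back.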

The good news is that third-party cookies might be on their way out soon. Browsers like Firefox and Safari are leading us down that path. The bad news is that Google is contemplating implementing an alternative way of tracking your behaviour in Chrome. I’ll get to that in my next post.

For now, just remember that the cookie itself isn’t a bad thing. I wouldn’t call it an extremely important technology, but it can be used for things other than third party tracking. Next time you visit your favourite website or social network, open your browser’s settings to see what kind of cookies are being served. If the site is filled with loads of third-party cookies, run like hell or block them in your browser’s preferences.

How to check the cookies being set by a website

In most browsers, you can right click on an empty area of the page and select Inspect Element or Inspect to bring up the developer console.

In Firefox and Safari, click on Storage and then Cookies in the developer console to see the cookies being set by different domains on the current website. In Chrome, click on Application in the developer console and in the list, under Storage, click on Cookies to expand it and see cookies being set by different domains on the current website.

Firefox and Safari also show you blocked third-party cookies when you click on the shield-like icon near the address bar. Chrome also shows cookies when you click on the lock icon in the address bar.

I don’t have any use for cookies on my site, so this site is cookie free. I prefer biscuits (po-tay-to, po-taa-to?) and those aren’t online, yet. For an entirely different reason, I don’t even have web analytics enabled on this site. Enjoy your total anonymity, stranger :)
