Introductory Thoughts on Cookies

What’s this all about?

During my internship at MSRC, I’ve been focussing on how we can visualise cookies to help people better understand what they’re doing and how they work. But there are other issues tied into this: Privacy (and what it means for that to be undermined, and who has the ability to determine whether an action undermines an individual’s privacy), Technical Issues (how can we help guard against “abusive” tracking cookies and cookies that really are needed, without breaking things?) Legal issues (particularly around data protection, EU privacy directive and what informed consent is) and even some Economics (how do cookies support content-providers via ad networks, and how do you balance that against user privacy or make content worth the privacy risk).

I think there are a few issues that keep coming up, no matter which way you approach cookies: The technical insolubility of preventing an ID from being used for several purposes, knowing what an ID is being used for, balancing the needs of websites to track users internally to optimise content versus users’ right not to have their browsing history across multiple sites snaffled by advertising networks.

Why selectively blocking tracking cookies might backfire

I’d be interested to see whether one could differentiate between “types” of cookie with accuracy good enough for general use – There’s no technical distinction, so I think it would be far from easy. The P3P approach, in which cookies are delivered with a machine-readable privacy policy, seems like it might address some of the problems with categorising cookies, but (from experience of trying to implement P3P policies for websites) it’s pretty complicated and feels out of place alongside the simplicity of HTTP itself.

But if we could tell “this is a cookie that keeps you logged in” and “this cookie is just for targeted advertising”, would that help?

Sites that set multiple cookies generally seem to do so out of convenience (easier for eg product teams to have their own cookie) – A single cookie would probably suffice technically for the overwhelming majority of sites that currently use multiple cookies – There may be a downside to widespread categorisation of cookies as “authentication” and “tracking”, in that sites start consolidating into fewer multiple-purpose cookies that are harder for users to control individually and removing any shred of transparency that currently exists. I suspect also, that rather than reduce the lifespan of that single cookie to reflect the often limited lifetime of the current cookies, companies would just give the single cookie the lifetime of the longest-lived cookie at the moment, which undermines privacy further.

Knowing what cookies are for: A policy problem?

There could be a policy response that insisted on a certain level of atomicity in cookie use (not using a single identifier for technically-necessary identification like authentication and non-essential uses like tracking). Implementing that seems like it would either a) have a lot of side-effects for eg companies (like Facebook) that operate advertising only within an authenticated environment (differentiating the ID of the user and the advertising recipient makes little sense) or b) have a lot of loopholes to accommodate them.

Which cookies do I even want to control?

Contexts seem to play a role in the idea of privacy – I don’t care so much that the Guardian knows which stories I’ve read, but I do care that an advertising network knows which stories I read on the Guardian and which stories I read on the Telegraph and which product I looked at on Amazon – A third-party that doesn’t respect the “natural contexts” in my browsing is more troubling to me.

Applying contexts to the Cookie Jar

I think contexts could be implemented in the web browser. Sites could, by default, operate in a “sandbox” – A cookie for Facebook set in a first-party scenario (I’m on a Facebook URL at the time) can only be seen by Facebook. A DoubleClick cookie set in a third-party context while I’m on Guardian.co.uk can only be seen by DoubleClick when I’m on the Guardian – When I’m on the Telegraph, DoubleClick sets/sees a different DoubleClick cookie. This wouldn’t interfere with analytics on the site itself, and would still allow sites to track return visits without bothering the user for all the largely-innocent cookies.

HTTP cookies already have a couple of properties that can be specified at creation (to eg restrict them to HTTPS connections or prevent access from client-side scripts) – A new property could allow cookies to break the sandbox and become global, accompanied by a user confirmation, perhaps using a P3P-like policy to tell the user what the cookie is for, like you get when adding an App on Facebook.

“Facebook.com wants to a set a tracking ID on your browser. It will be used to:
– Keep you logged in to Facebook services provided on other websites
– Track your browsing activities for the purpose of behavioural advertising
Do you want to accept this tracking ID?”

Sandboxing the browser cache in a similar manner would help to prevent some of the other tracking mechanisms, like caching a unique image and then reading that back using a javascript canvas. I think that prevents large-scale tracking of a user’s browsing across many websites, but still allows cookies for legitimate cross-domain purposes (Like Facebook comments on blogs) to work. The policy response then just needs to deal with companies that misinform users about the purpose of the cookies that they’re requesting are un-sandboxed and possibly require that sites use separate global cookies for different purposes, so that the user gets some granularity in what they allow.

A social nudge?

There’s space for a social nudge here, I think. I sometimes feel like if I don’t accept eg an app’s permission request I’ll miss out (possibly coupled with a strong cultural influence to avoid saying no at all costs!) “3000 people have said no today” lets people feel like rejecting this cookie/request a) is socially acceptable and b) won’t disadvantage them, at least with regard to this big number of other people.

If DoubleClick wants to incentivise the user to accept a global tracking ID by giving them something in return, then great!

Leave a Reply

Your email address will not be published. Required fields are marked *