OK, I’m arriving a bit late to the discussion about browsers beginning to block 3rd party cookies by default; I was initially on the fence about this. More to the point, I thought this would be just a trend that would come and go — but it seems I was rather wrong about that, as the number of browsers blocking 3rd party cookies by default is on the increase.
Hopefully everyone knows by now that Apple’s own Safari, by default blocks 3rd party cookies — and you all probably read the (in)famous Mozilla blog post about the release of Firefox which introduces the same thing. (Granted, that was initially pushed back by a few weeks — which ironically got it more attention in the press than if it went live right away!)
And as such you probably all understand by now the concept behind this “blocking 3rd party cookies” — but I think it’s worth reiterating it, to avoid confusion; I will quote from Jonathan Mayer’s blog post (see the original here: http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/), who describes this better than I possibly could:
Roughly: Only websites that you actually visit can use cookies to track you across the web.
More precisely: If content has a first-party origin, nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
OK, so read the first part again: “only websites that you actually visit can use cookies to track you across the web”! This should ring alarm bells for everyone who is genuinely concerned about their online privacy. And I’m going to explain why.
First of all, as a full disclosure, I DO work (and have done so for numerous years now) in the online advertising segment — as such, most products I work(ed) on do employ the usage of cookies — sometimes these would be 3rd party cookies, sometimes they are 1st party cookies. I also have to admit that I have never worked for the likes of Google, Facebook, Twitter, Amazon and such. (I have to admit also that I haven’t tried to work for most of them either 🙂 lol)
Now, getting back to the 3rd party cookies and online privacy issues, here’s the thing: as a web user, on each website you visit you’ll have somewhere between 3 and 10 3rd parties cookie-ing you and gathering data about you. Typically that data consists of the pages you visit and your interactions on the page (things like pressing a “Like”/“Star”/“Favourite” etc button, adding something to your wish list or to-do list and so on). Typically this information gets aggregated and ends up building a profile about you — in terms of things you like, dislike, things you bought or are interested in buying… This data can be extrapolated to imply more data about you. If, for instance, you bought car insurance online we can safely imply that you own a car — and if you own a car there’s a whole segment of car-related adverts we can show you! If you bought a baby pram we can guess you are probably married and have an infant in the family. If you bought a flight to Las Vegas, we’d be safe in guessing you’re travelling there. And so on…
At no point really is an advertiser interested in exactly WHO you are — that information tells us hardly anything we want to know: we want to know things that will let us show you something that you would be interested in consuming / buying / trying out — because, in case you didn’t know it, that’s what brings the money in advertising. I couldn’t care less about someone’s full name and date of birth because that doesn’t tell me what type of music they like, for instance; however, tracking their movements on the iTunes website and their purchases lets me understand what music they’re into, such that when the Kaiser Chiefs release their next album I’ll present them with an advert right away, safe in the knowledge they’ll click “Buy” and I’ll get my cost-per-acquisition paid to me.
All of this information is gathered via 3rd party cookies dropped on the sites the users are browsing — typically (though not necessarily), the advertiser or the advertising platform will place a transparent pixel on each page of the website such that they can cookie each user who visits a page, and once cookie’d they can track user movements across the site. Now the big problem with this approach is that in most cases this is done without users being aware of it — because it’s a transparent pixel you won’t even notice it on the page (and even if you do, without inspecting the HTTP communication between browser and server you won’t know what company that pixel belongs to!), and because browsers were historically configured by default to accept cookies (including 3rd party ones) they automatically accept the cookie and you are getting “profiled” in the background without your knowledge. Even in the case of advertisers which use visible indicators of being present on the page (buttons for Like, Add to Wishlist, whatever) it’s still not obvious to the user that data is collected from them by these “widgets”.
The EU, in their huge wisdom (ahem!), decided to overcome this problem by forcing each site to show a popup which informs the user that this site uses cookies and asks them to confirm whether that’s ok with them. Not only does that create a rubbish user experience, but, because of this very reason, the EU was forced to make amendments such that a website can show a banner informing the user about its cookie policy and ask them to accept it or not — and also, in order to avoid corrupting the user experience, it is now accepted that if the user hasn’t taken any action and keeps navigating on your website, you can assume that they agree with your cookie policy and start cookie-ing them. In other words, it’s only if the user clicks on “No” that you are not allowed to cookie them. I haven’t seen stats yet about this, but I bet you most users just ignore that or click on the Yes button just to get rid of the annoyance and continue to the website — so I don’t think the EU way of doing things is the right way to deal with this, though I do quite like their approach of trying to educate the public about this (which is part of the purpose of the notice presented to the user). I just don’t think that’s the best way of getting that information in front of the user…
There have been other attempts at this, Do-Not-Track perhaps being one of the more notable ones — however, this is again a case of having to educate the user about web-related mechanisms and things like HTTP headers, cookies and so on — and then finally, based on that, have them make a conscious decision about using the DNT header. For your average internet user this is a no go, I’m afraid — I can bet good money on the fact that it’s only techies or tech-savvy people using that!
As such, I can see how browser developers can be a bit annoyed by the fact that there is no easy way — it seems — to make the public more aware of these 3rd party cookies and implications of guarding your online privacy. And I can also understand how all of a sudden someone said: “you know what, sod it! rather than have users opt out of tracking let them opt in to be tracked — and turn off by default 3rd party cookies“! That approach I could understand because it is ultimately a kick in the balls of the whole advertising industry and would be a huge push for a bit of revolution in this area.
However, if only they did that! But no, they didn’t! Looking back at the excerpt from Jonathan’s blog post, what that says to me is this: “we’re going to allow the big guys to track the hell out of you, but not the little guys, thus ultimately destroying a bit of the competition in the online advertising segment”. How’s that? Well, let’s remind ourselves: “Only websites that you actually visit can use cookies to track you across the web“.
- Do you visit Google every day — or regularly? Of course you do — and guaranteed you visit it logged in with your username/password so you benefit from their customised services, and as such they know exactly who you are. This means that you’ll have at least one cookie from Google — and this also means they can 3rd party track the hell out of you on any website you go to!
- Do you visit Facebook every day — or regularly? Most people do — which means Facebook can 3rd party track you too!
- Do you visit Twitter?
- Do you visit Yahoo?
- Do you visit Amazon?
… DO YOU GET THE PICTURE?
Now let me ask you about some little-known companies that you probably don’t know of, but whose ads you would definitely have seen, as their online penetration is quite high:
- Do you visit cogmatch.net? (That’s the serving domain for Cognitive Match‘s advertising platform.) I bet you don’t even visit www.cognitivematch.com, our main website, that often.
- Do you visit intellitxt.com? (That’s the serving domain for Vibrant Media‘s IntelliTXT platform.) You probably haven’t visited even www.vibrantmedia.com .
- Do you visit www.fusepump.com?
- Do you visit www.saymedia.com?
Each one of these companies will definitely have served you advertising over the last 2-3 months and will have some profile data about you, built as I explained earlier by tracking your visits to various websites. Now, even if in the case of Cognitive Match and Vibrant Media they unify all of their domains into one, you can still bet good money on the fact that the people visiting their main websites are advertisers and publishers trying to engage in business with the company, and finding out more about the platform’s capabilities before doing so. In other words, the users they put adverts in front of are not the same people who visit their websites — I’m sure there’s a small crossover, but I emphasize the word “small” here!
As such, according to Mozilla’s doing (and Apple’s as well — and unfortunately probably many other browsers to follow), these guys will NOT be able to collect data about users anymore. That’s perfectly fine, if the whole exercise here is to actually disallow data being collected from the user without their knowledge. However, should that be the case, then why the double standards? Why is it ok for the likes of Facebook to gather my data, but not ok for the likes of Cognitive Match to do the same? Have there been some brown envelopes exchanged down some dark corridors here? Why not be brave enough to say NOBODY’S 3rd party cookies will be accepted, rather than have this segregation based on … well… what? Previous visits? Is that really relevant? What if I haven’t actually visited that website (and I’ll come back to this idea shortly because I think this is the Pandora’s box we’re opening here) but instead I got a popup window from them on a different website I went to? According to Firefox’s new policy that automatically allows that website to track me from then on, right? I mean, if on the popup window they cookie me, that’s a direct visit, I get a cookie from their domain and from there to eternity I’m subject to accepting (transparently) their 3rd party cookies. Wouldn’t you say that’s a different scenario to someone who logs into Facebook every day? And even if you log into Facebook every day — are you ok with the fact that they will track your movements on other websites, or do you just put up with it because, well, it makes it easier for the occasional time when you “Like” something?
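To make the quoted policy concrete, here is a small simulation I have added (my own constructed example, not Mozilla’s code or anything from Jonathan’s post) that replays the scenarios above: the unvisited ad network’s tracking pixel, the social network the user logs into, and the ad network again after a popup has given it a first-party visit. Hostnames are placeholders, and the same walk-through can be run against the “allow all” and “block all 3rd party” alternatives for comparison.

```python
"""Simulation of the cookie policy quoted from Jonathan Mayer's post above (a constructed
example, not Mozilla's code): first-party origins may always set cookies; a third-party
origin may only set cookies if its domain already has at least one cookie in the jar.
Hostnames are illustrative placeholders."""
from collections import defaultdict


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real browsers consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


class CookieJar:
    """policy: 'allow_all', 'visited_only' (the new Firefox default) or 'block_all'."""

    def __init__(self, policy: str = "visited_only"):
        self.policy = policy
        self.jar = defaultdict(dict)  # registrable domain -> {cookie name: value}

    def accept_set_cookie(self, top_level_host: str, request_host: str, cookie: str) -> bool:
        """Apply the policy to a Set-Cookie from request_host while top_level_host is shown."""
        owner = registrable_domain(request_host)
        first_party = owner == registrable_domain(top_level_host)
        if first_party or self.policy == "allow_all":
            accepted = True
        elif self.policy == "block_all":
            accepted = False
        else:  # visited_only: a third party gets cookie permissions only if it already has one
            accepted = bool(self.jar[owner])
        if accepted:
            name, value = cookie.split("=", 1)
            self.jar[owner][name] = value
        return accepted


def walk_through(policy: str) -> dict:
    """Replay the post's scenarios and report which Set-Cookie responses were accepted."""
    jar = CookieJar(policy)
    return {
        # tracking pixel from an ad network the user has never visited directly
        "unvisited_tracker": jar.accept_set_cookie("news.example", "pixel.adnet.example", "uid=1"),
        # the user logs into the social network, a first-party visit
        "social_login": jar.accept_set_cookie("www.social.example", "www.social.example", "sid=9"),
        # that network's Like widget on the news site is now a permitted third party
        "social_widget": jar.accept_set_cookie("news.example", "widget.social.example", "t=1"),
        # a popup loads the ad network's own page, so its cookie is first party there
        "adnet_popup": jar.accept_set_cookie("promo.adnet.example", "promo.adnet.example", "uid=1"),
        # back on the news site the formerly blocked pixel is now allowed
        "tracker_after_popup": jar.accept_set_cookie("news.example", "pixel.adnet.example", "uid=1"),
    }
```

Under `visited_only` the pixel is refused until the popup visit and accepted afterwards, which is exactly the gap the post complains about; under `block_all` it stays refused both times.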
My issues with this policy are that it promotes 2 things — neither of them nice:
- It definitely, absolutely, totally favours the “big guns” (Twitter, Facebook, Google and the like) — this will lead to smaller startups losing market share to an oligopoly guarded by these giants, to the point where if you want to do advertising you can only do so by dealing with these guys and paying whatever fees they want to charge for their user data, because there is no other way.
- On the other hand, I fear it favours the return of the dreaded pop-ups and pop-unders! Think about it: the only way I can gather (3rd party) data about users is by ensuring they get a cookie from a direct visit to my website in the first place — once they have that cookie I can track and cookie the shit out of them. So how do I trigger that first visit? Simple: I pay some huuuuuuge amounts to some company which specializes in bypassing all the blockers and what-not and forces a popup which opens up a page from my website in front of the user — that will be a direct visit, since the user lands on my website! And since it’s a direct visit, I can drop a cookie on the user — it’s a 1st party cookie, which I doubt will ever be rejected by any browser, since that can have terrible effects on the user experience on a site. And once that cookie is there I can 3rd party the hell out of that user and track him/her left, right and centre, right? Thing is, do we want to go back to the 90’s with an average of 2-5 popups on each visit???
As you can gather from my blabbering above, I feel passionately about this — I work in online advertising so I’m quite aware of a lot of the privacy implications that come with it. I’m also aware of a lot of ways to block it and bypass it, as well as tricks employed to still gather data about users and get around things like firewalls, ad and popup blockers and the like. I think we are still a long way from figuring out the best way of protecting users’ online privacy — part of it is because the concept of the data we store about the user is still evolving and will keep doing so for a while (how can you protect something if you’re not certain yet what it is?!) — but I understand that some of the steps on this journey will be small steps whereas others will be rather big leaps. As such I accept that sometimes such steps will shake a lot of companies and products and even standards in the industry. And based on this, I would have accepted a really harsh approach where, say, by default the DNT header is turned on and/or ALL 3rd party cookies are discarded — as I said before, this might have triggered a lot of smart minds to get together and come up with some new standards, perhaps to do with the web and HTTP? But I am utterly disappointed to see that instead we are now putting our (open source!!!) projects right in the hands of the big guns — people who have come under scrutiny multiple times about the way they acquire and deal with user data (PRISM rings a bell????). We’re literally surrendering a whole army of smaller companies to them and handing them the detonator to blow this thing up. The cynic in me is definitely convinced at this point that this is a case of dark corridors and brown envelopes — someone keep an eye on who’s going to buy a Ferrari next from the Firefox team, that’s our Judas…
Shame on you!