Is the cookie web tracker dying?
The internet’s original data collection tool is still ubiquitous, even as the web moves away from it
What is a cookie?
Simply, it’s a small file that tags website visitors to recognize them later. When you browse a website with cookies, the file is stored on your computer. Later, websites and tracking companies can look at that file to see who you are and determine certain things about your behavior, like whether you return to the site frequently or put certain shopping items in your cart on the site the last time you visited.
In one commonly used analogy, it’s like a coat check. You hand over your coat and get a ticket in exchange, so the attendant can determine what belongs to you when you return.
So when you visit, say, a shopping website, a cookie might determine what products you look at. Another cookie might be used to remember your login information so you don’t have to reenter your password every time you visit.
Cookies come in different flavors. There are first-party cookies—ones that come from the site you’re visiting—along with third-party cookies, which load when you visit a site but aren’t necessarily from the site you’re visiting. You may be shopping for shoes on a retail store’s site, for example, when a Facebook tracker starts to follow you around.
The trackers can either be “session” cookies or “persistent” cookies. Session cookies, as the name suggests, expire when you end your session, by closing your browser, for example. But persistent cookies can stick around until they reach an expiration date, possibly months or even years later.
What’s the problem?
For one, the information collected by cookies can be extraordinarily sensitive. To build a profile of you, cookies can track information about your browsing history to guess your demographics and interests. If you’re a 45-year-old woman who frequents websites for soccer scores, for example, that’s a data point that could be valuable to advertisers looking to sell soccer jerseys.
Using data obtained from cookies, advertisers can then target ads directly to people they think might interact with them. They can also check whether someone has seen an ad, or interacted with one already. Eventually, they can build a dossier that works out your age, interests—and even, with some effort,potentially identifyexactly who you are.
All of it happens in a way that’s invisible to most people.
“Your browsing history could be shared with dozens of different companies that you’ve never heard of,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation (EFF) who has followed recent changes in web-tracking technology. “It’s very difficult to figure out that it’s happening at all, and then it’s almost impossible to figure out what happens to that data after it leaves your computer.”
An investigation by The Markup using Blacklight uncovered just how sensitive that information can be. Last yearwe founduser data being tracked for advertisers on more than 100 websites offering services for undocumented immigrants, domestic and sexual abuse survivors, sex workers, and LGBTQ people.
And there are few laws that strictly regulate the use of cookies. Implemented in 2018, Europe’s General Data Protection Regulation, orGDPR, requires website operators to have visitors consent to being tracked through cookies. But in practice, Cyphers said, people rapidly click “consent” without thinking much about what they’re agreeing to.
In the United States, there’s even less protection. One state law, the California Consumer Privacy Act, orCCPA, requires disclosures about how data is collected and stored but does not require consent for cookies.
There are some cookie-blocking options built by third parties. Tools like the browser extensionuBlockor the EFF-builtPrivacy Badgercan stop unwanted cookies from loading, but they often also block ads, which means that websites try to block users of those tools.
What’s next?
The good news is the internet seems to be trending away from the cookie. Cyphers said consumer awareness of web tracking and more ways for those consumers to opt out have led to diminishing returns for advertisers. “Most people don’t want to go around sharing their browser history with random strangers,” Cyphers said.
Bowing to that consumer demand, Mozilla’s Firefox and Apple’s Safari both moved to block third-party tracking by default on their popular browsers in the past few years, and Google has pledged to follow suit with its Chrome browser. The changes have led to uncertainty for companies who have built their businesses around advertising based on user behavior. Some havetaken to calling itthe “cookiepocalypse.”
But even if the cookie meets its demise, there are hints that the tracking tech of the future may introduce its own concerns.
Google, for example, has proposed a series of technologies like FLoC, short for Federated Learning of Cohorts, which, instead of allowing advertisers to use third-party cookies to track visitors, would effectively track user behavior on the Chrome browser directly, then sort users into groups and share that information in bulk with advertisers. Googledescribes itas a “privacy-first future” solution, but privacy advocates aren’t so certain.
“FLoC is based on large anonymous groups, not tracking individuals across the web as third-party cookies do today,” Vinay Goel, privacy engineering director for Chrome, said in a statement. “Chrome has also built into FLoC robust measures removing groupings/classifications that may be more strongly associated with sensitive topics such as race, sexuality, or personal hardships, without learning specifically which sensitive topics.”
Cyphers, for one, has been skeptical of Google’s plan, recently describing it ina blog postas “a terrible idea” and simply trading one form of surveillance for another.
Telang, the Carnegie Mellon professor, said he’s encouraged by the push for improved privacy—but that it’s not clear whether changes made by companies will ultimately lead to a better future for consumers. “Right now, we only know that, hey, they’ll stop the private information being shared,” said Telang. “But will it lead to improved security? That’s a question that I don’t know the answer to right now.”
As Cyphers pointed out ina recent blog postfor the EFF, some smaller advertisers are also pitching their own plans to continue tracking users in a post-cookie world, possibly by pressing them to more frequently share unique IDs like email addresses.
Cyphers said changes like that would be relatively transparent for users—but would also mean handing over personal information closely tied to your identity that could be used to track you for years into the future. “It’s better and it’s worse,” Cyphers said. “I think it’s mostly worse.”
Whether one, or none, of the ideas gain steam, the future of the internet beyond the cookie is at a clear turning point.
“It’s still the most common way that people are tracked on the web,” Cyphers said, “but I think that over the next few years, that is going to change.”
This article by Colin Lecher wasoriginally published on The Markupand was republished under theCreative Commons Attribution-NonCommercial-NoDerivativeslicense.
Story byThe Markup
Get the TNW newsletter
Get the most important tech news in your inbox each week.
