Understanding the Privacy Implications of Web ‘Cookies’

Peter A. McKay

For better or worse, cookies are an integral part of the modern web, enabling many features that users consider essential.

But cookies also carry major – and, for the most part, poorly understood – implications for privacy.

In short, cookies are small files stored in your web browser with information about the sites you visit. The browser uses them to manage what programmers call “state,” or the quality that allows an application to pick up where it left off previously in an ongoing task.

Cookies, thus, enable in-browser features like shopping carts that “remember” which items you added to them.

But cookies can also be used to capture information to target you with advertisements, an activity increasingly frowned upon by users because of its privacy implications.

“There have definitely been some unintended consequences to cookies,” since their original implementation in the 1990s to add application-like utility to the web, Jonathon Sampson, a web developer at the browser startup Brave, told Digital Privacy News.

“There are all sorts of ways your privacy can be violated on the web, but cookies give you the most bang for your buck.”

In the user-support documentation for its popular Chrome web browser, Google makes a distinction between two types of cookies:

First-party cookies: These are created by a site you’re actively visiting, the one whose address is in the browser’s address bar. A cookie that remembers your password over multiple visits to a particular site may fall into this category, assuming you’ve logged directly into the site previously using your email address or a screen name.

Third-party cookies: These are created by sites other than the one you’re actively visiting. They’re often generated by scripts included in the active site’s source code. (Which you’re almost certain not to look at.)

Advertising networks’ cookies invariably fall into this category and, in many cases, can track a user across multiple sites running the same “tracker” scripts. 

Third-party cookies enable Facebook or the Google-owned ad network DoubleClick to log a user’s browsing history, even when that user isn’t visiting those services’ actual sites.  
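To make the first-party/third-party distinction concrete, here is an added example (not from the original article or from Google's documentation) that classifies cookie-setting responses and reports which third parties appear on more than one site. All hostnames and records are constructed, the function names are hypothetical, and the "site" is approximated as the last two host labels, whereas browsers use the Public Suffix List.

```javascript
// Added example: constructed observations, not real traffic.
// page  = URL shown in the address bar
// setBy = URL of the response that set a cookie while that page was open
const observations = [
  { page: "https://shop.example/cart",  setBy: "https://shop.example/api/session" },
  { page: "https://shop.example/cart",  setBy: "https://cdn.adnet.example/t.js" },
  { page: "https://news.example/story", setBy: "https://www.news.example/login" },
  { page: "https://news.example/story", setBy: "https://px.adnet.example/pixel" },
  { page: "https://blog.example/post",  setBy: "https://widgets.social.example/like" },
];

// Assumption: a "site" is the last two host labels. Browsers use the
// Public Suffix List instead, so suffixes such as "co.uk" would be misjudged here.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// First-party: the cookie setter shares a site with the address-bar page.
function classify(obs) {
  return site(obs.page) === site(obs.setBy) ? "first-party" : "third-party";
}

// Map each third-party site to the distinct sites it was observed on.
function crossSiteReach(records) {
  const reach = new Map();
  for (const obs of records) {
    if (classify(obs) !== "third-party") continue;
    const tp = site(obs.setBy);
    if (!reach.has(tp)) reach.set(tp, new Set());
    reach.get(tp).add(site(obs.page));
  }
  return reach;
}

// A third party seen on two or more sites can link visits across them.
function crossSiteTrackers(records) {
  return [...crossSiteReach(records)]
    .filter(([, pages]) => pages.size >= 2)
    .map(([tp, pages]) => ({ thirdParty: tp, seenOn: [...pages].sort() }));
}

for (const o of observations) {
  console.log(`${site(o.setBy)} on ${site(o.page)}: ${classify(o)}`);
}
console.log(JSON.stringify(crossSiteTrackers(observations)));
```

In this sample only `adnet.example` is flagged, because it sets cookies on both `shop.example` and `news.example`; `social.example` is third-party but was seen on a single site.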

As user privacy has gained greater attention over the last few years, browser makers have added options to manage or block cookies altogether, especially the third-party kind.

“That’s really where the problem comes in,” said Sampson, whose company’s browser blocks third-party cookies by default. “The general consensus among developers is that there’s really no problem with first-party cookies, since the user is visiting those sites directly.” 

No Fool-Proof Solution

However, even if a user blocks cookies using browser settings, it’s important to realize that it still isn’t a fool-proof solution to the broader issue of online privacy, which encompasses workarounds on the advertiser’s end as well.

The Electronic Frontier Foundation in San Francisco highlighted this more holistic threat in a report last year on corporate surveillance technology, “Behind the One-Way Mirror.”

Regarding the tracker scripts that make use of information stored in cookies, the report said:

“Often, a tracker can’t rely on a single identifier to act as a stable link to a user. IP addresses change, people clear cookies, ad IDs can be reset, and more savvy users might have ‘burner’ phone numbers and email addresses that they use to try to separate parts of their identity.

“When this happens, trackers don’t give up and start a new user profile from scratch,” the document continues. “Instead, they typically combine several identifiers to create a unified profile.

“This way, they are less likely to lose track of the user when one identifier or another changes, and they can link old identifiers to new ones over time.”

EFF also noted that particular privacy considerations involve mobile apps, where the distinction between first-party and third-party cookies “doesn’t exist.”

“You can’t grant a privilege to an app without granting the same privilege to all the third-party code running inside it,” EFF noted.

Peter A. McKay is a technology writer and consultant in Florida.