Busting the cookies and privacy myth

I am going to try and make today’s post as simple as possible. Note some explanations maybe a little too simple for my technical audience.

I was referenced in the WSJ article- Google’s iPhone tracking regarding my cross-domain cookies post.

For my technical audience, here is a detailed version of how my code was actually used.

So let us begin from scratch… what are cookies?

Cookies (data on your computer used to identify you) are stored whenever you visit a site. Usually, this data is used to keep you logged into a site or to figure out if you are a repeat visitor.

This is fine and in-order for the web to function in it’s current state, in many ways, essential.

In the above diagram, when you visit siteA.com, a cookie is set for siteA.com on your computer.

When you visit siteB.com, a cookie is set for siteB.com on your computer.

But siteB.com, CANNOT read the data from the cookies set in siteA.com and vice-versa. Thus siteB.com does not know if you ever visited siteA.com or what you did there.

Let’s introduce the ad-companies

Ad-companies started displaying ads on sites depending on the content of the page. So, if you are a webmaster, you add a line of JavaScript code and a neat looking advertisement is displayed on your site page.

But the information on the page is not enough to generate targeted ads. So the ad-companies wanted to know where you’ve been before.

Now here is where the privacy issue unfolds.

Tracking your moves

Inorder to track you, as you moved from one site to another (both displaying sites ads from the same ad-company), the companies need to store cookies.

Cookies of one site cannot be accessed by another

The problem is that cookies set on one site CANNOT be read by another site. In other words, cookies set on siteA.com cannot be read by siteB.com.

So the work-around used is to store a third-party cookie (i.e. a cross-domain cookie). When a user visits siteA.com, a cookie is not only set for siteA.com but also for a common domain which is accessed by all sites that use the ad-company’s code.

siteA.com and siteB.com set cookies for their domain as well as for adsite.com

Thus, siteA.com, siteB.com and all other sites displaying ads from adsite.com, store and access the same third-party cookie.

So when you visit siteA.com, a third-party cookie is created on adsite.com. When you visit siteB.com, the same cookie is read.

siteA.com and siteB.com access their own site cookies and the cookies of adsite.com

Thus adsite.com now knows that you have been to siteA.com before going to siteB.com. On the basis of this knowledge, a targeted ad can be shown. For an ad-company which provides ads to only two sites, this is not very useful. But imagine if you have 70% of the sites using your code.

Then, nearly most of the times, the same cookie can be read and your movements can be tracked as you browse through the internet. So now, the ad-company knows exact what kind of sites you are visiting and serve ads accordingly.

But why does the WSJ article only talk about Safari?

Safari, by default, does not allow third-party cookies to be created.

However, most major browsers- Firefox, Internet Explorer (using the correct header tags), Chrome etc. do ALLOW setting third-party cookies.

Where does your technique come in?

The technique I posted two years ago, allows setting third-party cookies for Safari as well. This helps in offering a consistent user experience irrespective of the browser used.

Note that other browsers already allow creation of third-party cookies. So Safari is the only exception.

How was this discovered?

A Stanford researcher, Jonathan Mayer found that many large companies like Google, MIG, PointRoll etc. used a variation of my technique to circumvent Safari’s policy.

Infact, Facebook’s official developer best practices article linked to my post (the page has since been removed).

You must remember that this issue affects Safari users ONLY.

Other browsers already allow third-party cookies and thus they CAN track you as they do NOT have any such policy.

How do I protect myself? Should I disable cookies?

NO. Do not disable cookies altogether. This will cause most of your sites (which have a login system) to stop working.

Third-party cookies also have a number of other uses like logging in users to third-party sites and are NOT always used for tracking. They cannot steal your data (a myth noted by some users in comments).

If you want, you can disable third-party cookies in browsers. Dennis O’Reilly has written a guide on how to disable third-party cookies for major browsers.

You may also want to use incognito/private browsing modes when using a public PC.

Questions/Suggestions?

If you have any questions about how this affects you or need further explanation, feel free to post a comment or contact me.

Miranda Miller
Hi Anant,
I have a few questions for you, for an article I’m working on about the Google/Safari cookies issue. Specifically, I’m finding a lot of hyperbole and misinformation out there about how your technique was used and whether Google’s intentions were truly “evil.” Isn’t it quite common for advertisers to use cookies this way? It seems, from what I’m hearing, that the real problem was in Safari’s “quirk” that allowed the respawning of the cookies. I’m wondering if you had any communication with Apple since your first post two years ago and whether Apple might have been aware of this workaround?
I appreciate any insight. Please email me with any answers you have. Thank you!
Miranda
- Anant Garg
  @Miranda You must note that third-party cookies (cross-domain cookies) are allowed in most browsers without the use of any special techniques. So it is fairly common to use cookies in this way. There are also various other uses of third-party cookies; one of the most important being maintaining state of a third-party component e.g. any sort of embed (like footer bars, chat bars, video embeds).
Cristiano Lombardi
Thank you!
You’ve explained it all in a very simple way, without the technical yada yada. Congrats! =)
Garmon Estes
I was able to find a cached version of Facebook’s “Best Practices” page and yes, it links to Anant’s cross-domain cookie technique. Hilarious!! Sorry for the long URL.
http://74.6.117.48/search/srpcache?ei=UTF-8&p=https://developers.facebook.com/docs/best-practices/&fr=yfp-t-701&u=http://cc.bingj.com/cache.aspx?q%3Dhttps://developers.facebook.com/docs/best-practices/&d=4959437846022691&mkt=en-US&setlang=en-US&w=c63c3f6e,98e4a522&icp=1&.intl=us&sig=29ZzOS3fqwj9ihwBdeEObw–
google.com/accounts/o8…
Here’s the Best Practices doc:
http://www.scribd.com/facebook/d/34603412-Platform-Best-Practices-Handling-Issues-Gracefully#outer_page_12
koti
Hi Anant
I wanted to know what harm the cookie tracking can do to us what happens a little bit of our searched terms gt shared and ads are shown whay are people so serious about it….
is there anything i am missing
Boll Nelson
You say, regarding third party cookies, “They cannot steal your data (a myth noted by some users in comments).” That statement is technically true. However, if one defines one’s data as information about where they browse on the internet, that statement is spectacularly misleading, even false. In that case, although it is true that cookies themselves are probably unable to steal your data (cookies themselves lack motive) the PEOPLE programming and placing the third party cookies ARE stealing your data.
http://www.cbumr.com
Hello! I’ve been reading your blog for a while now and finally got the bravery to go ahead and give you a shout out from Houston Tx! Just wanted to mention keep up the fantastic work!
Freddywang
UPDATE: As today with the release of Safari 7, not only 3rd Party cookie is being blocked. Local Storage as well as WebDB, any kind of website data are being blocked. When you go to Safari Preferences (CMD+comma), Under privacy tab, on Safari 7, it now says : “Block cookies *and other website*”, originally was “Block cookies”. That confirms the changes.
- Frederick Begbeder
  SiteA and SiteB can sniff an adversting displayed to user and show own Adversting for this “cookies keywords’