Cookies: The Secret to Online TrackingIn an era where consumer technologies generate massive amounts of data, it’s important to know the type of data you’re creating as well as how it’s collected and used. While we’ve talked about developments like the Internet of things and even Big Data to some extent, we haven’t really gone too in-depth about how online tracking works and the ways you can counteract it. To help you can learn how to reclaim aspects of your privacy, we’re detailing cookies and other related methods of Internet tracking.

What are cookies?

You might have heard the term “cookie” used before in relation to web browsing, but you may not know what exactly it refers to. Cookies are the method by which websites identify individual users and provide them with personalized features. For example, if you’ve ever closed a tab containing your Amazon cart, it’s because of cookies that you can rest assured that when you return to Amazon’s site, your items will still be in your cart. Keeping this in mind, it’s important to note that cookies aren’t inherently bad. However, because different types of cookies exist, and various techniques exist for tracking users online, cookies can be used in ways that might unknowingly be costing your privacy.

How do cookies work?

While cookies can be used to track you, they generally don’t contain any identifying information, nor are they executable – meaning cookies cannot see what’s on your computer or act as malware because they don’t contain any code that can run on your computer. They’re essentially text files that websites issue to your computer, and it’s through these files that a given website “recognizes” you. Cookies are how your preferences and login sessions are “stored” by the pages you visit. It is worth noting that cookies can be tampered with and used in very specific types of hacking, but on a secure and well-configured website, this isn’t an issue.

What are the different types of cookies and how can they track me?

So far we’ve given a basic overview of how cookies work, but in order to explain the hidden dark side of cookies, we’ll have to go over the various different types of cookies.

  • First-party cookies: These are cookies issued by the sites you’re currently on. For example, if you’re visiting Amazon.com, a first-party cookie would be one issued by Amazon.com Keep in mind that “first-party” is a broad term which simply refers to the origin of a cookie.
  • Third-party cookies: Third-party cookies are those issued by a site other than the ones you’re currently on (for example, an advertiser placing ads on the page you see). Keep in mind that similar to “first-party,” “third-party” is a broad term that simply refers to the origin of a cookie. As such, any of the cookies described below can be issued by first or third party websites.
  • Session/transient cookies: These are cookies set to expire after your browser closes. The information stored by these cookies disappears once your browsing session ends, as the cookie is deleted.
  • Persistent/multi-session cookies: These are cookies designed to last beyond your initial browsing session on a site. They normally terminate on a date of their creator’s choosing. In the Amazon example mentioned above, a persistent cookie is what allows you to retrieve your shopping cart even after leaving Amazon’s website or closing your browser.
  • Tracking cookies: These are persistent cookies used by third parties to track and remember your activity across a range of websites. Generally, these cookies are used to create personalized ads, usually of items you’ve searched for recently, but they can also be used to build a behavioral profile of you, among other things.
  • Supercookies/zombie cookies/evercookies: These cookies are sometimes considered freaks of nature because, for one reason or another, they cannot expire or be removed from your browser. It’s worth noting, though, that the FTC took legal action against Verizon for its use of these cookies, discouraging other companies from using them.
  • HTML5 cookie/local storage: Increasingly, more developers are relying on HTML5 features like local storage, which stores information through a user’s browser, rather than through cookies. These aren’t cookies, but they could fall into a related category.
  • Device fingerprinting: Moving beyond cookies, modern forms of tracking are starting to rely more on identifying the unique attributes of specific devices (e.g., looking at the device’s operating system, location, time zones, etc.).

What are the limitations of cookies?

One of the most important things you should know is that cookies can’t record information you don’t actively share. Furthermore, with the exception of supercookies and their ilk, all cookies can be blocked or deleted. Beyond these technical limitations, many sites now show cookie disclaimers so that users are made aware of the presence of cookies on the sites they use. This allows users who don’t like the idea of cookies tracking them to avoid cookies whenever they can.

How can I combat cookies?

Every browser has a settings menu where your browser’s behavior toward cookies can be controlled. You should consult your individual browser’s support documentation for information on how to do this, but below we go over some of the settings you should expect to see.

  • Disable all cookies. Nearly all browsers have this option, but it’s not ideal because as discussed above, first-party cookies are integral to a normal browsing experience. You’d probably only want to activate this if you were planning on only doing light browsing on your device that didn’t require you to log-in anywhere.
  • Disable third-party cookies. This is a feature offered by most browsers and focuses on disabling cookies not issued by the domain you’re on. This is a way to preserve your browsing experience, while blocking tracking cookies and other more privacy-invasive trackers.
  • Cookie lists. Many browsers offer you the ability to examine cookies one by one or to customize your browser’s response to cookies by site. These options are for more advanced users who either know the domains they’d want to block cookies from, or who recognize the threat level of individual cookies.
  • Clear cookies. Every browser allows users to delete cookies, along with the entirety of their browsing history. This will, of course, log you out of all your accounts, as cookies are used to store your passwords and settings online.
  • Do not track (DNT). DNT is a feature that nearly every modern browser has which effectively requests that the websites you visit don’t track you. Unfortunately, respecting DNT requests is up to a website’s own discretion, which some, but not all sites do. Keeping this in mind, DNT is best used in tandem with disabling third-party cookies.

Other tools for combating cookies

Aside from your browser, there are other resources you can use to minimize tracking. These mainly take the form of browser extensions you can download like ad blockers, cookie managers and script blockers, as well as web services, like the tracking-free search engine Duck Duck Go, which provide an alternative to traditional websites that rely on tracking. We’ve briefly discussed some of these tools in our post about online anonymity. Keep in mind that a lot of websites, especially free ones, rely on advertising revenue to provide content, so you might want to whitelist these web pages from your privacy tools if you enjoy their materials.

For more information about protecting yourself and your identity online, continue reading our privacy blog.