
Cross Site User Tracking - Cookies and Online Privacy

By Richard Griffiths - Director.

In the relatively short space of time since Sir Tim Berners Lee invented the World Wide Web it has pervaded our lives to such an extent that it has become an everyday tool for people of all walks of life. Part of the reason for this is that so much of the web is free to access to anyone with an Internet connection. Building and running a website is far from free however, and for sites that are not selling a product or service another source of income is required which very often comes in the form of advertising.

Advertisers understandably want their advertising campaigns to be as effective as possible and, for that to happen, the right adverts need to be displayed to the right people at the right time. An advert for car insurance is unlikely to appeal to someone who does not own a car, so the chances that this person will click on the ad and make a purchase are slim. Taking this a step further, showing an ad for car insurance to a car owner is far more likely to result in a sale if that person’s insurance is due for renewal. This fact has led to a clamour for data, and to advertising companies intruding more and more into web users’ online privacy by tracking their movements online.

Tracking the browsing habits of users requires a method of identifying them, and this is where cookies come in. Cookies allow websites to store small amounts of textual data on a user’s device and to retrieve that data whenever they visit the site. The need for cookies arises because web browsers do not maintain a persistent connection with the web server. When a user visits a website, their browser sends a request for the web page to the server, the server responds with the content of that page and the connection is terminated. Without cookies, if the user visits another page on the same website, the site has no accurate way of knowing this is the same user. However, if a website issues a cookie, the browser will send that cookie to the website each time it sends a request, so the server can use cookies to check if a user has visited the site before. A website will often write a unique identifier to the cookie which can then be used to store information on the webserver about the user’s preferences and browsing habits.

Standard HTTP Cookies

The term Cookie has come to mean any method of storing information locally to identify a website user, but Standard Cookies are small text files that the browser saves to the local file system. These cookies can only be accessed by the website that issued them and they can be set to be automatically deleted after a certain period of time. They are managed by the browser and most browsers provide methods of deleting and blocking them.

Cookies are Good

Cookies are a useful tool for websites, allowing them to provide a tailored browsing experience to the user. This in turn is beneficial to the user as they are provided with relevant information and with an improved browsing experience through features such as automatic login.

Cookies do not provide any personally identifying data to the website. In fact, all cookies do is store information that the website provides to the browser – they do not provide any information to the website that it did not already know.

So What is all the Fuss About?

You may have missed the significance, but one of the features of Cookies I noted above is that they can only be accessed by the website that issued them. This is a good privacy feature as it means a website cannot access a cookie issued by another website – if they could, they’d be able to very quickly build a picture of your browsing habits by checking which websites have issued you with Cookies.

This however is not infallible. You’ve probably seen the Facebook Like button plastered all over the Internet on all sorts of websites. This button is a JavaScript plugin loaded directly from Facebook and allows Facebook to issue and read a Cookie. Because the Cookie is issued from Facebook, they can read it from every website that has the Like button installed. In this way, Facebook can monitor which websites you visit and build up a profile of your online browsing habits.

In a similar way, most online adverts are delivered by third-party advertising agencies and these agencies can track your browsing habits in the same way. The more websites an agency’s ads are displayed on, the more data it gathers about you and the more accurate it can be in serving ads. This can be good as the adverts you see as you browse the web will be more relevant, but it is also an invasion of privacy.
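
The following sketch is an added example, not part of the original article: a toy JavaScript model of a browser cookie jar and a third-party widget server, showing why a cookie keyed only to its issuer links visits across sites and what blocking third-party cookies changes. The host names and the Tracker and Browser classes are constructed for illustration.

```javascript
// Added illustration: a toy browser cookie jar and a toy third-party server.
// All host names are constructed placeholders; nothing touches the network.

class Tracker {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // cookie id -> sites where the widget loaded
  }
  // Called for every widget request. The embedding site reaches the server
  // alongside the cookie (for example in the Referer header).
  // Returns a new cookie value to set, or null if one was already presented.
  handle(cookie, embeddingSite) {
    const id = cookie ?? `id-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(embeddingSite);
    return cookie ? null : id;
  }
}

class Browser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.jar = new Map(); // issuing host -> cookie value
    this.blockThirdPartyCookies = blockThirdPartyCookies;
  }
  // Visit `site`, whose page embeds a widget served from `widgetHost`.
  visit(site, widgetHost, tracker) {
    const thirdParty = site !== widgetHost;
    const cookiesAllowed = !(thirdParty && this.blockThirdPartyCookies);
    // The jar is keyed by the issuing host only, not by the page being viewed.
    const sent = cookiesAllowed ? this.jar.get(widgetHost) : undefined;
    const setCookie = tracker.handle(sent, site);
    if (setCookie && cookiesAllowed) this.jar.set(widgetHost, setCookie);
  }
}

// Browse three sites that all embed the same widget; return what the
// widget's server has recorded against each cookie id.
function simulate(blockThirdPartyCookies) {
  const tracker = new Tracker();
  const browser = new Browser({ blockThirdPartyCookies });
  for (const site of ["news.example", "shop.example", "health.example"]) {
    browser.visit(site, "widget.tracker.example", tracker);
  }
  return [...tracker.profiles.values()];
}

console.log(simulate(false)); // one profile listing all three sites
console.log(simulate(true));  // three unlinked single-site profiles
```

With third-party cookies blocked the widget's server still receives each request, but it can no longer tie the three visits to one browser.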

This kind of advertising and data collection has been going on since the early days of the web. One of the early players was a company called DoubleClick who were founded in 1996, and were sold to Google in 2008 for $3.1 billion. This gives you an idea of how much this data is worth…

The invasion of privacy becomes worse when companies are able to connect your browsing history with personally identifying information, which is a big possibility when companies like Facebook and Google are involved (for an insight into the types of data Google collects about you, read this Moz article). In fact, the information that these sorts of companies can gather about you is staggering, as the Telegraph explains in an article on Acxiom, one of the other big players in this area.

It Gets Worse – meet the SuperCookies

So far I’ve talked about Standard HTTP Cookies, which are built for a specific purpose and managed by the browser, but there are other types of Cookie that can also be utilised to track users online.

Flash Cookies

Local Shared Objects, aka Flash Cookies, are a type of Cookie issued by the Adobe Flash Player browser plugin. They can store up to 100KB of data by default and are not controlled by the browser, which means they aren’t deleted or blocked using the browser settings. Instead, to manage these types of Cookie you need to use the settings for the Flash Player. Since version 10.1, Flash Cookies do conform to private browsing sessions.

Flash Cookies were designed to allow Flash applications to store and retrieve relevant information, for example your progress in a game. However, any website using Flash can store data, and this has become a method for online tracking that bypasses the safeguards of Standard Cookies. Companies such as MSN were caught using this technique back in 2011, as explained in this Mashable article.

HSTS Super Cookies

HTTP Strict Transport Security (HSTS) is a security feature that allows websites to signify that they should always be accessed via a secure connection. The first time a user visits a website, it sends a bit value (true or false) which the browser stores to remember whether it should connect via HTTPS. This is a security enhancement as it ensures the browser always connects via HTTPS even if the user types or clicks a link for HTTP.

Ironically, this security enhancement has become a privacy flaw as Sam Greenhalgh of RadicalResearch has developed a method of using these flags to create a Super Cookie. The technique involves sending a request to 32 URLs which each return a true or false value that is stored by the browser. Combining these 32 values gives a binary number that can uniquely identify up to 2 billion browsers. This number can also be read by any website, not just the issuing site, and will also work in private browsing mode on some browsers.

Internet Explorer is immune to this technique as it doesn’t currently support HSTS, although it is in development. Chrome, Firefox and Opera will delete these Cookies if Standard Cookies are cleared, and the latest version of Firefox does not pass the same Cookies from normal to private browsing modes and vice versa. Chrome does pass the Cookies from normal to Incognito mode but not in the other direction. Safari does not provide any way of clearing these cookies and does pass the same values between normal and private browsing modes. Even more worryingly, the cookies are also uploaded to iCloud so will be synced with other devices.
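
As an added example (not from the original article or from Sam Greenhalgh's own code), this JavaScript model of a browser's HSTS store shows why the stored flags act as an identifier and why clearing the store, or keeping a separate store for private browsing, removes it. The host names, the HstsStore class and the sample identifier are constructed; no network requests are made.

```javascript
// Added illustration: a toy model of a browser's HSTS store.
const BITS = 32;
const flagHost = (i) => `bit${i}.tracker.example`; // constructed host names

class HstsStore {
  constructor() { this.pinned = new Set(); }
  // A host that answered with an HSTS policy is remembered as HTTPS-only.
  remember(host) { this.pinned.add(host); }
  // The scheme the browser will use for this host, whatever link was followed.
  schemeFor(host) { return this.pinned.has(host) ? "https" : "http"; }
  clear() { this.pinned.clear(); }
}

// Tagging: one flag host per 1-bit of the identifier gets an HSTS entry.
function tag(store, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >>> i) & 1) store.remember(flagHost(i));
  }
}

// Reading: the scheme chosen for each flag host reveals one bit. Nothing here
// depends on which site is asking, so every site sees the same number.
function read(store) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    if (store.schemeFor(flagHost(i)) === "https") id = (id | (1 << i)) >>> 0;
  }
  return id;
}

function demo() {
  const normal = new HstsStore();
  const privateMode = new HstsStore(); // separate store, as described for Firefox
  tag(normal, 0xC0FFEE42);             // constructed sample identifier
  const seen = read(normal);           // identifier recovered from the flags
  const seenPrivate = read(privateMode); // nothing carried into private mode
  normal.clear();                      // HSTS state cleared along with cookies
  return { seen, seenPrivate, afterClear: read(normal) };
}

console.log(demo());
```

A browser that shares one store between normal and private modes, or offers no way to clear it, corresponds to skipping the second store and the `clear()` call, which is why the identifier survives there.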

The HSTS Cookie technique was developed recently but was actually highlighted as a potential issue by Mikhail Davidov back in 2012. For more information on HSTS Cookies read Sam’s article at http://www.radicalresearch.co.uk/lab/hstssupercookies

Evercookie

Evercookie is a JavaScript application developed by Samy Kamkar which attempts to create a persistent Cookie. The application writes the Cookie value to multiple forms of storage (including Standard and Flash Cookies) and then recreates any version that has been cleared by the user. As long as one version of the data remains, every other version will be recreated whenever the user visits a site and so these cookies are extremely difficult to remove.

The whole purpose of this type of cookie is to make itself as hard as possible to remove, which makes it a huge risk to users’ online privacy.

What can you do to Protect Your Privacy?

Protecting your privacy online is becoming increasingly difficult, but there are steps you can take that will help.

Choose your Browser Carefully

You should do some research about the web browser you choose to use and ensure you know how it treats your security and privacy. Once you have chosen a browser you should also ensure that you keep it up to date by installing newer versions as they are released. You may also consider installing multiple browsers and varying your use, maybe even keeping one browser specifically for private browsing mode.

Use HTTPS Whenever Possible

You should use a secure connection whenever possible to connect to websites. This is particularly true if you are sending personal information to the website – you should never send personal information over an unencrypted connection. If you are connected on a secure connection you will see HTTPS in the URL bar and your browser will display a padlock icon.

Clear Cookies Regularly

By clearing Cookies, you will remove a website’s ability to remember you, which will help maintain your privacy - Learn now how to delete Cookies. By deleting Cookies you will lose their benefits, including any remembered data and personalised content, so there is a trade-off between privacy and convenience.

It is possible to delete Cookies individually by accessing the folder they are stored in – Cookies are simple text files and so can just be deleted in the usual way. Remember however, that Flash Cookies are issued in a different way and need to be managed through the Flash Player Settings.

Log Out of Websites Before You Leave

Often when you log in to a website a Cookie is issued to identify you. Sometimes after you leave the site, if you do not log out, this Cookie will persist and can be used to better identify you and your browsing habits, so always log out before leaving a site.

Logging out is especially important on a public computer or if other people have access to your device, as they will be able to access the site and use your profile if you do not log out. Closing the browser window is not always sufficient to log you out.

Use Private Browsing Mode

Make use of private browsing mode whenever you want an extra level of privacy. Private browsing mode will ensure your cookies are deleted, your browsing history is not stored and content is not cached locally on your device, making it harder for companies to track your movements online.

Private browsing mode is another way of staying safe when your device is accessible by others, as there will be no trace of where you have been on the web, and passwords, form data and searches will not be saved.

A Final Word on Privacy

Remember to be vigilant with your data at all times. Companies such as Acxiom, mentioned above, aggregate data from all sorts of sources, both online and offline. Every time you fill in a questionnaire or enter a competition think about where your data will end up – checking privacy policies will help you decide whether you can trust a company to keep your data private.

Remember also that Cookies are not always bad: they can help provide a better online experience, but sometimes this will mean we have to trade in a little of our privacy.
