Cross Site User Tracking - Cookies and Online Privacy
By Richard Griffiths - Director.
In the relatively short space of time since Sir Tim Berners Lee invented the World Wide Web it has pervaded our lives to such an extent that it has become an everyday tool for people of all walks of life. Part of the reason for this is that so much of the web is free to access to anyone with an Internet connection. Building and running a website is far from free however, and for sites that are not selling a product or service another source of income is required which very often comes in the form of advertising.
Advertisers understandably want their advertising campaigns to be as effective as possible and, for that to happen, the right adverts need to be displayed to the right people at the right time. An advert for car insurance is unlikely to appeal to someone who does not own a car, so the chances that this person will click on the ad and make a purchase are slim. Taking this a step further, showing an ad for car insurance to a car owner is far more likely to result in a sale if that person’s insurance is due for renewal. This fact has led to a clamour for data, and to advertising companies intruding more and more into web users’ online privacy by tracking their movements online.
Standard HTTP Cookies
The term Cookie has come to mean any method of storing information locally to identify a website user but Standard Cookies are small text files that the browser saves to the local file system. These cookies can only be accessed by the website that issued them and they can be set to be automatically deleted after a certain period of time. They are managed by the browser and most browsers provide methods of deleting and blocking them.
Cookies are Good
Cookies are a useful tool for websites, allowing them to provide a tailored browsing experience to the user. This in turn is beneficial to the user as they are provided with relevant information and with an improved browsing experience through features such as automatic login.
Cookies do not provide any personally identifying data to the website. In fact, all cookies do is store information that the website provides to the browser – they do not provide any information to the website that it has not previously known.
So What is all the Fuss About?
You may have missed the significance, but one of the features of Cookies I noted above is that they can only be accessed by the website that issued them. This is a good privacy feature as it means a website cannot access a cookie issued by another website – if they could, they’d be able to very quickly build a picture of your browsing habits by checking which websites have issued you with Cookies.
In a similar way to this, most online adverts are delivered by third-party advertising agencies and these agencies can track your browsing habits in the same way. The more websites the agencies ads are displayed on, the more data they gather about you and the more accurate they can be in serving ads. This can be good as the adverts you see as you browse the web will be more relevant, but it is also an invasion of privacy.
This kind of advertising and data collection has been going on since the early days of the web. One of the early players was a company called DoubleClick who were founded in 1996, and were sold to Google in 2008 for $3.1 billion. This gives you an idea of how much this data is worth…
The invasion of privacy becomes worse when companies are able to connect your browsing history with personally identifying information, which is a big possibility when companies like Facebook and Google are involved (For an insight into the types of data Google collects about you, read this Moz article). In fact, the information that these sorts of companies can gather about you is staggering as the Telegraph explains in an article on Acxiom, one of the other big players in this area.
It Gets Worse – meet the SuperCookies
So far I’ve talked about Standard HTTP Cookies which are built for a specific purpose and managed by the browser but there are other types of Cookie that can also be utilised to track users online.
Local Shared Objects, aka Flash Cookies, are a type of Cookie issued by the Adobe Flash Player browser plugin. They can store up to 100KB of data by default and are not controlled by the browser, which means they aren’t deleted or blocked using the browser settings. Instead, to manage these types of Cookie you need to use the settings for the Flash Player. Since version 10.1, Flash Cookies do conform to private browsing sessions.
Flash Cookies were designed to allow Flash applications to store and retrieve relevant information, for example your progress in a game, however any website using flash can store data and this has become a method for online tracking that bypasses the safeguards of Standard Cookies. Companies such as MSN were caught using this technique back in 2011 as explained in this Mashable article.
HSTS Super Cookies
HTTP Strict Transport Security (HSTS) is a security feature that allows websites to signify that they should always be accessed via a secure connection. The first time a user visits a website, it sends a bit value (true or false) which the browser stores to remember whether it should connect via HTTPS. This is a security enhancement as it ensures the browser always connects via HTTPS even if the user types or clicks a link for HTTP.
Ironically, this security enhancement has become a privacy flaw as Sam Greenhalgh of RadicalResearch has developed a method of using these flags to create a Super Cookie. The technique involves sending a request to 32 URLs which each return a true or false value that is stored by the browser. Combining these 32 values gives a binary number that can uniquely identify up to 2 billion browsers. This number can also be read by any website, not just the issuing site, and will also work in private browsing mode on some browsers.
Internet Explorer is immune to this technique as it doesn’t currently support HSTS, although it is in development. Chrome, Firefox and Opera will delete these Cookies if Standard Cookies are cleared and the latest version of Firefox does not pass the same Cookies from normal to private browsing modes and vice versa. Chrome does pass the Cookies from normal to Incognito mode but not in the other direction. Safari does not provide any way of clearing these cookies and does pass the same values between normal and browsing modes. Even more worryingly, the cookies are also uploaded to iCloud so will be sync’d with other devices.
The HSTS Cookie technique was developed recently but was actually highlighted as a potential issue by Mikhail Davidov back in 2012. For more information on HSTS Cookies read Sam’s article at http://www.radicalresearch.co.uk/lab/hstssupercookies
The whole purpose of this type of cookie is to make itself as hard as possible to remove, which makes it a huge risk to users’ online privacy.
What can you do to Protect Your Privacy?
Protecting your privacy online is becoming increasing difficult, but there are steps you can take that will help.
Choose your Browser Carefully
You should do some research about the web browser you choose to use and ensure you know how they treat your security and privacy. Once you have chosen a browser you should also ensure that you keep it up to date by installing newer versions as they are released. You may also consider installing multiple browsers and vary your use, maybe even keeping one browser specifically for private browsing mode.
Use HTTPS Whenever Possible
You should use a secure connection whenever possible to connect to websites. This is particularly true if you are sending personal information to the website – you should never send personal information over an unencrypted connection. If you are connected on a secure connection you will see HTTPS in the URL bar and your browser will display a padlock icon.
Clear Cookies Regularly
By clearing Cookies, you will remove a website’s ability to remember you, which will help maintain your privacy - Learn now how to delete Cookies. By deleting Cookies you will lose their benefits, including any remembered data and personalised content, so there is a trade-off between privacy and convenience.
It is possible to delete Cookies individually by accessing the folder they are stored in – Cookies are simple text files and so can just be deleted in the usual way. Remember however, that Flash Cookies are issued in a different way and need to be managed through the Flash Player Settings.
Logout of Websites Before You Leave
Often when you login to a website a Cookie is issued to identify you. Sometimes after you leave the site, if you do not logout, this Cookie will persist and can be used to better identify you and your browsing habits, so always logout before leaving a site.
Logging out is especially important on a public computer or if other people have access to your device, as they will be able to access the site and use your profile if you do not logout. Closing the browser window is not always sufficient to log you out.
Use Private Browsing Mode
Make use of private browsing mode whenever you want an extra level of privacy. Private browsing mode will ensure your cookies are deleted, your browsing history is not stored and content is not cached locally on your device, making it harder for companies to track your movements online.
Private browsing mode is another way of staying safe when your device is accessible by others as there will be no trace of where you have been on the web, and password, form data and searches will not be saved.
A Final Word on Privacy
Remember to be vigilant with your data at all times. Companies such as Acxiom, mentioned above, aggregate data from all sorts of sources, both online and offline. Every time you fill in a questionnaire or enter a competition think about where your data will end up – checking privacy policies will help you decide whether you can trust a company to keep your data private.
Remember also that Cookies are not always bad, they can help provide a better online experience but sometimes this will mean we have to trade-in a little of our privacy.