Guide to cookies, cyber treats that profile users
What are cookies
Web cookies, or simply cookies, are identifying trackers used by server-side web applications to save and retrieve information on the client side through an additional HTTP header present in a request (Cookie:) or in a response (Set-Cookie:).
Technically, cookies are small text files containing unique data that identify a computer on the Web. They typically include a unique identifier and a site name; sometimes they may also contain personally identifiable information such as name, address, e-mail or telephone number, if the user has provided such information to a Web site.
In practical terms, they are small text files, which generally contain letters and numbers, created by the websites visited and stored on every type of technological device connected to the Internet (desktop PC, mobile device or Internet of Things devices) for two main reasons:
- Store users’ preferences and improve their experience of using a site or an app, saving browsing data.
- Analyze traffic to that site and track the browsing behavior of users.
When we visit a website, the browser receives a cookie and stores it in a special file in a folder on the hard drive: on the next visit to the same website, the browser will return the cookie to identify the user, so that the website loads with a personalized experience.
A simple and common example of a cookie is the automatic filling of account fields (username and password) on a site, or even the storage of products placed in a shopping cart even after closing the browser (to find them again later).
The meaning of computer cookies
Going a little deeper into the technical explanation, a cookie is a piece of data stored in the browser that is used to maintain state and other information needed by a Web site to perform its functions. This small piece of data is stored on users’ computers, and the information it contains travels back and forth between the browser and the Web site.
Cookies are thus guarantors of a user’s online experience, because they can make websites more personalized and functional and thus improve the users’ browsing experience. As mentioned, in fact, they can be used to remember a person’s preferences, such as language or location, so that he or she does not have to set them again each time he or she visits the website, but also login status (to check if the user is already logged in, for example) and browsing information (such as pages visited or searches performed).
Despite their minimal size, these cookies therefore play a crucial role in the functioning of the web as we know it: without them, to say the least, we would be treated as new visitors every time we visit a website. And that would mean, as a result, having to re-enter credentials every time we visit a site, or having to fill our shopping cart from scratch every time we return to an e-commerce site.
But cookies do more than just make our online lives more convenient: some are necessary for security reasons, such as authentication cookies, and others help Web sites to be informed about users’ preferences and choices. In this sense, they play a key role in providing personalized content, because they can store our language preferences, the products we have viewed or the content we have read, allowing sites to ensure a more personalized and relevant experience for each visitor.
What cookies are for
The first task of cookies is to keep a user connected to the site: thanks to these trackers, personal preferences can be stored for each site visited, previous interactions can be saved, previous account logins can be identified, sites can be made more operational, pages can load faster, statistical data on visitor behavior can be collected, and locally relevant content can be offered.
These digital cookies are capable of storing personal data (such as IP address, user name, unique identifier, or email address) but can potentially also contain other non-personal data, such as language settings or information about the type of device used by the user. In addition, cookies can also contain tracking IDs such as advertising IDs and user IDs.
More specifically, there are various types of computer cookies that perform specific functions, in particular managing sessions, personalization, and tracking.
These cookies allow website activity to be associated with a specific user, thanks to a unique string (a combination of letters and numbers) that matches a user session with data and content relevant to that user. In this way, they allow the site to recognize users and remember their individual login information and preferences. If user Max, for example, logs into his account on an e-commerce site, the site’s server generates a unique session cookie and sends it to his browser; this cookie allows the site to “remember” Max by automatically loading his account content and welcoming him with a warm “Welcome back, Max.”
But the role of cookies does not stop there: when Max visits a product page, his browser sends a request to the site, including his session cookie. This allows the site to recognize Max and keep his session active, avoiding the need to log in again.
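The exchange just described, written out for both sides as an added example (it is not code from the original article). The cookie name `session_id`, the function names and the in-memory session table are assumptions made for illustration; `HttpOnly`, `Secure` and `SameSite` are standard cookie attributes added here as hardening.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session table: session id -> account name (in-memory, constructed).
SESSIONS = {}


def login(username):
    """Server: create a session and return the value of the Set-Cookie header."""
    session_id = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[session_id] = username
    jar = SimpleCookie()
    jar["session_id"] = session_id          # hypothetical cookie name
    morsel = jar["session_id"]
    morsel["path"] = "/"
    morsel["httponly"] = True   # page scripts cannot read the identifier
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def browser_cookie_header(set_cookie_value):
    """Browser: store the cookie, then send back only name=value (Cookie header)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{m.key}={m.value}" for m in jar.values())


def _session_morsel(cookie_header):
    """Extract the session cookie from a Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar.get("session_id")


def handle_request(cookie_header):
    """Server: map the returned identifier to a user; anything else is anonymous."""
    morsel = _session_morsel(cookie_header)
    user = SESSIONS.get(morsel.value) if morsel is not None else None
    return f"Welcome back, {user}." if user else "Please log in."


def logout(cookie_header):
    """Server: delete the session so a copied cookie stops being accepted."""
    morsel = _session_morsel(cookie_header)
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)


if __name__ == "__main__":
    set_cookie = login("Max")
    print("Set-Cookie:", set_cookie)
    cookie = browser_cookie_header(set_cookie)
    print("Cookie:", cookie)
    print(handle_request(cookie))
```

The cookie carries only a random identifier; the account data stays on the server, which is why deleting the server-side entry at logout invalidates any copy of the cookie.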
Cookies not only “remember” us, but they also “remember” our actions and preferences, and so allow websites to personalize our experience by providing us with targeted content and advertisements.
For example, if Max views certain products or sections of a site, cookies can use this information to create targeted ads that he might be interested in; and if Max logs off, his username can be stored in a cookie, allowing the site to welcome him with “awareness” (and username) on his next visit.
Cookies not only “remember” who we are and what we do, but also where we go. Some cookies, known as tracking cookies, record the websites we visit and send this information back to the server that originated the cookie; with third-party tracking cookies, this process happens every time the browser loads a website that uses that tracking service.
For example, if Max previously visited a site that sent a tracking cookie to his browser, this cookie might record that Max is now viewing a product page for jeans. This could lead Max to see denim ads the next time he visits a site that uses the same tracking service.
Tracking cookies are not just used for advertising: many analytics services use them to anonymously record user activity, providing websites with valuable information about user behavior and site performance.
How cookie storage works
Basically, each browser stores cookies in a designated file on the users’ device. For example, if we use Google Chrome, all cookies are stored in a file called “Cookies,” and we can view the cookies stored by our browser by opening Chrome’s developer tools, clicking on the “Application” tab and then on “Cookies” in the left-hand menu.
Local storage of cookies is not only beneficial for us, but also for web developers, because it frees up storage space on website servers and thus allows websites to personalize content without having to invest in expensive servers and storage space, saving money on server maintenance and storage costs.
Not all cookies, however, are necessary or desirable. Third-party cookies, for example, are used for advertising and analytical purposes, tracking our online movements and Internet searches. Although they are not as harmful as a virus, we may not like the idea of our privacy being compromised and our information sold to advertisers. To protect our online privacy, we can disable third-party cookies or adopt other small “workarounds” to prevent companies from tracking our online usage, providing greater protection for our privacy.
The types of web cookies: how many and what they are
There are various types of cookies, then, which are distinguished on the basis of their characteristics. The biggest difference is between proprietary and third-party, depending on who makes the installation request.
To be precise:
- Proprietary or first-party cookies are set by the domain of the host site, the one that the user is visiting and displays in the address bar; only that site can read them, and they are usually used by page owners to save details such as users’ passwords, which will then give them easier and faster access to accounts later. Generally, these cookies are safer, provided that you are browsing on reputable Web sites or that they have not been compromised by a recent data breach or cyber attack.
- Third-party cookies are created by a different site and hosted by the one the user is visiting; the domain that sets the cookies owns some of the content, such as ads or images, which uses them to deliver targeted advertising. Third-party cookies allow advertisers or analytics companies to track an individual’s Web browsing history on any site that contains their ads; following the legislative crackdown on data protection, allowing third-party cookies to access your browser is now optional in many countries and states. Today, most third-party cookies have no direct impact on our browsing experience, as many browsers have already begun to phase them out (Google announced the end of third-party cookies in Chrome by 2024), and many websites still function effectively and remember user preferences without using third-party cookies.
Some experts add two more categories, namely:
- Zombie cookies, which are a form of persistent third-party cookies permanently installed on users’ computers. Sometimes also called “flash cookies” or “supercookies,” they are extremely difficult for the average user to detect and remove: in fact, they have the unique ability to reappear after being “deleted” from the computer because they create their own backup versions outside of a browser’s typical cookie storage location and use these backup copies to come back even after deletion (much like the zombies of literature and horror movies). Like other third-party cookies, zombie cookies can be used by web analytics companies to track the browsing history of unique individuals (or to prohibit them from accessing content), but they are more commonly used by unscrupulous advertising networks and even cyber attackers, who use them to infect the system with viruses and malware.
- Essential cookies are currently synonymous with the pop-up that asks us to set or confirm cookie preferences when we first visit a website. These are proprietary session cookies, which are needed to run the Web site or services requested online (such as remembering login credentials).
Another important distinction is between:
- Persistent cookies, which are saved on the user’s computer until they expire as originally set or are manually deleted. Through these trackers, sites automatically recognize users accessing the site (or any other users employing the same computer), who nonetheless have the ability to manage preferences and possibly reject cookies through browser settings.
- Session cookies, which are deleted when the user closes the browser and therefore are not stored persistently on the device. These are temporary cookies, strictly limited to the transmission of session identifiers that are necessary to enable the safe and efficient exploration of the site, without therefore having to resort to other computer techniques that could be potentially detrimental to the privacy of users’ browsing.
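The two distinctions above (first-party versus third-party, persistent versus session) can be read off a Set-Cookie header once we know which page the user is on. The sketch below is an added example, not code from the original article; the host names and cookie values are constructed, and `site_of` uses a simplified "last two labels" rule where real browsers consult the Public Suffix List.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def site_of(host):
    """Assumption: a 'site' is the last two DNS labels. Browsers use the
    Public Suffix List instead, so this is wrong for names like example.co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lifetime(morsel, now):
    """Session unless Max-Age or Expires is set; Max-Age wins when both are."""
    if morsel["max-age"] != "":
        try:
            return "persistent" if int(morsel["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored, fall through to Expires
    if morsel["expires"]:
        try:
            expires = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable date: the attribute is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"
    return "session"


def classify(set_cookie_value, response_host, page_host, now=None):
    """Return (name, party, lifetime) for one Set-Cookie header value.

    response_host is the server that sent the header; page_host is the
    site shown in the address bar.
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    name, morsel = next(iter(jar.items()))
    cookie_domain = morsel["domain"] or response_host
    same = site_of(cookie_domain) == site_of(page_host)
    return name, "first-party" if same else "third-party", lifetime(morsel, now)


if __name__ == "__main__":
    page = "www.shop.example"  # constructed sample data
    samples = [
        ("cart=abc123; Path=/", "www.shop.example"),
        ("lang=en; Domain=shop.example; Max-Age=31536000", "cdn.shop.example"),
        ("uid=42; Domain=tracker.example; Expires=Tue, 01 Jan 2030 00:00:00 GMT",
         "ads.tracker.example"),
    ]
    for header, sender in samples:
        print(classify(header, sender, page))
```

The same `uid` cookie is third-party on the shop's pages and first-party on the tracker's own site: "party" is a property of the visit, not of the cookie.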
What are the main cookies on the Web
The list of these valuable trackers is then completed with an even more specific classification, which identifies at least a dozen variants, divided into two broad categories:
- Technical cookies, required by some computer systems and necessary for the user to authenticate, take advantage of multimedia content, or set a navigation language.
- Non-technical cookies, used for profiling and marketing purposes, which in turn can be grouped into:
The complete list of computer cookies is therefore divided into:
- Authentication cookies, which help to manage user sessions; they are generated when a user logs in to an account through their browser, ensuring that sensitive information is provided to the correct user sessions by associating user account information with an identifying cookie string.
- Functionality cookies, which allow users to use the core functionality of a website (such as language preference, displaying local news, and so on). They generally improve the performance and functionality of a website, and even some website features may not be available without the use and acceptance of such cookies.
- Analytics, cookies used to collect and analyze statistical information on access and/or visits to the website, measuring parameters such as number of visits to a page, time spent on a page, or time to leave the site. Also called performance cookies, they collect data that, combined with other information (such as credentials entered for access to restricted areas), can in some cases serve to profile the user (particularly personal habits, sites visited, content downloaded, types of interactions performed, and so on).
- Widgets, graphical components of a program’s user interface, which facilitate user interaction with the program. Examples are Facebook or Twitter cookies.
- Advertising, cookies used to advertise within a site. Also called targeting cookies, they create a profile of the user based on the user’s interests, search history, and items viewed, then share that information with other Web sites so they can send the person relevant products and services. This is why, if we search for example sneakers online on Google, after not too long we will be “bombarded” with ads on social media or in banner ads related to this type of shoes or relevant items such as socks and so on.
- Web beacons, code snippets that allow a site to transfer or collect information by requesting a graphic image. They can serve multiple purposes, such as analyzing site usage, monitoring and reporting activities on advertisements, and personalization of advertisements and content.
Finally, limiting ourselves to only the best-known and most useful types for our purposes, we mention the existence of magic cookies and HTTP cookies:
- Magic cookies is an expression from old computer science, predating the modern concept of “cookies” that we use today, which refers to packets of information sent and received without any changes to the data. More precisely, they are data tokens that allow servers and Web browsers to communicate, especially within an internal corporate network, and originally served Unix programmers to authenticate and track users in a system. Data stored in magic cookies are encrypted and, under normal circumstances, only the server that created the cookie can read the data.
- HTTP cookies are the more modern version of the “magic cookie,” created for contemporary Internet browsing, designed specifically for the Web and progenitors of all the cookies we have discussed.
On the technical side, however, trackers can take the form of browser or HTTP cookies, or use lesser-known tracking technologies, such as local storage objects (LSO) or flash cookies, software development kits (SDK), pixel trackers (or gif pixels), “like” buttons and social sharing tools as well as fingerprinting technologies.
Fingerprints in particular are believed to be one of the most aggressive forms of tracking cookies: they are small snippets of information that vary depending on the characteristics of the user (from the device owned to the fonts installed) and allow a unique identifier to be generated that can be used to match a user across websites. In addition, unlike with classic cookies, users cannot delete passive fingerprinting-related activities, and thus have no control over how their information is collected.
The history of web cookies and applications in digital marketing
The history of cookies begins in the 1990s, at a time of rapid evolution and innovation in information technology. To be precise, according to the most reliable reconstructions, the “daddy” of this technology would be Lou Montulli, an engineer working for Netscape Communications, who in 1994 intuited that the Web needed a way to keep track of user interactions (and in particular to check whether readers were new or returning), so as to make the online experience smoother and more personalized.
The term “cookie” comes from “magic cookie,” which as mentioned in programming describes a packet of data that is sent and then returned unchanged, and this is exactly what cookies do: they are sent from the website to our browser, which stores them and returns them to the site each time we visit.
After their introduction, cookies quickly gained popularity, and over the past thirty years they have enabled websites to “remember” users, making it possible to create online shopping carts, personalize content, and authenticate users. They are therefore an integral and fundamental part of the Web system, and indeed according to Ratko Vidakovic, founder of the consulting firm AdProfs, “without cookies, the advertising ecosystem we see today would not exist.”
The use of all trackers for advertising purposes has been one of the most profitable ways for the industry to date, because these data packets allow them to fuel the delivery of targeted ads within seconds of a user opening a website and, more importantly, allow them to specifically monitor the content that users access and how they behave by tracking their dynamic device IP addresses or other similar information.
From this tracking, a profile is created that allows the user to be classified within a specific cluster, so that profiled and targeted advertising can be directed. In short, this information is valuable because it enables demand creation, “causing consumers to want products and services they did not know existed.”
But with the growing popularity of cookies, privacy concerns have also emerged. Third-party cookies in particular, which are often used to track user behavior across different sites, have come under close scrutiny, and data protection and online privacy concerns have been raised about them.
The limits of cookies: not just security and privacy risks
Cookies are an integral part of the Web and continue to play a key role in making the online experience smoother and more personalized. Yet, it is impossible not to mention the concerns surrounding their use that, despite their undeniable benefits, make it important to assess the range of limitations and critical issues, especially in terms of privacy and security.
Then there is another technical issue concerning the evolution and technological limitations of cookies: with the advent of new technologies and the evolution of the web, the role of cookies is changing, and, for example, the rise in popularity of the mobile web has made cookies less effective for tracking users. At the same time, new technologies such as Local Storage and IndexedDB are offering alternatives to cookies for client-side data storage.
Far more pressing is the security issue: although cookies cannot carry or install malware on computers, they can be exploited by cybercriminals. For example, in November 2010 the Koobface worm exploited Facebook-related cookies to steal credentials and gain access to victims’ accounts, while in May 2011 an Internet Explorer zero-day bug was used to hijack session cookies through social engineering tactics, and again, in July 2011, an attack on several e-commerce sites used malware that searched Internet caches, cookies, and browsing histories to steal login credentials and other data.
Finally, there are the (complex) privacy implications for users: concerns have long been raised about the use of cookies in relation to the transmission of personal data and the tracking of browsing habits. For example, between 1996 and 1997, cookies were the subject of U.S. Federal Trade Commission hearings, and the Internet Engineering Task Force (IETF) formed a special working group to address cookie specifications, subsequently determining that third-party cookies were not to be allowed, or at least not enabled by default. The most recent standard, updated in 2011, allows third-party cookies, but users can choose not to accept them.
To address privacy concerns, a “Do Not Track (DNT)” header mechanism was introduced for browsers that, when enabled, warns that users do not wish to be tracked and that any tracking or tracing of users between sites should be disabled. Mozilla Firefox was the first browser to implement this feature, followed by Internet Explorer, Safari, Opera, and Google Chrome.
But how do cookies affect user privacy? As described above, cookies can be used to record browsing activity, including for advertising purposes, and users often do not have (or at least did not have) awareness or control over what tracking services do with the data they collect. Even when cookie-based tracking is not tied to a specific user’s name or device, with some types of tracking it may still be possible to link a record of a user’s browsing activity with their real identity. This information could be used in a variety of ways, from unwanted advertising to tracking, stalking, or harassing users. Obviously, this is not the case with all uses of cookies.
Cookies and Google: the latest developments
For 30 years, practically, cookies (especially third-party cookies) have been the cornerstone of Internet advertising and have allowed companies to net huge profits, but the situation is changing (more or less) suddenly.
The first signs came in 2017, when the Safari browser began blocking third-party tracking cookies, followed in 2019 by Firefox, until Google’s decision earlier this year to permanently stop these trackers on Chrome, the world’s most widely used browser (about two-thirds market share).
It was Justin Schuh, director of Google Engineering for Chrome, who clarified Mountain View’s moves to block cross-website trackers in order to provide greater privacy protection and security for users’ browsing.
In Schuh’s words, the company is deploying a “strategy to redesign the standards of the web, to make it a privacy default. There’s been a lot of focus on third-party cookies because certainly they are one of the tracking mechanisms, but this is just one tracking mechanism and we call it that because it’s what people pay attention to.”
In addition, Google is actively working “across the ecosystem so that browsers, publishers, developers, and advertisers have the opportunity to experiment with new mechanisms, test whether they work well in various situations, and develop supporting implementations, including ad selection and measurement, denial of service (DoS) prevention, anti-spam/fraud, and federated authentication.”
The first concrete effect came in 2020, when Chrome began limiting “cross-site tracking” and unprotected data sharing by introducing a new tagging system that integrates the SameSite label to make explicit how cookies should be considered and treated, requiring that those labeled for third-party use be accessible only via an HTTPS connection. Without indication of the attribute, Chrome considers such trackers to be first-party only and therefore not distributable via external sites.
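How a browser applying these rules decides what to store and when to send it, as an added example (not code from the original article or from Chrome). It goes slightly beyond the text by distinguishing the `Lax` default from `Strict` and by including the one cross-site case `Lax` permits, a top-level GET navigation; cookie names and function names are assumptions.

```python
from http.cookies import SimpleCookie


def stored_policy(set_cookie_value):
    """Return {'name', 'samesite', 'secure'} as the browser would store the
    cookie, or None when the cookie is rejected."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if not jar:
        return None  # nothing parseable in the header
    name, morsel = next(iter(jar.items()))
    declared = str(morsel["samesite"]).capitalize()
    secure = bool(morsel["secure"])
    if declared not in ("Strict", "Lax", "None"):
        declared = "Lax"  # attribute missing or unrecognised: first-party default
    if declared == "None" and not secure:
        return None       # third-party use must be declared together with Secure
    return {"name": name, "samesite": declared, "secure": secure}


def is_attached(policy, *, cross_site, https, top_level_get=False):
    """Decide whether a stored cookie accompanies a request.

    cross_site: the request goes to a different site than the page in the
    address bar. top_level_get: the request is a link click or address-bar
    navigation using GET, not an embedded image, frame or script.
    """
    if policy is None:
        return False
    if policy["secure"] and not https:
        return False          # Secure cookies never travel over plain HTTP
    if not cross_site:
        return True
    if policy["samesite"] == "None":
        return True
    if policy["samesite"] == "Lax":
        return top_level_get
    return False              # Strict: never sent on cross-site requests


if __name__ == "__main__":
    # Constructed Set-Cookie values.
    for header in ("sid=abc; Secure; HttpOnly",
                   "ad=xyz; SameSite=None; Secure",
                   "ad=xyz; SameSite=None",
                   "csrf=1; SameSite=Strict"):
        policy = stored_policy(header)
        embedded = is_attached(policy, cross_site=True, https=True)
        print(f"{header!r}: stored={policy}, sent when embedded cross-site={embedded}")
```

Run against a site's own response headers, the `None` return value identifies cookies that depend on cross-site delivery but are missing `Secure`.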
Google’s Privacy Sandbox
This is the first step in the Privacy Sandbox project, a broader initiative that aims to replace cookies with a credible and workable “open web” API technology for targeting and conversion tracking, created to protect users’ privacy and, at the same time, to allow advertisers to track them within the browser without sharing their data.
Thus, it is a system that puts an end to individual targeting to promote user group targeting, so as to prevent abuse of various kinds and safeguard the display of advertising content.
Before understanding what companies can do in this new context, however, it is good to clarify what the effects of Google’s decision may be.
The first, crucial point is that not all cookies are disappearing: first-party cookies, created by the domain visited by a user to remember shopping carts or user accounts, are not affected by the abandonment and, indeed, see their value increase as a source of data to tailor ads to people.
Within the advertising market, this could result in a further shift in power, as the Financial Times also notes, “we would move from the open Internet, where adtech once thrived – and cookies tracked user activity between sites – to more closed domains that have detailed data on their direct users.” Such a closed world extends from small retailers or publishers, which might ask users to register or pay subscriptions, to large platforms such as Facebook or Google, which hold huge amounts of data about their users.
And there is no shortage of those who highlight the role played by Google, which should go a long way toward strengthening its market power, making Chrome an almost indispensable intermediary for advertisers who need data to accurately target ads and monitor their effectiveness.
The three paths to a cookieless future
Those who have to find new solutions as third-party cookies become obsolete over time are advertisers, vendors, ad tech companies focused on retargeting, and anyone whose business relies on performance, plus of course those who have relied on insecure third-party cookies or fingerprinting.
An Engage article identifies three possible scenarios for those who need to change strategy and still acquire prospects and connect with their target audience.
- Using other data sources
It is quite predictable to think that the end of third-party cookies will make other data sources, such as second-party data (or login data), more important: this means that advertisers “will have to rely more heavily on publishers and tighten relationships with premium publishers even more to ensure that brand safety standards and contextual targeting needs are met.”
In this scenario, “brands will need to take back control and better leverage their first-party data by incentivizing user authentication on their site or app through valuable content, loyalty programs” and more, “assigning the consumer a unique user ID at the time of authentication” to get “a clear view of that user’s cross-session and cross-device behaviors and actions.” In addition, it becomes critical to analyze trends and insights for planning one’s campaigns.
- Developing partnerships with “big tech”
Big companies such as Google, Facebook and Amazon (which together swallow more than 70 percent of digital advertising revenue) will be increasingly necessary for brands in an environment constrained by new privacy regulations because they offer the best proprietary data sets. Thus, “identifying and targeting these channels will enable brands to continue to innovate and deliver targeted and engaging advertising to the right audiences.”
- Contextual Targeting
The last avenue indicated by the article is the use of contextual targeting “to match ads to keywords and thus place them in a context relevant to your product.” Such a solution is aided by the use of Machine Learning and AI-based technologies, which “provide a more accurate understanding of content and allow for greater granularity by targeting video metadata, titles, descriptions, keywords and even to comments inside and outside of content,” and allow contextual targeting “to go deeper into what consumers are actively looking for when they are hunting for something,” so as to deliver more personalized messages.
The case of Dutch state TV
After the introduction of the GDPR launched by the European Union to protect personal data and privacy, Dutch state TV decided that “visitors to its sites would no longer be forced to say yes or no to cookies,” and, unlike in almost all cases, “skipping the privacy notice would not be considered an okay to tracking, but a no.”
Ninety percent of users chose no, either indicating it directly or skipping the option, but this did not spell disaster for NPO’s advertising revenues, despite a Google study claiming that “opting out of cookies would have reduced ad revenue by 50 percent”, and in 2020 it decided to opt out of cookies altogether, relying no longer on programmatic advertising through Google, but on contextual advertising served by local agency Ster.
The result, the story of the past few months, is that the company’s advertising revenues have risen sharply, even after the shock of the Coronavirus, and NPO found “the advertisements served to users who rejected cookies had brought in the same or higher revenues than the advertisements served to users who said yes to cookies.”
In concrete terms, since the beginning of 2020, visitors to NPO’s sites have not been tracked: in January and February alone, “digital advertising revenues grew 62 and 79 percent, compared to the same months in the previous year, and even during the following Coronavirus months they grew in double digits.”
The explanation is simple: now Nederlandse Publieke Omroep “collects everything that advertisers spend to publish on its pages, whereas before it left a major chunk of revenues in the hands of a bunch of middlemen, the group of intermediaries (data management platform, demand-side platform, supply-side platform).”
Toward a cookie-free future?
We are still in an evolving situation and it is still unclear how the abandonment of tracking cookies will take place and what impact this change will have, and Google’s Privacy Sandbox itself has undergone many changes and slowdowns from initial intentions.
Certainly, the time has come to start looking at data differently and prepare for this cookieless future: in order not to lose ground, brands will need to develop new skills, program systems to measure audience and campaign effectiveness, and be able to engage consumers as effectively as possible.
Who cookies are for and how to use them on a site
Digital marketing companies are among the largest users of cookies, which are used to track users’ online behavior, understand their interests and browsing habits, and then deliver targeted advertisements. This process, known as “behavioral targeting,” is the basis for much of online advertising.
Search engines, such as Google, also use them to provide more relevant search results, while e-commerce platforms use them to track products in users’ shopping carts and offer personalized suggestions.