Cookies are placed on your machine by websites, but often more websites than you realize. We'll review cookies and how third parties can use them.
In two other questions, What can a website I visit tell about me? and What are browser cookies and how are they used? I discussed some of the information that websites get, and techniques that they can use to collect and remember more.
And thus we have “tracking” and “third party” cookies to talk about.
First a quick review: a cookie is just some data that is placed on your computer when you visit a website that is simply sent back to that same website (and only that exact same website) the next time you visit it.
So when you visit askleo.com the web site might place a cookie on your machine that says “this person has seen the newsletter pop-up”. A week later when you visit askleo.com again that cookie is automatically and transparently sent to the web site, so that it knows that you’ve already seen the newsletter pop-up – presumably so that it won’t annoy you with it again.
That’s all cookies are – a way for websites to remember stuff between visits. What they remember is completely up to the website itself and what it chooses to place in the cookies it might leave on your machine.
Next we need to talk about how most advertising works on a website.
Most advertising on the internet is performed by services that connect large numbers of advertisers with large numbers of websites that have signed up to display or carry ads.
So when you visit http://example.com you might well see ads that have been placed there by http://ads.somerandomservice.com. (To be clear, all URLs are fictitious examples.) Later, when you visit some other site, maybe http://reallybigbookstore.com, you might also see ads that have also been placed there by that same advertising service – http://ads.somerandomservice.com.
And when I say “placed there” I do mean that the page you’re loading contains direct references to the ad service provider http://ads.somerandomservice.com. That means that when your browser loads the page from http://example.com, the HTML on that page says, in effect, “place an image here, and get that image from http://ads.somerandomservice.com/…” at which point your browser dutifully goes out to ads.somerandomservice.com and gets the image, which happens to be an ad.
This is where cookies enter into the picture.
Cookies + Advertising = Third Party
Whenever your browser fetches a URL – be it the page you asked for, or an element like an image within that page – the web site that it contacts to do so has the opportunity to place cookies on your machine.
So when you go to http://example.com, then of course example.com can place cookies. However, if that page also references another web site like http://ads.somerandomservice.com/ for an image on that page, then ads.somerandomservice.com can also place cookies as well.
These are called “third party cookies”.
- You are the first party
- The site you visit is the second party (example.com in our example)
- The site(s) referenced for additional content by the site you visit are third parties. (ads.somerandomservice.com in our example)
So far so good; you visit a site, it can place cookies, and the sites that provide additional content on that page can also place cookies.
Here’s where it gets interesting.
Let’s walk through a scenario step by step:
- you visit example.com
- example.com has ads that are loaded from ads.somerandomservice.com
- the first time you visit example.com, ads.somerandomservice.com puts a cookie on your machine that says “this is advertising visitor #12,345,678″
- you then go off to visit some other site – perhaps reallybigbookstore.com
- reallybigbookstore.com also displays ads loaded from ads.somerandomservice.com
- Since ads.somerandomservice.com already has a cookie on your machine, that cookie is sent to ads.somerandomservice.com when the request is made to display an ad
- ads.somerandomservice.com sees the cookie it put down earlier that says “this is advertising visitor #12,345,678″
- ads.somerandomservice.com now knows that you visited both example.com and reallybigbookstore.com
Ads.somerandomservice.com “knows” what sites you visit, but only those sites that happen to display ads from ads.somerandomservice.com.
It gets bigger
So far all I’ve talked about is advertising services. In reality this simple technology can, and does, span more services.
For example you may have heard of a small company called Google. They have their fingers in many, many different pies:
- advertising – Adwords for advertisers, Adsense for websites who want to make money from ads
- analytics – Google Analytics, a comprehensive analysis tool that allows websites to understand how people use their site
- personal productivity – Gmail, Contacts, Calendar and more
- cloud services – Google Drive, Picasa photo sharing, YouTube and more
- personal publishing services – Blogger
The list goes on.
The net result is that either by interacting directly with a Google service, or interacting with a site that uses a Google service1, you’re being exposed to many opportunities for Google to leave tracking cookies on your machine.
And it’s not just Google- they’re just a large, easy-to-understand and somewhat extreme example. The same may be true to varying degrees of other advertising networks and behind-the-scenes online service providers.
Now, naturally, you may feel that this is, or is not, a big deal.
My fervent belief is this:
Your actions as an individual are completely uninteresting.
No one is tracking you personally. Besides, most of these services collect way too much data to spend time looking at any one person.
The more interesting uses of this type of tracking are when the data is examined as a group, or in aggregate. For example, with this data the advertiser can determine things like “40% of the people that visit example.com also visit reallybigbookstore.com”.
Advertisers and website owners eat that stuff up.
The good news for the paranoid is that most browsers can identify third party cookies and can be configured to reject them. That’s fine, and you can do that if you feel so inclined.
I’ll caution you that there may be web sites whose functionality might actually rely on third party cookies, and you may find yourself needing to add exceptions somehow. Third party cookies are not evil, and can be used for more than just advertising and tracking.
The bad news, of course, is that if you do block third party cookies there are other ways that these services can still collect most of what they’re interested in. The only practical way to avoid this type of data collection is to simply not use the internet at all.