Cookie Law Is Stupid

Posted:

With the posting of this article I'm also releasing an update that has this website nagging users to accept cookies.  If you look closely, you'll notice cynicism in the prompt.  In fact, the more I worked on it, the more frustrated I got about the European Union's Cookie Law, and now I'll tell you why.

Cookie Law

First of all, what is the Cookie Law?  In a nutshell, it's a piece of privacy legislation that requires commercial websites to get consent from visitors to store or retrieve any information on their devices.  (You can read more about the specifics here.)  The law was put out by the European Union and is rapidly being adopted by its member nations.

This law has no jurisdiction over the rest of the world, of course, but then any non-EU-based commerical website wishing to interact with visitors residing within the European Union must follow suit or risk being fined or blocked by a digital iron curtain[1].  It takes extra—potentially expensive—effort to automatically determine from which region in the world a request is coming and thereby provide a specifically taylored presentation.  It's much easier for non-EU-based websites to just comply with the strictest privacy laws out there, so in practice the European Union is dictating internet policy for the entire world.

Why do I find this so upsetting?  Because, in compliance with this inane law made by a bunch of incompetent politicians with the weakest comprehension of technology, every time I visit a new website I have to click through some big, annoying prompt telling me what I already know:  The vast majority of the internet uses cookies to function.  In this day and age of dynamic digital content, it's actually quite difficult to find a website that doesn't use cookies.  I also have to click through these annoying prompts every time I use a new device, or a new web browser, or return to a website via private browsing, or I happen to have cleared my browser cookies, or the website's cookie has simply expired.

It's incredibly ironic:  Places like the United Kingdom are increasingly becoming surveillance states while their politicians are getting obsessively caught up with trivialities like browser cookies.  Cookie Law accomplishes nothing useful while doing absolutely nothing about the heart of the issue:  Websites are tracking and compiling people's browsing behavior and personal information for commercial purposes.

The Cookie Law currently doesn't apply to this website, but I thought I'd get ahead of the curve and be ready for when the E.U. eventually extends the law to require full compliance across the entire internet which is why I have started to nag my visitors.

Cookies

What are cookies?  “Cookies” is the arbitrarily, poorly selected name for “session data” stored on your machine by websites.  So then, what is a session, and what data does it entail?  When you visit a website and the website needs to remember an action you performed, whether it be logging into an e-mail account, or setting anonymous viewing preferences, or using a retailer's shopping cart, etc., this makes use of a session.  The primary purpose of the session is to record a randomly generated identifier, a session key, so that every time you click to a different page on the same website, the server knows that it's still you and not somebody else making the request.

This session data is stored in a “cookie” on your machine.  When the cookie expires, or is deleted, the session has ended and the next time you visit the website again it's as if you're visiting for the first time.  This is critical for any sort of account management.  Without a cookie, a website can't verify that you're the same person who just logged in, so it won't let you access the account.  (Note however that websites can log you out of an account without necessarily deleting the cookie; they can simply require that you re-enter your password after an arbitrary amount of time has passed or a “logged in” flag has been cleared.)

Websites can set their cookies to expire after any arbitrary amount of time.  Web browsers can override the expiration date by being configured to expire them early or automatically always delete them when closing.  Browsers can also be configured to right out block cookies, but, as mentioned above, many websites are rendered useless if they can't store a cookie on your machine to identify you as the person who logged into to the account you're trying to access.

Cookies can be used to store additional data, but they shouldn't be.  Their size and quantity are strictly limited, and anybody with direct access to your file system (e.g., via spyware) can snoop through your cookies.  A properly designed website will instead use cookies merely for session tracking, and store additional session data entirely server-side.

In any case, modern web browsers enforce same-domain access to cookies.  This means HomestarRunner.com can't access your Newegg.com cookies, and vice versa.

Tracking Cookies

So what's the big deal about tracking cookies?  Any website can embed a third-party tracking plug-in.  This means that when you visit such a web page, your browser will contact another website, such as Google Analytics, and report your activity.  Now you've got a tracking cookie!

Here's a simple example:  Let's say you visit ESPN, Fox Sports, and Sports Illustrated.  Now let's suppose each of these websites embed a call to Google Analytics, and their requests to the analytic plug-in look something like this[2]:

ESPNhttps://analytics.google.com/tracker.js?affiliate_id=espn
Fox Newshttps://analytics.google.com/tracker.js?affiliate_id=foxnews
Sports Illustratedhttps://analytics.google.com/tracker.js?affiliate_id=si

All three requests are to essentially the same web address, but with different paramters, all using the same cookie to identify your device, so Google Analytics now knows that you've recently visited ESPN, Fox News, and Sports Illustrated.  A pattern is observed:  You're most likely a sports enthusiest.  So what can Google do with this information?  Target you with sports-oriented advertisements whenever you do a Google search, or log into your Google Gmail, or watch a YouTube video, etc.

This example can be refined even further:  Suppose you browse mostly football articles on those sports websites, particularly articles about the Denver Broncos.  The tracking requests could reflect this by including a keywords parameter:

ESPNhttps://analytics.google.com/tracker.js?affiliate_id=espn&keywords=football,broncos
Fox Newshttps://analytics.google.com/tracker.js?affiliate_id=foxnews&keywords=football,broncos
Sports Illustratedhttps://analytics.google.com/tracker.js?affiliate_id=si&keywords=football,broncos

Before you know it, you might be seeing nothing but orange and blue advertisements for Denver Broncos merchandise everywhere you look.  At first it will feel like just a weird coincidence, but then you might start to feel like you're being spied on.

We can take this yet another step further:  Google could sell your browsing behavior to Amazon and eBay, then the next next time you visit those websites you get a barrage of “recommendations” for Denver Broncos merchandise.

(Since I initially finished writing this article, some websites have started allowing users the “manage” their tracking cookies, but you still have to manually opt out.)

You may feel inclined to say, “In that case, I'll just block cookies from analytics.google.com!  In fact, I'll use private browsing, block all cookies, and then for good measure I'll manually delete all cookies after I'm done using the web browser!  That should be good enough, right?”  Wrong.

IP Addresses

This is where Cookie Law starts to get really stupid for its misplaced objective:  A website doesn't even need cookies to track you and leverage your activity history; cookies just make it easier for a tracker to distinguish you from your spouse, roommate, sibling, co-worker, neighbor, or anybody else who might be using the same modem as you.

You ultimately connect to the internet via modem, and each modem gets assigned a public IP address by your internet service provider.  Put simply, your IP address is like a return address on an envelope sent through the postal service.  Without a correct IP address your data requests will never get sent back to you.  This makes IP addresses for the most part unique, nevermind that everybody on your same local-area network will share this public IP address[3], so trackers can still somewhat accurately track your browsing behavior without cookies.

“Well then, I'll just block the tracking site so that it can't even be accessed from my network!” you may say.

You could do that.  It still wouldn't stop a website from contacting the tracker if it really wanted to, however.  While EPSN.com is processing your request for a page, its server can contact analytics.google.com directly, sever-to-server, and tell Google that somebody at your IP address has requested an article about the Denver Broncos.

Proliferation of Browsing Activity

So commercial entities can track our browsing activity with or without cookies, and use that information to personally target advertisements to us.  Still, what's the big deal?  Let's look at a couple more real-world scenarios.

Suppose you want to take your family to Disneyland, and you want it to be a surprise for your kids.  You're planning a few months ahead, in fact.  After spending a lot of time browsing Disney's website and looking at different vacation packages, you finally purchase one.  To book travel to and lodging in California, you use a travel website.  Disneyland's and the travel site's servers you visit each contact Google and say, “Here's an IP address where somebody just requested a file from my server, and here are some keywords describing its content.”

A few days later, because you spent so much time looking at Disneyland-related websites, Google and its advertising affiliates decide that they're going to focus on showing you Disneyland-related advertisements, and they decide to just make all advertisements sent to your IP address be Disneyland-related.  Some might seem as innocuous as advertisements for Universal Studios' California theme park, but it's still Disneyland-related due to geographic proximity and the nature of the park.  Because of the overwhelming ratio of Disneyland-to-non-Disneyland advertisements viewed on devices in your household, and the fact that none of your kids recently looked at Disneyland's website, they figure out that Mom and Dad have planned a family trip to Disneyland and tell all their friends that they're going to Disneyland.  Surprise spoiled![4]

That seems mostly harmless, so how about something potentially embarrassing?

Let's suppose you recently wet the bed a couple of times, and one day you even sharted yourself.  You're not sure if you're losing your faculties, or if you've just been physically pushing yourself too hard, or maybe it's due to a passing illness.  These things happen to some people, but nonetheless you feel embarrassed about it, so you decide to privately investigate it on-line before consulting a doctor.

You spend an evening researching adult incontinence and irritable bowel syndrome.  You might even look into adult diapers.

Now imagine the next week is Christmas break.  The entire extended family has come to your house for the holidays:  Your parents and your spouse's parents, you siblings and their kids, your spouse's sibling and their kids . . . even Cousin Eddie has brought his family and parked their motor home in front of your house.  Everyone of these individuals has a personal, internet-enabled device, and they all connect through your wifi network, so they all share your public IP address.

It's at this time that the Spamvertisement Affiliate Network then decides to use your recent on-line research, as reported by each website you visited, to show personally targeted advertisements, and they decide to blindly target your IP address.  The majority of advertisements displayed on devices in your household include, “We can help you with your IBS!,” “Visit our clinic for a free incontinence consultation!,” and “Have we got a great deal on adult diapers for you!”  Understanding how targeted advertising works, all of your relatives will look at you and your spouse and wonder which one has something going on.  Somebody might even start an uncomfortable conversation.

VPNs

“What about VPNs[5]?” you may ask.  That would be an effective way to dodge trackers to some degree, but as long as your VPN session is active, all activity from that session can be connected to each other by trackers.  Also, don't forget that VPNs are best suited for regional lock-out circumvention or public anonymity.  If you use a VPN to log into your Gmail account, then watch videos on YouTube, do some Google web searches, and visit a bunch of sites that use Google Analytics, Google can just as well forget your cookies and IP address and associate all your web browsing activity with your Google Services account.

Canvas Fingerprinting

There's this other thing that can potentially track you even if you block cookies and use a VPN:  Canvas fingerprinting.  By generating a specifically crafted image with the HTML5 canvas element, the result can be analyzed to generate an identiable fingerprint, as results will vary depending upon the hardware you have installed.  There is potential for this fingerprint to not be entirely unique, but it can be refined by including additional browser information such as that discoverable by the User Agent String[6] your device sends with every request, or the javascript command navigator.  This command reveals details which are ordinarily innocuous, like your operating system and preferred language, but when combined with a canvas fingerprint it can be used to establish an identifiable profile[7].

Spying

Even worse then browser behavior tracking is the fact that many personal devices are spying on people's real-world activities via built-in cameras and microphones.  Friends of mine have reported suddenly getting advertisements related to things they were doing in the real world without having viewed or mentioned any such thing on-line.

Also, let's not forget that time Amazon's Alexa recorded a private conversation then sent it to a random contact, or when Amazon admitted that employees listen to conversations captured by Alexa.  (Apple and Microsoft have also admitted to listening to private conversations.)

So What?

Again, you may ask, “Why should I care that my personal data is being used to improve personally targeted marketing?”  Because it doesn't stop there.  Going back to the medical research example, suppose you search for something more severe like chest pains.  Through on-line tracking, your health insurance provider could infer that you have a medical condition and increase your rates[8].

Let's take a much darker look at tracking.  Governments can and do use browsing behavior tracking, even in the freest corners of the world.  Effectively spying on citizens is an important component for identifying anybody who disagrees with any particular political ideology and suppressing their voices; just ask the Stasi how well it worked for them![9]

With this simple technology, your government really can follow everything you do, including in the supposed privacy of your home, since internet usage is becoming so increasingly integral to modern life.

Cookie Law Is Assinine

On-line browsing behavior tracking clearly does not need cookies to be conducted, although cookies certainly make it easier to focus on specific individuals.  Cookie Law totally misses the mark, however, accomplishing nothing while also being extremely annoying.  Anybody who knows what browser cookies are doesn't need to be reminded about them, while anybody who doesn't know what they are just gets confused by the notice.  Instead of passing laws requiring that websites state the obvious, they should focus on more practical matters, like legislating how user tracking is allowed to be conducted and what may be done with collected data, requiring that websites simply make it easy to find the privacy policy within a few clicks of the main page, and encouraging basic internet education:

  1. Use effective passphrases to protect your on-line accounts.
  2. Don't plaster your personal information on-line as it can be used to steal your identity, hack your accounts, empower stalkers and hecklers, and ruin careers.
  3. Any unsolicited communique from a complete stranger is 99% likely a scammer trying to cheat you out of your savings.
  4. The majority of commercial activity, on- or off-line, is intended to exploit you.  “A sucker and his money are soon parted.”
  5. Websites use “cookies” to store session data on your machine so that you can log into your on-line accounts or shop on-line.  Oh, and the Spamvertisement Affiliate Network might well be using them to track your on-line activity for “market research.”
  1. This may sound harsh, but what else can you call an interruption of the free-flow of information similar to that of the Cold War?
  2. These may not be actual tracker URLs; they're just simplified examples.
  3. Individual devices on a local-area network are assigned distinct IP addresses, generally in the 192.168.*.* range, so that the local router can manage them, but to the outside world they still share the same public IP address.
  4. This is of course assuming anybody still gets excited about going to Disneyland.
  5. VPN = Virtual Private Network.  In a VPN, you connect to a chain of one or more computers that relay your requests to a website so that it sees only the IP address of the last computer in the chain instead of yours.
  6. See User agent.
  7. See Canvas fingerprinting, Canvas fingerprinting is tracking you, and you don't even know what it is, and Meet the Online Tracking Device That is Virtually Impossible to Block.
  8. See Device fingerprinting and the surveillance economy.
  9. I highly recommend the film, The Lives of Others (2006), which depicted an East German man whose job it was to spy on people and report their dissidence.