Skip to Content

The Cookie Crumb Trail: Website to Website Tracking

Most internet users are probably aware that the websites they visit may collect information on them. It is common practice for a website to record details such as how often a user visits the website, and even how a user spends time on the site -- tracking, for example, what articles a user reads or what books a user buys.

However, many users may not be aware that major advertising companies are aggregating this information together from many different websites. If you use your browser's default privacy and security settings, you are being tracked from site to site. With each additional site you visit, you give away another piece of information on who you are.

This is all made possible by "third-party cookies". While "first-party cookies" are are a fundamental part of many internet services -- it the primary technology used for maintaining login information on websites -- third-party cookies have fewer practical uses.

A third-party cookie comes from a different domain than the site you are visiting. As an example, I just opened up the Hotmail website (Windows Live), logged in, and logged out. Before the test, I had 0 cookies. After, I had 16! Four of these were first-party cookies, from "live.com" or its sub-domains (mail.live.com, login.live.com, etc). Most of the others were from advertising companies that place ads on the hotmail website. My one 5-second visit yielded cookies from advertising.com, adgear.com, adbureau.net, as well as Microsoft's own advertising company, atdmt.com.

To continue the example, I cleared my cookies and headed over to dictionary.com. I looked up "biscuit". The result? 24 new cookies, including at least one duplicate, from advertising.com. If I had not cleared my cookies after visiting Hotmail, adversting.com would now know that I have a hotmail account and am, at times, compelled to check the spelling of my words at dictionary.com. They would continue to compile information on me as I visit others of the many sites that display their advertisements throughout the internet.

There are a few uses of third party cookies that are beneficial to users. They can be used to help display embedded content, or to allow a user to login to multiple internet services at the same time (although even this can also be problematic, as a user may want to login to GMail but not Picasa at the same time).

However, most websites will continue to function perfectly if you disable third-party cookies entirely. Given the limited utility of third-parties cookies and the high risk to your privacy, it may be surprising that all popular web browsers, including Firefox, Internet Explorer, and Opera, all readily accept them.

This unfortunate reality isn't for a lack of trying on the part of some developers. In 2008, the Microsoft Internet Explorer team developed an effective third-party cookie blocking tool called InPrivate filtering. The basis of this technology is to block third-party content that turns up on more than 10 visited websites. However, once Microsoft's advertising teams got wind of the plans of the development team, the proposed privacy features were severely crippled (this is perhaps unsurprising considirng the 16 cookies installed by a 5-second visit to Hotmail, including one by Microsoft's own advertising company). Although some features of InPrivate filtering are available in Intenet Explorer 8, the features turn themselves off everytime the browser restarts!

There is still hope for Firefox to remedy the situation by providing reasonable and intelligent defaults for third-party cookies. Daniel White, responsible for development of the cookie module in Firefox, is well aware of the privacy concerns with third-party cookies and the Mozilla team is certainly not under the same pressure from advertising executives as the Internet Explorer team.

Broader initiatives also show promise for curtailing the tracking of your web habits and your identity. A call for some form of a "Do Not Track" flag, akin to "Do Not Call" list, is growing. One possibility is a browser setting that causes a "x-notrack" header to be sent with all requests. As long as servers abide by the request, this would make it simple for users to stop identity tracking. This not only work for cookies, but also for more subversive methods of tracking your identity such as flash cookies that circumvent user consent and browser fingerprinting.

The Wall Street Journal found that the top fifty most visited websites (in the U.S.) installed over 3000 cookies. Unless you've gone to the trouble to disable third-party cookies, you are being tracked and profiled from site to site. Tell your browser that it's not okay to let websites track you by bumping up that little privacy dial. Then tell your browser developers that it's not okay to so easily let adverting companies inspect your cookie identity crumbs.