Monday, February 12, 2007

Cookies will get you confused

Update 07/02/13: After receiving a comment from Stephane, I realized I didn't see the subtle condition where one would get a 1st party cookie from Google.com, and later that same cookie be used in a 3rd party context such as when you embed a Google Ad on your site. This obviously leaves room for litigation and abuse. In my opinion, as soon as you "abuse" your relationship and trust privilege, your asking for trouble...
A post on Lies, damned lies left me wondering about my own experience with cookies.

Unless I missed something in my years of experience using and developing on the Web, a cookie can only be set AND read either by the site, or the domain on which it was set (depending on the value of an argument when the cookie is set). So even the mighty Microsoft/Yahoo!/Google can't do anything about it.

Most ad networks models are based on the fact a banner is served by their own web server (the 3rd party), but included within another's web site (the 1st party). DoubleClick raised uproar a couple of years ago because as part of their ad network, they were using their own cookies collected trough the means of being included in other's web sites, to analyze specific user's behavior across hundreds of web sites. Self regulation and lawsuits caused by obvious abuse led to a point were in theory, ad networks use aggregated models and are not supposed to track that Mr.X is reading times.com during the day and something of another nature at night...

A trick someone could use to pass values from one site to another "partner" would be to use the URL Query String as a relay. This would certainly be viewed, in most cases, as an invasion of privacy. Some even use Flash ability to store data on the local drive without user intervention and knowledge as a replacement of cookies, which is, in my opinion, even less ethical.

My simple definitions:
  • 1st party cookie: set and read by the same server (for server-specific cookies such as host.domain.com), or on the same domain (for domain specific cookies such as *.domain.com)
  • 3rd party cookie: set and read by a server on a different domain, or on a different host (for server-specific cookies - host.domain.com embedding an image from some.ad.net)
  • friendly 3rd party cookie (or 2nd party): what would be a 3rd party cookie, but set trough a host on the first party domain which is a DNS alias of a 3rd party host. For example, stats.mydomain.com is a DNS CNAME of mydomain_com.2o7.net (2o7.net is the domain used by Omniture tracking). This technique is often used to avoid being identified as a 3rd party cookie.
In my humble opinion, any tricks used to bypass those definitions, be it by passing data on the Query String or using permanent storage techniques without the user's consent, is a blatant demonstration of privacy abuse. Do I have to strong an opinion? Am I missing something?

So I'm not sure I understand Ian's post, but if my reading is right, and if a company like Microsoft would even think of using their power to share information about my relationship with them without my consent, regardless of their honest intent, I would strongly argue against it.
Post a Comment