Cookies will get you confused
Update 07/02/13: After receiving a comment from Stephane, I realized I didn't see the subtle case where one gets a 1st party cookie from Google.com, and later that same cookie is used in a 3rd party context, such as when you embed a Google Ad on your site. This obviously leaves room for litigation and abuse. In my opinion, as soon as you "abuse" your relationship and trust privilege, you're asking for trouble...

A post on Lies, damned lies left me wondering about my own experience with cookies.
Unless I missed something in my years of experience using and developing on the Web, a cookie can only be set AND read either by the host that set it, or by hosts within the domain it was scoped to (depending on the Domain attribute given when the cookie is set). So even the mighty Microsoft/Yahoo!/Google can't do anything about it.
Most ad network models rely on the banner being served by the network's own web server (the 3rd party) while being included in someone else's web site (the 1st party). DoubleClick raised an uproar a couple of years ago because, as part of their ad network, they were using their own cookies, collected by being included in other people's web sites, to analyze specific users' behavior across hundreds of web sites. Self-regulation and lawsuits caused by obvious abuse led to a point where, in theory, ad networks use aggregated models and are not supposed to track that Mr. X is reading times.com during the day and something of another nature at night...
A trick someone could use to pass values from one site to another "partner" site would be to use the URL query string as a relay. This would certainly be viewed, in most cases, as an invasion of privacy. Some even use Flash's ability to store data on the local drive (Local Shared Objects), without the user's intervention or knowledge, as a replacement for cookies, which is, in my opinion, even less ethical.
My simple definitions:
- 1st party cookie: set and read by the same server (for host-specific cookies, such as host.domain.com), or within the same domain (for domain-wide cookies, such as *.domain.com)
- 3rd party cookie: set and read by a server on a different domain, or on a different host for host-specific cookies (host.domain.com embedding an image from some.ad.net)
- friendly 3rd party cookie (or 2nd party): what would be a 3rd party cookie, but set through a host on the first-party domain that is a DNS alias (CNAME) of a 3rd party host. For example, stats.mydomain.com is a DNS CNAME of mydomain_com.2o7.net (2o7.net being the domain used by Omniture tracking). This technique is often used to avoid being identified as a 3rd party cookie.
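The definitions above, together with the case raised in the update (a cookie set in a 1st party context and later sent in a 3rd party one), as an added example that is not part of the original post: a small Python classifier that applies the RFC 6265 cookie-scope rules (host-only cookies versus cookies carrying a Domain attribute) and consults a constructed CNAME table to label a cookie as 1st party, 3rd party, or CNAME-cloaked for a given page/request pair. The 2o7.net alias is the one the post describes; every other hostname, the CNAME table and the cookie values are assumptions, and the "site" of a host is approximated as its last two labels rather than the Public Suffix List real browsers use.

```python
"""Label a cookie 1st-, 2nd- (CNAME-cloaked) or 3rd-party for a given page and request.

Scope rules follow RFC 6265 (host-only cookies vs. Domain-attribute cookies).
The "site" of a host is approximated as its last two labels; real browsers use
the Public Suffix List, so co.uk-style names would need that list here too.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a DNS CNAME lookup (assumption: the 2o7.net alias is
# the pattern the post describes; no real zone was queried).
CNAMES = {
    "stats.mydomain.com": "mydomain_com.2o7.net",
}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # normalised, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def site_of(host: str) -> str:
    """Registrable domain, approximated as the last two labels (see module doc)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal to, or a subdomain of, and not an IP address."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain) and not _is_ip(request_host)


def parse_set_cookie(set_host: str, header: str) -> Cookie:
    """Build a Cookie from the host that sent Set-Cookie and the header value.
    A Domain the sender does not itself domain-match is rejected, as browsers do."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain_attr: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain_attr = value.strip().lower().lstrip(".")
    if domain_attr is None:
        return Cookie(name, set_host.lower(), host_only=True)
    if not domain_matches(set_host, domain_attr):
        raise ValueError(f"{set_host} may not set a cookie for Domain={domain_attr}")
    return Cookie(name, domain_attr, host_only=False)


def would_be_sent(cookie: Cookie, request_host: str) -> bool:
    """Scope check only; Path, Secure and SameSite are outside this example."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def canonical_host(host: str) -> str:
    """Follow CNAME aliases to the host that actually answers the request."""
    seen = set()
    while host in CNAMES and host not in seen:
        seen.add(host)
        host = CNAMES[host]
    return host


def classify(cookie: Cookie, top_level_host: str, request_host: str) -> str:
    """Which party the cookie belongs to for a request made from a page on top_level_host."""
    if not would_be_sent(cookie, request_host):
        return "not sent"
    if site_of(request_host) != site_of(top_level_host):
        return "3rd-party"
    # Same site by name; check whether DNS quietly hands the request to someone else.
    if site_of(canonical_host(request_host)) != site_of(top_level_host):
        return "2nd-party (CNAME-cloaked 3rd party)"
    return "1st-party"


if __name__ == "__main__":
    # The update's case: set as 1st party on google.com, later sent with an ad
    # that google.com serves inside someone else's page (hostnames assumed).
    pref = parse_set_cookie("www.google.com", "PREF=abc; Domain=.google.com; Path=/")
    print(classify(pref, "www.google.com", "www.google.com"))
    print(classify(pref, "www.othersite.com", "ads.google.com"))
    # The CNAME trick from the definitions list.
    visitor = parse_set_cookie("stats.mydomain.com", "visitor=xyz")
    print(classify(visitor, "www.mydomain.com", "stats.mydomain.com"))
```

The same google.com cookie comes out as 1st party on www.google.com and as 3rd party when it rides along with an embedded ad on another site, which is the distinction the update describes: the scope rule decides who can read the cookie, the page it is read from decides which party it is at that moment. The stats.mydomain.com cookie is filed by the browser under the 1st party domain, yet the CNAME hands every request carrying it to 2o7.net. To check a real host for that trick, `dig +short CNAME stats.mydomain.com` shows the alias, if any.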
So I'm not sure I understand Ian's post, but if my reading is right, and if a company like Microsoft would even think of using their power to share information about my relationship with them without my consent, regardless of their honest intent, I would strongly argue against it.


4 comments:
Ian's point goes like this.
1) there might be significant legal differences in the treatment of 1st vs 3rd party cookies. Presumably, first-party cookies would be entitled to more rights than third party, because the user "should be aware" that he landed on the first party's site (whereas third party content may not be obvious).
2) In some cases, a cookie may be deposited on a client through direct access (e.g. I go to google to initiate a search, a cookie is left on my machine). BUT later on the cookie is accessed in third party mode (say, I see a page into which google embeds content).
3) The question is whether Google's cookie is
3.1 always considered as a first-party cookie
3.2 sometimes considered as a first party cookie (i.e. when it is sent/accessed in first party mode) and sometimes as a third party cookie
3.3 always considered as a third party cookie
--
I think that the question has merit.
I also think that cookies present a moderate risk to users if a piece of code is dropped and instructed to list cookies and "report" them to the host. I believe I have read about such exploits. I do not recall any actual damage being reported.
Stephane has it right. Only the site that set a cookie can read it, but a cookie could be set in a first-party context and read in a third-party context (through embedded code - or something as simple as a GIF - on the third-party site).
Thanks for getting into the debate. Any chance of a trackback to my original post so my readers can find your comments?
Ian: got it... didn't see this particularity at first, but it makes a lot of sense!
Regarding the trackback, it's strange because I'm linking to your friendly URL post while the trackback is using a numbered post. I'm now linked to both :)
Don't get too bogged down in the technical details -- what's important is the kind of information being shoved around.
If I'm hosting across a bunch of servers in different domains, I might need to put information explicitly in query strings, instead of in cookies, but if it's not information that invades anyone's privacy, so what?
On the other hand, if I'm violating my P3P policy -- even if I'm using cookies in a perfectly normal fashion -- that's probably very, very bad.
I'm sure there are lots of other examples of these kinds of distinctions.