By now everybody has some basic grasp of what a cookie is or, at very least, heard of websites using cookies to track your online behaviour.
Some of the main uses of cookies:
Session Cookies: Because web pages themselves cannot store moment to moment information about your behaviour on a website, these session cookies enable a website to remember a previous action for a future time. This is used for activities like adding a product to a cart and then continuing your browsing on the website. Without this cookie, the website would not have “remembered” that you placed an item into the shopping cart.
Authentication Cookies: These remember your login information on a website and allow users to visit websites without having to login every single time they navigate to a new webpage. This information is heavily encrypted and shared only with the site they pertain to. Thanks to cookies, websites can authenticate you wherever you visit them.
Tracking Cookies: These cookies are the ones that track your preferences and behaviour on a website and can be used in marketing. Have you noticed how you often get product suggestions that follow you around the web once you have looked at certain websites?
The above cookies are all related to the specific website that you have visited and generally only share your information with themselves.
Cookies allow for some really insightful profiling on user preferences and behaviour – the kind of profiling that advertisers will pay top dollar for.
This has lead to advertisers incentivising websites to share this kind of information with them. This is done by placing their own cookie on a website and paying the website owner a small fee for every impression (visit) the site gets. These are known as third party cookies and have developed their own ecosystem with exchanges where brands can bid for this information. While these can be deactivated in most browsers, their default setting is to be allowed and blocking them is not widely mentioned.
While these cookies are largely benign, they can be used to profile a user as they do store personal information and can be hacked.
Grab your tinfoil hat and let's see how many cookies an average day of usage collects.
“Only scary websites push third party cookies, right? I only use my computer for work-related things, some light social media and browsing. I do not visit those nasty websites…”
Comments such as the one above I have heard from all manner of people, including some rather tech savvy ones. So, I thought it would be interesting to see what actually happens on an average day of internet usage.
Before we get the the results, I feel it is important to go through what I consider an average day online and my data collection approach.
Delete all the cookies.
First things first, we need a completely clean browser session, free of any cookie data. A fairly simple exercise and can be followed here.
Establish a routine.
To ensure that results are repeatable and to avoid skewing results with false positives by visiting a single website with millions of cookies on it, I needed to understand what an average day of web usage was.
I monitored my behaviour over a three day period while at work and noted repeated activities. This allowed me to create a set of tasks that would reflect average daily internet usage that I could repeat in order to validate my data.
This task list looks as follows, and I encourage everyone to repeat this to see who is following them:
1.Open your online email account. Mine is GMail.
2. Click through to the first 2 websites from promotional emails sent to you. For this example I clicked through to:
3. Visit Facebook and click on the first 5 stories that lead to an external website. These could be stories shared by friends or promoted posts. I clicked on the following:
4. Visit Twitter and click on the first 5 links that appear in your timeline. Mine were:
5. Visit LInkedIn and click on the first 5 links that appear in your timeline. The were:
6. For my daily news fix, I visit 5 sites throughout the day. This selection covered both my local and international news requirements:
7. I then visit YouTube for a quick video or 2 during the day.
8. I noticed that on a typical day I would Google between eight and 15 things. So I decided for the purposes of data collection and repeatability to do 10 random Google searches. To negate the scenarios where I do not find the information I require on the first result, I clicked on the top two search results for each query. The search queries and sites I clicked on were as follows:
a. Hotels in karoo
b. Golf 7 specs
c. Durbanville restaurants
d. How do I do a v-lookup
e. Weather cape town hourly
f. Celebrity news
g. New movies
h. New dance songs 2017
i. Smart Watches Cape Town
j. Hotels in karoo
9. Lastly, I covered some random browsing of three website that I regularly visit. I chose to visit:
Now that I had a set list of tasks to perform, I could easily repeat them to normalise my data. I had some other colleagues follow the same steps (with their own URLs) to compare numbers with.
Caught with your hand in the cookie jar
In this exercise I visited 57 unique URLs. The total tally of cookies this generated was 826. Yes, almost a thousand cookies for visiting 57 websites in a day. With the bulk of them being for ad serving networks.
It is important to realise that this is also only for desktop usage in an office environment and does not include the “browsing” many people do in their down time or any activity that happens on mobile devices. This is also for only one day’s worth of activities and would mean that we are exposing ourselves to many parties who are interested in our data.
What does it mean?
It is difficult to fully quantify the impact of these findings as it is quite difficult to decypher what all of the cookies share about your behaviour.
What is glaringly obvious is that our data is in high demand and that most websites we visit are sharing user data with advertisers – data that could be intercepted and potentially be utilised for nefarious purposes. It just depends on how tightly you are wearing your tinfoil hat as to how concerned you should be.
The reality is, there is not much we can do about this as, without cookies, much of the internet we rely on so heavily would simply not work.
If anything, I am much more security conscious about my online behaviour, disabled third party cookies and will start doing a browser purge more often.