Third-party Cookies

Last year was very significant for good old browser cookies. For those who don’t know what cookies are: they are small chunks of data stored on the user’s hard disk. They mainly contain simple tokens and identifiers that allow websites to recognize us as the same user even if we leave the page and return after some time.

Most HTTP sessions are based on cookie files. Cookies may also contain “soft” data such as user preferences and customizations, like the sound volume level in video players or the preferred font size. Cookies became very famous recently. They were even brought under the protection of European law, and every website that uses them has to inform users about the fact.

 

First-party cookies vs. third-party cookies

There are two main types of cookies – first-party and third-party. First-party cookies can be set only by the website that we are currently navigating and only for that page’s domain. If we are visiting the www.example.com website, then every cookie that the page sets is related to the example.com domain. That is a very natural situation. In that case the user can be sure that all data stored in those cookies is accessible only by the example.com website.

 

Cookies make things happen

Third-party cookies are something else. If example.com has – let’s say – a Facebook plugin in it, then while navigating the user generates HTTP traffic not only to the example.com webserver but also to Facebook. If Facebook sets any cookie while processing that kind of request, that is a third-party cookie. In other words, third-party cookies are created and maintained for a domain other than the one we are currently visiting.

Obviously, if we go to the Facebook website, then all of Facebook’s cookies automatically become first-party for this particular context. Third-party cookies allow many useful services to exist. One of them is keeping cross-domain sessions, like on Facebook or Google services. Thanks to them you can go to Youtube.com, log in, and then go to Gmail.com already logged in. Also, if you are logged into Facebook, you can go to the example.com website and click the “like” button placed under some article, and that action will be connected with your FB session because Facebook recognizes you just by the cookie.

 

Psst… I know what you did

As with many useful things, they may also be used for other, less useful but rather selfish and intrusive purposes. Big advertising networks (which include Google and Facebook as well) use cookies for tracking user preferences and behaviours. Let’s consider an example. If you go to the example1.com website, which uses Google Analytics to analyze its audience, then your browser generates network traffic not only with the example1.com webserver but also with Google. Google, handling your HTTP request, could (and actually does) set a piece of data which will allow them to identify you next time. That piece of data is stored in third-party cookies.

At that moment Google knows: “some guy just visited the example1.com website, I will give him some hash-name”. The next day you visit the example2.com website, which has the “Google+” share button in its content, and the situation repeats. Your browser communicates with Google servers. They can now state: “some guy just clicked on the G+ button and he already has a name stored in a cookie”. Now they don’t actually know what your name is or what your shoe size is, but they do know that you are the same guy who visited example1.com a day ago. Two months later you decide to set up an account on YouTube. You go through the registration process, everything seems fine, you give your name, your age etc., and when you submit the registration form Google reads your cookies and then says: “Ah, here you are, so you are the guy who likes the example1 and example2 websites, it will be good to know…”.

There is nothing wrong with that as long as Google or Facebook or anyone else uses that data only to suggest interesting content to you. Nevertheless, they may without any problems just remember your browsing history in the standard way while you are navigating their services. The problem is when those big cookie-collecting networks share their databases with someone you don’t want them to.

 

The end of third-party cookies?

Third-party cookies are a very delicate issue, but some browsers have now started to consider third-party cookies as something wrong and privacy-violating. Probably all decent web browsers allow the user to disable third-party cookies, but they are still enabled by default. There is one main exception, the Safari browser, which doesn’t allow that kind of cookie on Apple mobile devices like the iPhone and iPad. Probably it’s a little punch directed at Apple’s biggest rivals – Google and Facebook, which get much of their market power from cookie data. Last year the Mozilla Foundation planned to disable third-party cookies by default in Mozilla browsers but postponed that idea to 2014, probably due to pressure from the advertising lobby, which claims that it would be bad for the economy. Microsoft also has its own plans and is working on a new privacy mechanism for Internet Explorer, considering disabling third-party cookies. Last but not least – Chrome doesn’t seem to be interested in changing the current status quo, and that is no surprise since Google gets so many benefits from cookies.
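
The example1/example2 tracking story and the browser setting that disables third-party cookies can be modelled in a few lines. This is an added example, not code from any browser or advertising network: the `Tracker` and `Browser` classes, the `tracker.example` hosts and the two-label `site()` rule are assumptions made for illustration.

```javascript
// Toy model of a cookie jar and one embedded third party (all names hypothetical).
// Registrable domain, simplified to the last two labels; real browsers use the Public Suffix List.
const site = (host) => host.split(".").slice(-2).join(".");

class Tracker {
  constructor() { this.next = 1; this.seen = new Map(); }
  // Handles one request: reuses the identifier sent in the cookie, or issues a new one.
  handle(cookieId, referrerSite) {
    const id = cookieId ?? `u${this.next++}`;
    if (!this.seen.has(id)) this.seen.set(id, []);
    this.seen.get(id).push(referrerSite);   // which site the request came from
    return id;                              // value the server puts in Set-Cookie
  }
}

class Browser {
  constructor(tracker, blockThirdParty) {
    this.tracker = tracker;
    this.blockThirdParty = blockThirdParty; // the privacy setting discussed above
    this.jar = new Map();                   // cookie jar: site -> identifier
  }
  // Load a page that embeds a resource (button, script) served from trackerHost.
  visit(pageHost, trackerHost) {
    const thirdParty = site(pageHost) !== site(trackerHost);
    const allowed = !(thirdParty && this.blockThirdParty);
    // A blocked third-party request carries no cookie and its Set-Cookie is dropped.
    const sent = allowed ? this.jar.get(site(trackerHost)) : undefined;
    const setCookie = this.tracker.handle(sent, site(pageHost));
    if (allowed) this.jar.set(site(trackerHost), setCookie);
  }
}

// Replays the visits from the text; returns the visit lists the tracker holds per identifier.
function profiles(blockThirdParty) {
  const tracker = new Tracker();
  const browser = new Browser(tracker, blockThirdParty);
  browser.visit("www.example1.com", "widgets.tracker.example"); // day 1, embedded widget
  browser.visit("www.example2.com", "widgets.tracker.example"); // day 2, embedded button
  browser.visit("www.tracker.example", "www.tracker.example");  // later: sign-up, first-party
  return [...tracker.seen.values()];
}

console.log(profiles(false)); // one identifier covering all three visits
console.log(profiles(true));  // three separate identifiers, one visit each
```

With third-party cookies allowed, the sign-up request carries the identifier issued on day 1, so the new account inherits the earlier browsing history; with them blocked, the cookie no longer ties the three requests together.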