
Browser Cookies - What Are They and Why Should I Care?

Introduction

There’s no questioning that over the last several years the term “browser cookies” has become somewhat vilified. Browser cookies, or tracking cookies, are those tiny bits of information that websites and their partners place onto your device to help make certain features and technology work. These things make the modern internet what it is, but that’s probably not what first comes to mind when you think about that term.

Depending on your generation, you probably conjure different images in your head. For my millennial-ass self, that image is one of pop-up digital advertisements and maliciously misleading page content. Indeed, the advent of browser-native pop-up blocking effectively relieved humanity from having to ever again experience the abject pain of 500 browser windows opening all at once after mistakenly clicking on what seemed like a harmless part of the web page.

But what’s been happening in recent years is something that folks of all generations, with even the most rudimentary understanding of the internet, can admit - some serious shit has been going on with browser cookies. And it shows - people are developing stronger biases against them too. If you consider yourself one of them, please read on.

For advertisers, or companies paying money to promote their business on the internet, the browser cookie has been a cornerstone of proving return on investment from paid digital advertising. So entrenched within the digital advertising industry are cookies that Google has recently given up on a multi-year effort at effectively blocking them altogether.

However, while a household name like Google is easy to associate with browser cookies, the reality is that there are a myriad of advertising technology (adtech) companies that rely on cookies in similar yet different but all encompassingly shitty ways from the perspective of the user. Paradoxically, cookies also help provide smooth experiences between our favorite websites and provide creature comforts that we take for granted today.

Let’s investigate the why, how and huh behind tracking cookies as we know them today.

 

Breaking Down Tracking Cookies

Let me start by stating that browser cookies themselves might be one of the most misunderstood pieces of the internet…on the internet. If we unfurl the figurative scroll documenting the early internet and locate the “cookies” subsection, we will find ourselves an explanation that defies the current narrative of how cookies are used (and why they are predominantly shite).

At their core, HTTP cookies (as they were originally called back when “Ice Ice Baby” was still in rotation) are benign pieces of code that could be used to help store certain pieces of information on a user’s browser. The decision to have certain pieces of a user’s session data stored within their browser was primarily out of utility but also out of necessity:

For sites with any significant amount of traffic, the operational load to send/retrieve user session data would be fundamentally unmanageable, even despite how incredibly simple websites were during the time cookies were invented. Web infrastructure was simply ill-equipped for this task at the time. It was decided instead that websites would use cookies to store user-specific data locally (aka on users’ machines) as opposed to storing this data on the organization's web server.

Retrieved from https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

The need for storing user data on user machines grew increasingly necessary, and over the period of a few short years from the 90s into the new millennium cookies saw themselves become cemented into modern internet architecture. In parallel, cookies also became the focus instrument of what is now known as personalization. Back then, this would have simply been the website keeping you logged in even after closing out the browser, or maybe it would say “Welcome back, Meatbag!” upon returning.

 

Historical Context

Even before cookies made their debut, there were murmurs of concern within trade groups such as the Internet Engineering Task Force (IETF) about the privacy implications of enabling 3rd party websites to access locally stored user data. This was formalized through the group's issuance of RFC 2109, and you may be keen to learn that 2109 was co-authored by a man by the name of Lou Montulli - the cookie man(ster) himself. However, because of the nature of the IETF as a standards organization whose adherence is merely voluntary and not compulsory, advertising companies and even browser companies (including Netscape, Google’s hegemonic predecessor) themselves ignored the group’s guidance.

 

The era of “tracking for me but no privacy for thee” officially began on the 13th day of October, 1994, when cookies made their formal debut as a feature within the Netscape Navigator browser, known as Mosaic Netscape back in the day. The seemingly innocuous, almost innocent use cases for locally stored cookies turned out to be one of the greatest technological trojan horses ever. And I’m not talking about the type of malware that totally borks your CPU - I’m talking about this kind of Trojan Horse…

 

How to Make a Sh*tty Cookie

As the internet grew in popularity, so did the ambitions of the capital markets and financiers. They saw the internet as a new means of commerce, and investment into information technology infrastructure rapidly accelerated. The commercialization of the internet had an outsized impact on how cookies were being used. As users poured into the internet via the likes of America Online (recent nostalgic bummer) and MSN, there was very little understanding of what made the internet tick and tock, and this unintentional ignorance allowed adtech companies to effectively make unhinged data collection the norm at the expense of user privacy and consent.

Unfortunately, there’s no means of investigating what cookies were like way back when, so we’ll use a contemporary example by examining Honda of America’s website and checking out some of the information that they collect using Firefox’s developer tools.

The orange arrows call out some examples that are relatively easily deciphered just based on the parameter name in the left column of the table.

  • countryCode: this collects what country the user (me) is located in
  • siteReferer: this collects how I got to HoA’s site
  • state: the state I’m located in
  • zipVault: the approximate location of my device

These are fairly innocuous pieces of information to collect, and more than anything help Honda’s website determine how to personalize its site for me, such as what dealers to present when clicking into the dealer locator or showing the availability of certain vehicle models/trims based on the country I’m in. The information is benign, doesn’t identify me personally, and allows Honda to show me vehicles that someone like me can purchase based on where I live. There’s just one problemo:

I didn’t consent to provide any of that information, despite its innocuousivity (#brandnewword). This information was gained, extracted and utilized without any prompt or notice.

 

What’s A User To Do?

Now I mentioned earlier that I used Firefox to perform this exercise. My instance of Firefox also has an extension developed by the Electronic Frontier Foundation called Privacy Badger. This baby blocks nearly all browser cookies. If you want to see just how effective it is, here’s a screenshot of the same page we looked at within Google Chrome without any added extensions.

 

Each of these cookies from each of these adtechs is collecting enough data from you that’d make your own mother blush. This is precisely the point that the founding architects of the modern internet took issue with, and continues to be a confounding issue that pits users and advertisers against each other with every single page view.
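What separates a site's own personalization cookies from the adtech ones is a handful of attributes you can read straight off the developer tools table. The sketch below is an added example, not code from this post or from any site mentioned in it; the hosts, values and the `crossSiteTracker` heuristic are constructed for illustration, and only the names `countryCode` and `zipVault` come from the list above.

```javascript
// Added example. Hosts and cookie values are constructed sample data.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

function classifyCookie(pageHost, responseHost, header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  // Without a Domain attribute the cookie is scoped to the host that set it.
  const scope = String(attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  // Simplification: real browsers compare registrable domains (Public Suffix List).
  const firstParty = pageHost === scope || pageHost.endsWith("." + scope);
  // Max-Age wins over Expires; with neither, the cookie dies with the session.
  let seconds = 0;
  if (attrs["max-age"] !== undefined) seconds = Number(attrs["max-age"]);
  else if (attrs.expires) seconds = (Date.parse(attrs.expires) - now) / 1000;
  const lifetimeDays = Math.max(0, Math.round(seconds / 86400));
  const sameSite = String(attrs.samesite || "unset").toLowerCase();
  return {
    name,
    party: firstParty ? "first" : "third",
    lifetimeDays, // 0 means session cookie
    // Heuristic: sent on cross-site requests and outlives the browser session.
    crossSiteTracker: !firstParty && lifetimeDays > 0 && sameSite === "none" && attrs.secure === true,
  };
}

const PAGE = "www.carmaker.example"; // constructed page host
const SAMPLE = [
  [PAGE, "countryCode=US; Path=/"],
  [PAGE, "zipVault=00000; Domain=.carmaker.example; Max-Age=2592000; Path=/"],
  ["sync.adtech.example", "uid=f3a9c1; Domain=adtech.example; Max-Age=31536000; Secure; SameSite=None"],
];
const report = SAMPLE.map(([host, header]) => classifyCookie(PAGE, host, header));
console.table(report);
```

The last row is the pattern to look for when auditing a page: a cookie scoped to someone else's domain, marked `SameSite=None; Secure`, with a lifetime measured in months.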

So while adtechs are using cookies to hoover up as much data as they can, websites also need cookies to literally make their site enjoyable to use. It’s an ongoing paradox, where the application of cookies spans the tight spectrum of necessary evil to unnecessary evil. Websites need to use cookies for all the reasons I mentioned at the head of this post, but how do we preserve a website’s functionality while reconciling our desire for anonymity and privacy?

The answer is more basic and draws from existing societal norms hinging on the concept of consent. Just like we all learned in our formative years when navigating the awkward expanse known as dating, consent is a must-have item before you even dare to think about first base. Thanks to legislative artifacts like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), web technologists have become legally required to remember that pesky covenant of consent from their teenage years and became bound to provide it for internet users. Assuming they don’t want to be fined six ways till Sunday, that is.

Retrieved from https://blog.internxt.com

Thus, the last several years have brought on an onslaught of consent banners, consent pop-ups, and other vehicles designed to give users the means to opt in or out of cookies on the sites they visit. While the user experience of constant consenting is lacking, the fact that the choice (or notification at minimum) is now provided is a huge step in the direction of privacy and anonymity.

On the other end, browsers like Firefox have implemented Global Privacy Control, which essentially allows users to input their consent preferences once and have them be honored within any website they visit. This empowers users to set their personal preferences for what types of tracking they want to allow or disallow, using browser-based settings as their true north for such preferences.
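On the wire, Global Privacy Control is a request header, `Sec-GPC: 1`, so honoring it is a server-side decision about which cookies to send back. The following is an added example, not code from this post or from any browser or site it mentions: the cookie catalogue, the `consent` cookie and its `+`-separated format, and the rule that the browser signal overrides the banner choice are all assumptions made for illustration.

```javascript
// Added example. CATALOG, the "consent" cookie format and VALUES are hypothetical.
const CATALOG = [
  { name: "session", purpose: "essential", attrs: "Path=/; Secure; HttpOnly; SameSite=Lax" },
  { name: "zipVault", purpose: "personalization", attrs: "Path=/; Secure; SameSite=Lax; Max-Age=2592000" },
  { name: "ad_id", purpose: "advertising", attrs: "Path=/; Secure; SameSite=None; Max-Age=31536000" },
];
const VALUES = { session: "s1", zipVault: "00000", ad_id: "a1" }; // constructed

// The header carries the literal value 1 when the user has switched the signal on.
// Header names are lowercased here, as Node's http module delivers them.
function hasGpc(headers) {
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// Read the banner choice from the Cookie header, e.g. "consent=personalization+advertising".
function bannerConsent(headers) {
  const jar = String(headers.cookie ?? "").split(";").map((c) => c.trim());
  const hit = jar.find((c) => c.startsWith("consent="));
  return new Set(hit ? hit.slice("consent=".length).split("+") : []);
}

// Returns the Set-Cookie header values this response is allowed to carry.
function cookiesToSet(headers, values) {
  const consent = bannerConsent(headers);
  const gpc = hasGpc(headers);
  return CATALOG.filter(({ purpose }) => {
    if (purpose === "essential") return true;           // the site breaks without it
    if (purpose === "advertising" && gpc) return false; // browser-level opt-out beats the banner
    return consent.has(purpose);                        // everything else is opt-in
  }).map((c) => `${c.name}=${values[c.name]}; ${c.attrs}`);
}

// Constructed request: the visitor clicked "accept all" but also sends the GPC signal.
const demo = cookiesToSet(
  { cookie: "consent=personalization+advertising", "sec-gpc": "1" },
  VALUES
);
console.log(demo.join("\n"));
```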

As my colleague TAFKA_13 recently wrote about, there are additional steps that anyone can take right now to limit the information that can be collected from them by large adtechs. But even if you did absolutely nothing today, there is still a multi-pronged effort at reshaping the internet to become less reliant on cookies, to better instill user choice and consent when it comes to any kind of tracking mechanism and increase anonymity. This topic will be unpacked in a future post, so please subscribe to our newsletter to get notified when this content drops.

 

Tread forwardly,

balding_e4gle

 

Research Source Pile