Internet users are becoming increasingly savvy and familiar with the environment in which they work, socialise and play, demanding increased functionality, convenience and relevance, whilst also displaying fickle browsing behaviours and insisting on increased privacy.
Cookies are defined as being “commonly used to ‘maintain the state’ of the session as a user browses around the site. The shopping cart is an example. You can place an item in the cart, switch to another page or even another site, and when you come back, the site knows who you are, and you can continue with the order, [see amazon.com or ebay.ca]. Without cookies, the site would not be able to identify you automatically because the Internet is ‘stateless’” (thefreedictionary.com). [iv] A more technical description is “An HTTP cookie consists of a piece of information stored on a user’s computer to add statefulness to web-browsing” (Wikipedia, March 30th 2008). [v]
- First-Party Cookies
The default settings in your Web browser typically allow “first-party” cookies, but not “third-party” cookies. First-party cookies are created by the web site you are visiting and are necessary to keep track of your preferences and the current session, (thefreedictionary.com). [vi]
- Third-Party Tracking Cookies
Third-party cookies are created by a web site other than the one you are currently visiting; for example, by a third-party advertiser on that site. The purpose of such cookies is usually to track your surfing habits, which is why third-party cookies are considered an invasion of privacy and riskier than first-party cookies, (thefreedictionary.com). [vii]
Online ads that are generated from the data captured by 3rd party cookies are similar in nature to junk-mail, spam or telesales calls. The latter three are all designed and targeted at ‘profiled’ consumers based upon data that, in the majority of cases, the user has knowingly provided to an organization. Moreover, the user also has the option to ‘opt-out’ of providing the data. Often online users don’t consciously supply this data and only recently have they been given the ability to ‘opt-out’ or ‘block’ 3rd party cookies!
In the same way that product managers, new product designers and buyers create, promote, manage and at times, rationalize their product portfolios, online marketing managers build, extend, dissect and re-build their websites to better suit their target audience, whose utopian website exceeds their expectations and provides maximum functionality, ease-of-use and speed.
Changes to websites are made based upon data received from a plethora of sources, including the information from 1st party cookies. Other tools such as page tags and log files enable marketers to understand the journey that visitors take around their websites, in particular where sites experience drop-off, [via a process known as Funneling]. This enables marketers to trial alternative scenarios, [A/B testing], and ultimately provide a better user experience for their visitors. 1st party cookies provide reference settings, convenience and relevance by enabling sites to store key information, such as shopping basket items, and anticipate associated items of interest, i.e. products, special offers, bespoke pricing, based upon previous buying patterns and user-profiling. Without the use of 1st party cookies none of these user features/benefits would be possible.
Whether it’s a surfer’s ‘right’ to total anonymity is a larger discussion. Whilst users shouldn’t ‘opt-out’ of receiving 1st party cookies due to functionality, relevance and convenience implications, surfers can manually delete their cookies – if required. This leads to further debate: “should surfers be asked if they want to accept cookies on a site-by-site basis?” – this is certainly the case when consumers complete offline applications for credit cards, store cards or magazine subscriptions.
Alongside privacy comes security. Identity theft is one of the World’s fastest growing crimes, and phishing is associated with it as a tool for identity thieves. In a 2007 Canadian report, the CAFCC reported identity theft losses of over $72 million and over 24,000 victims. [viii] Moreover, the APWG received nearly 328,000 reports of phishing alone during 2007 (APWG, December 2007). [ix] Whilst many vendors follow ‘best practice’ procedures, there are many less scrupulous operators on the web. The exploitation of cookies can lead to a number of attacks such as phishing, (above), cross-site scripting, cookie poisoning, cross-site cooking, spyware, web bugs and social engineering.
Taking a step back, the main reason for using cookies is to make site preferences possible. Otherwise users would have to remember the products they want to purchase, purchase them individually and complete the check-out process transaction by transaction – you get the drift! The interpretation of cookie information also allows organizations to profile their customers in order to improve the user experience. Website marketers utilize an assortment of tools such as cookies, web logs and page tagging, which allow visitor profiling, journey statistics and abandonment to be assessed. However, cookie data can be misleading due to IP address abnormalities, the deletion of cookies or any website log-in requirements. In fact, Comscore MediaMetrix suggests that “frequent cookie deletion by 3 out of 10 U.S. internet users leads to overstatements in audience sizes by a factor as high as 2.5”. [x] Therefore, are there alternative ways to extract this information, and could these alternatives provide a more secure, more accurate, less obtrusive browsing environment?
Finally, there’s the issue of duration. There is a significant difference between Persistent and Session cookies, the latter being ‘alive’ for the duration of the session, whilst the former is stored on your hard drive, potentially indefinitely. Webopedia.com describes them as:
- Persistent Cookie: Also called a permanent cookie, or a stored cookie, a cookie that is stored on a user’s hard drive until it expires (persistent cookies are set with expiration dates) or until the user deletes the cookie. Persistent cookies are used to collect identifying information about the user, such as Web surfing behavior or user preferences for a specific Web site, (Webopedia.com, April 2008). [xi]
- Session Cookie: Also called a transient cookie, a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from the user’s computer. They typically will store information in the form of a session identification that does not personally identify the user, (Webopedia.com, April 2008). [xii]
Very few users take umbrage with session cookies as they provide convenience during a particular search/transaction/operation. Yet persistent cookies have a more heinous side. The fact that they’re stored for longer increases the security risks, encompasses the whole notion of ‘big brother’ tactics and requires the user to forgo privacy unless they want to manually cleanse their systems time-and-time again. Plus, what about the data that’s collected from cookies? Even ‘best practice’ organizations such as Google and Yahoo keep personalized user data for 18 months before they anonymise it! [xiii] What if the data’s lost or stolen before it’s anonymised? That certainly happens; ask TJ Maxx, NY Transit and the British government!
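As an added illustration (not part of the original article), the JavaScript below applies the definitions above to Set-Cookie headers: first-party or third-party by comparing the host that set the cookie with the page host, and session or persistent by whether Max-Age or Expires is present. The host names, cookie values and the two-label "site" comparison are assumptions made for the example.

```javascript
// Constructed sample: responses seen while loading a page on shop.example.
// Host names and cookie values are made up for illustration.
const PAGE_HOST = "shop.example";
const NOW = Date.parse("2008-04-11T00:00:00Z");
const SAMPLE = [
  { from: "shop.example", header: "basket=sku123; Path=/" },
  { from: "shop.example", header: "prefs=lang-en; Max-Age=2592000; Path=/" },
  { from: "ads.tracker.example", header: "uid=a1b2c3; Expires=Wed, 11 Apr 2018 00:00:00 GMT; Domain=tracker.example" },
];

// Split a Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const item of rest) {
    const eq = item.indexOf("=");
    const key = (eq === -1 ? item : item.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : item.slice(eq + 1);
  }
  return { name: pair.split("=")[0], attrs };
}

// Simplification (assumption): the "site" is the last two host labels.
// Browsers use the Public Suffix List, which this sketch does not include.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Days until expiry, or null for a session cookie (no Max-Age, no Expires).
// Max-Age wins over Expires when both are present (RFC 6265).
function lifetimeDays(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 86400000;
  return null;
}

// Label each cookie by who set it and how long the browser will keep it.
function classify(pageHost, responses, now) {
  return responses.map(({ from, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const days = lifetimeDays(attrs, now);
    return {
      name,
      party: site(from) === site(pageHost) ? "first-party" : "third-party",
      lifetime: days === null ? "session" : "persistent",
      days: days === null ? null : Math.round(days),
    };
  });
}
console.table(classify(PAGE_HOST, SAMPLE, NOW));
```

The third row is the case the article worries about most: a cookie set by a different site than the one being visited, kept for roughly ten years.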
[i] Data taken from domaintools.com/internet-statistics on April 7th 2008.
[ii] Extract taken from comscore.com, May 4th 2006.
[iii] Search Behaviour Analysis White Paper, mondosoft.com, extracted April 11th 2008.
[iv] Definitions taken from thefreedictionary.com, April 11th 2008.
[v] Extract taken from Wikipedia.org, Internet Privacy, page last modified on March 30th 2008.
[vi] Definitions taken from thefreedictionary.com, April 11th 2008.
[vii] Definitions taken from thefreedictionary.com, April 11th 2008.
[viii] The Canadian Anti-Fraud Call Centre, (CAFCC), Monthly report for December 2007, December 2007.
[ix] Anti-Phishing Working Group (APWG), Phishing Activity Trends Report, December 2007.
[x] Taken from Cookie-based counting overstates size of web site audiences, comscore.com, April 11th 2008.
[xi] Taken from Webopedia.com, persistent cookie definition, extracted April 11th 2007.
[xii] Taken from Webopedia.com, persistent cookie definition, extracted April 11th 2007.
[xiii] Taken from Search engines warned over data, bbc.co.uk, April 7th 2008.