Fact Sheets

Cookies – Following the crumbs

When you use a computer to visit a website, the website places a small piece of text, called a cookie, onto your computer.  The cookie is used to save information about you and the site.  Examples of such information might include your language preference or previous interactions.

There are different types of cookies.  Some of these can also be used to track what you do on the web, without you knowing or agreeing to it.  Cookies can be used to create detailed profiles about where you browse, as well as other information about you.  These profiles can be used to make certain advertisements show up on your screen when you browse the web.  This is called Behavioural Advertising or targeted advertising.

The Office of the Privacy Commissioner of Canada (OPC) has prepared some responses to Frequently Asked Questions (FAQs).  Tracking, profiling and targeting people online is of concern to the OPC.  We have also developed detailed information on cookies, the privacy challenges they present and how you can try to control them.

Frequently Asked Questions

What is a cookie?

A cookie is a small piece of text that is placed on your computer when you visit a website.  Cookies were created so that information could be saved between visits to a website.  They collect and store information about you based on your browsing patterns and information you provide.  Cookies record language preferences, for example, or let users avoid logging in each time they visit a site.  Almost all of the most popular websites use them.  Cookies can be very useful because, without them, you would have to enter certain bits of your personal information each time you visit your favourite site.

So, what has this got to do with privacy?

Cookies can be used to track what you do on the web – which sites you visit and what you do there.  From this information, third parties, such as advertisers, can build profiles about you.  These profiles can then be used to place advertisements on websites you visit.  These advertisements are thought to be more interesting to you because they are based on what someone thinks you like or who someone thinks you are (a man, a woman, single, married, etc.).  This practice of building profiles of computer users to tailor advertising to them is called “behavioural advertising”.

From a privacy perspective, this is okay – as long as you know what is going on and agree to it.  Many people, however, do not know about cookies and behavioural advertising.  Some people may know about them but may not want such advertisements and are unsure how they can stop them.

Some people may not like the idea of being tracked and profiled online.  They may worry about who has their information and what is going into their profile. 

I’ve heard about other cookies – like third-party cookies, Flash cookies or super cookies.  What are these?

Third-party cookies

At first, cookies were only shared between the website (the “first party”) and the user (the “second party”).  However, the use of cookies was expanded to “third parties”, such as advertising companies that display ads on certain websites. 

When you visit a website that has advertisement on it, a cookie may be passed from the advertising company (the third party) to your computer.  Later, when you revisit that same website, or another site that uses the same advertising company, the third-party cookie can be read by the advertising company.  If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.  In this way, a detailed profile can be built about you (or other people who also use the same computer as you) and your browsing habits.  It can then be used to target advertising to you.

Flash cookies

Flash cookies were created by Adobe’s Flash browser add-on for multimedia.  Flash cookies can be used to save information between sessions and they are also used to track the websites you visit.  They are not normally visible to you.  Options to control or delete them are usually absent or difficult to find.  If web cookies (including third-party cookies) are deleted, Flash cookies can be used to recreate them.

Super cookies

Super cookies use new storage locations built into browsers to save information about you.  The storage mechanisms are larger and more flexible than traditional cookies, so more information can be stored.

What’s the problem with these types of cookies?

These types of cookies – third-party cookies, Flash cookies, and super cookies – raise privacy concerns because they are largely hidden from view, difficult to locate, and hard to delete – if they can be deleted at all.  See Web Tracking with Cookies for more information on the privacy challenges posed by these cookies.

Are cookies the only way to track me?

No. Your browsing history can also be tracked without using cookies.  Beacons (also called “web bugs”) are small, invisible image files included on a web page or hidden in an e-mail message.  When you visit that page or open the e-mail, the image is downloaded and information about you – your Internet address, where you are, the page you’re reading and so on –  are trackable.

I’m not sure I like this.  What can I do about it?

Web browsers provide some tools to control cookies.  You should check your browser, though.  The default may be to store all cookies indefinitely.  Your browser can be set to block cookies, but many websites insist that users accept cookies in order to use the service.  You should know that blocking cookies can impair the experience of some services. 

If you delete stored cookies, this may only clear traditional cookies and not Flash or super cookies.

Some browsers have a “private browsing mode,” but super and Flash cookies are not always covered by these settings.

If you want to clear all forms of cookies and web storage, you may have to install and use special applications.  The good news is that some developers are responding to concerns about cookies and tracking, and are working on ways for users, should they wish, to block and delete cookies.  At this time, however, there is little that can be done to prevent cookie-less tracking.

Web Tracking with Cookies

Cookies

When you visit a website, not only are you offered information or services, but your computer may also be offered a “cookie.” A cookie is a small file that is passed from a website to an end user’s (your) computer, often without your knowledge or consent. The cookie is used to save information about the interaction between you and the site, such as login credentials, preferences, and any work in progress. The cookie file is automatically stored by your browser (e.g., Internet Explorer or Firefox) on the local hard drive, and it can later be retrieved by the website.

Cookies were invented in 1994 so that information could be saved between visits to a website. This lets you avoid logging in for every visit, and cookies are also used to keep track of preferences and works in progress (such as items in an online shopping cart). Today, just about all of the top websites use cookies for one purpose or another. Cookies are a very useful feature of the web and, without them, web sessions would have no history; you would have to enter your information over and over.

Third-Party Cookies

Initially, cookies were only shared between the website (the “first party” in the transaction) and the user (the “second party”). Soon after cookies were invented, however, their use was expanded to third parties—organizations not directly involved in the interaction—such as advertising companies displaying ads on certain websites.

When an advertisement is on a web page supplied by a first party, the advertising content and a cookie are passed from the advertising company (the third party) to the end user’s (your) computer. Later, when you revisit that same first-party website, or another site that uses the same advertising company, the third-party cookie can be retrieved by the advertising company. If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.

Further, if any of the sites (such as social networking sites) collect personal information, this information might also be collected by the advertisers. In this way, advertising companies are able to track the websites that you visit and build up detailed personal profiles, which may then be used to target further advertising to you.

Third-party cookies raise privacy concerns because the transactions typically involve unknown third parties and are conducted without your knowledge or consent. Unless you pay attention to an often-confusing set of options in your browser software, the cookies are created and used invisibly, and the information that is gathered may be stored forever. In addition, the tracking and profiling done by advertising companies can be extensive; it is common for your computer to collect dozens of third-party tracking cookies.

Flash Cookies

Flash cookies (also called Local Shared Objects or LSOs) are created by Adobe’s popular Flash browser add-on for multimedia. Like traditional cookies, Flash cookies can be used to save state information, as well as preferences, between sessions.  They are also used to track the websites that you visit. These cookies are normally not visible to you, the end user, and options to control or delete them are usually absent or very difficult to find. Flash cookies are frequently found on websites, and they are often used along with traditional web cookies. In fact, even if you delete web cookies, Flash cookies can be used to recreate them.

Flash cookies raise additional privacy concerns because they are more hidden than traditional web cookies, so you have to take extraordinary measures to remove them. Also, many privacy policies that describe the use of web cookies fail to mention Flash cookies, and procedures to opt out of web cookies often have no effect on Flash cookies.

Super Cookies

A third type of cookie, called “super cookies,” is also emerging. Super cookies use new storage locations built into browsers to save information about you.  For example, the Internet Explorer browser has “userData” storage, while Firefox has “DOM” storage”. The emerging HTML 5 specifications also set aside web storage that can last either for a browser session or permanently (until deleted). These storage mechanisms are larger and more flexible than traditional cookies so more information can be stored. Like web cookies and Flash cookies, you, as a user, are often unaware that super cookies exist.  You, as the user, are often not provided with tools to control the information that is stored.

Cookie-Less Tracking

A person’s browsing habits can also be tracked without cookies. One such method involves “web bugs”, which are small, invisible image files placed on a web page or hidden in an e-mail message. When you view the page or message, the image is downloaded from a server that can keep detailed logs.  These logs record such information as your location, Internet address, the page or message you are reading, and the current date and time.

When people view web pages, their browsers can reveal a lot of information. The browsers can be queried to determine their detailed characteristics, including version number, window size, settings, add-ons, and customizations. The combination of information, often called “device fingerprinting,” can be quite specific to an individual machine.  An experiment conducted by the Electronic Frontier Foundation suggests that this information may be unique to about one in one million people.

Web Privacy Tools

Unfortunately, protecting privacy while browsing the web is not an easy task. Web browsers provide some tools for storing and clearing cookies.  However, the default is to store all cookies indefinitely and the privacy tools are often hard to find and use.  Browsers can be set to block cookies, but many websites require that you, as a user, allow cookies to use the service. Even blocking third-party cookies can impair the experience of some services, so users are faced with the onerous task of allowing some cookies and not others. If you do configure your browser to delete stored cookies, this often only clears traditional cookies, without removing super cookies and Flash cookies.

Some browsers have recently implemented a “private browsing mode,” designed to protect privacy. In Firefox, for example, web cookies are deleted when a private browsing session is ended. Unfortunately, super cookies and Flash cookies are not always affected by these settings, so they are still stored during private browsing sessions. In order to clear all the different forms of cookies and web storage, you generally have to install and use special add-on applications. Some popular tools for Firefox, for example, are the BetterPrivacy, NoScript, and Targeted Advertising Cookie Opt-Out (TACO) plug-ins.

Conclusion

Cookies are powerful tools that give the web a memory, making for a better user experience. They do, however, also pose privacy concerns because they are often used without your knowledge or consent, and can be used to track your web habits and build detailed personal profiles about you.

To protect your privacy on the web, you need to learn about the cookie controls provided in your browser.  You should also investigate some specialized tools that can control all cookie types. Unfortunately, however, even if you do make the effort to control cookies, there is little that you can currently do to protect against cookie-less tracking methods.

The OPC is studying this issue.  We raised concerns about tracking practices in our Report on the 2010 Consultations on Online Tracking, Targeting, and Profiling, and Cloud Computing.  We will continue to address our concerns with industry, as appropriate.

Additional Reading

Eckersley, P. (2010) Browser versions carry 10.5 bits of identifying information on average.

Krishnamurthy, B. and Wills, C.E (2010). On the leakage of personally identifiable information via online social networks. ACM SIGCOMM Computer Communication Review, 40(1), 112—117.

McKinley, K. (2008). Cleaning up after cookies.

Schoen, S. (2009). New cookie technologies: Harder to see and remove, widely used to track you.

Soltani, A., Canty, S., Mayo, Q., Thomas, L. and Hoofnagle, C. (2009). Flash cookies and privacy.

Wall Street Journal. (2010). What they know.

May 2011