It’s True! There Really Are Cookie Monsters

Pawel Kuczynski — soap bubbles

They are called third-party cookies, and because of a bad mix of poor implementation of European privacy rules and refusal to acknowledge the Do Not Track standard, they are now eating up a good part of our online experience.

My experience turned into a very time consuming and frustrating one when I wanted to see what events are happening this month and went to check on one of the most popular websites (it’s not my intention to pick on names here, as this is a widespread phenomenon). The first thing that I laid my eyes on was the cookie banner. Just like you, I am very sensitive when it comes to my online privacy, so I first clicked on the settings button to manage my privacy preferences.

While different websites use different methods for opt-out management, as an example, here’s how it looks for TimeOut.com:

At first, everything looked easy and encouraging. Two big red “ALL OFF” buttons for advertising and analytics & customization. But what happened after I clicked these buttons is that I got another banner:

“Your browser is currently blocking 3rd party cookies. Many companies use third party cookies to remember that you have opted out, so you will need to enable them if you want all of the opt outs on this page to work.”

So basically companies are using the same type of cookies not only to track my behavior, but also to remember not to track me 🙄. If I enable third party cookies, then I must also turn into a cookie vigilante to make sure that I opt out of everything and don’t leave an open door for unwanted profiling and monitoring.

This is not feasible from a user’s perspective, and from here it gets complicated. Technicalities and legalese below, but I’ll start by describing my browser setup, which may be similar to that of many other privacy-concerned people.

My Firefox browser preferences are: third party cookies off, Do Not Track on. I also have uBlock Origin, Ghostery and Cookie AutoDelete, an addon that deletes cookies after I close the tabs. And one for deleting flash cookies as well (Clear Flash Cookies). This means my browser and addons reject third party cookies, so I cannot automatically turn off all the ads and analytics.

The two options that I have are:

1) stripping away my privacy by enabling third party cookies, allowing trackers, disabling the Do Not Track protection and pausing all ad blockers and cookie deletion addons — and then hope the “ALL OFF” button will actually work.

or 2) click on “ALL OFF” and then go to each of the remaining companies on the list and manually opt out. And basically start all over again next time I visit the same website if I don’t disable my browser add-on that deletes all cookies 😑

Here’s an estimate of how this manual effort looked for me when visiting TimeOut.com:

For advertising:

  • 53 companies in total
  • 15 companies out of 53 do automatically opt out (27 do not automatically opt out)
  • 11 companies do *not* provide opt out at all
  • in about 8 cases I had to customize settings in a different opt out management system provided by Your Ad Choices (opt out within opt out — this is getting meta!)

For analytics and customization:

  • 70 companies in total
  • 18 companies out of 70 do automatically opt out (41 companies do not automatically opt out)
  • 11 companies do *not* provide opt out at all
  • 1 company has “on/off button” as well as “more options”?! (but with a broken link)
  • 2 companies have “go to site” and “more options”, but in my case the links didn’t work

In other words, there’s a real possibility for me to automatically opt out of only 30 companies (14 companies for advertising and 16 for analytics and customization). There are 116 in total.

To recreate the experience, I am on the cookie settings page and I click “ALL OFF”. Not everything is really turned off and certain companies — a lot of them — do not even have an opt out mechanism. So I’m thinking why are these companies still listed in Evidon’s opt out solution if they don’t have an opt out?! Last time I checked explicit consent was mandatory for placing cookies on users’ devices (and you don’t have to believe me; there are legal obligations in the EU that require it, see details below). Also, what happened with privacy by design and by default? And how come that just by visiting 1 website it’s ok to have 116 companies tracking my data? Is this where “legitimate interest” leads? (Legitimate interest is one of the legal bases that companies can use in order to process personal data without asking for consent. More legalese below.)

But it doesn’t stop here. Reading through the explanations from the “go to website” companies, I also find out that:

“Since opt-outs listed at Ghostery Enterprise are generally specific to a particular kind of data use, companies that a person opts out from may still collect data about them for other purposes, unless their opt-out policies say otherwise.”

Great. Game over. Borderline, screw my privacy. Keep ignoring the “Do Not Track” standard, and keep using cookies to figure out if I don’t want you to track me using cookies. Let’s all agree that the rights gained with GDPR have a very poor implementation in the most basic of online practices such as accessing a website.

Meme generated by memegenerator.net

Instead of making it better we are making it much, much worse

Instead of a bigger push for stronger and more efficient GDPR compliance on the industry’s side, we get technical solutions that are designed to block cookie dialogues altogether (one is the beta version of the Opera browser and another one is an addon called “I don’t care about cookies”). The problem that comes along with enabling this option is that it has a legal implication. It means that you accept and consent to whatever terms the website offers. That you don’t want to exercise your rights and that you don’t care.

Yes, cookie banners are annoying, but blocking cookie dialogues will not solve the problem. It will just be a sign of resignation. And that’s not a healthy sign if we want to start changing things fundamentally.

Even more scary, there are companies engaging in tracking on a whole different level because cookies are so 2000… See Criteo’s privacy policy: “Criteo may use non-cookie technologies in limited cases where the by-default settings of your browser aim to prevent the use of cookies for cross-site personalization and only if you have unambiguously accepted our services after being asked to do so”. The different technologies could mean fingerprinting methods, which in turn means you should install another add-on or figure out another way to stop being profiled.

There are (failed) attempts to control cookie settings and for managing multiple opt outs. For example, every time I tried YourAdChoices it never really worked in my case — not even when I disabled all anti-tracking features in my browser and all my addons. Same goes for Evidon’s opt out tool described above. Did it work for you?

Cookie banners, third party cookies, and bad opt out managers turn out to be only a part of the bigger ecosystem of third party tracking. Online advertising is still the most important source of income for many websites, apps, and online services, and our data is seen as an economic asset. The power imbalance between individuals and companies has grown dramatically and we are left almost helpless in challenging them. Most of the time — either on web or mobile — we don’t even know who’s tracking us, and we have little understanding of the consequences of tracking, for example what the implications are for democratic processes. We also rarely fully understand how companies are collecting and using our data, with whom they are sharing it and for what purposes. This is where GDPR comes in and puts a legal obligation on companies to be more transparent and provide effective ways for users to exercise their rights, such as providing consent, opting out, requesting a copy of their data, or deleting, correcting or moving their data.

Action points

It’s true that there are limited tools that we can use to stop third party tracking, but there are a few things that we can do:

Addons and blockers.

> Installing addons and anti-trackers offers much more protection than having third party cookies enabled. A couple of addons that you might consider are uBlock Origin, Ghostery, Privacy Badger, Decentraleyes, Privacy Possum. You can also install addons that delete cookies, such as Cookie AutoDelete. Keep in mind that if you happen to visit a website that uses third party cookies to remember not to track you, you should take an extra step and create whitelists in order not to go through the same cookie customization process again and again. Whitelists are lists where you can add the pages on which you want the addon to be disabled.

> There are other types of tracking such as fingerprinting, mouse tracking, keystrokes, local storage, session storage, authentication storage and even via Google fonts. Probably other ways of tracking are also emerging. There isn’t a single solution against tracking, but to protect yourself against profiling via fingerprinting you can use addons such as Chameleon or Random User Agent, which present websites with random browser profiles instead of your real data.

Put pressure on companies. Ask them what data they have about you and request them to delete it. Privacy International’s campaign on data brokers provides templates and advice on how to do this.

If you are in the Netherlands, use the My Data Done Right tool to see what data companies have about you. And please help translate the tool into your language!!

Send formal complaints to Data Protection Authorities. You can formally complain about tracking and data exploitation practices to national data protection authorities. Here’s a list where you can find their contact details.

Tell your MEP to put privacy high on the agenda. In 2019, not only will there be European elections, but 13 member states will have elections at national level. Give MEPs a call and ask them to bring privacy forward in the political discussion, especially during the election campaign. Here’s a list of the European MEPs currently in office and their contact details — most of whom will probably run for a second mandate.

Always. Need. To. Check.

The good thing is that it’s not as painful as described above with every single website interaction. When clicking on “manage settings” or “more info” links on pop up banners, you either get a long boring legal text shoved down your throat as cookie or privacy policies, or you are pleasantly surprised to see (1) that you are offered a real possibility to opt out and even more amazed when (2) all trackers, cookies, ads are turned off by default. Ermm, as they should be.

However, it’s always frustrating that you lose time dealing with privacy notifications when all you need is very basic information — like how many cups of milk you need for your rice pudding recipe or to find out what the weather is going to be like. I actually started using Tor Browser for this type of search because it’s simply much more hassle free and I am not being tracked. Try it out: open a popular recipe website like AllRecipes.com with your current browser and separately open the same website with Tor (which most of the time exits from a US node) — better, right? No pop-up banners, plus many more other benefits. However, there’s a good distinction to be made between blocking ads, cookies, analytics and marketing stuff and having the choice of opting out, as provided by the GDPR.

Isn’t the GDPR supposed to be the golden rule that tells websites to inform about what tracking techniques are used but also to present a real choice whether you want to accept or not?

Website owners still getting used to the European privacy rules could, at the very least, show from the beginning whether all advertising, analytics and monitoring is actually turned off or not. Just to show a little consideration for visitors. If there’s no room for that, how about just following the law in place and turning everything off by default? Crazy idea, I know. What would companies do if they didn’t rely on exploiting data, creating profiles, tracking you all over the web to feed you the stuff that they presume “you are interested in” or even the stuff that “you should be voting on”?

You spent about 7–10 minutes reading this article about cookies. If you’re still up for it, here are the legal and technical bits regarding cookies, all explained in a human readable way. But all in all, should there be a general demand to websites providing flawed opt out solutions to get more serious with GDPR? Absolutely.

The technical part

What are cookies?

A cookie is a small file, made out of letters and numbers, that can be downloaded to your device when you access a website (watch a 1:22 minute video here). Cookies are created when your browser displays a website. The website sends information to the browser and the browser creates a text file. Every time you access the website, the browser goes to this cookie file and sends it to the website’s server. In this way, the cookie tells the website each time you return to it.

Cookies could be used to improve the interaction between users and websites. For example, cookies can store information about your online shopping cart or an online form you are filling in, keep you logged in when you close and reopen a tab, remember your preferences for the website… But cookies can also be used to monitor your online activities and build user profiles for marketing purposes. Cookies can be used to infer your preferences, what products you looked at, your potential age, and this information can be used by all sorts of advertisers — political or not — to send commercials or information related to your preferences, behavior, psychological and demographic traits.

As mentioned in the legal section below, websites need to inform the user whether they use cookies, for what purpose and to offer the possibility to opt out (if the cookies are not purely technical).

What are 3rd party cookies?

These are cookies that are not placed on your computer by the operator of the website you want to access, but by someone else. Third party cookies are not strictly necessary for accessing a website, since they are usually associated with a different service than the one you explicitly wanted when you accessed a particular website. For example: if you go to SimplyRecipes.com you’ll get third party cookies placed by the advertising, tracking and social media companies that work with this website.
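To make the first-party/third-party distinction concrete, here is a small added example (not code from the original post) that classifies cookies the way a browser with “third party cookies off” decides what to drop. It assumes a constructed page on timeout.example loading an ad pixel, and a simplified notion of “site” (last two DNS labels, no public-suffix list); the hostnames and cookie names are made up.

```javascript
// Added example: classify Set-Cookie headers seen while loading a page
// as first-party or third-party. Site = last two DNS labels (simplified;
// a real browser uses the public suffix list).
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie is third-party when the site it is scoped to (Domain attribute,
// or the responding host if absent) differs from the site in the address bar.
function classifyCookie(pageUrl, responseHost, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const cookieDomain = (cookie.attrs.domain || responseHost).replace(/^\./, '');
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const cookieSite = registrableDomain(cookieDomain);
  return { name: cookie.name, domain: cookieDomain, thirdParty: cookieSite !== pageSite };
}

// Constructed sample responses for a visit to https://www.timeout.example/events:
// the site itself, its CDN, and an ad network's pixel (hosts are made up).
const SAMPLE_RESPONSES = [
  { host: 'www.timeout.example', setCookie: 'session=abc123; Path=/; HttpOnly' },
  { host: 'cdn.timeout.example', setCookie: 'lang=en; Domain=.timeout.example' },
  { host: 'pixel.adnetwork.example', setCookie: 'uid=u-42; Domain=.adnetwork.example; SameSite=None; Secure' },
  // The ad network's own "remember that I opted out" cookie is third-party too,
  // so a browser that blocks third-party cookies drops it along with the tracker.
  { host: 'pixel.adnetwork.example', setCookie: 'optout=1; Domain=.adnetwork.example; SameSite=None; Secure' },
];

// Names of the cookies a "block third-party cookies" setting would reject.
function blockedByThirdPartySetting(pageUrl, responses) {
  return responses
    .map(r => classifyCookie(pageUrl, r.host, r.setCookie))
    .filter(c => c.thirdParty)
    .map(c => c.name);
}

console.log(blockedByThirdPartySetting('https://www.timeout.example/events', SAMPLE_RESPONSES));
```

The output shows both the tracking cookie and the opt-out cookie being rejected, which is exactly why the “enable third party cookies so the opt-out works” banner appears.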

What is Do Not Track?

Do Not Track is a standard that the World Wide Web Consortium (W3C) developed to allow users to express their preference regarding the monitoring of their online activity. If turned on, Do Not Track instructs your browser to tell the websites that you access that you don’t want the website’s advertisers and other third party providers to get your browsing behavior and to track you. It’s designed as a tool primarily against third party cookies, so it has its limitations in terms of protecting you from tracking. And, unfortunately, it is a voluntary mechanism that most websites simply choose to ignore.

What are ad blockers and how do they interact with websites?

Do Not Track, even if respected, does not mean that you will not get commercials anymore. It means that you are sending a message that you do not want to be monitored and profiled. If you want to stop seeing ads, you need to install an addon in your browser. Addons like uBlock Origin, Ghostery and others will remove advertisements from a web page. Same for opt-out preferences — you just opt out of seeing personalized ads, not from seeing advertising, period. This means that you will still see advertisements, but they will not be adapted to your presumed profile.

The legal bit

How did the cookie banner come into existence?

Until not so long ago the web was cookie banner free, but then came a very uninspired implementation of the 2002 ePrivacy Directive. One of the purposes of the directive was to eliminate spyware, web bugs, hidden identifiers and other similar trackers that could be placed on the user’s device without their knowledge. It did not interfere with technical storage or access for facilitating communication. The directive required prior, informed notice, but nothing in it prevented this from being achieved at browser level, for example (Article 5(3) of the ePrivacy Directive).

Also, in 2012 there was guidance issued by the body of European data protection regulators (Article 29 Working Party, currently the European Data Protection Board) explaining that first party cookies could be exempted from the general rule of prior consent under certain conditions (for example cookies used to personalize a website, such as by selecting the language) and if cookies were not used for additional purposes.

This positive regulatory effort was translated into, yes, the annoying cookie banner. It was meant to present users with an option to reject cookies and other trackers. But what happened in practice was that websites started displaying a box with just one line of text and an “ok” button. The notification warned that the website was using cookies and provided a link to a cookie or privacy policy. The only options were clicking ok, ignoring it completely or passively reading the long legal text. No real option to refuse.

How did it become a cookie monster?

The GDPR (General Data Protection Regulation) came into effect in May 2018 and it now requires companies to provide specific and accurate information about how personal data is being processed, as well as to ask for prior consent (see the definition of consent at Article 4 (11) and accompanying recitals), to offer the possibility to opt out, and to document obtaining consent for a particular purpose of processing. Most companies, instead of looking more closely at their data collection practices, just went for an even worse version of cookie banners. One that still doesn’t always offer opt out, one that cannot count as informed and explicit consent, one that makes our online experience worse without respecting our rights.

Is this going to be over?

If there’s no push from the user’s side it could actually get much worse. The ePrivacy Directive mentioned above is currently being revised and turned into a regulation — a directly applicable law that does not require transposition into member states’ national legislation. It is meant to raise the bar for companies who want to track users’ behavior, regardless of whether it’s on a computer, a mobile phone or other Internet of Things devices that are intimately connected to a user.

But who knows how this regulation will actually be interpreted in practice and whether choices for end-users will indeed become clearer? That’s why the action points described above and putting privacy protections high on the political agenda are very important at the moment. For an easy introduction to the key points of the proposed ePrivacy Regulation see here and here.

For more friendly info on how to navigate online privacy and GDPR, check out the GDPR Explained guide and GDPR Today, an online hub for staying tuned to the (real) life of EU data protection law.

Meme: Cool story bro. Now, give me two cookies.