Cookies, ITP and how it affects your privacy

Tariq UrRahman
Jun 28, 2019 · 10 min read

Chances are that you’ve heard a lot of noise recently around something called “ITP” that has a lot of people worried. It’s a feature of Apple’s Safari browser, which has actually been around for quite a while (it was first released in 2017). But some recent updates by Apple have brought sweeping changes that are poised to make a big impact on online advertisers’ ability to track user behavior, and on web analytics in general.

Apple isn’t alone in this regard either, as Firefox has also recently launched its own version of cookie policing called “ETP”.

In this article, I will explain exactly what ITP/ETP is about and what it ultimately means for users and digital marketers. But before I do that, let me give you a brief primer on what cookies are and how they work.

So what exactly are cookies?

If you are familiar with the term “web browsing”, you’ve most certainly heard of “cookies”. Not the edible kind, no — but those pesky little things websites use to identify you and personalize your experience.

Cookies were first created in 1994 by Lou Montulli, an employee of Netscape Communications, as a solution to make shopping cart functionality possible on e-commerce websites.

They are simple text files that websites place on your device whenever you visit them. Cookies enhance a user’s experience by saving login information, visual preferences and any other helpful information (such as email address) voluntarily provided while visiting the website.

Besides this, cookies can also be used to store data that is useful to advertisers, such as ads recently seen, when they were seen and which websites displayed them. This is really important from a digital marketing perspective, as it allows for frequency capping, conversion tracking and audience targeting.

Cookies can of course be deleted by users at any time, but this may result in losing personalized preferences (saved passwords, form data, etc.) across previously visited websites.

Are there different types of cookies?

While there are quite a few, you may have most commonly heard of “first-party” and “third-party” cookies. The difference between them comes down to which domain created the cookie to begin with.

A first-party cookie means that the cookie was created by the domain that a user is visiting.

For example, when a user visits Google.com from a web browser, that browser sends a web request in a first-party context, which represents a high level of trust that the user is directly interacting with Google.com. The web browser subsequently saves the cookie to the user’s computer under the “Google.com” domain name.

Contents of a first-party cookie (set by Google.com)

Most web browsers come with first-party cookies enabled, as the alternative can present frustrations for most users — websites will never save passwords, or remember any user preferences.

Third-party cookies, on the other hand, are set by other domains, different from the one the user is visiting. These are mainly used for tracking and online-advertising purposes.

Example: When a user visits a site, let’s say ABC.com, a first-party cookie is created by ABC.com and a third-party cookie is also created by ad.doubleclick.net. It is a third-party cookie because the domain that set it (ad.doubleclick.net) doesn’t match the domain of the site being visited (ABC.com). The cookie is left by a third-party advertising provider, hence the name third-party cookie.
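To make the distinction concrete, here is an added example (not part of the original article) that classifies the cookies a browser receives while the user is on ABC.com. The URLs, cookie names and values are constructed, and the `site()` helper is a simplified stand-in for the Public Suffix List lookup that real browsers perform.

```javascript
// Constructed sample (hosts from the article's example; values made up).
const TOP_LEVEL_PAGE = "https://www.abc.com/article";
const OBSERVED = [
  { url: "https://www.abc.com/article",
    setCookie: "session=k3f9; Path=/; Secure; HttpOnly" },
  { url: "https://static.abc.com/app.js",
    setCookie: "prefs=dark; Domain=abc.com; Max-Age=2592000" },
  { url: "https://ad.doubleclick.net/pixel.gif",
    setCookie: "id=22a1b; Max-Age=63072000; Secure; SameSite=None" },
];

// Simplification (assumption): the last two labels stand in for the
// registrable domain. Browsers use the Public Suffix List, so this is
// wrong for suffixes such as co.uk.
function site(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into a name, value and attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq),
                   value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A cookie is third-party when the response that set it came from a
// different site than the page the user is visiting.
function classifyCookies(topLevelUrl, observed) {
  const topSite = site(new URL(topLevelUrl).hostname);
  return observed.map(({ url, setCookie }) => {
    const host = new URL(url).hostname;
    const { name, attrs } = parseSetCookie(setCookie);
    const maxAge = attrs["max-age"];
    return {
      name, setBy: host,
      party: site(host) === topSite ? "first" : "third",
      lifetimeDays: maxAge ? Number(maxAge) / 86400 : null, // null = session
    };
  });
}

console.table(classifyCookies(TOP_LEVEL_PAGE, OBSERVED));
```

Note that static.abc.com still counts as first-party: what matters is the site, not the exact hostname.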

The issues with Privacy

Generally, first-party cookies have been considered safer (and a lot less creepy) than their third-party counterparts, whose primary reason for existing is to stalk users online.

Browsers allow you to selectively delete cookies (Firefox shown above)

Some web browsers such as Safari block third-party cookies out-of-the-box as a privacy measure. Other browsers such as Chrome don’t block them by default, but the user can choose to disable them if desired.

So as long as you block third-party cookies and accept only first-party ones, you should be all good, right? Well, not exactly — as this next example will demonstrate.

How advertisers can re-purpose first-party cookies as trackers

In certain situations (shown in the example above), first-party cookies can be re-purposed by advertisers to act as trackers too.

Let’s take a closer look at what’s happening here:

  1. The user visits site.com and a first-party cookie (green) is created by the website in its domain (site.com) and assigned to the user.

It is important to note that step 2 above happens very quickly, almost “under the hood” and the user hardly ever notices the temporary redirect. These are known as “first-party bounce trackers” and are used widely by advertising networks and social media.

As a result, the Ad platform has now created a first-party cookie under its domain (ads.com) and assigned it to the user. It can now track the user as they move around the web and serve them with personalized ads.

This was possible only because the user clicked on the ad, which took them to the Ad platform’s domain. If the user had not clicked on the ad, then Ads.com would have only been able to create a third-party cookie at best.

Apple Safari and the furore with ITP

If you’ve followed this far, by now you probably realize why blocking third-party cookies is usually the right move for browsers that prioritize privacy for their users. But is it enough?

As we’ve seen in the example above, not really. And Apple clearly didn’t think so either.

In 2017, Apple launched the ITP (or, “Intelligent Tracking Protection”) feature for the Safari browser, in an effort to prevent domains classified as having tracking capabilities from tracking users across different sites using third-party cookies.

The first version aimed to limit the lifetime of third-party cookies to 24 hours and then “put them on ice” for 30 days. If the user didn’t interact with that cookie’s domain in 30 days, the cookies were deleted permanently.

The early versions of ITP (source: webkit.org)

The ad industry definitely did not like this and hence came up with workarounds to circumvent ITP, such as the example we’ve seen above of storing third-party cookies as first-party cookies.

This just made Apple double down, making ITP increasingly restrictive and harder to circumvent. Version 2.1 of ITP, which was released earlier this year, introduced even harsher measures; Safari now deletes even first-party cookies after seven days and blocks all third-party cookies by default, rendering device fingerprinting and long-tail measurement nearly impossible. And with version 2.2, ITP further slashes the deletion window for some first-party cookies down to just 24 hours!

For a detailed discussion on the technical differences between the various versions of ITP, please refer to this excellent article by Simo Ahava.

Mozilla released a fully fledged version of their own privacy tools for Firefox called ETP (or Enhanced Tracking Protection) in June 2019, which is very similar to the earlier versions of ITP, i.e. it blocks third-party trackers by default.

So what’s the impact of ITP?

If you are a Safari user, you can enjoy the extra privacy and peace of mind that a lot of those pesky advertisers can no longer track you across websites like they did before.

If you are a marketer or analytics practitioner, however, things aren’t that straightforward.

Post ITP 2.1, platforms such as Google Analytics are also affected, as they rely on tracking website visitors via first-party cookies. As per available statistics, approximately 16% of users use the Safari browser, worldwide.

If you combine Firefox users with that, the number hovers around 20% of users that will be unreachable through ad targeting.

Browser Market Share Worldwide — May 2019 (source: statcounter.com)

This means advertisers and publishers will be unable to track this segment, which will impact not only ad revenue but also web analytics, personalization accuracy and quality of attribution.

You might be inclined to think that ITP is just another tool designed to protect users from shady advertisers, but the cost of preventing user tracking will also be borne by legitimate publishers, who will suffer low yields and lost revenue.

Additionally, limiting cross-website tracking for unscrupulous Ad tech firms is a win for user privacy for sure, but it’s also an unfair blow to non-malicious analytics solutions which make use of first-party cookies to measure website traffic.

As an example, using a tool like Google Analytics to measure data on your website is not a malicious practice — the intention is to optimize the website’s performance and usability to ultimately create a better experience and provide value for your visitors. But as ITP 2.1 limits the lifetime of first-party cookies to 7 days, you will lose all visibility of new vs. returning users who visit your site just once a month, unless alternative workarounds are considered.

Any solutions or workarounds for ITP? Do any even exist?

As of the time of writing this article, it seems that the primary targets for ITP are client-side scripting methods (specifically, the JavaScript document.cookie API) by which websites set cookies on a visitor’s browser.

Safari intercepts these calls and sets the reduced expiration window for any cookies created by this method.

However, Safari does not currently catch cookies that are set server-side using HTTP headers (the Set-Cookie response header). This may be because this approach requires development work and is as such considered a more legitimate approach (in terms of first-party cookie implementation), or it could simply be a temporary loophole that Apple will patch with the next release of ITP.

A server-side workaround for ITP 2.1

And therein lies a workaround, at least for Google Analytics: if the Google Analytics tracking code is customized (using Tag Manager) to call a custom script that sets the cookie server-side with a Set-Cookie header, this would pass ITP’s scrutiny and work like any normal first-party cookie (with an expiration period that can be set as long as needed).

You would of course need to host the external script on another server that you own, ideally on a subdomain of the website you’re tracking. This could be achieved quite easily by creating an endpoint on a VM running in a cloud solution; Google Cloud Platform serving the script using App Engine is an ideal example.
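The difference between the two cookie-setting paths described in the last two sections can be modelled in a few lines. This is an added example, not code from the original article or from Safari: it encodes only the ITP 2.1 behaviour stated above (a 7-day cap on cookies written through document.cookie, none on Set-Cookie headers) and replays a constructed visit history to show the effect on new vs. returning counts. It assumes the analytics script renews the cookie on every visit.

```javascript
const DAY = 86400;          // seconds
const ITP_21_CAP = 7 * DAY; // cap the article describes for script-set cookies

// Effective lifetime of a first-party cookie under the behaviour described
// in the article: only cookies written through document.cookie are capped.
function effectiveMaxAge(requestedMaxAge, setVia, itpEnabled) {
  if (itpEnabled && setVia === "document.cookie") {
    return Math.min(requestedMaxAge, ITP_21_CAP);
  }
  return requestedMaxAge; // "Set-Cookie" header: lifetime left as requested
}

// Replay one visitor's visits (in days since the first visit) and count how
// an analytics tool keyed on the cookie would label each one.
function replayVisits(visitDays, requestedMaxAge, setVia, itpEnabled) {
  const maxAge = effectiveMaxAge(requestedMaxAge, setVia, itpEnabled);
  const counts = { new: 0, returning: 0 };
  let expiresAt = -1; // no cookie stored yet
  for (const day of visitDays) {
    const now = day * DAY;
    if (now < expiresAt) counts.returning++;
    else counts.new++; // cookie missing or expired: looks like a new user
    // Assumption: the cookie is rewritten on every visit, renewing its expiry.
    expiresAt = now + maxAge;
  }
  return counts;
}

// Constructed history: one person visiting on days 0, 3, 33 and 63,
// with the site requesting a two-year cookie.
const VISITS = [0, 3, 33, 63];
const TWO_YEARS = 730 * DAY;

console.log("no ITP, document.cookie:",
  replayVisits(VISITS, TWO_YEARS, "document.cookie", false));
console.log("ITP 2.1, document.cookie:",
  replayVisits(VISITS, TWO_YEARS, "document.cookie", true));
console.log("ITP 2.1, Set-Cookie header:",
  replayVisits(VISITS, TWO_YEARS, "Set-Cookie", true));
```

With the script-set cookie under ITP 2.1, the same person is counted as three new users and one returning user; the other two runs count one new user and three returning.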

Beyond cookies and the future

Although resourceful marketers may still find workarounds for ITP in the short-term, we have to realize that we are slowly but surely moving into a digital universe that is unimaginably different from the early internet that cookies were originally invented for.

In fact, cookie trackers have been around for so long that it’s actually high time they were disrupted in a major way (as ITP has done). It’s time to think of better solutions.

But we should also never forget that Ads on the internet are crucial to its existence — a lot of great content (that users take for granted) today would never have been made freely available if not for Ads and the revenue they generate for the content creators. The key here is balance; Ads need to be relevant, non-intrusive and most importantly provide choice to users — and respect their right to privacy.

So how do we stop relying on cookies and yet build better experiences for users at the same time?!

A few approaches include:

  1. Incentivize users to login, so you can use their unique identifier (e.g. email/phone number) to identify and measure unique users

This does not necessarily mean that marketers can’t serve Ads to users who block cookies, but rather they should be smart about it and use other implicit signals to serve these users.

Advertising platforms allow you to run contextual ads that are personalized to the sites they appear on, such as showing an Ad for Nike running shoes on a sports blog. This helps marketers build relevance and trust with their audience.

So the real question is, how long before other browsers follow the precedent set by ITP 2.1? Firefox have also recently announced that they will start experimenting with the 7-day expiration of JavaScript cookies.

Will Chrome be forced to take the same route as well eventually? And what strategies will Google implement to bridge the ever widening measurement gap that Safari (and other players) have introduced?

Only time will tell.

Written by Tariq UrRahman, Analytics Director @ Jellyfish MENA. Published in The Startup.
