Below, we discuss the reasons that have led people, businesses and governmental agencies to employ web tracking, detailed and basic methods of avoiding web tracking, and various types of cookies and their effects on privacy. We also briefly examine a court case that concerned a particular type of cookie. Some final notes and a conclusion then draw deductions from the discussion.

2. Reasons for web tracking

Before we elucidate the means and methods of web tracking, there is a simple question that ought to be answered: why would someone want to track my web activity in the first place? Basically, there are four reasons why websites employ web tracking, or website visitor tracking.
Firstly, they use web tracking for advertising purposes. One option is to send the collected data to a data aggregator. A data aggregator (e.g., ChoicePoint) is a company that extracts and brings together bits of data dispersed in huge databases comprising information about individuals. The data, after being extracted and compiled by the data aggregator, is sold to third parties. The data aggregator creates aggregate reports on the basis of the collected information and sells them to local, state or federal authorities or to businesses. Businesses are particularly interested in such information, because personal information of this kind substantially boosts their marketing capabilities.
Nonetheless, sending chunks of data to data aggregators is far from the only reason why websites track your activity. Below are several tables that reveal why web tracking is utilized:

PII* = Personally Identifiable Information (such as first, last or full name, email or physical addresses, cell or landline phone numbers, birth date, government-issued identifiers, and financial account numbers).
- More efficient provision of desired goods and services
- Delivery of messages that are connected with consumers’ interests.

3. Means and methods of web tracking

The typical means of web tracking is the cookie. Cookies are necessary for session management, identification and authentication of visitors, as well as for various personalizations.

3.1. Basic information

Cookies cannot consist of more than 255 characters or take up more than 4K of disk space. For a cookie to function, it only needs a name and a value. However, more parameters may be embedded in the cookie’s structure: its expiration time, the requirement of a secure connection in order for the cookie to function, the domain name that created the cookie and that can read it, and the path that the particular cookie is valid for. Thus, cookies are composed of six parameters, while only two of them are mandatory for the successful functioning of the cookie.

Cookies are text-only strings that become embedded in the memory of the browser. They can become a file if the lifetime of the cookie is set to be longer than the time you spend surfing the website. Your browser then resends these cookies to the website they are meant for every time you revisit that website.

3.2. The various types of cookies and their effect on privacy

3.2.1 Zombie cookies

Zombie cookies (supercookies or Flash cookies) are HTTP cookies that recreate themselves after being deleted, using backups located outside the standard cookie storage of the user’s web browser. Such cookies can be stored both online and on the user’s machine and are designed to resist deletion attempts.

They have serious privacy implications. Firstly, they function outside the safeguards that the browser maintains. Any web browser allows ordinary cookies to be written, read, and deleted only by the website that created them, whereas such Flash cookies can track the client’s behavior and activity on multiple websites; in this way they are not confined to a single site but reach beyond it.
They never expire, and a portion of them take the name and the file path of crucial files. They are browser-independent, meaning that they can track activity in all browsers that you use; they allow information to be shared between domains; and they reinstate themselves after being deleted from the browser’s dedicated cookie storage, which makes them comparable to Trojans. Finally, they can use 25 times the disk space of ordinary cookies: a zombie cookie can store a maximum of 100 KB, while an ordinary cookie can have a maximum size of 4 KB. A way to get rid of zombie cookies is to install the add-on BetterPrivacy.

They have serious privacy implications, as their chief goal is to store personal data of users for different online marketing purposes. Furthermore, in 2010 Quantcast, which provided these zombie cookies, and websites that used Quantcast technology were sued on the grounds of violating federal computer intrusion laws; the practice was also claimed to breach state and federal fair trade laws and eavesdropping and hacking laws. Quantcast themselves said that the zombie cookies were an unintended consequence of attempting to measure web traffic precisely. The lawsuit describes the practice as a “pattern of covert online surveillance” and sought status as a class-action lawsuit. The plaintiffs sought unspecified damages and a court order forcing the companies to cease the practice in the future, remove the collected information and establish a transparent method of opting out. Quantcast agreed to pay $2.4 million to settle the class-action lawsuit. The case can be found here: http://www.wired.com/images_blogs/threatlevel/2010/07/CV10-5484-GW-JCGx-Complaint-Summons-Civil-Case-Cover-Sheet1.pdf

Zombie cookies are actually Adobe Flash local shared objects (LSOs). Adobe Flash is a famous browser plug-in chiefly utilized for displaying web content that is animated or interactive.
The Flash plug-in enables servers to store LSOs (Flash cookies), which are like HTTP cookies but are managed by the Flash plug-in instead of the web browser. LSOs were created to circumvent restrictions of traditional cookies, such as file size (traditional cookies have a limit of 4 KB, while LSOs have a limit of 100 KB). Since LSOs are not browser-specific but are common to all applications on the machine using the Flash plug-in, users can be identified regardless of the browser they open. Moreover, Adobe Flash allows developers to evade the same-origin policy, which stipulates that sites cannot access data (cookies) stored by other domains. Hence, zombie cookies can take advantage of all these benefits conferred by LSOs and use them to track unsuspecting visitors. Lastly, Adobe Flash is found to be installed on around 98% of PCs, which makes almost everyone a possible victim.

These Flash cookies are typically stored in local shared objects of Adobe Flash but can be stored in many places, such as Silverlight isolated storage, web storage, web history, the window.name DOM property, the HTTP cookies storage, etc.

3.2.2 Third-party cookies

Third-party cookies are not created for the domain that the customer is browsing, but for external domains from which the host website fetched supplementary information such as images. These cookies are sent to the third-party server regardless of the page that the visitor is browsing, as long as the page has content from the third party. Third-party cookies are also undesirable. Tracking networks that want to track people can insert undetectable dummy images, a type of web bug. Every time you enter a website that has web bugs, a request is made to the domain hosting the web bug. This has the following effects on privacy:
- The third party’s tracking service learns that your IP address has entered the website that carries the particular web bug.
- The third party may set a cookie containing a unique ID (a tracking cookie) on the user’s computer.
- Afterwards, this tracking cookie is sent back to the third party each time you open a page that contains one of its web bugs.
Thus, an advertising company can have web bugs embedded in multiple sites. Therefore, it can track your activity throughout your surfing session because of its cookie network. To summarize some main points:
1. Each time someone enters a website, some of its content may originate from other websites, such as scripts, images, and videos.
2. Parts of this content (undetectable dummy images) may originate from advertising networks.
3. These ad networks can track which pages you are visiting and are aware when you have visited more than one website located within their network.
4. After step 3, these ad networks or other entities, such as data aggregators, can sell or share the information with other interested parties.
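
The chain summarized above can be checked from the defender's side. The following Python code is an added example, not part of the original article: it scans a constructed request capture for cookie values that a third-party host received while the user was on several different websites. The host names, cookie values and the two-label `site_of` heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed capture (not real traffic): one entry per HTTP request, as
# (host of the page being visited, host the request went to, Cookie header).
CAPTURE = [
    ("news.example", "news.example", "session=ab12"),
    ("news.example", "pixel.adnet.test", "uid=7f3c9e"),
    ("shop.example", "shop.example", "cart=991; lang=en"),
    ("shop.example", "pixel.adnet.test", "uid=7f3c9e"),
    ("blog.example", "cdn.static.test", ""),
    ("blog.example", "pixel.adnet.test", "uid=7f3c9e"),
    ("blog.example", "stats.metrics.test", "v=1"),
]

def site_of(host):
    """Approximate the registrable domain as the last two labels (assumption:
    a real audit would use the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs

def cross_site_ids(capture, min_sites=2):
    """Return {(third_party_site, cookie_name, value): [first-party sites]}
    for every cookie value a third party received while the user was on at
    least min_sites different websites."""
    seen = defaultdict(set)
    for page_host, request_host, cookie_header in capture:
        first_party, target = site_of(page_host), site_of(request_host)
        if target == first_party:
            continue  # first-party request: the cookie stays within the site
        for name, value in parse_cookie_header(cookie_header):
            seen[(target, name, value)].add(first_party)
    return {key: sorted(sites) for key, sites in seen.items()
            if len(sites) >= min_sites}

if __name__ == "__main__":
    for (tracker, name, value), sites in cross_site_ids(CAPTURE).items():
        print(f"{tracker} saw {name}={value} on: {', '.join(sites)}")
```

A cookie that a third party sees on only one site, like `v=1` here, is not reported; the signal is the same identifier arriving from pages on different sites.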
Nonetheless, almost all browsers can be configured to reject all cookies coming from a third party. Therefore, websites use the following technique: they redirect visitors to a page that belongs to the tracking company, and the tracking company accordingly sets a first-party cookie that can afterwards be read by web bugs present in other websites.

3.2.3 Other cookies

Persistent cookies (tracking cookies) outlive the browsing session of a user. They can record valuable information, such as how the user found the website in the first place. They can reside in the browser’s dedicated cookie storage for years, depending on their max-age setting, or they may be permanent unless deleted by the user. They also provide functionality to the user’s experience and are not necessarily negative for the user’s privacy. Persistent cookies are “in charge” of authentication, language and theme preferences, in-site bookmarks and favorites, among other utilities.

Other cookies, such as session cookies, are important for the proper operation of websites and provide functionality to the website being viewed. They expire at the end of each session and are not designed to stay longer or permanently on your machine; therefore, they do not have negative privacy effects. Session cookies are used, for example, when ordering products. They can store the ordering information necessary for shopping carts to function; without session cookies, users would have to memorize all the objects that they have placed in the shopping cart. Session cookies are also used to store data about the customer’s page activities so the customer can easily continue browsing from the last viewed page. There are many other benefits that session cookies entail. Users may be identified via their IP addresses, but this is rather uncertain in today’s Internet for numerous reasons, so cookies offer the best method to identify each visitor.
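
A persistent cookie stays gone once the user deletes it, whereas a zombie cookie (section 3.2.1) returns with the same value. The following Python code is an added example, not part of the original article: it parses Set-Cookie headers into the six parameters from section 3.1 and flags identifiers that reappear unchanged after the cookie jar was cleared, listing the other storage locations that hold a copy. All header values, storage names and the minimum identifier length are constructed assumptions.

```python
MIN_ID_LENGTH = 8  # assumption: shorter values (e.g. lang=en) are not identifiers

def parse_set_cookie(header):
    """Parse a Set-Cookie header into the six parameters from section 3.1:
    name and value (mandatory), expiry, secure flag, domain and path."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "expires": None,
              "secure": False, "domain": None, "path": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("expires", "max-age", "domain", "path"):
            cookie["expires" if key == "max-age" else key] = val.strip()
        elif key == "secure":
            cookie["secure"] = True
    # A cookie without an expiry parameter ends with the browsing session.
    cookie["kind"] = "persistent" if cookie["expires"] else "session"
    return cookie

def find_respawned(before, after, other_storage):
    """Compare Set-Cookie headers seen before the cookies were cleared with those
    seen on the next visit; an unchanged identifier was restored from a backup."""
    old = {c["name"]: c["value"] for c in map(parse_set_cookie, before)}
    findings = []
    for cookie in map(parse_set_cookie, after):
        value = cookie["value"]
        if old.get(cookie["name"]) != value or len(value) < MIN_ID_LENGTH:
            continue  # fresh value, new cookie, or a low-entropy preference
        backups = sorted(place for place, items in other_storage.items()
                         if value in items.values())
        findings.append({"name": cookie["name"], "kind": cookie["kind"],
                         "backups": backups})
    return findings

# Constructed sample data (not a real capture). OTHER_STORAGE is a snapshot of
# storage outside the cookie jar, taken after the cookies were cleared.
BEFORE_CLEARING = [
    "uid=9c41f0aa27d3; Max-Age=315360000; Domain=.tracker.test; Path=/",
    "sid=5b2e7710c9aa; Path=/; Secure",
    "lang=en; Max-Age=31536000",
]
AFTER_REVISIT = [
    "uid=9c41f0aa27d3; Max-Age=315360000; Domain=.tracker.test; Path=/",
    "sid=e03d94b1f6c2; Path=/; Secure",
    "lang=en; Max-Age=31536000",
]
OTHER_STORAGE = {
    "flash_lso": {"uid": "9c41f0aa27d3"},
    "web_storage": {"_u": "9c41f0aa27d3"},
    "window_name": {"name": ""},
}

if __name__ == "__main__":
    print(find_respawned(BEFORE_CLEARING, AFTER_REVISIT, OTHER_STORAGE))
```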
There are other cookies as well, such as secure cookies and HttpOnly cookies, but these are not central to this particular discussion. There are also different varieties of supercookies (other than the one we discussed above).

4. Ways to avoid being tracked

- Delete all HTTP cookies at the end of each browsing session.
- Stop/block third-party cookies.
- Permit only session cookies.
- Delete every single Flash LSO at the end of each browsing session.
- Utilize a proxy server to mask your IP address as an anonymization service.
- Do not maintain a browser history.
- If you do not trust the particular website’s privacy policies, do not use its social buttons.
- Use the “Do Not Track” feature. It is available for Internet Explorer, Safari and Firefox (http://donottrack.us). It enables you to opt out of tracking by sites that you are not visiting, such as analytics service providers and ad networks. “Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking”.
- Use the “HTTPS Everywhere” extension. It is currently available for Firefox and there is a beta version for Chrome (https://www.eff.org/https-everywhere). It encrypts your communication with many of the important websites. Some of them provide only limited HTTPS, with only some pages being secure, or the communication channel defaults to unsecure HTTP at some point; “HTTPS Everywhere” is an attempt to remedy this, as its title suggests.
- If you want websites not to know how you end up on their site, what you typed in the search engine to get there, or which website’s link you followed, install the add-on “Referrer Control” (http://goo.gl/G8vkC for Chrome and http://goo.gl/gdx8X for Firefox).
- You can block ads, whether in the form of banners, pop-ups or video, even if they are located on websites like Facebook and YouTube, with Adblock Plus (https://adblockplus.org/en/chrome). It is currently available for Chrome, Firefox, Opera, and Android.
- PeerBlock enables you to control the entities with which your computer is “talking” on the Internet. You can effectively stop and block any communications with ad-oriented or spyware-oriented servers, among other functionalities.
- Use a VPN to hide your IP address as an anonymization service.
- Install the extension “Window Name Eraser” to stop user-tracking methods such as evercookies from transferring information via the window.name property (http://goo.gl/gkEW6).
- You can also install Web of Trust (WOT), which will warn you if you encounter a potentially harmful website and leave you with the choice to enter the website or not, and which provides ratings of website characteristics such as privacy and trustworthiness.
- You can get Priveazy, which will send you “notifications of problematic privacy and security settings as you browse…” (https://www.priveazy.com/).
- You can use the BetterPrivacy add-on to delete zombie cookies (https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ – Firefox).
- You can use Tor and Privoxy, preferably as a pair.

- Ensure that the website is safe before sharing any information there or filling out any registration forms (by checking the website’s privacy policy and commentaries about the website).
- Ensure that your online accounts on the different websites are configured to provide optimal privacy levels.
- Use an email provider that has a reliable dedication to protecting the privacy of its customers.
- Enhance the privacy of your browser through various add-ons and extensions.

5. Conclusion
From the discussion above it can be concluded that cookies are a necessary part of web browsing, although there are certain types of cookies that show the increasing interference of ad networks and businesses in the private life of individuals. It can be deduced that while cookies are positive in nature, they also have certain negatives. The reasons for web tracking are enumerated, shedding some light on the necessity of web tracking where it is justified and where it serves the proper, smooth functioning and development of the Web and its constituent websites and businesses, having their interests in mind. Furthermore, it can be concluded that the protection of privacy is a cumbersome process, a conclusion that can easily be deduced even from the short discussion on ways of protecting oneself from web tracking endeavors.

6. Final notes

There are many other manners of web tracking and client identification, such as browser fingerprinting, JavaScript trackers (also known as beacons or web bugs), deep packet inspection, HTTP referrer (actually mentioned in this article), identification by IP address (uncertain in today’s Internet), hidden form fields, URL query strings, HTTP authentication, and using the window.name DOM property. However, for the sake of this article we have constrained ourselves to reasonable bounds.