All you need to know about cookies - Part II (How third-party cookies track you online)
If you are new to the concept of cookies or have no idea of how cookies work, I recommend you read the first part of this series - All you need to know about cookies - Part I (How cookies work) before you proceed reading this post. Part I would serve as a primer to your overall understanding of this essay.
💡What's a cookie?
Cookies are small pieces of information/data that a website/web-server sends to your browser, so it can be stored in your computer’s hard-disk. The next time you make another request on the same website, your browser sends the cookie along with the request, so the website can identify you.
If you read the previous article, you would have realized how benign a cookie was meant to be. After all, a cookie helps maintain HTTP state, thereby making it easy for websites to personalize your experience with them. It makes surfing the web smooth and easy!
However,
Companies quickly realized that they could set their own cookies on pages belonging to other sites—with their permission and by paying for the privilege—and the third-party cookie was born.
- Data and Goliath by Bruce Schneier
🎥FourZeroThree - YouTube
A quick shout out! Here's a “video version” of the article. If you are the visual type, I recommend watching the video. I bet you’ll enjoy it :)
💡What is a third party cookie?
When you visit a website that displays ads, let’s say ecommerceweb[dot]com, understand that the ads are embedded on ecommerceweb[dot]com but hosted on another server (for example, ads[dot]com). Cookies set by ecommerceweb[dot]com are first-party cookies (set by the same website you are currently browsing). However, ads[dot]com, which serves the displayed ads, also sets a cookie for you. Since this cookie is set by another website (the ad server) that you are not directly browsing (you are on ecommerceweb[dot]com), it is a “Third-Party cookie”. Third-party cookies are also referred to as “Tracker cookies”.
But why would companies want to do this? Economic incentives (advertising, for example) are a primary reason for the birth of third-party/tracking cookies.
🍪How does third party cookie tracking work?
Third-party advertising
One of the reasons the Web has flourished and progressed so much is due to information available on-demand, and mostly for free too. But you see, people behind free websites/blogs/forums have to support themselves financially, to sustain and provide value. The web, for long, has sustained itself through advertising!
People handling websites or blogs are called “publishers”. And, most publishers, apart from various other business models, resort to earning revenue through displaying ads on their website. Rather than searching or reaching out to companies for sponsorship (which they could if they want to), they reach out to third-party advertising networks.
Similarly, “advertisers” (companies wanting to advertise their business) don’t have to go through the hassle of searching for publishers selling digital property, website real estate, or ad-space. They, like publishers, reach out to advertising networks.
Let’s say you have a special interest in cars and electronics. Most of your free time is spent visiting websites relevant to your interests. Now, it’s very important that advertisers know this interest of yours. I mean, after all, of what use is it if you are shown an ad for washing machines? You see, displaying irrelevant ads to people means a loss of revenue and advertising funds for these companies.
💡Ads have to be personalized!
Ads have to be “personalized” or “targeted” for a maximum return on investment. What if you could be “tracked” on the internet and be displayed ads relevant to your interests and browsing habits? Targeted advertising is achieved with the help of tracking or third-party cookies.
I’ll use Google’s advertising network as an example to explain.
Apart from helping publishers and advertisers work in tandem, advertising networks like Google help advertisers get maximum returns by personalizing ads.
Publishers and Google Adsense
Google has a program called Google Adsense, where publishers (websites/blogs/forums) could register. Publishers make it known through this program that they are willing to sell ad spaces to advertisers (monetizing their website through ads). On registering, publishers receive a “code snippet/script” that they should place on their website to display ads.
This way, the Google advertising network has a very large repository/network of publisher websites.
Advertisers and Google Ads
For advertisers, Google has a program called Google Ads. Companies/businesses wanting to advertise their products or services, register here.
This way, Google has a large network of advertisers wanting to advertise on publisher websites.
Third-party tracking for targeted ads
Let’s assume website1[dot]com is a publisher who has registered with Google’s Adsense program. The publisher places the “code snippet/script” on his website to display ads.
When you call for website1[dot]com, your browser makes a request to the server.
It gets back a response, rendering the website on your browser.
On rendering the website, the code snippet or script embedded in the website instructs your browser to request an ad from Google servers, like doubleclick[dot]net.
Google servers serve the ad on the website and also set a third-party cookie for you -> adid=456 (refer to the diagram).
The third-party cookie (adid=456) set by doubleclick[dot]net is a tracker cookie. This is a unique id set for you. When you visit another website, let’s say website2[dot]com (another publisher registered with Adsense), that has a code snippet making a call to doubleclick[dot]net, your browser sends your unique tracker cookie id -> adid=456 along with the request. The Google ad server (doubleclick[dot]net) recognizes your id and makes a unique cross-site browsing profile of you. Google now knows that you have browsed website1[dot]com and website2[dot]com.
This way, as it builds a browsing profile of you through tracker cookies, Google advertising network knows your interests based on your browsing profile, and dynamically serves ads of relevance to you. Hence ads you are shown on website1[dot]com are very different from ads I would be shown on the same website (I would have a different browsing profile).
Tracking via social media icons/widgets
Social media websites also perform cross-site tracking of your browsing. You would have noticed numerous websites with social media widgets like the Facebook “like” or “share” button or the Twitter “tweet” button. Social media websites could track you via these widgets. However, social media websites track you with a first-party cookie but in a third-party context. Let me explain with the Facebook widget as an example.
You create/register an account on Facebook.
Once you do this, you are assigned a first-party cookie by Facebook that is unique to you (for example, uid=3532).
After this, you open website1[dot]com, which has a Facebook “like” button on its page.
You get back a response, rendering the website on your browser.
On rendering the website, the code snippet or script embedded in the website to render the Facebook “like” button instructs your browser to make a request to Facebook servers. When doing this, your browser sends your Facebook cookie (uid=3532) along with the request.
The Facebook server responds and the “like” button is displayed on website1[dot]com.
This way Facebook builds a cross-site browsing profile of you and would know you browsed website1[dot]com.
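The two flows above (the ad server's adid cookie and the social widget's uid cookie) can be replayed in a small simulation, run once with third-party cookies allowed and once with them blocked. This is an added example, not code from the original article or from any ad network; the `.example` hostnames and the `Tracker`, `Browser` and `simulate` names are assumptions made for illustration.

```javascript
// Constructed simulation: no network traffic. Hosts are placeholders.
class Tracker {
  constructor(host, firstId) {
    this.host = host;
    this.nextId = firstId;
    this.profiles = new Map(); // cookie id -> Set of pages that embedded us
  }
  // One embedded request (ad or widget). `cookie` is what the browser sent,
  // `page` is the embedding site (what a Referer header would reveal).
  // Returns a new cookie value to set, or null if the visitor was recognised.
  handle(cookie, page) {
    const isNew = cookie === undefined;
    const id = isNew ? String(this.nextId++) : cookie;
    if (!this.profiles.has(id)) this.profiles.set(id, new Set());
    this.profiles.get(id).add(page);
    return isNew ? id : null;
  }
}

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host -> cookie value
  }
  // Load `site`, which pulls a resource from every tracker in `embeds`.
  visit(site, embeds) {
    for (const t of embeds) {
      const thirdParty = t.host !== site;
      const allowed = !(thirdParty && this.blockThirdParty);
      const sent = allowed ? this.jar.get(t.host) : undefined;
      const issued = t.handle(sent, site);
      if (issued !== null && allowed) this.jar.set(t.host, issued);
    }
  }
}

function simulate(blockThirdParty) {
  const ads = new Tracker("ads.example", 456);        // adid=456 in the text
  const social = new Tracker("social.example", 3532); // uid=3532 in the text
  const browser = new Browser(blockThirdParty);
  browser.visit("social.example", [social]);          // register: first-party
  browser.visit("website1.example", [ads, social]);   // ad + "like" button
  browser.visit("website2.example", [ads]);           // ad only
  const dump = (t) => [...t.profiles].map(([id, s]) => [id, [...s]]);
  return { ads: dump(ads), social: dump(social) };
}

console.log(JSON.stringify(simulate(false)));
console.log(JSON.stringify(simulate(true)));
```

With blocking on, each tracker still receives every embedded request, but each one arrives without a cookie and lands in a separate single-page profile, so the cookie no longer links the visits together.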
🛑Preventing Third-party cookie tracking
Well, for starters, you could modify your browser privacy settings. You could set it up such that your browser blocks third-party, cross-site tracking cookies. Also switch on the “Do not track” option.
Chrome browser
Firefox browser
Brave browser
You could set your browser such that it deletes all your cookies (including first-party) on closing it. However, this is a trade-off for convenience. Since this also deletes your first-party cookies, you would have to log in manually to every website every time you open a new session on your browser.
You could make your privacy more robust by installing ad/script blocking extensions like Privacy Badger, uBlock Origin, or Ghostery. There are many more privacy extensions you could explore.
Closing Notes
I thoroughly enjoyed reading and researching for this essay. Here are some articles I found very interesting.
Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies
Detecting and Defending Against Third-Party Tracking on the Web
Opsec for OSINT – Why You Need To Deal With Browser Fingerprinting