English, Nederlands
LinkedIn, Facebook, Follow us on Twitter, Follow us on Instagram, Watch out videos, Support us at Patreon

Cookies and fingerprinting

Posted on march 26, 2021 by ASK-Solutions in discussion

Image of cookiesIn our last blog DOH, DOT, QUIC and our stance on privacy and security we discussed how, apparent, good things introduced recently by certain parties have a completely different ‘hidden’ side effect. One of these parties, Google, has recently announced that they are going to save your privacy by 2022 by blocking 3rd party cookies and prevent browser fingerprinting.

What are cookies?

Cookies are small pieces of data that are sent by your browser to the internet to add state to an otherwise stateless web. What does this mean? Normally the web, specifically the HTTP protocol used for most of the web, is stateless. A website consists of some text, images, layout and most often quite a bit of script. When your browser for instance want to pull in an image of a cat, it requests the cat image from a webserver. The webserver receives the request containing some data to identify the cat image, how to send back the image and some data that maybe of importance to send back the cat image (or not). The server knows little more, it does not know how often your browser downloaded the cat image, if other images were also downloaded, what your browser is going to do after the cat image, little on how your browser knew that there was a cat image, and so forth. With state, there’s information about those things. With state, it’s possible to serve an image of a dog, if your browser has requested the cat image more than ten times, it’s possible to serve a different cat image each time, its possible to not serve any image if you’ve not first visited a certain page, or if you’ve not agreed with the terms of use before.

Generally there are multiple types of cookies:

  • technical 1st party cookies
  • tracking 1st party cookies
  • tracking 3rd party cookies

Technical cookies are cookies that are only used to solve a technical problem, such as determining which shopping cart belongs to which visitor. Without such cookies the entire contents of your shopping cart would have to be passed back and forth between your browser and the server for each and every page visited. With the cookie, the shopping cart can be stored on the server and only a unique identifier, the technical cookie, is passed with every request. We use such a cookie on our site. The cookie is only used when: a) you are a customer of ours, b) you’ve decided to login in to your ASK-Solutions account, and c) it’s removed as soon as you logout. The cookie is not used to identify you, track which pages you visit, it’s only used to be able to download your invoices, show your order history and verify and change your personal data that is on file with us. Therefore, we dont have to annoy all our visitors with a cookie announcement.

Tracking cookies are used to separate visitors from each other. For every visitor a new cookie is generated and stored on the computer of each visitor. This cookie is then sent back and forth with every request. Thus enabling to record which pages, images, and other resources have been requested by each visitor. In other words: a log of everything you’ve done is kept by the website. With 3rd party cookies this is not done on a per website basis, but this is done spanning multiple websites. Google Analytics is one such a use. Many website owners voluntarily install a piece of code from Google on their website. This piece of code uses a 3rd party cookie to track what you’re doing on the internet all day. This enables Google to build a profile about you; who are you and what are your interests. A small part of this information is given in return for installing the piece of code to the website owner, the bulk of the information is used by Google to present you with relevant personalized advertisements in the Google search engine, and is sold to 3rd parties.

The past, present and future

However, cookies are a terrible method to accomplish this. It’s a nearly 30 year old concept. Lots of users have installed soft and/or hardware to block such cookies. Since 2016 there are changes in the HTTP protocol specifications to the way cookies should be identified and handled. Most browsers, except for Google’s Chrome browser, have been implementing these new specifications and already block 3rd party tracking cookies for years.

For many years, JavaScript, browser and device fingerprinting, location and biometric data have been used to track you instead. With a tracking cookie, the only information that can be collected is which pages, images and other resources your browser has requested. With a tracking script, it is also known how long you visit a page, where you scroll to on the page, how long you hover your mouse over certain regions, detailed information about your computer and installed software. On mobile devices, even what elements on a page you’ve looked at. On some devices, especially when permissions are not setup correctly, a picture of your face and other bio markers, like your voice, or a capture from the finger print sensor can be collected.

Browser fingerprinting

Cookies are almost irrelevant in modern day user tracking and personal data collection. So is browser fingerprinting through the data sent out by your browser following the RFC 1945, RFC 2068 and RFC 2616 HTTP specification. What is known is: your IP address, needed to sent back the page or image. For most users this address is constantly changing and only relevant for a short amount of time. The language that you prefer to read, very important data, to serve you a page in a language that you can actually read and understand. Some minor details about your browser which were needed in the past to serve a page that can be rendered correctly by your browser. This last information has become nearly obsolete with the HTML 4.01, CSS 2 and DOM standards we’ve helped to develop. Since those standards and their wide spread adaptation, all major browsers can successfully and without error render any standards compliant website, rendering details about your browser obsolete. Without the aid of scripts and user installed apps or toolbars, Google Chrome is the browser that sends out the most information about your device of all browsers. Information that is not necessary for the web to technically function properly, but is used to collect information about your device and identify you throughout extended periods of time.

The real impact

As seen, 3rd party tracking cookies only work on older browsers and the Chrome browser. They are very limited in their use. The same goes for browser fingerprinting. Google has, finally, announced to start following the specifications that other browsers are already doing (or rather, not doing) for a long time.

The real change is that Google Chrome is the most used browser and thus many wensites still use cookies and browser fingerprinting to track users. It’s a low investment option, and easy to implement. With this change, tracking through scripts and apps remains, which is already used for years and gives far more detailed information about you, your devices, your behavior and preferences. But this requires large investments and is very complex to utilize

When the changes in the Chrome browser are rolled out by Google, many companies that are currently tracking their users through cookies and browser fingerprinting are loosing out. Giving Google an even more prominent role in the data collection world. Google, Facebook, Amazon, Apple and Microsoft are currently the major parties that have invested big in tracking through other means than cookies and browser fingerprinting. Google is currently the most important party in collecting data through their search engine, Chrome browser, Google Analytics, Google DNS, Chromium, Android, the Google app store, Google Wallet, Google Play, Google Books, Google Assistant, Google Nest, Google Home, Google Fiber, Gmail, Google Documents, Google Drive, Google Maps, Google Calendar, Youtube, and their latest aquirement: Fitbit, a biometric data collection device.

The good thing is Google announcing to move away from selling detailed information on individuals to selling data about anonymous groups of people with similar interests; cohorts. They have to; because of EU privacy laws. But this does little in changing what Google knows about you, they're just no longer selling personalized data. This is good and bad. The good thing is that the parties Google is selling information to, know less about you. The bad thing is that those parties now remain dependent on Google in using the bought data. If a company buys personalized data, that company can directly reach the individuals with marketing either online or offline. With the cohort data, the bought information is more statistical and if the buyer of the data wants to reach their audience, they must do this through Google, giving them a monopoly.

ASK-Solutions complies with ISO 9001:2008 quality assurance