Sunday, January 01, 2006

Death by a cookie

The sky is falling! Not for everybody, but for a big segment of Internet business, for sure. As the story reported here among other places develops, people will come to realize how much their privacy is invaded by those tiny one-pixel tracking images used by web analytics service providers to collect information about users' behavior on the Internet.

What is the problem here? Well, it appears that as more and more websites get wired to collect data about web advertising performance, or to (innocently enough on the surface) analyse web site usability, either the web analytics service provider, or a third party capable of intercepting unencrypted traffic between an Internet user and a web site using such tracking technology, is capable of recreating the user's full experience. I find it obvious and unnecessary to elaborate why tracking someone's activity on the web is unwanted.

Who do we blame for this? At the root, it's reckless disregard for Internet users' privacy, multiplied by greed on the part of web analytics service providers, and by laziness/incompetence of their customers (usually those are marketing departments wooed by the sexy reporting such service providers can offer).

Why is there blame to assign? Primarily, because source data and tools for reporting on that data are readily available to IT departments of web site operators. Analysing e.g. Apache access logs would not cross the boundary of different web domains and will guarantee users are not tracked globally.
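What such first-party reporting can look like, as an added example that is not from the original post: it reads Apache combined-format access log lines and derives page views, entry sources and an approximate visitor count from data the server already holds, with no cookie or third-party beacon involved. The site name and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SITE = "www.example.com"  # assumption: the site whose own logs are analysed

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://search.example.net/?q=widgets" "Mozilla/5.0 Firefox/1.5"
192.0.2.10 - - [01/Jan/2006:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 900 "http://www.example.com/index.html" "Mozilla/5.0 Firefox/1.5"
192.0.2.10 - - [01/Jan/2006:10:01:30 +0000] "GET /products.html HTTP/1.1" 200 7300 "http://www.example.com/index.html" "Mozilla/5.0 Firefox/1.5"
198.51.100.7 - - [01/Jan/2006:10:05:00 +0000] "GET /products.html HTTP/1.1" 200 7300 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [01/Jan/2006:10:05:09 +0000] "GET /missing.html HTTP/1.1" 404 210 "http://www.example.com/products.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def report(log_text, site=SITE):
    """Summarise page views, entry sources and approximate visitors for one site."""
    pages, entry_sources, visitors = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip malformed lines
        path = m["path"].split("?", 1)[0]
        # Count successful HTML page views only, not images or error responses.
        if m["status"] != "200" or not path.endswith(".html"):
            continue
        pages[path] += 1
        # Approximate a visitor from what the server already sees: address + user agent.
        visitors.add((m["host"], m["agent"]))
        ref_host = urlparse(m["referer"]).hostname  # None for "-" (no Referer sent)
        if ref_host is None:
            entry_sources["(direct)"] += 1
        elif ref_host != site:
            entry_sources[ref_host] += 1  # arrived from another site
    return {"pages": dict(pages), "entry_sources": dict(entry_sources),
            "visitors": len(visitors)}
```

Everything in the report comes from requests made to the site itself, so nothing in it can be joined with a visitor's activity on other domains.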

Who's involved? Besides the already mentioned web analytics service providers (WebTrends, <any>ture), and obvious pre-GOOG web ad resellers (<whatever>media?, <N-th>click?), the "inherently unevil" GOOG is in the number. How come? Simply, any cookie planted at some point to be sent back to domain google.com will track us poor souls all the way across the Internet. Asking questions of Google while doing your research on an invention you were about to patent while being logged on to a Google account? Reading news from websites of dissenting talk referred to by Google News? Planning trips using Google Local? Bad luck... It all can be accounted back to you, easily.

Can users do anything to fight such horrifying privacy invasion potential these technologies bring? Sure... kind of.

There's an option of simply disabling third-party content on loaded web pages (one would have to disable all kinds of plugins, too, as plugins are not bound by browser settings in this regard). Negatives of this approach are overwhelming: some web sites are not usable at all with plugins disabled (really, those sorry asses making their websites done as Flash movies and with no option to get to content in any other way had to be punished someday... is it now?) Besides, web sites that use edge caching technology (usually delivered by Akamai) are not usable after such a change, since images (and other static assets) are referred to by URLs that do not belong to the domain of the web page itself.
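To see the difference between a tracking beacon and an edge-cached asset in one's own browsing, the following added example (not from the original post) audits a capture of browser requests and reports third-party hosts that received the same cookie from pages on two or more sites. The capture, host names and cookie values are constructed, and hosts are compared by exact name, which is a simplification.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed capture of browser requests: (Referer header, request URL, Cookie header).
# All hosts and cookie values are made up for illustration.
CAPTURE = [
    ("http://news.example.org/story1", "http://news.example.org/style.css", "sess=aa11"),
    ("http://news.example.org/story1", "http://beacon.tracker.example/1x1.gif?p=story1", "uid=7f3c"),
    ("http://shop.example.com/cart", "http://beacon.tracker.example/1x1.gif?p=cart", "uid=7f3c"),
    ("http://shop.example.com/cart", "http://cdn.edge.example/img/cart.png", ""),
    ("http://travel.example.net/trip", "http://beacon.tracker.example/1x1.gif?p=trip", "uid=7f3c"),
    ("http://travel.example.net/trip", "http://cdn.edge.example/img/map.png", ""),
]

def cross_site_trackers(capture, min_sites=2):
    """Return {third_party_host: {cookie: sorted pages}} for cookies seen on >= min_sites sites."""
    seen = defaultdict(lambda: defaultdict(set))  # host -> cookie -> referring pages
    for referer, url, cookie in capture:
        page_host = urlparse(referer).hostname
        req_host = urlparse(url).hostname
        if req_host == page_host or not cookie:
            continue  # first-party request, or no identifier sent with it
        seen[req_host][cookie].add(referer)
    result = {}
    for host, cookies in seen.items():
        for cookie, pages in cookies.items():
            # The same cookie arriving from pages on different sites links those visits.
            sites = {urlparse(p).hostname for p in pages}
            if len(sites) >= min_sites:
                result.setdefault(host, {})[cookie] = sorted(pages)
    return result
```

In the constructed capture the edge-cache host is third-party content on two sites but is not reported, because no cookie accompanies its requests; the beacon host is reported with every page it can link together.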

There are various solutions on the market claiming to address these concerns. The issue here is basically one of trust. It can be quite hard for a user to distinguish a spyware package in disguise from an honest privacy protection solution. Besides, the way web sites are made these days, as I explained just above, usability will suffer anyway.

Disclaimers: the above represents my personal (as much educated as it can be) opinion and is not guaranteed to be 100% correct, while I believe it is so. I hold no interest (including short) in any of the companies mentioned.

UPDATE: New web analytics implementation scandal involving Apple's iTunes, all over the Web. I wonder if the iTunes mini-store shares cookies with IE on Windows and Safari on Mac OS... Could test this later if I find nothing better to do.

Funny thing, this is not new at all. In a book by Mr. Siebel I'm reading right now, he recalls one of the Web pioneers as saying that cookies will be the death of the Web. I think I understand what he meant. And I would disagree with those Sun Microsystems founders who say "There is no privacy, get over it". I believe there are technical means of achieving the same goals without sacrificing privacy, at least as far as browsing from the privacy of one's home is concerned.

1 Comments:

Blogger denka said...

Sorry for not letting your message in sooner... This moderation thingie, I just turned it on recently and did not realize what responsibilities it wants of me.

On 3rd party cookies: not sure how is a cookie that is fetched when a request for an invisible 1-pixel image planted in a page is made. You are wrong, to the browser such a cookie is a first-class citizen. Damn, wanted to verify this but I have Firefox 1.5 and liveHTTPheaders is not working with it, yet. And such images, "beacons", are widespread beyond imagination. If a given website advertises on such and such networks, it is plainly REQUIRED to plant beacons for each of these ad networks...

1/24/2006 9:20 PM  
