Third-party cookies

Third-party cookies are HTTP cookies which are used principally for web tracking as part of the web advertising ecosystem.

While HTTP cookies are normally sent only to the server setting them or a server in the same Internet domain, a web page may contain images or other components stored on servers in other domains. Third-party cookies are the cookies that are set during retrieval of these components.

A third-party cookie thus can belong to a domain different from the one shown in the address bar, yet can still potentially be correlated to the content of the main web page, allowing the tracking of user visits across multiple websites.

This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. Although not originally intended for this purpose, the existence of third-party cookies opened up the potential for web tracking of a user's browsing history, and they are used by advertisers to serve relevant advertisements to each user. Third-party cookies are widely viewed as a threat to the privacy and anonymity of web users.

As of 2024, all major web browser vendors had plans to phase out third-party cookies. [1] This decision was reversed for Google Chrome in July 2024. [2]

Mechanism

Figure (Third party cookie.png): In this fictional example, an advertising company has placed banners in two websites. By hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.

As an example, suppose a user visits www.example.org. This website contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com and sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser, through the use of the HTTP referer header field.

As of 2014, some websites were setting cookies readable for over 100 third-party domains. [3] On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800. [4]

The older standards for cookies, RFC 2109 [5] and RFC 2965, [6] recommend that browsers should protect user privacy and not allow sharing of cookies between servers by default. However, a newer standard, RFC 6265, [7] released in April 2011, explicitly allowed user agents to implement whichever third-party cookie policy they wish, and until the late 1990s allowing third-party cookies was the default policy implemented by most major browser vendors.

While useful for advertisers, web tracking is widely seen as a threat to personal privacy. This prompted the creation of laws against tracking without user consent, the most notable of which is the European GDPR. [8]

This led to the creation of "cookie consent" dialogs, which rapidly became a standard feature across advertising-funded (and many other) websites, and which are notable for their use of dark patterns that attempt to force users to allow tracking by making it hard for them to refuse consent.

Some websites also responded by simply geoblocking users from countries with privacy-friendly laws.

Blocking third-party cookies

Most modern web browsers contain privacy settings that can block third-party cookies, and some now block all third-party cookies by default - as of July 2020, such browsers include Apple Safari, [9] Firefox, [10] and Brave. [11] Safari allows embedded sites to use the Storage Access API to request permission to access their first-party cookies when the user interacts with them. [12] In May 2020, Google Chrome 83 introduced new features to block third-party cookies by default in its Incognito mode for private browsing, leaving blocking optional during normal browsing. The same update also added an option to block first-party cookies. [13] Google planned to start blocking third-party cookies by default in late 2024, and in January 2024 started this process with a pilot scheme in which blocking was implemented for 1% of all Chrome users. [14] [15]
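The cross-site tracking walkthrough in the Mechanism section and the browser-side blocking described just above can both be replayed in a small simulation. The following is an added example, not code from the article or from any browser or advertiser: it models a cookie jar keyed by host, a tracker at ad.foxytracking.com that issues an identifier cookie and logs the Referer of each page that embeds its banner, and a browser setting that drops cookies on third-party requests. The hostnames come from the article; the two-label "registrable domain" rule used to decide what counts as third-party is a simplifying assumption (real browsers consult the Public Suffix List), and the class and function names are hypothetical.

```python
from collections import defaultdict


def registrable_domain(host: str) -> str:
    """Site boundary used to classify a request as first- or third-party.

    Simplifying assumption for this example: the last two DNS labels.
    Real browsers consult the Public Suffix List instead.
    """
    return ".".join(host.split(".")[-2:])


class AdServer:
    """Constructed tracker at ad.foxytracking.com (hostname from the article).

    On first contact it issues an identifier cookie; on every contact it
    records the Referer, i.e. the page that embedded the banner.
    """

    def __init__(self) -> None:
        self._next_id = 1
        self.profiles: dict[str, list[str]] = defaultdict(list)

    def serve_banner(self, cookies: dict[str, str], referer: str):
        """Return a (name, value) Set-Cookie pair, or None if an id cookie was sent."""
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:
            uid = f"u{self._next_id}"
            self._next_id += 1
            set_cookie = ("uid", uid)
        self.profiles[uid].append(referer)
        return set_cookie


class Browser:
    """Minimal cookie jar keyed by host, with an optional third-party block."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self._jar: dict[str, dict[str, str]] = defaultdict(dict)

    def visit(self, page_host: str, banners: list[tuple[str, AdServer]]) -> None:
        referer = f"https://{page_host}/"
        for banner_host, server in banners:
            third_party = registrable_domain(banner_host) != registrable_domain(page_host)
            blocked = third_party and self.block_third_party
            # A blocked third-party request carries no stored cookies ...
            cookies = {} if blocked else dict(self._jar[banner_host])
            set_cookie = server.serve_banner(cookies, referer)
            # ... and any Set-Cookie in the response is discarded.
            if set_cookie is not None and not blocked:
                name, value = set_cookie
                self._jar[banner_host][name] = value


def simulate(block_third_party: bool) -> dict[str, list[str]]:
    """Replay the article's scenario: two unrelated sites embed the same tracker."""
    tracker = AdServer()
    browser = Browser(block_third_party=block_third_party)
    browser.visit("www.example.org", [("ad.foxytracking.com", tracker)])
    browser.visit("www.foo.com", [("ad.foxytracking.com", tracker)])
    return dict(tracker.profiles)


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, the tracker sees one identifier with both page URLs attached, which is exactly the cross-site browsing history the article describes. With blocking on, each embed produces a fresh identifier that never comes back, so the two visits cannot be joined by cookie alone. Note that the classification happens in `registrable_domain`: a tracker reached through a hostname inside the embedding site's own domain would be treated as first-party by this rule, which is why the circumvention the article mentions later works against cookie blocking.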

Replacements

Since third-party-cookie-based web tracking was an essential part of the existing web advertising ecosystem, multiple proposals are being implemented to try to replace it.

Google proposes the use of browser-based interest targeting, in which users' interests can be recorded locally by the browser, and then signalled to advertising servers without directly revealing the user's identity. Google's Privacy Sandbox is one such implementation.

Other approaches include the use of browser fingerprinting to track users across sites, which is generally viewed as being as bad a threat to privacy as third-party cookies. There are also concerns that interest-based tracking may itself be abused to fingerprint users.

Circumvention of blocking of third-party cookies

A number of methods exist for circumventing the blocking of third-party cookies. One is for the operators of websites to point a DNS name within the site's own domain at an advertiser's server, in effect making cookies set on that server first-party cookies from the viewpoint of the browser while still giving a third party control over the cookie information.

Another approach is for the website operator to proxy traffic from the client to the tracking service's servers. As this would easily allow the website operator to serve false information to the tracking service, this is unlikely to be widely adopted.


References

  1. Grossman, Josh (2023). "What is a third-party cookie and what is it used for?". Ketch. Retrieved 11 June 2024.
  2. "Google reneges on plan to remove third-party cookies in Chrome - CBS News". www.cbsnews.com. 2024-07-22. Retrieved 2024-07-25.
  3. "Third party domains". WebCookies.org. Archived from the original on 2014-12-09. Retrieved 2014-12-07.
  4. "Number of cookies". WebCookies.org. Archived from the original on 2014-12-09. Retrieved 2014-12-07.
  5. HTTP State Management Mechanism. sec. 8.3. doi:10.17487/RFC2109. RFC 2109.
  6. HTTP State Management Mechanism. doi:10.17487/RFC2965. RFC 2965.
  7. HTTP State Management Mechanism. doi:10.17487/RFC6265. RFC 6265.
  8. "Art. 4 GDPR – Definitions". General Data Protection Regulation (GDPR).
  9. Statt, Nick (2020-03-24). "Apple updates Safari's anti-tracking tech with full third-party cookie blocking". The Verge. Retrieved 2020-07-24.
  10. "Firefox starts blocking third-party cookies by default". VentureBeat. 2019-06-04. Retrieved 2020-07-24.
  11. Brave (2020-02-06). "OK Google, don't delay real browser privacy until 2022". Brave Browser. Retrieved 2020-07-24.
  12. "Introducing Storage Access API". WebKit. 21 February 2018.
  13. Protalinski, Emil (19 May 2020). "Chrome 83 arrives with redesigned security settings, third-party cookies blocked in Incognito". VentureBeat. Retrieved 25 June 2020.
  14. "Google now delays blocking 3rd-party cookies in Chrome to late 2024". Business Standard India. 28 July 2022. Retrieved 23 September 2022.
  15. "Google Chrome starts blocking data tracking cookies". BBC News. 2024-01-04. Retrieved 2024-01-05.