Third-party cookies

Third-party cookies are HTTP cookies which are used principally for web tracking as part of the web advertising ecosystem.

While HTTP cookies are normally sent only to the server setting them or a server in the same Internet domain, a web page may contain images or other components stored on servers in other domains. Third-party cookies are the cookies that are set during retrieval of these components.

A third-party cookie thus can belong to a domain different from the one shown in the address bar, yet can still potentially be correlated to the content of the main web page, allowing the tracking of user visits across multiple websites.

This sort of cookie typically appears when web pages embed content from external websites, such as banner advertisements. Although not designed for this purpose, third-party cookies opened up the possibility of tracking a user's browsing history across sites, and advertisers use them to serve advertisements targeted at each user. Third-party cookies are widely viewed as a threat to the privacy and anonymity of web users. As of 2024, support for third-party cookies is being phased out by all major web browser vendors.

Mechanism

In this fictional example, an advertising company has placed banners in two websites. By hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.

As an example, suppose a user visits www.example.org. This website contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com; because the request for that advertisement goes to the same domain, the browser sends the cookie it stored on the first site back with it. Every subsequent request to ad.foxytracking.com, whether for an advertisement or a direct visit, carries the same cookie. The cookie identifies the browser, and the HTTP Referer header field (or the URL of the embedded advertisement) identifies the page that embedded it, so the advertiser can build up a browsing history of the user across all the websites that carry its advertisements.

As of 2014, some websites were setting cookies readable for over 100 third-party domains. [1] On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800. [2]

The older standards for cookies, RFC 2109 [3] and RFC 2965, [4] recommended that browsers protect user privacy by not allowing cookies to be shared between servers by default. However, the newer standard, RFC 6265, [5] released in April 2011, explicitly allows user agents to implement whichever third-party cookie policy they wish, and until the late 2010s allowing third-party cookies remained the default policy in most major browsers.

While useful for advertisers, web tracking is widely seen as a threat to personal privacy. This prompted the creation of laws against tracking without user consent, the most notable of which is the European GDPR.

This led to the creation of "cookie consent" dialogs, which rapidly became a standard feature across advertising-funded (and many other) websites, and which are notable for their use of dark patterns: making refusal harder than acceptance in an attempt to pressure users into allowing tracking.

Some websites also responded by simply geoblocking users from countries with privacy-friendly laws.

Blocking third-party cookies

Most modern web browsers contain privacy settings that can block third-party cookies, and some now block all third-party cookies by default; as of July 2020, such browsers included Apple Safari, [6] Firefox, [7] and Brave. [8] Safari allows embedded sites to use the Storage Access API to request access to their own cookies while embedded in another site's page, with the user's permission. In May 2020, Google Chrome 83 began blocking third-party cookies by default in its Incognito mode for private browsing, leaving blocking optional in normal browsing. The same update also added an option to block first-party cookies. [9] Google planned to start blocking third-party cookies by default in late 2024, and in January 2024 began this process with a pilot scheme in which blocking was enabled for 1% of all Chrome users. [10] [11]

Replacements

Since third-party-cookie-based web tracking was an essential part of the existing web advertising ecosystem, multiple proposals are being implemented to try to replace it.

Google proposes the use of browser-based interest targeting, in which users' interests can be recorded locally by the browser, and then signalled to advertising servers without directly revealing the user's identity. Google's Privacy Sandbox is one such implementation.

Other approaches include the use of browser fingerprinting to track users across sites, which is generally viewed as being as bad a threat to privacy as third-party cookies. There are also concerns that interest-based tracking may itself be abused to fingerprint users.

Circumvention of blocking of third party cookies

A number of methods exist for circumventing the blocking of third-party cookies. One, often called CNAME cloaking, is for the operator of a website to point a DNS name within the site's own domain at an advertiser's server. From the browser's viewpoint the cookies set by that server are first-party cookies of the site, so third-party blocking does not apply to them, while the advertiser retains control over the cookie information. A side effect is that the browser also sends the advertiser any of the site's own cookies whose Domain attribute covers the cloaked hostname, since it cannot distinguish the two servers.

Another approach is for the website operator to proxy traffic from the client to the tracking service's servers. As this would easily allow the website operator to serve false information to the tracking service, this is unlikely to be widely adopted.
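The following is an added example, not code from the page or from any browser or advertiser. It is a toy model of the three things discussed above: the tracking mechanism (a cookie jar with RFC 6265 domain matching plus a server that hands out an identifier cookie and logs which page embedded it), a "block third-party cookies" policy that decides on the hostname in the URL, and CNAME cloaking, where that hostname resolves to the advertiser's server. The advertiser name ad.foxytracking.com and the publisher names come from the article; the cloaked hostnames ads.example.org and ads.foo.com, the uid and session cookie names, and the two-label approximation of the registrable domain are assumptions made for the example.

```javascript
// Added example (not browser or advertiser code): a toy cookie jar with RFC 6265
// domain matching, a tracking server, and the effect of a "block third-party
// cookies" policy and of CNAME cloaking on what the tracker can link.
// Registrable domain approximated as the last two labels (assumption for the
// example; real browsers consult the Public Suffix List).
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// RFC 6265 section 5.1.3: host matches a cookie domain if it equals it or is a subdomain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class Browser {
  constructor(policy) {
    this.policy = policy; // 'allow-all' or 'block-third-party'
    this.jar = [];        // { name, value, domain }
  }

  // Store a Set-Cookie header received from `host`.
  storeCookie(host, header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let domain = host; // no Domain attribute: host-only cookie
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      if (k.toLowerCase() === 'domain' && v) domain = v.replace(/^\./, '');
    }
    if (!domainMatches(host, domain)) return; // RFC 6265 5.3 step 6: reject foreign Domain
    this.jar = this.jar.filter((c) => !(c.name === name && c.domain === domain));
    this.jar.push({ name, value, domain });
  }

  // Cookie header for a request to `host`.
  cookieHeader(host) {
    return this.jar.filter((c) => domainMatches(host, c.domain))
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // Fetch `url` as a subresource of the page at `pageUrl`. `dns` maps a hostname to
  // the canonical name it CNAMEs to; `servers` maps canonical names to handlers.
  fetch(pageUrl, url, dns, servers) {
    const pageHost = new URL(pageUrl).hostname;
    const reqHost = new URL(url).hostname;
    // The policy looks only at the hostname in the URL, not at where DNS actually
    // sends the request: this is the gap CNAME cloaking exploits.
    const thirdParty = site(reqHost) !== site(pageHost);
    const cookiesOn = !(thirdParty && this.policy === 'block-third-party');
    const req = { referer: pageUrl, cookie: cookiesOn ? this.cookieHeader(reqHost) : '' };
    const res = servers[dns[reqHost] || reqHost](req);
    if (cookiesOn && res.setCookie) this.storeCookie(reqHost, res.setCookie);
    return res;
  }
}

// Advertiser's server: issues a uid cookie and logs (uid, embedding page, cookies seen).
class Tracker {
  constructor() { this.nextId = 1; this.log = []; }
  handle(req) {
    const m = /(?:^|; )uid=(\d+)/.exec(req.cookie);
    const uid = m ? m[1] : String(this.nextId++);
    this.log.push({ uid, page: new URL(req.referer).hostname, cookie: req.cookie });
    return { setCookie: m ? null : `uid=${uid}; Path=/` };
  }
  history(uid) { return this.log.filter((e) => e.uid === uid).map((e) => e.page); }
}

// Run a constructed browsing session; each visit is [page URL, banner URL].
function runScenario(policy, visits, dns = {}) {
  const tracker = new Tracker();
  const servers = {
    'ad.foxytracking.com': (req) => tracker.handle(req),
    'www.example.org': () => ({ setCookie: 'session=abc123; Domain=example.org' }),
    'www.foo.com': () => ({}),
  };
  const browser = new Browser(policy);
  for (const [page, banner] of visits) {
    browser.fetch(page, page, dns, servers);   // the page itself
    browser.fetch(page, banner, dns, servers); // the embedded banner
  }
  return tracker;
}

// Constructed sessions: banners fetched directly from the advertiser, and banners
// fetched from a hostname under each site that CNAMEs to the advertiser.
const DIRECT = [
  ['https://www.example.org/news', 'https://ad.foxytracking.com/banner.png'],
  ['https://www.foo.com/shop', 'https://ad.foxytracking.com/banner.png'],
];
const CLOAKED = [
  ['https://www.example.org/news', 'https://ads.example.org/banner.png'],
  ['https://www.example.org/sport', 'https://ads.example.org/banner.png'],
  ['https://www.foo.com/shop', 'https://ads.foo.com/banner.png'],
];
const CNAME = { 'ads.example.org': 'ad.foxytracking.com', 'ads.foo.com': 'ad.foxytracking.com' };
console.log(runScenario('block-third-party', CLOAKED, CNAME).log);
```

With `allow-all` and the direct session, `history('1')` returns both sites: one cookie, two embedding pages. With `block-third-party` the browser neither sends nor stores cookies for ad.foxytracking.com, so each banner load gets a fresh uid and nothing links the two visits. With the cloaked session under the same blocking policy, ads.example.org is treated as first-party, so the advertiser gets a persistent uid across visits to example.org; that cookie is host-scoped to ads.example.org, so by itself it does not link example.org to foo.com, but the first log entry also shows the publisher's `session=abc123` cookie, scoped with `Domain=example.org`, arriving at the advertiser's server.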

References

  1. "Third party domains". WebCookies.org. Archived from the original on 2014-12-09. Retrieved 2014-12-07.
  2. "Number of cookies". WebCookies.org. Archived from the original on 2014-12-09. Retrieved 2014-12-07.
  3. HTTP State Management Mechanism. sec. 8.3. doi:10.17487/RFC2109. RFC 2109.
  4. HTTP State Management Mechanism. doi:10.17487/RFC2965. RFC 2965.
  5. HTTP State Management Mechanism. doi:10.17487/RFC6265. RFC 6265.
  6. Statt, Nick (2020-03-24). "Apple updates Safari's anti-tracking tech with full third-party cookie blocking". The Verge. Retrieved 2020-07-24.
  7. "Firefox starts blocking third-party cookies by default". VentureBeat. 2019-06-04. Retrieved 2020-07-24.
  8. Brave (2020-02-06). "OK Google, don't delay real browser privacy until 2022". Brave Browser. Retrieved 2020-07-24.
  9. Protalinski, Emil (19 May 2020). "Chrome 83 arrives with redesigned security settings, third-party cookies blocked in Incognito". VentureBeat. Retrieved 25 June 2020.
  10. "Google now delays blocking 3rd-party cookies in Chrome to late 2024". Business Standard India. 28 July 2022. Retrieved 23 September 2022.
  11. "Google Chrome starts blocking data tracking cookies". BBC News. 2024-01-04. Retrieved 2024-01-05.