Joho the Blog
An Entry from the Archives

Maybe I've really gone over to the dark side, but wouldn't you rather see ads that are interesting to you than not?

Is selling advertising so wrong?

I mean, assuming that's what they are doing, selling ads, and not ratting you out to DHS.

It's the privacy side of it that bothers me, although I'm not a big fan of ads.

Nevertheless, the percentage of targeted ads that are actually of interest to their target is still tiny compared to the number of ads presented, and if they're targeted but miss, they're more likely to distract me.

Hmmm--I tried to opt out of these various cookies and succeeded with all of them except for [x+1] cookie -- even after trying both through the Network Advertising page you link to and through [x+1]'s own privacy page.

On their own site, x+1 says I've opted out. But when I go back to the Network Advertising site, they claim I still have an active cookie from (only) x+1.

Trackback.

I recently started using Google Analytics (AKA Urchin) to track traffic to my sites. Then I noticed it drops cookies on all the visitors. I wonder if that will piss off visitors, and if Google uses the cookies for other purposes.

AAAAA!!!!

Cookies are not spyware. Please, please don't keep saying this - it's inaccurate, it's inflammatory and it creates the impression of a huge privacy issue where there simply is not one.

Look, cookies CAN be used to track you, David Weinberger, IF and ONLY if they can be correlated with your information. So, if you go to a site and browse around and you don't have an account on the site there is no privacy issue at all. There can't be - they have no idea who you are. What that site can do is drop cookies on your machine to see where you go on the site. That's a good thing if you believe that site owners will use these analytics to improve the site. Too often this is not done, or not done well, but for it to be done at all site owners need some way to look at the aggregate behavior of their visitors.

Ah, but we're talking about ad tracking cookies... those are evil right? Well, again, unless that cookie can be tracked to you specifically, there's no privacy issue - they have no idea that unique ID 123578 is David Weinberger. What they can do is characterize the web surfing of the owner of that cookie and show ads that their system feels will appeal to the person behind that cookie. Now, if you keep deleting them or opt out you'll still see ads... just not targeted ones. Of course, this means that, if the targeting was really helping, the ads will be less effective, the CPM might drop and the site owner might need to put more ads on the site to get the same revenue.

Spyware (software the reports back something about you) is a real threat. Let's not obscure that by getting all wound up about anonymous tracking cookies.

Rick, those are all good points and you're right: I shouldn't refer to ad tracking cookies as spyware. Point taken.

And yet...I still feel violated. I didn't agree to let all this information about my behavior be tracked. There is a — far-fetched — danger that by following my movements, you can figure out who I am. There is a less far-fetched danger that merchants will decide to put 2+2 together. And, besides, it's just creepy even if they don't know who I am. I didn't give them permission to infest my machine.

As for why having ads be more relevant is a good thing: Yes, there is a good side to it. But overall, ads make my life worse, not better. I'd skip them almost everywhere if I could. (But I can't because I'm usually given no choice, and they pay the bills for some companies). Having them be more targeted means they're more distracting.

Those whines aside, you're right that calling them spyware is alarmist and confuses them with stuff that's far more invasive.

Of COURSE Google uses those cookies for other purposes.

See the various articles I've written about Google for more information. The easiest entry is here:

http://www.aquick.org/blog/2006/10/10/google-has-your-logs-and-all-it-took-was-a-fart-lighting-video/

"Anonymous" tracking cookies are neither anonymous nor benign. For example, there's no technical barrier preventing Google from tying an "anonymous tracking cookie" to your search history from the same machine, or other sites you've visited, including any and every site that has an embedded Google Map or YouTube video and every other site that uses Google Analytics. Many of these sites may inadvertently leak personal information, which can then be tied to your "anonymous" browsing profile. Once the chain has been made, it's very difficult to break.

Google may in fact not do this, but we also have no reason to believe they're not, and the technology they've deployed looks suspiciously like it was designed for precisely this.

Frankly, there's no legitimate reason for any browser to either accept third party cookies or send a referer header (especially for third party remote inclusions in the page).

I should also point out that this site you've linked to requires you to accept third party cookies in order to opt out, which leaves you MORE vulnerable to future cookies being added to your machine without your knowledge or permission. Nice.

Adam,

Assert all you want. Evidence would be nice though...

Of course if you use GMail you're then signing in and giving up anonymity. Your activity on various Google properties then can all be tied to your account (and, in fact is). I don't think this result is very apparent and I believe Google should make it more so... but you DID choose to create a google account. No one is forcing you to do that.

David - Could someone tie together all of your surfing behavior and possibly determine who you are? Well, maybe... if they had access to all of it. But is that reality? The popular ad networks will certainly see some cross-site activity... but almost certainly this will be a small fraction of the sites you visit since none of the ad networks have close to monopolistic market share.

Might the various ad networks be getting together to share information in a dark server room somewhere? Well, yeah, but that direction takes us to Paranoia Street.

I'm not a huge fan of ads either... but non-commerce sites need to make money somehow and people paying for content is not a model that has worked with any real success. If people will nto pay for the content how else does a site that produces content stay in business? Information wants to be free is a nice sentiment, but the people making it have rent to pay and food to buy. And, anyway, that phrase means free as in speech, not free as in beer. Ads let you have it both ways though.

As for cookies dropped on your machine without notice... I can't sympathize. Cookies and the issues surrounding their use have been known for 10 years. Yes, I know that many, even most people don't have this top of mind, but this is not new.

In the same vein you don't need to sign up for any service at all.. Just set the cookie preferences in your browser so that 3rd party cookies are rejected. If you want, reject them all. You have control over this as does everyone else. If it bothers you... change your preferences. Clear your cookies. Use Firefox and set the Clear My Private Data when I close Firefox option to ON. The fact is, you DO have control over this.

What sort of evidence would you like? Isn't it enough to know that they do collect and keep the data, and that they won't say they don't put it all together?

They're on the record as saying that they keep basically everything they're allowed to (search engines other than Google have varying answers, as well). They can correlate a Google cookie OR an IP address (even if you don't accept the cookie) with its search history:

http://www.aquick.org/blog/2006/02/03/detailed-survey-of-verbatim-answers-from-aol-ms-yahoo-and-google-about-what-details-they-store/

Even if they're not doing it now, they certainly can later, and will as soon as it suits them to do so.

Spyware (software the reports back something about you) is a real threat. Let's not obscure that by getting all wound up about anonymous tracking cookies.

Help me out here, Rick. If anonymous tracking cookies are not anonymous, as Adam says, then they are "report[ing] back something about you" -- which makes them spyware.

So which is it -- are the cookies spyware, or is Adam mistaken?

It's not especially relevant to my question that I can turn off 3rd party cookies, or regularly clear all cookies (I do both). The vast majority of computer users, as far as I can tell, do neither and don't know how. Their lack of expertise hardly makes them fair game for privacy invasion.

I got here from: http://www.sennoma.net/main/archives/2007/03/an_optout_for_spyware_how_cons.php

And decided to repeat the comment I left there.

If you're concerned about tracking cookies, it's preferable to be able to just permit who you want to have the ability to set cookies and run JavaScript, rather than trying to opt out, which is a lot more work! Folks running the FireFox browser have two really good extensions to make that possible:

CookieSafe -- https://addons.mozilla.org/en-US/firefox/addon/2497

CookieSafe lets you easily control who and who isn't allowed to set cookies, and whether they're allowed to keep the cookies for more than one browser session.

NoScript -- http://noscript.net/

NoScript does the same, except for JavaScript. This can be especially important on Windows computers for security concerns--you don't want to allow just anyone the ability to run code on your computer. It could be malicious! You can temporarily (until the end of your browser session) allow sites to run JavaScript, or put them on a whitelist and always let them.

These two extensions do take some work to set up, but once you've whitelisted most of your frequently visited sites that require cookies or JavaScript, you'll be good to go and you won't have to explicitly "opt out" of anyone's tracking mechanisms anymore.