S2E2 - My Cookies, My Cookies Not My Cookies - Website Tracking

Feel free to send me a message if you have something specific you want me to cover this season. Or you can leave me a voicemail at ‪(503) 395-8030 if you have a creepy tech story you’d like shared on the next episode.

This week we are going to do a deep dive into website cookies, what they are, how we use them and the way they are changing our understanding of free will, privacy and how we behave as human beings.

Let’s jump right in!

Over the past few years you may have noticed that sometimes when you use a website for the first time, there is a little pop up.

This pop up usually says something along the lines of:

“We use cookies to make our site work, to understand how it is used, and to tailor advertisements presented on our site. By clicking “Accept”, you agree to us doing so. You can read more by clicking on our privacy policy here.”

They typically link to their privacy policy where you can read more about what data they collect, how they use it, who they share it with and even what will happen to your data if they sell their business or website.

So, what exactly are these cookie things? Well, you can think of cookies as a small collection of information. Like crumbs almost. They collect things like, your IP address, name, age, behavior on the website, what you add to your cart, how long you look at a product or even the amount of time it takes you to read an article.

Cookies are carried over between websites. Your browser keeps the cookies collected on each website for a specified amount of time. Which means, as long as that time limit hasn’t been reached, then every website you visit, will have the information from your last viewed websites.

They then use this information, to specifically tailor the current site that you are on just for you.

Meaning that if you were just on google searching for new a new phone to buy, then the next website may have advertisements for the specific phones you were just looking at on google.

Most of us don’t read these privacy policies, which is completely understandable. They are long, often very boring and we usually just want to get to the content as quick as possible, so we click accept without a second thought.

I found it interesting that most companies include the phrase “to make our site work” in their cookie pop up.

From the statement on the pop up, a lot of us may think that we wouldn’t be able to use the website if we didn’t agree.

But that’s not necessarily accurate. See, these websites can work perfectly even when you don’t agree to their use of cookies.

I decided to head to a website called Blavity.com which I knew, had a cookie pop up agreement to use as an example. To begin this dive, I started by looking at their privacy policy, where I read the following:

“Ads appearing on any Blavity websites may be delivered to users by advertising partners, who may set cookies. These cookies allow the ad server to recognize your computer each time they send you an online advertisement to compile information about you or others who use your computer. This information allows ad networks to, among other things, deliver targeted advertisements that they believe will be of most interest to you. This privacy policy covers the use of cookies by Blavity and does not cover the use of cookies by any advertisers.”

The Privacy policy continues to state that:

“Blavity visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using Blavity’s websites, with the drawback that certain features of Blavity’s websites may not function properly without the aid of cookies.”

Yet another statement warning of the possibility that you may be missing out on something by not opting in.

Which made me wonder, would adjusting my browser settings actually change the website in any way. And if any critical parts of the website wouldn’t work without cookies, why didn’t they just design a version that does?

Anyway, there are two types of cookies, Session Cookies and Persistent cookies.

Both collect the same types of information; the major difference is that session cookies are temporary. Once you close your browser, any information it has collected will not be retained.

Persistent cookies collect identifying data from a user and will be stored on your hard drive until it is deleted. The data collected can include, website browsing behavior, IP addresses etc.

When you provide a website with your email address, or name it can then use that information in connection to any other data collected by their cookies. Most companies are simply using cookies to see how you use their sites and to target ads that you may be interested in. But over the past few years, the use of malicious cookies – which are cookies that track, collect data & build a user profile, has grown significantly.

This user profile can then be sold to third party companies, advertisers, or used by individuals to gain access to your other accounts or to send targeted phishing emails that you may fall for.

I wanted to see if I could find at least one website that would allow me to opt out directly on their site and I did have a hard time finding one. The closest I could find while researching this specific topic, was the CPO Magazine website where they did provide a link to customize my preferences for their use of cookies.

However, they did not have the options there to easily turn off cookie tracking. Instead, they provided a long-detailed page of information on the various websites, apps, advertisers and third parties that would be using the information they collect.

They also offered the following information:

“In addition to what is specified in this document, the User can manage preferences for Cookies directly from within their own browser and prevent – for example – third parties from installing Cookies.

Through browser preferences, it is also possible to delete Cookies installed in the past, including the Cookies that may have saved the initial consent for the installation of Cookies by this website.

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer.”

They also provide an email address to contact if you do not want them to collect data.

Which does give you steps on how to stop the tracking, however, for those of us whose brains immediately shut off when we encounter a page filled with dense information, the TLDR syndrome usually convinces us that it’s fine, we’ll just accept instead of searching through the whole page just to opt out.

The reason I went to the CPO Magazine website was because one of their articles discussing the future of cookies caught my attention.

In the article they discuss how website tracking may work in the future. “The IAB (Interactive Advertising Bureau (IAB)) Tech Lab proposes the creation of a digital token that would become a single, unique identifier that follows you around the web in order to track your browsing habits and privacy preferences. Instead of hundreds of web tracking technologies on every web page, there would only be one centralized token that follows you.”

Meaning that this new way of tracking would create a token specifically for you. This token would carry all of the information collected about you between websites indefinitely.

The creator of this new tech, Jordan Mitchell noticed that the main problem with cookies (which were invented and first implemented around 20 years ago) is that all of these different websites are using their own proprietary Cookies instead of one standardized cookie for each user.

The use of so many different cookies leads to a lack of privacy between the website you are actually on, and all of the third-party websites that website works with. Any company could be essentially tracking your behavior with out you ever knowing.

Mitchells proposed centralized cookie would take into account the need for privacy bridges and it would require companies to prove that they are in fact following the guidelines and rules set by some governing or regulating agency which has yet to be formed.

Which of course brings up a handful of questions about trust. How would this regulating agency also be regulated? Who would be creating the guidelines and rules that they have to follow?

After they spoke with Brendan Eich, CEO of Brave, he “tweeted, “Who’re they kidding?” “A single token will uniquely identify you and be linked to your name and personal data in a trice.”

How would one create a single identifying token specifically for each user, but maintain the stance that even though information has been collected, that the user is still anonymous?

Your specific behavior, scrolling patterns, purchase history, location, IP address etc. would be more than enough to identify you.

The New York Times looked into exactly how much collected “Anonymized” data points it takes to identify any American and the amount is incredibly small.

The article by Gina Kolata states that: “The investigators developed a method to re-identify individuals from just bits of what were supposed to be anonymous data.”

Which is a statement I’m sure all of us have read at least one time on websites and apps we visit daily.

Kolata explain that “Even anonymized data sets often include scores of so-called attributes — characteristics about an individual or household. Anonymized consumer data sold by Experian, the credit bureau, to Alteryx, a marketing firm, included 120 million Americans and 248 attributes per household.”

Scientists at Imperial College London and Université Catholique de Louvain, in Belgium, reported in the journal Nature Communications that they had devised a computer algorithm that can identify 99.98 percent of Americans from almost any available data set with as few as 15 attributes, such as gender, ZIP code or marital status. Even more surprising, the scientists posted their software code online for anyone to use.”

While these scientists were hesitant to post this algorithm online, they still followed through and did it. It’s safe to assume that there are people out there already using it for this specific purpose.

Now this is not the first time that supposedly anonymous data has been found to not be so anonymous.

You may remember that in season one I covered the genetic testing company 23 & Me. I discussed that their privacy policy and terms of service agreement states that the samples you send them can be shared or would be shared with research institutions as well as some third-party companies that they work with. You can take a listen to episode 1 in season 1 if you would like to hear more about that.

Well, in 2016 something very interesting happened.

A woman named Anna Rosenberg, called up a data broker (which are companies like Experian, or Datalogix).

These companies collect user information, set up trend patterns, behavioral analysis etc. and sell these to companies or individuals who are interested in the information.

Anna Rosenberg, called up this broker and told them that she worked for a small start up in Tel Aviv and that she was working on training a neural network. She requested a free trail to be able to access the browsing history collected for 3 million Germans.

They even gave her live access to the information meaning that the data was refreshed every day.

It was later discovered that neither Rosenberg nor the start up actually existed.

In fact, the whole project was created by an undercover journalist Svea Eckert, who wanted to see just how easy it was to get access to this type of information about individuals.

Vice interviewed Eckert and walked through exactly what method was used to deanonymize this information.

She then partnered with a data scientist, Andreas Dewes, to see whether they could identify the individuals from the information they collected on them.

Eckert discovered that she was able to identify her colleagues by using their login ID’s at the company and cross listing it with the information collected.

She then reached out to one of her colleagues and asked them to delete one browser plugin every hour until he disappeared from the live view, after 7 deleted plugins his entries disappeared.

The creepy part is that this method can be used by anyone out there and it most likely is being used.

So how can we protect ourselves from this?

Well you can first navigate to your cookie settings in whichever browser you are using and turn off the permissions to websites and third parties.

You can then get a VPN – which I covered in Season 1 Episode 5.

Make sure that you also keep yourself signed out of any apps on your phone, websites you visit, and turn off location permissions to all apps on your phone.

Don’t install any apps without reading their policies.

And last of all, most phones and computers collect analytics. If you don’t want these sent to the manufacture (i.e. Apple or Microsoft) you can turn off those permissions as well.

That’s all I have for you this week & thank you so much for listening!

As I mentioned in the beginning of this episode, if you have a story that has to do with any creepy tech, just want to say hello or anything like that feel free to call ‪(503) 395-8030 & leave a voicemail. I’ll share it on one of the upcoming episodes!

You can find me on Instagram @Tech_Creepy, Twitter @TechCreepy