First-Party Cookies

Mozilla Firefox version 22.0 will block third-party cookies by default. Content from a third-party origin will be permitted to set cookies only if its origin already has at least one cookie set (see: The New Firefox Cookie Policy). This policy will potentially block cookies from advertising networks that are used to track the browsing habits of users. Google, the main sponsor of Mozilla, is not affected by this policy because Firefox gets a Google cookie at first start.

Is blocking of third-party cookies useful to avoid the tracking of browsing habits of users by third parties? Let's make a small test. We installed a fresh Firefox and disabled third-party cookies in the configuration. This configuration setting is a little bit more restrictive than the new Firefox cookie policy, but suitable for our demonstration. Afterwards we opened 3 websites and took a look at stored cookies.

  1. Zeit.de (online portal of a German newspaper)
    cookies set by Zeit.de

    All cookies were classified as first-party content but some of them are used by third-party servers.

    • The cookie "rsi_segs" is used by www.audiencescience.com for behavioral based advertising.
    • "wt3_eid" and "wt3_sid" are used by WebTrekk.
    • The cookies "__umta" ... "__umtz" are used by Google Analytics.
    • The cookie "_chartbeat2" is used by www.chartbeat.com for real-time analysis of website visitors.

    The cookies are generated and sent to the tracking service by JavaScript. Because these cookies are used to transfer information to third parties, this is a violation of user preferences.

  2. Zalando.de (commercial webshop)
    cookies set by Zalando.de

    Zalando.de uses JavaScript-generated cookies too. In addition, we found two cookies for the sub-domain "track.zalando.de". This domain is a DNS alias for "zalando-de01.webtrekk.net", an external server not related to Zalando.de. Because a 1x1 pixel transparent image (webbug) was loaded through the DNS alias, it gained first-party status and was able to set the cookies "wteid_xxxxx" and "wtsid_xxxxx".

  3. Heise.de (German IT news portal)
    cookies set by Heise.de

    Heise.de is using WebTrekk too. Both methods of Zeit.de (1.) and Zalando.de (2.) are combined:

    • If JavaScript is active, the cookies "wt3_eid" and "wt3_sid" are created with JavaScript.

    • If JavaScript is disabled, a 1x1 pixel webbug is loaded from the sub-domain "prophet.heise.de". This sub-domain is a DNS alias for "heise02.webtrekk.net" and is used to get first-party status for the webbug. The webbug sets the cookies "wteid_xxxxx" and "wtsid_xxxxx" for tracking.
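
The DNS-alias method used by Zalando.de and Heise.de can be detected by following the CNAME chain of each sub-domain a page loads from and comparing registrable domains. The following Python code is an added example, not part of the original article; the record table is constructed from the aliases named above (plus one constructed same-site alias), and the two-label `registrable_domain` helper is a simplifying assumption.

```python
# Added example: flag sub-domains whose CNAME chain leaves the site's own domain.
# The records are constructed from the aliases named in the article; a live
# check would query DNS for CNAME records instead of using this table.
CNAME_RECORDS = {
    "track.zalando.de": "zalando-de01.webtrekk.net",
    "prophet.heise.de": "heise02.webtrekk.net",
    "www.example.de": "cdn.example.de",  # constructed: alias inside the same site
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: good enough for .de/.net;
    production code should consult the Public Suffix List."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolve_chain(host, records, max_hops=8):
    """Follow CNAME records and return every name visited, starting with host."""
    chain = [host.rstrip(".").lower()]
    while chain[-1] in records:
        if len(chain) > max_hops:
            raise ValueError("CNAME chain too long or looping: " + host)
        chain.append(records[chain[-1]].rstrip(".").lower())
    return chain


def cloaked_third_party(host, records=CNAME_RECORDS):
    """Return the external registrable domain hidden behind host, or None."""
    site = registrable_domain(host)
    for name in resolve_chain(host, records)[1:]:
        target = registrable_domain(name)
        if target != site:
            return target
    return None


if __name__ == "__main__":
    for h in CNAME_RECORDS:
        print(h, "->", cloaked_third_party(h) or "same site")
```
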

Conclusion

Tracking services are using sophisticated methods to get first-party status for their tracking elements to avoid blocking. The tracking services above are only small examples. Yahoo! Web Analytics sets a one-year, first-party, persistent cookie that includes a unique visitor ID number and is able to track 99,9% of website visitors.

It is not possible to use first-party cookies for cross-domain tracking. These cookies are only valid and accessible within the context of one domain. But by using additional tracking features, it is possible to link tracking data of multiple domains together. WebTrekk collects geo-location by IP address, screen size and color depth of your monitor, inner size of the browser window, your preferred language, browser name and version, operating system and version, and the settings of Java (ON/OFF), JavaScript (ON/OFF) and cookies (ON/OFF). It is possible to calculate a high-quality browser fingerprint with this data. The browser fingerprint will be unique for most users, and it may be possible to use it for linking tracking data over multiple domains.

To avoid tracking of your browsing habits by third parties, we recommend blocking all cookies and JavaScript. Enable session cookies or JavaScript only for trusted websites, and only if required for the site to work as expected. Delete all cookies after leaving the website, or at least when closing your browser. JonDoFox and JonDoBrowser are configured for this behavior. During your surf session you can delete cookies by clicking the menu item "Tools - Clear Recent History" or by pressing CTRL-ALT-DEL.
