Commentary

A Cookie Between Friends...In A Flash

A shy friend has written a piece about cookies that I thought merited visibility. With his consent, here it is:

Cookie, anyone? If you mention the term "cookie" to anyone outside the Internet business they will likely begin to salivate. If you mention the term "cookie" to anyone inside the Internet business they will immediately know you are referring to a small piece of information that is dropped on a user's computer by a Web site or Web server on the Internet.

The cookie began as a useful navigation tool for Web sites to store user preferences, login information or other data used by that Web site. Netscape first introduced the cookie in 1994 to enable and store user's inputs for virtual shopping carts. Since then the marketing industry has adopted the cookie as an integral part of user tracking for targeting of online advertising. To fully understand the cookie, it is critical to define the difference between "first" and "third" party cookies.

First party cookies are cookies that are dropped on a user's computer by the site they are visiting. If you visit www.amazon.com, they place a first-party cookie on your computer for auto-login next time you visit to seamlessly access preferences, shopping cart entries, profiles etc.

advertisement

advertisement

Third-party cookies are cookies that have been dropped on a user by someone other than the domain they are visiting. Third-party cookies enable cross-site behavioral tracking and are widely used by ad networks and exchanges. An external request from a Web site to a third party like an ad networks is common for publishers to display advertising creative from companies who specialize in ad placements. Generally third party cookies are delivered in combination with the creative....many times without the knowledge or consent of the user or publisher. With the explosion of the Internet and the rapid rise of online marketing, the cookie... mostly the third-party cookie... has come under privacy scrutiny. All new browsers have increased their security features in regards to cookies and allow users better control where and when a cookie gets dropped on their computer.

Most security and anti-virus software automatically delete third-party cookies as a security measure and many users are simply wising up and deleting unwanted cookies themselves. All this makes me wonder: Why is the Internet advertising industry so reliant on such an unstable and archaic technology? While the Internet advertising industry is heavily dependent on cookies, it's strictly taboo to actually discuss cookie blocking and deletion rates publicly. A cursory search shows several studies by prominent organizations like Nielsen and comScore that readily admit cookie deletion rates are anywhere from 31%-43%, for both first and third party cookies. All of these studies are from 2-4 years ago, prior to any advanced browser or user controls, making me believe that these numbers are likely higher now.

Many large publishers will unofficially admit that they are seeing cookie deletion rates over 40% domestically and even greater in European countries. Cookies blocking and deletion rates in Germany are estimated at well over 90%. Anyone on the ad network or exchange side of the ecosystem will quickly state the over-exaggeration of cookie deletion rates and nervously try to justify their tenuous business model that is completely reliant on third-party cookies.

The advertising industry associations and privacy groups will quickly point out that any user can opt-out of being tracked via a cookie. What I find humorous and ironic is that the opt-out of cookie tracking is via a cookie. Meaning, if I delete all of my cookies I also delete the cookies that request that I don't want be tracked by those cookies. WHAT?..... Exactly!

This is far from an exact science -- and the discussion of how, where, when and why to use cookies will likely continue to swirl inside the industry and on Capitol Hill for some time. Congress, and even the White House, is getting involved in the conversation as legislators have publically pushed industry groups to self-regulate. At the most recent OMMA Networks and Behavioral events the overarching theme for the first time was....you guessed....privacy!

The days of flying under the radar are over, and even industry figures like Dave Morgan are begging leaders to get involved in "implementing a self-regulatory framework, so that we might stave off the passage of broad and onerous new privacy laws and regulation." I find it hard to believe that any industry would self-regulate itself out of business, which likely explains why little has been done to satisfy the watchful eye of Washington.

The government easily waved their legislative wand with the Do-Not-Call list and destroyed the telemarketing industry over night. I hope it does not come to that in regards to regulating privacy online, but it is becoming increasingly clear that something needs to be done to educate and protect consumers. There are minimal alternatives to the cookie available today. Large sites like Yahoo, Microsoft and Google have the benefit of scale to use first-party cookies for tracking users across their own kingdoms. Many sites also rely on registration data to track users. However, most large marketers find registration data to be notoriously unreliable and the common deletion of first party cookies means the user must re-sign into the site for targeting to be possible.

Recent industry reports and academic research from UC Berkeley (http://www.wired.com/epicenter/2009/08/flash-cookie-researchers-spark-quantcast-change/ ) has uncovered that companies like Quantcast have been using Flash cookies for tracking. [Editor's Note: Quantcast resolved FSO cookie synchronization within 24 hours of the UC Berkeley report, and provides an overview on its blog.] Flash Cookies are different from conventional cookies because they store user information as a "local stored object" in all versions of Adobe Flash. The study showed that companies "used Flash cookies on the net's most popular websites to re-spawn traditional browser cookies after users had deleted them."

Other technology companies are contemplating the use of the Internet Protocol Address (IP Address) as a persistent and unique identifier of a consumer for behavioral and tracking purposes. The use of Flash Cookies and IP addresses are simply mechanisms to override consumer control. Even savvy Internet users who closely manage and delete unwanted cookies can't easily detect or opt out of being tracked by IP Address or Flash cookies.

Mandating user opt-in for targeting on mainstream sites is equally challenging, as publishers and networks will have to disclose their tracking practices or close off their sites until users relent. The origin of the cookie as a beneficial user navigation tool is sound. Use of the cookie by the online advertising industry, and the emerging work-arounds like Flash Cookies and IP addresses, raises serious questions about industry dependency and consumer privacy.

All this seems to indicate that we, as an industry require leadership which results in better mechanisms to protect user privacy, to foster innovation where consumer privacy is central, not an afterthought, and still allow the Internet advertising ecosystem to grow and thrive.

4 comments about "A Cookie Between Friends...In A Flash ".
Check to receive email when comments are posted.
  1. Michael O'faolain from Redwood Guardian - The Lost Scripts, August 25, 2009 at 1:59 p.m.

    When I'm on the internet it is like I'm walking along a public street. When I go into my own web site which contains my home page which I pay for, I'm home where there are no cookies.

    If I go into a restaurant, I know I'm going to be caught on a security camera and the purchase will be in the restaurant's records. That's a first-party cookie.

    When I enter Yahoo or Google property, I know they exist by selling third parties space for billboards which put tracking cookies in my pockets. I know I've entered a bad part of town so I try to button up my pockets and I clean the trash out that get's in my pockets. (Why people make their home page there is beyond me.)

    When I go into a reputable store, I don't expect that behavior. A third-party cookie is comparable to the restaurant owner permitting a billboard advertising a movie that places a tracking device in my pocket which then tracks when I enter a hardware store that has permitted a different billboard by the same billboard company.

    That would be an invasion of privacy in the real world. It's the disreputable store owners making money off of unrelated tracking of my activities.

    I would no more trust the advertising industry to protect internet user privacy than I would trust trust the police to determine without court supervision how and when they could use bugs and tracking devices.

  2. Paula Lynn from Who Else Unlimited, August 25, 2009 at 2:24 p.m.

    I'll give you all those calls I do not get because of the do not call list. No charge. The telemarketing business is under that umbrella of just because you can doesn't mean you should. Unfortunately, too many are still in business. Would anyone like my spam for free? It'll be tastier than cookies.

  3. John Grono from GAP Research, August 25, 2009 at 5:25 p.m.

    Congratulations Mitch - a great post.

    Of course, there is a further outcome of cookie deletion beyond that of BT and privacy that relates to audience measurement.

    I refer to the use of the term "unique browers" by publishers, ad networks et al, who use server-based data to generate these numbers. Clearly, anyone who deletes a cookie appears as though they are a 'different person' the next time they access a site. This leads to a huge over-reporting of "unique browsers" in any server-based metrics that are longitudinal. On any ONE day unique browsers and unique audience are basically the same. Over the standard reporting period of a month (hey, who came up with a month as the standard? I suppose it represents a campaign) these two metrics are miles apart. My counsel is if you are looking for unique audience you'll be MUCH closer to the truth (thought slightly under-cooked) if you use panel-based "unique audience" than server-based "unique browers" (which in reality are "unique browes" - the verb, not the noun).

    Keep up the good work Mitch.

  4. Tom Kelly from AOL, August 26, 2009 at 4:24 p.m.

    All good points. I agree with your logic, Michael, up to the point of the restaurant billboard. You see, you pay the restaurant to eat there. But if you're like me and the other 1.6 billion web users worldwide, you don't pay CNN to surf their site - or even pay Mediapost to read this content. So how else should they monetize their product?

    If that upscale restaurant served you their fine food for free, every day 24/7, then I'm sure you would gladly look at a billboard next to your table - I would.

    That being said, I agree that the industry can be doing more to educate consumers (something privacy advocates don't believe will work) and share their data (check out http://safecount.net/yourdata.php to see what WE know about you).

    Maybe consumers would feel differently about sharing their data if they could control it more?

Next story loading loading..
About the Author

, Programmatic TV Strategist, USIM