• by Tom Hespos , May 3, 2005

Not to belabor the issue, but my column from two weeks ago centered around a report from Atlas that claimed the sky wasn't falling on cookies, and that report has subsequently been corrected.

Reviewing the data accumulated for the last report, Atlas Director of Analytics Young-Bean Song took a deeper look at cookie lifespan distributions and found that the behavioral data from Atlas' study was in close agreement with earlier reports from Jupiter and others who took a survey-based approach to gauging the extent of the problem. While the sky may not be falling, the data confirmed that people who claim to delete their cookies regularly, generally do so.

This issue is incredibly complex for a number of different reasons:

• The difference between what people say they do in a survey and what they actually do is worlds apart in some cases.
• There are a number of ways to delete cookies, including erasing the files themselves and relying on a piece of software to do it on behalf of a user.
• Computers can have multiple users, one of whom may be deleting cookies while others may not.
• Users of anti-spyware applications or other privacy-oriented software may use them to delete cookies. In many cases, users may not actually be aware they're deleting them.

When significant differences can exist between reported behavior and actual behavior, as in cases like this, accuracy is best achieved by observing and reporting on actual behavior. A study based on observed behavior is the key to understanding the extent of the cookie deletion problem, and we need it as soon as we can get it.

While cookie deletion studies seem to be popular these days, with more research firms and analytics companies jumping on the bandwagon every day, I haven't yet seen anything that corrects for all of the problems I've outlined above. If we are to understand the extent of this problem, as well as how it evolves over time, direct observation of behavior is the way to do it.

In addition to understanding the extent of the problem, I'd like to know to what extent consumers are unknowingly erasing their ad server cookies through software packages they've installed to protect themselves from invasions of privacy or from spyware. It's become obvious to me, merely by observing the ways in which many anti-spyware and anti-virus packages handle ad server cookies, that they are often lumped into the same bucket as spyware and consumers may not be aware of what they're doing. My copy of one anti-spyware tool labels ad server cookies as "potential threats" and pre-checks them for removal from the system.

Put yourself in the shoes of the average consumer for a minute. If an anti-spyware tool tells you that you have a potential threat on your system, are you going to un-check it so that it won't be removed? Doubtful.

Now put yourself in the shoes of the anti-spyware software developer. Wouldn't identifying as many potential threats as possible make the consumer think that your software is superior to that of competitors? Perhaps this explains not only why ad server cookies are identified as threats, but also why many anti-spyware utilities call attention to each individual element of a spyware program when one mention will do.

In any case, what we need here is a study that is based on actual behavior. Behavior is the only trustworthy method by which we can gauge the extent of this problem.