The Slow Death of the Internet Cookie

Sara Fischer, writing for Axios: Over 60% of marketers believe they will no longer need to rely on tracking cookies, a 20-year-old desktop-based technology, for the majority of their digital marketing within the next two years, according to data from Viant Technology, an advertising cloud. Why it matters: Advertising and web-based services that were cookie-dependent are slowly being phased out of our mobile-first world, where more personalized data targeting is done without using cookies. Marketers are moving away from using cookies to track user data on the web to target ads now that people are moving away from desktop. 90% of marketers say they see improved performance from people-based marketing, compared with cookie-based campaigns.

Re: Not a lot of article content here...

[M0j0_j0j0]

Bitcoin!! You forgot Bitcoin you insensitive cod

Re:Not a lot of article content here...

[Cajun Hell]

The big WTF-are-they-talking-about clue was revealed in this line of nonsense: "Cookies don't really work on mobile." (Wut?) The paragraph basically goes on to explain they're expecting many users to stop using web browsers altogether, and just run native apps that request ads by user id. Basically, the problems that cookies were invented to solve, are already solved by the apps having their owmn version of local storage (and without all those pesky controls and options that web browsers give to users).

Re:

[ras]

The big WTF-are-they-talking-about

Actually, it's just a big WTF, followed by oh they are sprouting shit in order to get a few clicks (including mine, sadly).

They are saying no advertiser will be using cookies in 2 years because people are moving from browsers to mobile apps. Lets turn this around: they are saying that in two year no advertisers will bother tracking people who use browsers. So in two years I can stop blocking Facebook, uninstall Privacy badger because the web will be sweet and innocent agai

Re: Not a lot of article content here...

[TheOuterLinux]

They are only redefining the "cookie" and calling it something else. The Internet decided that its version of "plain toothpaste" wasn't enough and added "whitening," if you catch my meaning. Also, Google isn't the only one with "bubble" technology. Hard drives are getting larger and cheaper and they have the resources to store info on every person leaking an "ip/mac address/canvas/OS" digital fingerprint. When my website was active (too expensive; hosts holding hostage), I honored the "Do Not Track" option

Re:

[jellomizer]

Being that many add companies are implemented across many sites, one can simply track by connection info IP Address, browser settings, time of day, original sites.... To paint a picture good enough for advertising.

The old tracking cookies were not any better then tracking connection info.

How do they track without cookies?

[jecowa]

>Advertising and web-based services that were cookie-dependent are slowly being phased out of our mobile-first world, where more personalized data targeting is done without using cookies. Don't mobile devices have cookie support? Or do mobile devices provide tracking features that are better than what cookies provided?

Re:

[Son of Rea]

I'd assume they will make you log in every time then save your data on their servers?

Re:

[doug141]

"people-based marketing," which is all the services you need to log in to use. Fitbit, amazon, facebook, alexa....

Re:

[omnichad]

services you need to log in to use

Using cookies...

Re:

[jecowa]

Even though it's still using cookies, the data is linked to a user account instead of to a randomized cookie identifier.

Re:

[TFlan91]

I'm not sure what they are talking about either.

My guess is some use of local storage [mozilla.org].

Re:

[Xylantiel]

My bet: Third-party location-based tracking. Moral: any app you download, turn off location access. This started by ad-supported apps asking for your location to target ads based on your current location, but has turned into snarfing your location history and targeting based on analysis of that (e.g. correlation with other people, where you sleep, etc) which is insanely invasive.

Re:

[Teun]

Not everyone got such a shitty provider.

Re:

[Anonymous Coward]

For the obviously tech savvy people on /. and similar sites (Hacker News), this is simple to avoid with a VPN. Its trivially easy to set up a VPN and your home network and point your mobile phone back to it, paying once for everything on your network and not twice. Add a Pi-hole to block DNS requests to ads, beacons, and trackers, and you further cut down on the privacy invasion.

A simple, key effort in helping to combat this kind of tracking is to use multiple browsers. I always have to different browsers u

Re: How do they track without cookies?

[reanjr]

But how much of the web is still http? And how much of that is serving anything important?

Re:

[jbmartin6]

Browser extensions and similar offerings with 'anonymous usage data used to enhance user experience', which is corporate-speak or 'it reports everything you do back home for resale of the data.'

Re:

[Actually, I do RTFA]

Or do mobile devices provide tracking features that are better than what cookies provided?

Far better. Why do you think every website wants you to download their app?

Shoot, until iOS 10.3, you had to turn off allowing apps to access your MAC address (well, it was hashed with a few other values). And I believe Android still allows it.

Re:

[Actually, I do RTFA]

Huh, I wasn't talking about websites. I was talking about apps. You know, software you download and run on your device. Specifically as differentiated from websites.

Hardly

[nospam007]

The cookie is what really is the so-called pay-'wall' of the New York Times, Washington Post, The Guardian etc.
Delete them and you can read as much as you want.

Guardian paywall since when?

[tepples]

Since when does The Guardian have a paywall? It offers an optional subscription to ad-free access for $84/year [theguardian.com]. Slashdot used to offer subscriptions, but this broke years ago.

Re:

[Teun]

The cookies are gone, from now on it will be .... Cake, or biscuits or chips

either way, at the end of the day, all of them will end up in the restroom

Pig, if you ever come over to my place I sure hope you use the toilet...

Re:

[Anonymous Coward]

There are two kinds of websites: those on which you log in to an account, and those that have no legitimate use for cookies.
I allow cookies on a short whitelist of the first category.
If a cookie is needed to make a website work on which you don't log in to an account, the website was written wrong. Hanlon's Razor be damned; I don't care why the website was written wrong.

Replacement?

[unixcorn]

So the cookie is dying. The article says nothing about how we will be tracked in the future. Or how we are being tracked now when I reject cookies.

Re:

[havock]

Browser fingerprinting is quite reliable when you reject cookies. Canvas, Font, GPU, CSS API's are all good sources of identifiable data. Of course if you turn off Javascript *and* Cookies, there isn't much left to fingerprint.

Re:

[ichimunki]

The browser fingerprint my Firefox 58 on Windows 10 gives is certainly different than what Silk on my Fire tablet gives. Which makes it totally useless for figuring out that I'm the same person using both browsers. On the other hand, the fact that I access the same Amazon shopping cart from both browsers... dead giveaway.

Re:

[ichimunki]

Cookies are still going to be critical to any user tracking, I'd think. It's just that advertisers won't be relying on their OWN cookies to do the work. Because if they set a cookie on each browser and platform you use, they then have to figure out how to correlate all *your* cookies after the fact. And if you're logging into your same GMail account at work, at home, on your phone, on a tablet, etc, it's better for them to figure out a way to latch onto that. But Google is still going to be using a cookie a

Re:

[Carewolf]

So the cookie is dying. The article says nothing about how we will be tracked in the future. Or how we are being tracked now when I reject cookies.

They now have new and much more invasive HTML5 mechanisms of tracking you that people aren't as aware of, and thus less likely to turn off or protect against.

People-based marketing is a euphemism

[Anonymous Coward]

It means they've found easier ways to fingerprint you. [PDF] [digiday.com] Marketers don't want generic "cookies" they want specific, verified identification.

They're going to have a better spy network than is legal for most governments to have.

Re:

[Actually, I do RTFA]

They're going to have a better spy network than is legal for most governments to have.

Your use of the future tense is cute.

Re:

[Falos]

They prefer verified, but they're more than happy to casually bridge causality. Even to establish "verified". Courts may admit than IP != identity (usually...) but the bigdata team (who need to have some material to present at the quarterly review or whateverthefuck) doesn't care.

Geolocation = Fact! https://xkcd.com/713/ [xkcd.com]

I think the real preference is moving up the skill curve. Cookies are pretty user-controlled, browsers/mods/etc are happily handing over tools. Other fingerprints are beyond the reach of sur

Fingerprinting is replacing tracking

[bahwi]

Fingerprinting is replacing tracking and has been for at least 10 years when I was very peripherally involved with testing a company that did it for work.

It's one way they get you with cookies once you've "cleared" them and they are able to reattach the same ones as before.

EFF has testing: https://panopticlick.eff.org/ [eff.org]

And yes, multiple fingerprints can be attached to a single user. You have 10 unique devices and all 10 of those fingerprints get attached to you after logging into a site or account. It can take awhile, but you can't block it.

Slight changes are accounted for, profiles updated. It's not as "fool-proof" as cookies, but that's not really a requirement.

Re:

[jetkust]

This, and they are also selling hoards of information about you between themselves. I wonder if for any company that keeps my fingerprint in a database, could I legally request any data associated with that fingerprint. It doesn't seem all that unreasonable to me.

Re:

[gl4ss]

In EU you can.. and few months down the line now if they disagree they can't avoid it.

this is why facebook etc already let you download all your data. you can also request the data to be removed.

Re:

[Actually, I do RTFA]

With JavaScript off, they're limited to my agent-string and resolution (and IP address, and other headers).

Re:

[bahwi]

Yeah, selective NoScript is a good alternative too. I've been using pi-hole for my DNS as well.

Re:

[Actually, I do RTFA]

I assume pi-hole is a Rasp. Pi distro? I looked into setting SQUID up on a Pi, but that seemed to be a chore.

Question: Can you set it up to intersect HTTPS requests (assuming you stick a self-signed cert on the Pi Hole?) And if so, how do you get it to check the certificate authority of who it is man-in-the-middling?

Re:

[bahwi]

Not a distro, but works best on Raspbian IIRC, but works on any linux box now I believe.

It acts as a dns server, and has a large block list (mine is 640k domains) which resolve to the raspberry pi's address, which it gives a quick explanation, or in the case of HTTPS, connection refused. It's not the best solution in the world but works really well.

So, no need for SSL certs, since it's just blocking. Hope that helps!

Re:

[Actually, I do RTFA]

Ah, got it.

Weakening the Web

[Mandrel]

I'm getting concerned that browser-makers, in the interests of privacy and security, are clamping down so much on what websites can do with cookies, local data, and iframes, that they're weakening the power of the open Web relative to mobile apps that ask, and almost always get, permission to do all sorts of powerful things. Perhaps it's time for cookie and iframe permission requests to pop-up when a website is first used, so that trusted sites can still do powerful things.

Terminology

[fisted]

You know you're on a mainstream news site when nobody objects to the term "Internet cookie". Jesus. What's next, Internet pages?

Finally!

[fieldstone]

I work in tech support, and after years and years of scare pieces on the news, this has been a long time coming. A large percentage of the people I work for are paranoid about all cookies. Cookies are bad! Cookies will destroy your computer! Some of these people clear out ALL their cookies daily or weekly, even though I've told them they only need to be concerned with scanning for tracking cookies.

Not that we should cater to ignorance, and not that this problem won't go away once there are no more Boomers

Misleading... or just plain wrong?

[zarmanto]

It seems to me that there's an awful lot of misinformation here. Cookies have been given a bad name, because the moment they sprung into existence, they were misused and/or abused by advertisers and marketers. The reality is, cookies aren't going away at all... they're just being used more inline with their original intent, that's all. A cookie gives any standard web browser (including those on mobile devices) the feature of storing small chunks of identifying personal data ("login" data) for the user currently using that browser, in order to allow that user to personalize their experience on any given website. (If you're using a mobile app instead of a browser, than that app obviously doesn't need cookies; it can just use local memory natively to store your login credentials.) The abuse started when advertisers realized that they didn't need you to actively "login" to their service, in order to identify you and track you with cookies. Naturally, people don't like it when someone tracks them without first asking for permission... but that's not the cookies fault; they're just tools. A hammer is still intended to be used on nails, even when someone with no scruples uses it on your toes -- but nobody ever blames the hammer for that, and rightly so.

So in other words, "people based marketing" just means that the service you're actively logging into (such as Google, for example) has successfully established themselves as the primary marketer, and they've made arrangements to sell all of your activity to advertisers. Likewise, those advertisers no longer see much return-on-investment in doing the heavy lifting of attempting to gather all of that activity data themselves, in part because so many people have gone to great lengths to stop those advertisers from doing so. Which brings us back to simple the fact that: you're really the product that's being marketed, and the advertisers are the customers. (Which is just as it has always been, really.)

The more things change, the more they stay insane.

Re: Misleading... or just plain wrong?

[dj245]

I can recall that one of the Easter eggs in Fallout 1 or 2 was the cookie. If you ate one, your hard drive seeked and the light blinked (no other item had this action). This was back in the day when games werenâ(TM)t reading constantly from the disk, and hard drive seeks were noisy, so it was noticeable.

sessions

[Anonymous Coward]

Once I had access to server-side processing, like ASP and PHP, I found the use case for cookies to be really small. That would be, basically, using the cookie to keep track of sessions. Besides that, the 4KB limit really hindered what you could do, as all of the metadata (property names, expiration dates, etc) counted towards the limit. I'd hit all sorts of edge cases like where it would partially store or unexpectedly forget stuff. Not really worth the trouble.

Re:

[tepples]

Once I had access to server-side processing, like ASP and PHP, I found the use case for cookies to be really small. That would be, basically, using the cookie to keep track of sessions.

Whether the cookie stores the raw data or a session ID matters little. It's common practice for each adtech provider to establish a long-lived session for each viewer who visits a site that uses that adtech provider. Viewing a single document might cause several dozen sessions to be automatically established, one for each adtech provider.

Justifying Firefox

[freeze128]

This sounds like an article that is justifying what Firefox is doing: dropping cookie management from the newest version. I don't agree, and I insist that Firefox keep some sort of cookie management facility.

Re:

[Rick Schumann]

If the browser drops it someone will write an add-on of some sort to allow you to manage them -- or you can just find the subdirectory they're in and delete them yourself.

Re:

[fisted]

If the browser drops it someone will write an add-on of some sort to allow you to manage them -- or you can just find the subdirectory they're in and delete them yourself.

And then a new Firefox version appears which happens to break all addons.

Re:

[Rick Schumann]

What's your point exactly? The add-on will just get updated. Are you looking for a conspiracy where there is none or something?

Re:

[fisted]

What's your point exactly? The add-on will be abandoned

FTFY. Some time later, somebody will write a new addon, and the cycle repeats.

Are you looking for a conspiracy

No.

or something

I'm looking at an astonishingly long series of exceptionally bad design decisions.

Now if you'll excuse me, I have to watch some videos on youtube. Oh wait, I can't because fuck the audio backend that has worked well for everybody for the last decade, let's add a hard dependency on pulseaudio; the hordes of people having issues with it are probably just using it wrong.

this is covered by

Re:

[fisted]

Oops, last line should've read "this is covered by Hanlon’s Razor though, so I don't think it's a conspiracy"

Re:

[freeze128]

I don't know how to delete just certain select cookies from the about:config window. I searched for "cookie" and all I see are integer or boolean values.

Firefox's cookie management is terrible because I don't want to look through a tiny mail-slot at my huge list of cookies. Let me RESIZE the window FFS! But that doesn't mean I want the whole thing to GO AWAY!

Re:

[Espectr0]

That's really an ignorant way of justifying it. 99% of the websites i visit have a banner somewhere saying "this website is using cookies". Cookies aren't going away anytime soon. While some marketers/spammers may use more advanced techniques, most will remain using cookies for the foreseeable future.

Facebook, Amazon, Google, Apple, etc

[edi_guy]

Reality is that they have all the info they need on you already. Awhile back it was said that 81% of adult Americans who use the internet have a Facebook account Google, FB, Amazon, already have a data model on you which is pretty accurate, and likely will match pre-established trends as you get older, have a family, retire, whatever. Your credit card data, your geo-physical presence via cell phone (Google maps), your cell provider tracking your browsing, its all there

And yes, there are several clever,

Replaced with what

[gurps_npc]

The article does not say they aren't tracking us anymore, they instead say the cookies are obsolete.

But it failed to mention what is replacing cookies.

That's far more important than the death of cookies.

Re:

[Tony Isaac]

The thing that has replaced cookies is the "tracking pixel." https://en.ryte.com/wiki/Track... [ryte.com]

Every Web company's marketing department gets their software team to include these on their sites. They only too happily send your info to Facebook, Google, and others. Every click, every page load.