UK websites place average of 44 cookies on first visit

ico.org.uk

42 points by adrow 11 years ago · 42 comments

gearhart 11 years ago

This article is completely incompetent.

Firstly - any number of cookies from a single domain are equivalent, you can always use whatever identifier is in the cookie's data to store and retrieve an arbitrary amount of data about the user. That there are lots of them implies either that the site is using a bunch of different front end libraries / components that don't talk to one another (which is irrelevant from a privacy perspective) or that more data is being stored/cached directly in the browser rather than being retrieved from a remote server which is the opposite of a privacy issue, since it's keeping your data in your browser.

Secondly - cookies are one of: "session", "expiring", "perpetual". With the first set to expire when you close the browser, the second expiring at some period between now and when your browser/cache/computer/operating system gets wiped or replaced (i.e. ~<12 months) and the third expiring at any arbitrary date after that (i.e. anything with an expiration date of more than ~12 months is the same, who cares if it's two years or ten thousand).

It's horrifying that this is a study paid for with public money and fed back to the public from a source purporting to be an expert.

Edit: by saying "from a single domain" I'm expressly avoiding the differentiation between first and third-party cookies - it obviously makes a difference how many third parties you share data with, which defensibly has some relationship to the number of different domains that serve third party cookies on a site.
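The measures this comment argues for (lifetime bucket with the ~12-month cut-off, and distinct third parties rather than raw cookie count), computed from `Set-Cookie` headers. This is an added example, not part of the original comment or the ICO study. The sample responses, the function names and the short two-label suffix list (standing in for the Public Suffix List) are assumptions.

```javascript
// Constructed sample: hosts and cookies are invented, not taken from the ICO report.
const NOW = Date.UTC(2015, 0, 1);
const YEAR_MS = 365 * 24 * 3600 * 1000; // the "~12 months" cut-off from the comment
// Simplification (assumption): real code should consult the Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "gov.uk", "ac.uk"]);
const SAMPLE = [
  { host: "www.example.co.uk", setCookie: ["sid=abc; Path=/; HttpOnly", "lang=en; Max-Age=2592000"] },
  { host: "cdn.example.co.uk", setCookie: ["ab=1; Domain=.example.co.uk; Max-Age=86400"] },
  { host: "ads.tracker.example", setCookie: ["uid=1; Expires=Fri, 31 Dec 9999 23:59:59 GMT", "seg=2; Max-Age=63072000", "old=; Max-Age=0"] },
  { host: "px.metrics.example", setCookie: ["v=9; Expires=Wed, 01 Jul 2015 00:00:00 GMT"] },
];

function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  const keep = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}
// Returns { name, domain, expiresAt }; expiresAt is null for a session cookie.
function parseSetCookie(header, responseHost, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], domain: responseHost, expiresAt: null };
  let maxAge = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq < 0 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? "" : attr.slice(eq + 1).trim();
    if (key === "domain" && val) cookie.domain = val;
    else if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires" && !Number.isNaN(Date.parse(val))) cookie.expiresAt = Date.parse(val);
  }
  if (maxAge !== null) cookie.expiresAt = now + maxAge * 1000; // Max-Age overrides Expires
  return cookie;
}
function classifyLifetime(cookie, now) {
  if (cookie.expiresAt === null) return "session";
  return cookie.expiresAt - now > YEAR_MS ? "perpetual" : "expiring";
}
function summarize(pageHost, responses, now) {
  const site = registrableDomain(pageHost);
  const parties = new Set();
  const out = { total: 0, firstParty: 0, thirdParty: 0, session: 0, expiring: 0, perpetual: 0 };
  for (const { host, setCookie } of responses) for (const header of setCookie) {
    const c = parseSetCookie(header, host, now);
    if (c.expiresAt !== null && c.expiresAt <= now) continue; // deletion: nothing is stored
    out.total++; out[classifyLifetime(c, now)]++;
    if (registrableDomain(c.domain) === site) out.firstParty++;
    else { out.thirdParty++; parties.add(registrableDomain(c.domain)); }
  }
  return { ...out, thirdParties: [...parties].sort() };
}
```

`summarize("www.example.co.uk", SAMPLE, NOW)` reports six stored cookies but only two third parties, and puts the year-9999 cookie in the same bucket as the two-year one.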

  • matthewmacleod 11 years ago

    I completely disagree with your assessment, and I don't understand why you're so offended by it.

    The article is accurate and provides details of the methodology and results. Of particular note, if you look at the report, is that two thirds of cookies on UK sites are third-party ones. That's a significant number, and means the average site places 30 third-party cookies on a user's machine.

    Your proviso about being 'from a single domain' is pretty much irrelevant – that's not the issue at all!

    • gearhart 11 years ago

      You're right, the study's not worthless - the "key findings" are all accurate and portray a reasonably sensible, true-to-life picture of the results, and we do need more easily-consumable, experimentally-justified content to help ensure that the public doesn't end up backing stupid laws.

      That said, the article's focus on 31st December 9999 and outliving the lifespan of the user, the discussion around the number of cookies served (rather than the number of parties serving cookies, and the amount and type of data that they're storing, which is what we're really concerned about here), and the click-baity headline to both the page and the HN article take what was probably a very sensible study and pervert the reader into drawing conclusions for all the wrong reasons. Giving public funding to something that's going to place that sort of bias (which in a private news publication would be fine) between the public and science I find pretty galling.

  • Nursie 11 years ago

    >> opposite of a privacy issue, since it's keeping your data in your browser.

    In a way instantly accessible to the host site. Data I wasn't really consulted about. Data I might not be comfortable sharing every time you ask for it.

    This whole law about disclosing cookie use, which I will agree is not necessarily a good approach to the problem, does nevertheless exist because of a problem - People getting tracked, followed and profiled without their permission. Website operators and browser-makers seemed to be complicit in this. Some website operators seem to think it's their god-given right to do whatever they want in the browser on my computer...

    • jonatanheyman 11 years ago

      As a website owner I'm free to respond with any HTTP headers I feel like when your computer makes a request. You're free to use a browser that doesn't decide to store cookies when you get a reply with those headers.

      • Nursie 11 years ago

        Indeed you are! Now, how many people have any idea about this, and what have browser-writers been doing to make this area visible and controllable?

        Not really very much. Particularly in the mobile space.

blfr 11 years ago

Evil ad networks only need a handful of cookies to track you. They could probably go without cookies entirely, just by fingerprinting the browser. They have the resources and know-how.

This happens because many webmasters build frankensites by copying and pasting snippets of code to get the functionality they need. Those load a bunch of resources from all over the net and dump a jar of cookies in your lap. It's the same laziness that makes devs set expiration to 9999.

The popouts, or banners, with cookie information are a pointless annoyance, not an encouraging development.

  • jfindley 11 years ago

    Not disagreeing with what you say, but browser fingerprinting is a great deal less accurate than cookie-based tracking, so the ad networks would certainly like to retain a cookie on the client machine, if they can.

troels 11 years ago

It seems a bit disingenuous to present numbers like that. For the lay person, it may sound scary that there are 44 cookies on a given page, but that's a completely arbitrary measure. I would think that the important thing isn't the number of cookies, but rather which entities they are shared with and to some extent the information attached to them. First-party cookies, for example, are not a privacy issue at all.

  • Drakim 11 years ago

    In my opinion it is actually pretty scary.

    As I see it, a website should upon landing either set zero or one cookie, depending on if the website has some sort of persistent functionality (like a message to first time visitors).

    The other 43 cookies are, in my view, therefore unnecessary to the normal functioning of the website, and are therefore more likely being used for other purposes such as tracking and advertising.

    • mrweasel 11 years ago

      Sadly I think that a lot of businesses either don't care or don't think about the cookies and tracking added to their site.

      In my experience it's usually the marketing department that wants much, not all, of the things that end up setting cookies. It's not that it's a bad idea necessarily, but it's adding tracking upon tracking upon tracking and rarely a request to remove something. Some sales person tries to sell marketing "Yet another up-sell tool" or "customer retention solution" and no one considers that the site already has five of those tools installed, 3 of which aren't actually used anymore and the last two we aren't really sure of.

      I think it's a scam mostly, trying to convince businesses that they're leaving profit on the floor. The providers of these tools leave real businesses jumping from one tracking/data-mining/customer-spying to another in the hope that it will boost their sales by a few percent. Do we really need to know that much about our customer? Probably not.

      • theandrewbailey 11 years ago

        My company had a client that would add "Yet another up-sell/retention tool" every week or so. (I know, because I added them every time.) I swear they had every single one in existence. Didn't stop them from filing bankruptcy.

    • andrewingram 11 years ago

      I agree that a lot of functionality can be encapsulated in a session cookie. But for some cases it might not be worth the server overhead, ie language or currency selection for unregistered users.

      • Drakim 11 years ago

        I agree that if you start using the website, setting more cookies to remember choices and such is perfectly fine. I was referring to when you first land on the website, that first page load.

  • matthewmacleod 11 years ago

    The full details are right there in the report, but I don't think that's a misleading headline number to use.

bartkappenburg 11 years ago

Self plug: we've developed cookie-checker.com. A way to check which cookies are placed with a first-time visitor.

ico.org.uk places 3 cookies (1 session, 2 other valid up to today and 2017): http://www.cookie-checker.com/check-cookies.php?url=ico.org....

  • omh 11 years ago

    When I visit the ICO site I also get a "civicCookieControl" cookie which you don't list. I guess that this is probably coming from javascript and your site isn't processing this?

    • bartkappenburg 11 years ago

      It's running a headless browser with JS enabled so it should be there... not sure why it doesn't pick it up. Thanks for the mention :-)

      • LunaSea 11 years ago

        If you are running PhantomJS, did you encounter any issues like memory leaks and socket errors?

        I'd be interested in the solutions you used to solve issues like that if it's not proprietary / private.

    • dspillett 11 years ago

      It could also be that the cookies handed out vary geographically, or if a page includes adverts in iframes via an ad provider network the cookies you get will depend which member of the network your request is redirected to this time.

  • equil 11 years ago

    Humorously, checking the site itself seems to trip it up: http://www.cookie-checker.com/check-cookies.php?url=cookie-c...

JamesBaxter 11 years ago

Got a chuckle from the article alerting me to its use of cookies.

http://i.imgur.com/3PIC1af.png

graystevens 11 years ago

This article alone places 9 on my system, plus a small lorry load's worth from .youtube.com due to the embedded video.

Padding 11 years ago

I never understood why cookies receive so much attention in various privacy discussions. They are the one thing the user has full control over.

Yes it takes some effort to delete them, but so does looking left and right before crossing the street.

  • Nursie 11 years ago

    Part of the problem is that the browser just mindlessly goes along with it.

    We've got into a situation where the vast majority of users don't know and don't want to know about any of the details of what's going on, and by default most browsers just allow them to be tracked in a variety of different ways. Website writers/maintainers quite often don't know themselves what a framework is doing, and everyone writes using the assumption that cookies are something they can just use. It sometimes looks like everyone except the end user was involved in the development of the situation.

Tepix 11 years ago

First thing you should do when setting up a new browser is blocking third party cookies - unless you're using Safari which blocks them by default.

The number of sites that don't work with 3rd party cookies is very small - whenever I run into one I usually use an alternative site or complain.

DanBC 11 years ago

When cookies were first introduced a number of sensible people had reasonable concerns about privacy.

I'm not sure how we got from there to here - a sub-optimal law and not-great research (81 sites?) all while companies aggressively collect and mine data.

  • JustSomeNobody 11 years ago

    Laziness and greed. But really, it's mostly laziness. If you tell someone cookies are 100% bad because they kill kittens, people won't use them unless they want to kill kittens. If you nebulously say that they might potentially be used to kill kittens at some point in the future, nobody cares.

heeen 11 years ago

You can keep a whitelist of allowed permanent/session/temporary cookies with https://addons.mozilla.org/en-US/firefox/addon/cslite-mod/

  • threedaymonk 11 years ago

    That sounds similar to Self-Destructing Cookies[1], which I'm using. Has anyone tried both and can compare them?

    1. https://addons.mozilla.org/en-US/firefox/addon/self-destruct...

    • harshreality 11 years ago

      The advantage of selfdestructingcookies is that, without any intervention, it allows cookies while the site that set them is open in a tab, but once the tab is closed the cookies are promptly deleted (configurable delay).

      Same with Vanilla cookie manager on Chrome, except I don't think it deletes localstorage, flash cookies, etc because of limitations of Chrome's api for extensions. I think the attitude with Chrome is that you're supposed to use Incognito windows for this purpose.

    • _lce0 11 years ago

      I've been using Self-Destructing along with BetterPrivacy[1] which handles LSO (Flash cookies) that are usually not available in the browser

      1. https://nc.ddns.us/extensions.html

  • aikah 11 years ago

    Or you can block third party cookies altogether. That's what I do, it's a simple setting on Chrome. If it breaks a website, well, too bad, it shouldn't.
