Re: ONLINE-ADS>> Cookie crumbs
Chris Tyler (chris_at_woodstock.global.proximity.on.ca)
Tue, 10 Jun 1997 09:28:44 -0400
Denman Maroney <denman_at_pipeline.com> wrote:
>
> The article by Whit Andrews in Webweek, to which your AdBytes newsletter
> provided a link, says in part,
>
> "Cookies, a system through which individual users may be uniquely identified
> by Web sites, initially were touted as accessible only by the Web sites that
> issued them. The passage of time showed that networks of objects on
> disparate Web sites could access the same cookie, a technical loophole that
> ad servers exploit to improve ad targeting. "
>
> I never heard this before. Is it true?
Yes (and no)...
(1) It is true that it is only possible to send cookies back to the domain or
host on which they came (at least, when the cookie mechanism complies with the
original spec from Netscape). The default is the exact host from which the
request originates; this can be changed to the second- or third-level domain
(or lower) through the Set-cookie: request header.
The problem is that a web page is a composite of information from various URLs;
thus images on a site can be from a different domain than the page text. This
is how banner servers (such as Doubleclick) work. (I'll pick on Doubleclick here
because they are using tracking in some of the most useful and interesting
ways).
Thus, if you visit 20 different sites which all serve Doubleclick banners, and
Doubleclick sets a cookie when you visit the first site, then they are capable
of tracking your surfing between those 20 different sites. This is because you
keep retrieving information *from the same domain* (Doubleclick's) despite the
fact that you are "visiting" different domains. Doubleclick actually considers
this a Good Thing(tm) because they can avoid sending more than N impressions to
a given browser, and they can sequence ads seen by a particular browser-- e.g.,
do a Letterman-style "Top 10 Reasons", or send a riddle followed by the answer,
even across multiple sites.
(2) It is difficult to have a banner server communicate this tracking
information back to the site serving the pages containing the banner; about the
only way that this cross-reference can be performed is if (i) the site with the
main content sets a cookie also, and then (ii) sends that cookie to the banner
server by modifying the arguments to the query string in the URL of the banner
request, e.g., using an image tag something like
<IMG SRC="BannerServer.BannerCompany.com?CallingURL=http://thisPage&CookieThatThisSiteSet=cookievalue">
... this then requires the image tag to be CGI-generated and the two companies
to later sit down and cross-reference their log files.
Possible, yes; easy, so-so; worthwhile, probably not.
Personally, I think that it's a Win for me that banner companies can track me.
I *do* like ad-sponsored content (I hate to shell out $ for content) so I'm
glad to "put up" with ads; but I'd rather have interesting ads-- so if cookies
can limit the number of impressions of each ad that I see, then I'm pleased.
Likewise, if Doubleclick can determine that I'm surfing from Canada based on my
IP address (they can and do) and therefore serve me ads for services and
products available in Canada, in Canadian dollars, then I'm that much happier.
Note also that most banner systems resort to guessing (about tracking) based on
your IP address if you don't accept cookies. Most of the time, these guesses
are accurate, but only within the same call to your ISP.
A good, simple technical reference on cookies is available on the Netscape site
(http://www.netscape.com/newsref/std/cookie_spec.html); it's marked
'Preliminary' but serves as the canonical reference. Note that many versions of
Netscape accept only the first "Set-cookie:" header in an HTTP response, despite
what the document says.
I recently hosted the Woodstock Business Internet Conference and was fascinated
that there were many, many questions about cookies. The level of fear about
cookies and privacy was quite high, perhaps due to the popular press.
--
Chris Tyler <Chris_at_Global.Proximity.ON.CA>
Global Proximity Corporation http://Global.Proximity.ON.CA/
Internet and Computer Consulting (519) 421-3541 / fax (519) 421-2107
*** Organizers of the Woodstock Business Internet Conference ***
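
Added example, not part of the original message: a small Python simulation of the mechanism described in point (1), showing that a browser returns a cookie only to the host that set it, yet a banner host embedded on several sites still sees one browser id across all of them and can cap and sequence ads. The host names, the cookie names and the cap value are constructed assumptions.

```python
import itertools

def domain_match(request_host, cookie_domain):
    """Tail match: a cookie is returned only to the host or domain that set it."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

class Browser:
    def __init__(self):
        self.jar = {}                      # (domain, name) -> value

    def set_cookie(self, domain, name, value):
        self.jar[(domain, name)] = value

    def cookies_for(self, host):
        return {n: v for (d, n), v in self.jar.items() if domain_match(host, d)}

class BannerServer:
    HOST = "ads.banner.example"            # hypothetical banner host

    def __init__(self, sequence, cap):
        self.sequence, self.cap = sequence, cap
        self.next_id = itertools.count(1)
        self.log = {}                      # browser id -> [(referring site, ad)]

    def serve(self, browser, referer_host):
        sent = browser.cookies_for(self.HOST)      # only the banner host's cookies
        bid = sent.get("id")
        if bid is None:                            # first banner ever: tag the browser
            bid = str(next(self.next_id))
            browser.set_cookie(self.HOST, "id", bid)
        history = self.log.setdefault(bid, [])
        shown = [ad for _, ad in history]
        for ad in self.sequence:                   # ordered ads, each capped at N
            if shown.count(ad) < self.cap:
                history.append((referer_host, ad))
                return ad
        return None                                # every ad has hit its cap

def simulate():
    browser = Browser()
    server = BannerServer(sequence=["riddle", "answer"], cap=1)
    served = []
    for site in ["news.example", "sports.example", "recipes.example"]:
        browser.set_cookie(site, "session", "s-" + site)   # the site's own cookie
        served.append(server.serve(browser, site))         # embedded banner request
    return browser, server, served

if __name__ == "__main__":
    browser, server, served = simulate()
    print(served, server.log)
```

The banner host never receives any site's `session` cookie; the cross-site view comes entirely from its own `id` cookie plus the referring site recorded with each banner request.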