Of Cookie Monsters and Men: The War for Data Privacy

Since the invention of cookies by Lou Montulli in 1995 at Netscape, they have been used with gay abandon in the pursuit of providing to internet-users the best possible experience. At least, that was the intended purpose of the innovation. However, these blocks of data, originally intended to create a consistent experience for users between HTTP requests have become the tool of data monopolies such as Facebook and Google to exploit users for advertising revenue. They have been used for data collection, fingerprinting, and cross-site tracking, invading users’ privacy and holding other companies to ransom, as there does not exist a better way to target consumers and monitor their user analytics. Tracking scripts have been insidiously injected by these companies on other sights as well through the use of Google Analytics tags, and the Meta Pixel.

Cookies are pieces of plain text that contain some data and are passed back and forth between your browser and web servers. There are two types of cookies based on persistence: single session and multi session. Single session cookies are destroyed once you navigate away from the web page on which the cookie is first set, and multi session cookies remain until your browser destroys them, usually a week or two after they are set (Wagner 2020). Cookies can also be classified on the basis of the party that sets them into first party and third party cookies. First party cookies are those that are used exclusively by the website that set them while you are visiting it, and does not track your activity on other websites. These cookies are essential to the experience of surfing the web, as they help you stay logged in and maintain a cart, for example. Third party cookies, on the other hand, track your activity on other websites with the purpose of gaining more information about you, usually for marketing purposes (Wagner 2020).

A New York Times article shows the various cookies, trackers, and IDs that were assigned to a user while surfing the web for a brief period (Manjoo 2019). The roundabout way in which companies identify users without explicitly asking them to identify themselves is baffling and motivates the thought of a better solution than such invasive linkages.

After increasing pressure from law-makers, acts like the EU's GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act) were passed and enacted. However, even these regulatory acts have been ineffective. They require websites to provide Consent Management tools to their users, to allow them to decide whether or not to allow themselves to be tracked, but do not specify how they should be implemented. This has resulted in companies making tracking the default, and blocking trackers and cookies is a friction-filled experience (Matte 2020). Pre-selected choices nudge (and hyper-nudge) users toward the status quo (Matte 2020).

An alternative method to cookie based tracking that has arisen in the recent past is fingerprinting. Fingerprinting uses information like operating system, fonts, and other device-specific settings to identify users without the use of cookies (Rubenking 2022). However, it is far more difficult to identify users in this way, which is a small win in the context of privacy. While fingerprinting does offer some benefit to cookie based tracking in that it provides pseudo-anonymity, the basic philosophy with which the technology was designed remains the same as that of cookie based tracking. It is designed to identify users without their explicit consent or permission.

The adage that ‘data is the new oil’ seems to indicate that companies are extracting value out of a naturally occurring substance. However, this is not the case. The data that drives most, if not all, of their revenue is being stolen from users, who should have a right to own the data that they created. There existed in Europe a similar system where the majority of the population were made to work on platforms that they didn’t own and pay tribute to their superiors. It was feudalism. In a talk given at Harvard, Shoshana Zuboff hinted at the key component in the breaking down of this feudalist system being that of ownership (Zuboff 2022). However, we don’t have a great picture of what data ownership looks like. Data is a digital asset, and the ownership of digital assets, the heart of the blockchain and web3 revolution, is very much in flux at the time of writing. Articles like NFTs and Cryptocurrencies offer a glimpse into what the future of ownership may look like but their volatility and intangibility present serious problems. One thing that data does have over pictures of bored apes is that demand for it from companies is not based on hype or inflated expectations.

However, such ownership would require a behavior change on the part of consumers, as they do not presently see their data as valuable. Artist Risa Puno conducted a social experiment, seeing if people would trade personal information of theirs in exchange for free cookies (Beckett 2014). The experiment was conducted on 380 New Yorkers, out of which more than half allowed the artist to take their picture, just under half shared what they claimed to be the last four digits of their social security, and about a third shared their fingerprints (Beckett 2014). While this is a decidedly unscientific experiment of small scale, it showcases how people perceive the use of their data by companies as harmless, and linked to the obtainment of a free service.

While this 2014 artwork does present a challenge to my hypothesis, I have reason to believe that consumer behavior is changing. A 2021 Pew Research Center report found that over 90 percent of those surveyed thought that they had lost control of their personal data (Peterson 2021). Additionally, over 66 percent were in favor of regulation of advertising companies, and 60 percent were uncertain that the collection of personal information significantly improved their online experiences (Peterson 2021). These statistics highlight the pre-GDPR and CCPA concerns about data privacy. The insidious cookie-based marketing and tracking practices of major tech companies has become increasingly obvious to consumers, and they are unhappy about it.

The relationship between a consumer and a company is heavily influenced by the way in which they communicate (Palmer 2005). There is now a custodial middleman (the data broker) between the consumer and the company that is advertising, and enough companies are making use of this middleman’s services that consumers are wary of their relationship with the middleman, i.e. the company doing the tracking (Google or Facebook).

One solution to the problem of insidious tracking practices is self-sovereign data. Instead of controlling the tracking of users, what if we instead controlled the flow of this tracking data to advertisers. Advertisers can invent increasingly insidious tracking technologies faster than lawmakers can regulate them. This arms race has no logical end. With self-sovereign data, we do not limit the creation of consumers' data, but provide said consumers with the tools to control access to it.

Self-sovereign identity (Soltani 2021) is becoming increasingly popular in the web 3 space. In my opinion, this new primitive of a self-sovereign decentralized identity can replace invasive techniques like fingerprinting and third party cookies and enable self-sovereign data. Single sign-on (usually with Google or Facebook as identity providers) shared across platforms enables great interoperability between products, but only really provides these services with customers’ names and email addresses because that is all they can legally disclose. This is because the identity providers are acting as custodians of the consumer’s data. If instead, the consumer controlled their own data and identity, they could choose to enable greater interoperability for their convenience while also revoking access to maintain privacy.

References

Beckett, Lois. “How Much of Your Data Would You Trade for a Free Cookie?” ProPublica, October 1, 2014. https://www.propublica.org/article/how-much-of-your-data-would-you-trade-for-a-free-cookie.

Peterson, Andrea. “Americans Believe They Live in a Privacy Dystopia, Report Finds.” The Washington Post. WP Company, December 6, 2021. https://www.washingtonpost.com/news/the-switch/wp/2014/11/12/americans-believe-they-live-in-a-privacy-dystopia-report-finds/.

Rubenking, Neil J. “You Tossed Your Cookies but They're Still Tracking You; Here's How to Hide Your Browser Fingerprint.” PCMAG. PCMag, October 17, 2022. https://www.pcmag.com/how-to/you-tossed-your-cookies-but-theyre-still-tracking-you-heres-how-to-hide.

Palmer, Daniel E. “Pop-Ups, Cookies, and Spam: Toward a Deeper Analysis of the Ethical Significance of Internet Marketing Practices.” Journal of Business Ethics 58, no. 1-3 (2005): 271–80. https://doi.org/10.1007/s10551-005-1421-8.

Wagner, Paul. “Cookies: Privacy Risks, Attacks, and Recommendations.” SSRN Electronic Journal, 2020. https://doi.org/10.2139/ssrn.3761967.

Zuboff, Additional Authors:Shoshana. “Digital Feudalism: The Future of Data Capitalism - Shoshana Zuboff.” Harvard Kennedy School, October 18, 2022. https://www.hks.harvard.edu/centers/mrcbg/programs/growthpolicy/digital-feudalism-future-data-capitalism-shoshana-zuboff.

Manjoo, Farhad, and Nadieh Bremer. “I Visited 47 Sites. Hundreds of Trackers Followed Me.” The New York Times. The New York Times, August 23, 2019. https://www.nytimes.com/interactive/2019/08/23/opinion/data-internet-privacy-tracking.html?smtyp=cur&smid=tw-nytimes.

Matte, Celestin, Nataliia Bielova, and Cristiana Santos. “Do Cookie Banners Respect My Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework.” 2020 IEEE Symposium on Security and Privacy (SP), 2020. https://doi.org/10.1109/sp40000.2020.00076.

“Orchard: Differentially Private Analytics at Scale - Usenix.” Accessed October 24, 2022. https://www.usenix.org/system/files/osdi20-roth.pdf.

Soltani, Reza, Uyen Trang Nguyen, and Aijun An. “A Survey of Self-Sovereign Identity Ecosystem.” Security and Communication Networks 2021 (2021): 1–26. https://doi.org/10.1155/2021/8873429.