Cookies and trackers

Cookies, and cookie banners or notices have been around for a long time now. These notices are aimed at gaining consent to process personal information but it is often hard to see what that actually means. There are times it must happen, for example to provide a service or a product the company concerned does need to know who you are. But the spread of cookies across the Web has a far more sinister use and is often not understood by the general public.

Consider this: When someone goes to website A and looks for toilet rolls and petrol cans (!) and then goes to website B and is presented with that website’s toilet rolls and petrol cans, this may be because a cookie was set on website A which stored the person’s searches and this cookie can be read by website B. This is what laws such as the DPA / GDPR and PECR aim to get consent for from the person looking, and is why websites need to tell the user what cookies are being used and why. Thus cookie banners. But it ignores some other forms of trackers.

Of course, the general public hate these cookie banners and will just click OK to get to where they want to go. And they rarely see other trackers such as those used by Facebook.

But let’s put this into a real, physical world scenario. Consider two supermarkets, A and B. These are different stores, not in the same chain and there is no association between the two. Shopper A goes to Supermarket A and looks at toilet rolls and petrol cans. They are watched by a member of staff A. Shopper A then goes to Supermarket B but the staff member A rushes out and beats them there. The staff member A tells Supermarket B staff member B what Shopper A was looking at and staff member B meets Shopper A as they enter the store and shows them toilet rolls and petrol cans. Not at all creepy… but exactly what advertisers are using the web for.

Think of it like this. Advertisers traditionally used a variety of media to show adverts. These include adverts in magazines and newspapers, billboards, TV and radio adverts, flyers and direct marketing. Direct marketing – ‘junk mail’ and phone calls are generally regarded in a very poor light. Other forms of advertising target people passively. You may be interested in buying an item and see an advert for one. You may pass a billboard and see something which you might be interested in. It does not specifically target a person, it is a broadcast method simply aimed ‘out there’ rather than at you specifically. But there is no feedback except perhaps where a company carries out a survey or when a product is purchased one is asked where one found the information.

Advertisers changed this model into one that can target an individual by profiling them. A prime example of this is Facebook which uses tracking code on all its links, even the ones shown as actual URLs. An example taken at random for an insurance company has a link which contains a considerable amount of information (this has been stripped as it will contain trackers personal to my own Facebook account):

  • The URL called when the advert is clicked: https://l.facebook.com/l.php – so, already by clicking on what appears to be a company URL one is directed first to Facebook.
  • The target URL, this is the actual URL shown on the advert: u=<REDACTED URL of the target company the advert is for>
  • Information appended to the target URL which will be sent to the company when the URL is clicked. Note the ‘fbclid’ field which presumably contains code that shows it was me, or rather my Facebook account that as displaying the advert when clicked: ?cmp=bsc-bra-brn-fac-3251%26fbclid=<REDACTED>
  • Three more fields follow which are also sent to Facebook. The purpose of these is not investigated further but each contains tracking codes: h=<REDACTED>, __tn__=<REDACTED>, c[0]=<REDACTED>

Thus, by clicking the URL associated with the advert being displayed by Facebook both Facebook and the company concerned will know that it was my Facebook account that clicked, and in the majority of cases one must assume that this identifies an individual.

Another example is a certain cartoon that I read daily. Nowadays, on entry one is presented with a cookie notice with the usual accept or ‘manage preferences’ options. Clicking on ‘manage preferences’ reveals a page where one can either reject or accept all cookies or chose those you will permit. This is all well and good and I will not drill down into the dozens of options and companies to which your data is sent should you allow it. The issue is when one choses the ‘reject all’ option Safari still announces that three trackers were prevented from profiling and Cookie shows that 17 cookies were set even though ‘reject all’ was chosen. So, what did it actually reject? As a test I reloaded and this time accepted all cookies. It still sets 17 but for some reason this time Safari only said it had blocked two trackers.

Let’s be realistic here. Advertisers will try any trick to figure out who you are and what you are interested in. It’s Big Money. Cookie banners only serve to annoy people and there is a tendency to simply click them away. Some websites have a simple message at the top or bottom of the page detailing cookies and even better some do not have boxes pre-checked so clicking the message away does not set the nasties. Other sites have half the screen or an almost whole screen banner that you cannot get past without reading lots of legal notices that are hard to understand at the best of times. And of course others hide the whole process anyway and give no choice. There are technical measures one can take but why on Earth should we?

And for those designers who claim that their website cannot work without cookies… go back to school. I have cookies disabled on my phone for general browsing and so far I have only come across two websites that actually fail to work at all, both of which were hopelessly written. Yes you probably need a cookie for a shopping cart, but to show your home page? Come on.

Potential changes to data protection laws to get rid of cookie notices is a step in the wrong direction. (1) But things are not yet certain. On one hand, perhaps the regulator will do more to promote privacy by saying no, these cookie banners need to go by not setting these invasive cookies at all, rather than just allowing them. On the other hand, and worryingly so, if they simply want to

The government appear to want to get rid of that OK checkbox by changing the categories of necessary data to encompass pretty much everything this is very backwards. The public will see this as a win as the annoying cookie popups will vanish but in so doing will lose control of their personal information and not even realise.

(1) https://www.bbc.co.uk/news/technology-58340333

End to end encryption?

WhatsApp messages are end to end encrypted (E2EE). Messages are encrypted in the app itself before being sent to recipients and WhatsApp themselves point out that they have “no ability to see the content of messages or listen to calls that are end-to-end encrypted.” (1) This is indeed how we understand E2EE.

Ok, all well and good. Except for an event that occurred today. I had sent a message to a WhatsApp group mentioning a particular make and model of car, among a whole stream of general messages. Nothing outstanding there. Imagine my surprise when a bit later on I went into Facebook and was presented with an advert, seemingly at random, for that very make and model of car! I hardly ever see car adverts in Facebook, so this one stands out somewhat.

I have checked the group properties and the app does indeed say that all messages to it are E2EE. I had not activated any other apps in between the WhatsApp message and me going into Facebook.

As far as I can see there are three possibilities here:

  • This was truly a coincidence. That doesn’t feel right…
  • WhatsApp somehow grabbed the ‘car make + model’ string from my message. But it’s E2EE, so no way, right?
  • There is some other channel by where the WhatsApp app stored the ‘car make + model’ string or even the whole chat locally in a way that the Facebook app could access. Now, there’s a though…!

(1) https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/?lang=en

The problem of stats

No, not statistics in itself. The problem I am writing about is website statistics, and it started a long time ago.

Back in the day we simply used web server logs to analyse website traffic. One could see an incoming IP address and see where the associated browser went in the website. This worked well back then as websites were simple affairs and essentially all one big lump. Of course, this was an era when web servers were run almost in the spare time of those few IT (and indeed non-IT) that had any interest in the web. Back then I was not in the central IT team but I was afforded some latitude for experimenting with new things, especially when redundant hardware could be used. It was 1992 and the IMG tag was still in the realm of fantasy.

Later, there were two open source packages that became very popular, one called Analog and the other Linklint. The former produced statistics about website visitors and the latter could be used to check for errors, missing pages for example. Analog could, when provided with valid data estimate which countries visitors were coming from, very useful when your organisation markets itself globally.

Of course, the marketeers desired more. I was once asked to find out where everyone who only looked at our home page went next. Ok, where they visited another of our own web servers this was do-able, but the question was expanded to ask which of our competitors they visited next. This was new thinking, by which I mean thinking that one could not associate with any other media. For example, if the publisher of one newspaper wanted to know which other newspaper a person took after only glancing at their own it would need some form of physical surveillance, or perhaps a questionnaire. Neither would be particularly reliable, the questionnaire in particular.

Enter, stage left, Google Analytics. I had attended a launch event – well of a sort anyway – where a new product was described which would enable one to search all across the web. The name? Google. We had rudimentary search products by this time but nothing like what was being described. Bells were ringing, but rather quietly. I think we could see back then that all of a sudden content has value, just not to us. But, Google search aside we later got wind of Google Analytics ad the bells got louder amongst those of us who could already see future issues.

Google Analytics arrived with two quite major advantages. First, IT people no longer had to do anything, and second, the marketeers would have access to easy to understand graphs. But those of us who had this nagging voice about global surveillance and the fact that a corporate entity would effectively have access to data indicating where everyone browsed were ignored. Fast forward to the later times of the GDPR and the coming soon and already years late PECR replacement, cookie laws and all that and I resist shouting we told you so but we did and it was back in 1994.

Of course, there was still an issue. Ok, we have this useful global search facility now but how do we include local content which is not accessible from outside? Google again to the rescue. I had a pair of Google Search Appliances (GSA) installed, one in each of our main data centres and fronted by a NetScaler appliance. This provided resilience to the loss of a single GSA. Being on our LAN the GSAs were able to spider content that was restricted to local access and which therefore could not be spidered by Big Google. It also provided a useful facility whereby we could rank, to some extent, content and could apply keyword and key phrase matching to direct searches to specific content which would then appear top in the list of results. This little Google was far more friendly, not being bloated by the desire of the mothership to know all things of all people. Perhaps no surprise then that Google eventually retired the GSA product in favour of a cloud based provision. You guessed it, they wanted to know who was accessing all your secret stuff too.

Are we really where we are because marketing people wanted to know everything about everyone and companies, not just Google cashed in on it? Yes, I think so, and you can see just how far by those invasive adverts that themselves continually leverage new technologies to further invade. Remember pop-ups? And then pop-up blockers? And of course the whole cookie debate where a really quite useful facility enabling shopping carts among other things was hijacked in order to track us across webspace. Yeah, those. Remember the good old doubleclick cookie, adware, ad blockers, layers upon layers of this stuff. It is almost all because of marketing.

Advertising is here to stay and I have absolutely no issue with it. Although I generally ignore it I will admit to having seen something advertised that I was unaware of and which actually filled a need. But there is a constant battle between the marketeers and the techies which will continue because all of this, the Internet, the web, email is designed to help us and  be easy to use and to access. And that’s where it all went wrong but it could not really exist any other way.