All the Cookies in the Cookie Jar

We are talking about HTTP cookies, not delicious baked goods

I’d wager that I’m probably not alone when I say that I didn’t know much about cookies until a few years ago. Sure, I knew that cookies were something on the internet that came from websites and that people had lots of opinions about them, but that was about it. I’ll even admit that for the last three years of my professional career, I was consumed with GDPR, the EU’s General Data Protection Regulation, and making sure my company was compliant without actually knowing what cookies were. And to clarify, when I say consumed, I mean I was the one writing all those annoying “We’ve updated our privacy policy” emails, setting up the actual pop-up prompts, and telling folks how we should be handling customer data. I won’t knock myself too hard though: I wasn’t trying to be a software engineer then, so I didn’t really need to know much about them. I just needed to make sure my company and our clients were happy.

So now that I find myself at Flatiron, I can happily say that I finally understand what cookies are, how they function, and what they are capable of when used. And let me tell you, they are crazy things…

Cookies are pretty amazing things that singlehandedly changed the landscape of the internet as we know it. Back in 1994, a young software developer at Netscape named Lou Montulli was trying to figure out a way to make eCommerce websites viable. At the time, websites were basically blind and deaf to users: they had no idea who you were, how many times you had been there, or anything else about you. It was like having a conversation with “10 second Tom” for all you Adam Sandler/Drew Barrymore/Romcom fans out there…

So how did we go from eCommerce being a pipe dream to Jeff Bezos, founder of Amazon, being the richest person in the world? You guessed it: cookies!

HTTP cookies, or cookies as they are commonly called, are just small pieces of data, set as key/value pairs, that a server sends to a browser; the browser stores them and sends them back with later requests so the server can recognise the same visitor. It’s what allows you to create a user account on Instagram and then be recognised as you when you log on. Cookies that are set by the website you are visiting are referred to as “first-party” cookies, and they are what make online shopping and general browsing through a website possible and enjoyable. Without these first-party cookies, you would have to sign in again every time you loaded a new page on Facebook, or refill your shopping cart when looking at different items on Etsy. Think of them as the wristbands you get at a music festival or at a dance club. Once you have identified yourself to the security personnel, you are given a token in the form of a wristband that allows you to leave, return and even access VIP spaces without having to prove who you are at every turn. Cookies allow a site to say, “Hey, we know who you are — you’ve been here before! No need for ID checks, just keep having fun.”

This all sounds pretty convenient, so why are people up in arms about cookies recently?

Cookie notices are commonplace now and require you to accept them in order to access the site.

So no one really complains about first-party cookies; people love those. What people are getting really itchy about are third-party cookies and the security and privacy concerns that come along with them.

In terms of security concerns, there are a number of ways cookies can be abused, including session hijacking, cross-site scripting, and cross-site request forgery, to name a few. While these types of attacks are no joke, privacy is really at the center of the recent cookie wars. This is because of “third-party” cookies, or tracking cookies as they are colloquially called.

A snapshot of some first- and third-party cookies set on my browser

Third-party cookies allow domains that you are not currently on to drop cookies via resources that are embedded in the site you are actually visiting. This is most commonly done by ads and sharing icons, but any embedded resource, such as an image or a script file, can do it.

Let’s say, for example, that I’m on a publication website, like Vox, looking through some articles. I don’t click on any ads I see, nor do I even share the articles using the icons for Twitter or Facebook. Regardless, both of these companies have now set third-party cookies that will relay information about my internet habits. If I go to a shoe store’s website immediately after, and that site uses Facebook Pixel for advertising, Facebook is now able to connect the dots of where I’ve been across multiple locations on the internet.
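To make the Vox-to-shoe-store scenario concrete, here is a toy cookie jar (added for this article, not code from any browser or from Facebook) that classifies each Set-Cookie header as first- or third-party and shows which stored cookies travel with a later request. It also goes one step beyond the text and models the SameSite attribute, which is the setting browsers use to stop a cookie from being sent in a third-party context. The URLs and cookie values are constructed, and the "registrable domain" is approximated as the last two labels of the host name.

```python
"""Toy cookie jar: first- vs third-party classification and cross-site sending."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(url):
    """Site a URL belongs to, approximated as the host's last two labels.
    (Assumption for this example; real browsers consult the Public Suffix List.)"""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


class CookieJar:
    def __init__(self):
        self.store = {}  # (site that set the cookie, name) -> {"value", "samesite"}

    def receive(self, page_url, resource_url, set_cookie):
        """Store a Set-Cookie header returned by resource_url while page_url was
        the page being viewed; returns whether that makes it first- or third-party."""
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        party = "first-party" if site_of(page_url) == site_of(resource_url) else "third-party"
        for name, morsel in parsed.items():
            self.store[(site_of(resource_url), name)] = {
                "value": morsel.value,
                # Treat a missing SameSite as None; current browsers default to Lax.
                "samesite": (morsel["samesite"] or "None").lower(),
            }
        return party

    def sent_to(self, page_url, resource_url):
        """Cookies the browser would attach to a request for resource_url made from
        page_url. Simplified SameSite rule: Lax/Strict never go with embedded resources."""
        cross_site = site_of(page_url) != site_of(resource_url)
        sent = {}
        for (site, name), c in self.store.items():
            if site != site_of(resource_url):
                continue  # a cookie only goes back to the site that set it
            if cross_site and c["samesite"] in ("lax", "strict"):
                continue  # SameSite blocks the cookie in a third-party context
            sent[name] = c["value"]
        return sent


def tracking_demo():
    """Constructed walk-through: Vox embeds a Facebook share button, then a shoe
    store embeds a Facebook pixel. Returns the two parties and what each request gets."""
    jar = CookieJar()
    vox, fb_button = "https://www.vox.com/article", "https://www.facebook.com/plugins/share"
    p1 = jar.receive(vox, vox, "vox_session=s1a2b3; Path=/; Secure; HttpOnly")
    p2 = jar.receive(vox, fb_button, "fr=trk9x7; Domain=.facebook.com; Secure; SameSite=None")
    jar.receive(vox, fb_button, "fb_lax=nope; Domain=.facebook.com; Secure; SameSite=Lax")
    shoes, fb_pixel = "https://shoes.example/boots", "https://www.facebook.com/tr"
    return p1, p2, jar.sent_to(shoes, fb_pixel), jar.sent_to(shoes, shoes)
```

Only the `fr` cookie reaches the pixel request from the shoe store: the Vox session cookie belongs to another site, and the `SameSite=Lax` cookie is held back, which is why that attribute matters for both tracking and cross-site request forgery.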

Common social media sharing icons present on most websites. These set their own cookies even if you don’t use them.

What happens next? As I keep traversing the internet, I will most likely keep hitting Facebook cookies that are continuously added to my browser. After inspecting my cookies on Chrome for this article, I had easily over 400 cookies saved, of which a significant portion are from companies I have never heard of, much less visited. All of these cookies help ad companies build profiles of me to better target me for advertising. The more information an ad company has on me, the stronger that profile becomes, which is why ad companies are incentivized to share and purchase this information. This is how you end up with ads following or “stalking” you on every single corner of the web.

Obviously this alone is a big privacy issue, because no one wants to feel like a version of them is being bought and sold for the explicit purpose of making money. What further worries folks is that platforms like Google and Facebook have access to pretty much every piece of information about you: they hold your information in the form of user accounts on their sites, they serve ads to you via Google Ads and Facebook Pixel on sites across the internet, and they drop cookies wherever their resources are used, like sharing icons or maps. That is a lot of data, and it’s pretty safe to say that they might know you better than you know yourself.

If you are terrified by the idea of all these companies tracking such vast amounts of information, the good news is that cookies are just temporary pieces of data that can be deleted from your browser. Of course, this means that you might be throwing out those saved logins to your most frequented sites, or giving up access to some pages altogether.

On a larger scale, governments across the globe have been taking steps to define what rights users have in our modern internet ecosystem. Laws such as the GDPR in Europe and the CCPA provide guidelines on how companies collect, use and share this data, and require them to explicitly ask for the user’s permission (hence the wave of pop-up cookie banners and “We’ve updated our privacy policy” emails). These laws are also defining rights for users and placing ownership of their collected data back in the user’s hands. While these laws originate in specific regions of the world, the internet has no borders, meaning that the laws themselves reach far beyond the regions that wrote them. As someone who worked on this in a past life, I can tell you that companies are treating these regulations as the new standard for data management, because there will be more coming down the road.

All in all, I would say that cookies have illuminated a brand new portion of the world for me, and I’ve only hit the tip of the iceberg. I certainly have a bigger appreciation for my past experience working with these data regulations, a keener eye for what I’m being shown on the internet and the information I willingly give away, and a greater understanding of the larger privacy and human rights issues cookies present.

Below are some wonderful resources that go into greater detail on all things cookie and data regulations:

Software Engineer, volleyball player, lover of tiny houses and all things spicy.