Would Exchanging Cookies Defeat DoubleClick?

An Anonymous Coward asks: "After reading all the articles on cookies, DoubleClick, etc., an idea occurred to me and i thought i'd throw it out to the community to comment/flame and/or hopefully implement: since privacy is compromised because cookies *correlate* you with where you've been and other info, would it be feasible to host a "cookie exchange" server and application? e.g. you'd run this app before you surf, and it would reach into your browser cookie jar and *exchange* your DoubleClick cookie with somebody else's who is also running Cookie Exchange. Repeat for each site you wish to remain anonymous for. It seems that this would be more effective than disabling cookies, as it would mess up DoubleClick's correlations and tracking - you'd never have the same profile from day-to-day!" While an interesting thought. It doesn't exactly address the problem. I can imagine this making even more SPAM because one user's tracking profile now contains useless information from someone else's cookies. Would this be a good idea or even a fun way to protest DoubleClick?

IP logging and Dial-Up customers? Think again.

[NKJensen]

I never get the same IP number when I dial up the ISP. The said filter will not work with any dial up user, or am I missing a point here?

Sounds good to me!

[Tairan]

This idea sounds pretty good! No matter what we do, marketing gurus will always find some way to collect new user data. Advertising people live by the data they collect. They have to prove their use! If we can effectively destroy their databases, then no one will believe them. The only drawnback I could see, would be Doubleclick taking the results as fact, and using that to get more people to sign up under its campaign, giving us more spam. (check out some preliminary figuring I did over at my site. Tell me if you see any major flaws in my math) Still, I am interested in helping set something like this up. Any other takers? Send me an email at john@johncglass.com if you are also interested!

Pointless

[cperciva]

Doubleclick keeps track of IP addresses. If their computers see someone connecting from random IP addresses all over IPv4-space (ie, not from within a pool of modems belonging to a single ISP), they will mark that "user" as bogus.

There is absolutely no difference between playing cookie-exchange and simply disabling doubleclick cookies.

Re:Pointless

[Zan+Thrax]

Well, it'll make them implement said filter, wonder how long ago their data was first corrupted, cause customers to ask if the data isn't now useless, and generally be annoying. There are differences, they may not be important to you or to me, but some people may consider them of enough value to create such a gizmo...

Why take it that far?

[ArcticChicken]

That really seems like a lot of unnecessary effort. I edit my cookies file by hand once every month or so and screw around with the entries I don't care for - randomizing the hex values, exchanging FALSE values for TRUE, etc..

Worst case, I figure this creates a mess at their end of things when invalid data turns up (that I'm sure they just ignore and reset). Best case is what I've had happen a few times - something I change gets interpreted correctly and all of a sudden I start seeing ads for stuff that's just ridiculously off-target for me. As a 24 year-old male techie, it's a bit amusing to suddenly find yourself bombarded with women's jewelry ads, expectant mother products, etc..

Well, it would make cookies more useful...

[satch89450]

The proposal would poison DoubleClick's database. This would force DoubleClick to separate its banner-ad operation from its tracking operation...and then guess how long it will take for HTTP proxy packages to start filtering the 1x1 (or smaller than 8x8) GIFs.

Count me out, though. I block all the DoubleClick domains I can in my DNS server, and I see no reason to unblock those domains.

Slashdot occasionally has doubleclick ads

Watch the skies, or, alternatively, the top of your page in slashdot and check the URL. Doubleclick occasionally appears. Cheers, slashdot.

Well, ALMOST no diff.

[twisteddk]

I will agree as far as to the fact that to DoubleClick, this will make little or no diff, unless you REALLY try hard to avoid their detection (by only excahnging with the same 3-4 people all the time for a while, then slowly altering Your pattern to something else, or simply exchange the CONTENTS of the cookie in which case DoubleClick WOULD be screwed, as the IP would be the same, but the recorded "habits" change all the time).
However, for those of us who can now truly say: "Doubleclick thinks I'm bogus.. Yeah" there IS a difference, namely that we should no longer be counted as "reliable info" which at least keeps us out of their "target group" or whatever. And at the same time make us feel better, knowing that we've done our bit to make the world safe from democracy (pardon the pun).
Personally, I think that it would be much more efficient to mess with their data, but seeing as the number of people who would participate in a venture such as this would probably only mess up so small a percentage of their DB that they'd hardly notice, then what's the point ? I mean those of us who object are also the same ones who knows how to do something about the problem. WE are NOT the ones that give them accurate data by keeping the cookies. Like so many others, I just delete mine after a while.
No if we REALLY want to do something about DoubleClick, it should be transparent to the user. Something more like a "cookie-virus" that would mess up peoples double-click cookie without them knowing. This could easily hit a VERY large part of their users, and SERIOUSLY corrupt their data. Ofcourse having the cookie look into a "legit" cookie-excahgne DB to find new intresting values might not be a bad idea, in which case this program/DB would be nice to have.
But all in all.. The program on it's own is not worth much... Not ANYTHING really.

Re:Well, ALMOST no diff.

This would be an interesting experiment for a small program (perl script would be my first choice, but how many windows users have perl installed) that you configure to scramble cookies, and while we're at it, lets modify those ip address fields to someone we all don't like, let's use JonKatz's private IP addr as an example, double click will send the trafic and the message queue on his system may crack, DDOS over port 25, I love it

cool idea, but probably not helpful

[evil_deceiver]

I agree with what others have said; this is a pretty nifty idea but would ultimately just force DoubleClick et al. to implement a workaround. All they'd have to do would be to add some data to the contents of the actual cookie that says "this cookie really came from DoubleClick". Then we'd have to find that field and tamper with it, and then they'd find some other workaround, and so on. Plus, giving a site someone else's cookie might cause the site to display incorrectly, in some cases. And if you mind cookies, but you don't mind broken sites, well, then just turn cookies off.

A Cookie Corruptor....

[scotpurl]

What we really need is two things:

1. The cookie equivalent of RBL or ORBS. Some list of bad-guys. (Yeah, I know about JunkBusters. Tried it, but it was clunky.) It should work over the 19.2 and 28.8 connections I'm plagued with at hotels.
2. A little program or plug-in, that when evil attempts to store 1k of information on my computer, it crushes the cookie, and returns completely random information. But nicely formatted random information.

I'll settle for #2. I guess I know what program I'm going to be starting on. :-)

It would be nice for the cookie alert pop-ups most browsers had two more buttons: "Always Accept from This Domain", and "Ban EVERYTHING from This Domain".

I don't want the cookie, the traffic, the graphic.

Re:A Cookie Corruptor....

[dave_d]

The latest Mozilla milestone has this also. It's pretty nice.

Re:A Cookie Corruptor....

[Hynman]

Mozilla (16+ i know from personal exp) allows cookie refusal like that, except you have to tell it what cookies to ban.

Re:A Cookie Corruptor....

[Rob+Kaper]

It would be nice for the cookie alert pop-ups most browsers had two more buttons: "Always Accept from This Domain", and "Ban EVERYTHING from This Domain".

You'll like the new KDE Konqueror browser. The two actions "reject" and "accept" have three options "all cookies", "all cookies from this domain" and "this cookie only". Works real nice.

Whenever I see anything ad related, it's reject for the entire domain. And sites I _do_ trust get a permanent clearance.

Re:Why go through the trouble..

[Sir+Nimrod]

Part of the problem is that the opt-out isn't forever. I have a cron job running that alerts me when my DoubleClick cookie changes away from OPT_OUT. I think I get at least one hit a week; when I look, the cookie has changed from "OPT_OUT" to "A".

What's happening here? I've heard that client-side Javascript can change cookies, and that some sites use older scripts that don't know about OPT_OUT. Regardless of why it's happening, the important this is that it does happen.

So why "A"? Probably just a bug in the script. I haven't let it sit around to see what happens to it; I just flip it back ASAP.

My solution is slightly kludgy. I have two Perl scripts:

• The first prunes my cookie file of any entries with suffixes I haven't specified.
• The second resets my DoubleClick cookie to OPT_OUT and randomizes my Preferences.com cookie. (They have no opt-out.)

I'd like to run this at least once a day, but I have two problems:

1. I run an HP-UX workstation that doesn't require rebooting.
2. Netscape doesn't crash that often, so I'd have to shut it down to change its cookies.

(Okay, these are "problems" only in relation to the issue at hand.)

So right now, I run the scripts when I get warned that my DoubleClick cookie has changed. As I said, that usually means at least once per week. Not ideal, but I can live with it.

well

[nomadic]

Even if they implement a workaround, we could just implement one around that. Do you really want to admit that we're not smarter than a bunch of advertising executives?
--

Why go through the trouble..

Just go to http://www.doubleclick.net/optout/def ault.asp and it will set a blank cookie to disable tracking on your client. If you wanted to, you could setup a proxy for your entire company that would send that cookie for all request.

Besides that, I could never understand why people cared about such things.. After all - would you rather see an ad for something you don't care about, or something that supposedly might be interesting for you? (And no, don't give me "I would rather see no ads at all" - people who create the very sites you are visiting do need to get paid)

Re:Why go through the trouble..

[Royster]

Preferences.com now has an opt-out (the cookie name is "PreferencesID" and the value is "OPT-OUT" in the root path, if you want to set it manually).

I don't get it. People know not to reply to "opt-out" spam. Why would I want to put an opt-out cookie in my browser? I just don't trust Doubleclick.com or Preferences.com that much.

I browse with cookies set to ask (and reject if from different domain if that's available) and I use the Esc key (or the N key in IE) to reject cookies. Sites with too many cookies are ones I don't visit much. I'll sometimes accept a cookie valid only for the session, but I'm very unlikely to accept a persistant cookie especially one with an expiration date out in 2047.

Re:Why go through the trouble..

[toh]

Preferences.com now has an opt-out (the cookie name is "PreferencesID" and the value is "OPT-OUT" in the root path, if you want to set it manually).

There's no secret Javascript method required to change a cookie - the ad server could change the opt-out one into something else on any connection. If you do want to prevent these cookies from being changed without your consent, just edit your cookie file to contain those few cookies you actually want (probably the opt-outs, plus a few auto-login cookies like your slashdot one), then make the file read-only. Session cookies will still work fine, since they're only ever set in memory anyway. When you want to set a new persistent cookie just make the file temporarily writeable. Note that you can also do this without ever setting any opt-out cookies and get more-or-less the same result that the Ask Slashdot question is looking for, since you'll then get a new "persistent" cookie for each new browser session, and Doubleclick et al will get a very inflated database full of distinctively uninformative microusers. I prefer the opt-out since it should prevent them from ever tying those microusers to any real-world identifying info, in case I ever let some leak.

This works on any version of Netscape (Unix, Mac, Windows) and with some Resedit shenanigans ("Lock" & "Protect" the cookies resource in the Internet Preferences file) on the Mac version of MSIE. Dunno if there's a registry hack to do it under Windows IE, probably not.

Re:Why go through the trouble..

[toh]

I don't get it. People know not to reply to "opt-out" spam. Why would I want to put an opt-out cookie in my browser? I just don't trust Doubleclick.com or Preferences.com that much.

Uh, because it's a completely different issue? I don't trust them any more than you, but you don't need to because you can see the contents of the only cookie you'll get from the domain in question (a literal "opt-out" or something similar), see that it's not capable of identifying anyone uniquely, and see that once it's set you receive no other cookies from that site (not even session cookies). At least you can with a browser that allows you to easily see the current in-core cookie set, like Mac IE or iCab (and perhaps Opera). Cookies are a darn useful tool if they're not abused, and this at least allows you to prevent that abuse from these sites. The only real criticism is that the default should be no tracking at all, and those who want "personalised" ads should have to opt in, but that's a pipe dream for the foreseeable future and this will have to do. In fact I manually lengthen the expiry date of some opt-out cookies, since they're sometimes designed to require periodic reopt-out and that sucks - the whole point is to not have to deal with cookie dialogs and other wasted time.

Funny, but worth it?

[sonnerbob]

Pretty funny idea...similar to the game of swapping grocery store discount cards. (see this USAToday column)

But beyond amusement, this wouldn't serve much purpose IF you could pull it off. On a large enough scale, it might amount to a form of protest, but why? Okay...Doubleclick has become the poster child of the profiling evil empire. And now Coremetrics has received the brunt of the privacy policy ignorance of its clients, putting the spotlight on third party data-mining. In either case, cookies represent an essential tool to get their jobs done. If you don't like it...your options are simple:

• Configure your browser.
• Use a local proxy or filter. Adsubtract is a good one. I like Proxomitron.
• Use a browser "companion". IDcide works well. It's free.
• Use a proxy service that manages cookies like Privada or Freedom (yep, sneaking my affiliate ID in that URL). Zapada is a clever Java applet approach to keeping Doubleclick et.al. out.
• Periodically clean out your cookie files, either manually or using any number of file tools like Webroot's WindowWasher.
• Just install Doubleclick's opt-out cookie. I've assembled the URLs in one convenient location at http://webveil.com/optout.html.
• Or physically edit your cookie file/directory to be read only...after installing the cookies you want in order to get personalized service...like here at Slashdot.

Cookie angst is so overwrought, but if they bother you...whip 'em into shape. You certainly have options. An exchange system would be interesting and entertaining, but enough to be worth the effort? I'll participate if someone does the work, but I think there are better uses of your programming time.

but that's the long way around...

[invenustus]

Wouldn't it be easier to have a little perl script (or executable for mac and win users) to run at startup of the OS or browser that would just delete or scramble the doubleclick cookie? What do you gain by exchanging?

read-only cookie file

[beagle]

This works in both UNIX and Windows. Make your cookie file read-only. I have my NY Times login, my slashdot login, and my OPT_OUT DoubleClick cookies in my read-only cookie file.

What other cookies do I need? I have my browser set to accept all cookies, so I never get bothered with the "accept this cookie?" prompt, but I never have to trim my cookies file either because it's read-only.

Now, when I -do- want to keep a cookie, I unfortunately have to shut down Netscape, chmod the file, and restart, but it's an extreme rarity that I actually want to add a cookie to the file.

If you wanna have more fun with DoubleClick and the like, do what I did above, but remove the DoubleClick OPT_OUT cookie. That way, each individual browser session (e.g. every separate time you run Netscape) will get a unique DoubleClick cookie, but you can't be tracked between sessions because the cookie won't be saved.

Re:read-only cookie file

[toh]

You shouldn't actually need to shut down Netscape. Just make the file writeable, cause the cookie (or any cookie) to be set, and make it read-only again. Opening and closing the preferences dialog may also cause the persistent cookie store to be rewritten, though I haven't tested that.

I've been advising concerned people to lock their cookie files/resources for at least three years; glad to see it's finally catching on. ;)

The best way to block ads (no extra software requi

[Echo|Fox]

http://209.204.196.48/hosts.zip Grab that file. On a Windows box, find the directory that your HOSTS.SAM file is, and extract the HOSTS file in this ZIP into that directory. With modification, you could use it on a *BSD or Linux box. It's a BIIIGGG list of most of the known ad servers in the world, and from my experience, it gets almost all of them. A friend of mine from IRC found a small list, and added his own additions to it and passed it around, and as a result, I haven't had to look at a banner ad in a long time. Basically what it does is override the IP->host mapping with 127.0.0.1 (i.e. localhost) for all known adservers ... so you get almost the same effect as junkbuster or whatever, but without needing to use proxy software, and its instaneous, no lag.

Mozilla style with cookies

[blakestah]

This is one area where mozilla has it done properly. Mozilla allows you to accept or reject cookies on a domain name by domain name basis, and remember the decisions.

I use a very simple criteria. If the cookie will do me substantial good, I will accept it. Thus I accept cookies for sites with passwords and logins, and customizable content. I never accept cookies for advertisements like doubleclick.

The beauty of it shows up in the remembering sites part. I only need to refuse a doubleclick ad once. Then it is bit-bucketed forever.

Your browser should do things that are in your best interest, such as the way mozilla handles cookies.

Does yours ?!

Re:The best way to block ads (no extra software re

[chowda]

rad... I just cut and pasted that list into my /etc/hosts file in linux... works great! thanks for the list! it would be cool to have a list like this in a db people could add to..

Re:The best way to block ads (no extra software re

[chowda]

does anyone know what the performance ramifications of a 200 line hosts file is under linux?