Net Marketers Worried as Cookies Lose Effectiveness
Saint Aardvark writes "The Globe and Mail reports that Internet marketers are worried about the decreasing persistence of cookies. Almost 40% of surfers delete them on a monthly basis, says Jupiter Research -- a fact one marketer attributes to incorrect associations with spyware and privacy invasion. United Virtualities' Flash-based tracking system is mentioned as a possible substitute...though they don't mention the Firefox plugin that removes them, or talk in any meaningful way about why people might want cookies gone. Still, the article is a good overview of life from the marketer's perspective."
Going to play the devil's advocate here, because I know how most of the rest of you feel:
I used to be the web architect for a .com a few years ago. I created a custom metrics program that integrated into our (also custom) ecommerce application. To track users, I gave them a single, persistent cookie that contained only a GUID. I used this information to determine our conversion ratio (number of visitors to buyers), figure out the top paths through the site, determine percentage of traffic that was return visitors, etc.
All this stuff was entirely anonymous unless they purchased something from us. But, even then their site history was really only incidentally linked to their contact info because we never correlated the data together. Why would I? Knowing that "John Smith" visited our site 3 times a week isn't really any more insightful than knowing that "User #5233258" visited us 3 times a week. The data was only useful in aggregate. For example, knowing that the last page 20% of people visited was our contact page, yet only 10% of those people actually submitted the form would make me reevaluate that page. Maybe the contact form wasn't very user friendly? So, I'd tweak it and then recompare the metrics.
The whole point of my tracking was to better serve our visitors and eventual customers. I wanted to make it easier for them to do what they came to our site to do. Or it would help us target our advertising more effectively. If a lot of people clicking through from a banner ad we had on Site A tended to buy Widget B, we'd decide to modify the banner ad to specifically highlight Widget B. Maybe my attitude is different than most, but I can't be unique. I never looked down upon our visitors, feeling that I was herding cattle together to be slaughtered, or at least ripped off. Quite the opposite. These visitors wanted to be on my site, elsewise they wouldn't have dropped by. It felt pretty cool that so many people were coming to a site that I was responsible for managing. These people were supplying my paycheck and I had to make sure that they preferred our site to our competitors'. If a lot of visitors deleted that single cookie I used, that made that job much more difficult.
Does that still make me evil?
Entrepreneur : (noun), French for "unemployed"
I don't delete 'em. I log in to various sites that use them (that I want to use them), then I close the browser and then make the cookies.txt file read-only (chmod or chattr, or attrib). Get the benefit for sites I want the customizations on, don't get the tracking
Don't blame me, I voted for Kodos
Cookies were intended to allow sites to serve users by providing a convenient method of preserving client-side state.
They're intended to do legitimate things like let a site remember who you are so you don't need to log in every time you visit it, or assign a transaction code to make it easy for things like shopping carts to work... and prevent you from double-ordering if you click the "Order" button twice.
They were never intended for the purposes to which marketers have misappropriated them.
It's just another example of information being ostensibly collected for a purpose the user approves of, and then being secretly used for purposes the user is unaware of and might not approve of, and it justifiably makes people angry.
"How to Do Nothing," kids activities, back in print!
How many visitors are on an old dial up connection or connecting via proxy? I.P. numbers simply aren't a reliable way of providing usage statistics.
I keep 3rd party cookies blocked... that keeps everything nice and clean.
For the layman, the way these tracking cookies work is when you're visiting site A, site A has a banner from site Z. If you have 3rd party cookies enabled, not only can site A set a cookie to your hard drive, so can site Z. Now, you go to site B which also uses site Z's ads... and site Z can see you were also at site A. Block 3rd party cookies however, and you can't get a cookie from site Z unless you actually VISIT site Z.
Disabling 3rd party cookies lets you keep their useful functions (login information at ebay, etc) and restrict the illegitimate ones (tracking my usage).
Mike Healan from Spywareinfo.com has a good article about cookies and their spyware-esque function here: http://www.spywareinfo.net/july20,2005#cookies
To err is human, to really foul up requires a computer
Cookies don't track which sites you go to. A cookie has a domain that it actually is assigned to. When you visit that domain, the web browser sends that cookie to the server. If I go to amazon.com and they put a cookie on my system, then the only people who can look at it is amazon.com. They can't tell that I also went to overstock.com and looked at books. And overstock can't tell that I've been to amazon.
The only time they can get this information is if a third party has an Ad, or some other content on both sites (which is what makes cookies from ad sites more dangerous).
So really, when you go to the gas station, the attendant doesn't have to put a tracking device on your car. Just record your license plate (after all, isn't that all a GUID is?) Your car always has its license plate, and so they can see who it is. Then they can track your usage at the gas station.
Cookies can provide useful information to the site developer. You like visiting well designed websites right? Getting information that will help you streamline the site is a good reason to track those statistics.
You are being too paranoid. Get adblock, only allow cookies to be set by the originating website and use a hosts file that blocks most ad sites and then you won't have to worry about it.
Don't count your messages before they ACK.
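The third-party cookie mechanism described in the two comments above (site Z's banner on sites A and B, and a cookie being returned only to the domain that set it), as an added example that is not part of the original thread. The host names, the `uid-N` identifiers and the exact-host matching rule are assumptions made for the simulation.

```javascript
// Minimal model of a browser cookie jar and one ad server ("site Z").
// Simplification: exact host equality stands in for real cookie domain matching.
class AdServer {
  constructor(host) { this.host = host; this.nextId = 1; this.log = []; }
  // Serve a banner: reuse the identifier the browser sent, else mint a new one.
  serve(cookie, embeddingSite) {
    const id = cookie ?? `uid-${this.nextId++}`;
    this.log.push({ id, seenOn: embeddingSite });
    return { setCookie: id };
  }
}

class Browser {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // host -> cookie value
  }
  // Load a page on `site` that embeds a banner served by `ad`.
  visit(site, ad) {
    const thirdParty = ad.host !== site;
    const allowed = !(thirdParty && this.blockThirdParty);
    const sent = allowed ? this.jar.get(ad.host) : undefined;
    const res = ad.serve(sent, site);
    if (allowed) this.jar.set(ad.host, res.setCookie); // blocked: never stored
  }
}

// Group the ad server's log by identifier: which sites can it tie together?
function linkedSites(ad) {
  const byId = {};
  for (const { id, seenOn } of ad.log) (byId[id] ??= []).push(seenOn);
  return byId;
}

// Constructed browsing session: site A, then site B, then site A again.
function simulate(blockThirdParty) {
  const z = new AdServer("site-z.example");
  const browser = new Browser({ blockThirdParty });
  for (const site of ["site-a.example", "site-b.example", "site-a.example"]) {
    browser.visit(site, z);
  }
  return linkedSites(z);
}

console.log("third-party cookies allowed:", simulate(false));
console.log("third-party cookies blocked:", simulate(true));
```

With third-party cookies allowed, all three page views land under one identifier; with them blocked, each banner request gets a fresh identifier that is never returned, so the cookie no longer joins the visits.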
Alright, fine. Some types of cookies can be easily exploited, but there is one type of cookie that you DON'T want to turn off (and don't want people in general to turn off), and that is the session cookie.
All this 'anti cookie' propaganda is really getting out of hand. Session cookies are a great way to securely identify a series of otherwise unrelated requests as belonging to the same session. By turning off cookies one is also disabling this very valuable feature.
"But it doesn't matter" you say, because web sites can use URL rewriting instead. Well, think about it:
* If URL rewriting is used, exactly how is this better, from a privacy stand-point, than a session cookie? The exact same information is propagated, so nothing is gained in terms of privacy. In addition, the "evil" people whom everybody is presumably trying to prevent from tracking a user's session can also use this technique.
* On the issue of security and technical convenience however, you are making it worse. URL rewriting is inherently less secure in the face of 'accidents' such as pasting a link (which the average joe won't understand contains sensitive information) to a work colleague sitting behind the same NATing gateway. And how about referrer URLs making it into web server logs? (There is no guarantee that the session identifier is encoded such that a security conscious browser can spot it, and refrain from sending it as part of a referrer URL to another web server.)
Overall, session cookies are vastly superior to URL rewriting in a number of different situations. But this overzealous anti-cookie paranoia is forcing people to use URL rewriting *anyway*. In trying to increase privacy, it has actually been lessened - along with security!
Just to give one example of how the ACP (anti cookie paranoia) can interact with web pages: I was recently involved in a situation where some browsers would disable cookies (even session cookies) for requests that were made as part of an IFRAME on a page hosted on another domain (presumably for privacy concerns). This resulted in, for practical purposes, a total inability to use cookies on that site. URL rewriting is now used instead, to the detriment of security and privacy.
/ Peter Schuller
--
peter.schuller@infidyne.com
http://www.scode.org
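The referrer leak raised in the comment above, as an added example that is not part of the original post: a check a site operator could run over access logs to find session identifiers arriving in referrer URLs. The log lines are constructed, and the list of session parameter names is an assumed starting set.

```javascript
// Constructed access-log lines (combined log format) as recorded by a
// third-party server; the quoted field after the byte count is the referrer.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Aug/2005:10:00:01 +0000] "GET /banner.gif HTTP/1.1" 200 512 "http://shop.example/cart;jsessionid=A1B2C3D4E5?item=5" "UA"',
  '203.0.113.8 - - [10/Aug/2005:10:00:02 +0000] "GET /banner.gif HTTP/1.1" 200 512 "http://forum.example/view?topic=12&PHPSESSID=deadbeefcafe" "UA"',
  '203.0.113.9 - - [10/Aug/2005:10:00:03 +0000] "GET /banner.gif HTTP/1.1" 200 512 "http://news.example/story/42" "UA"',
  '203.0.113.9 - - [10/Aug/2005:10:00:04 +0000] "GET /banner.gif HTTP/1.1" 200 512 "-" "UA"',
];

// Assumed starting set of parameter names that commonly carry a session id.
const SESSION_PARAM = /^(jsessionid|phpsessid|sid|sessionid|session_id)$/i;
const REFERRER_FIELD = /"[^"]*" \d{3} \S+ "([^"]*)"/;

// Return every session-like parameter found in one URL, in the query string
// or as a servlet-style path parameter (/page;jsessionid=...).
function sessionParamsInUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return []; } // "-" or malformed referrer
  const hits = [];
  for (const segment of url.pathname.split("/")) {
    for (const part of segment.split(";").slice(1)) {
      const [name, value = ""] = part.split("=");
      if (SESSION_PARAM.test(name) && value) hits.push({ site: url.host, name, value });
    }
  }
  for (const [name, value] of url.searchParams) {
    if (SESSION_PARAM.test(name) && value) hits.push({ site: url.host, name, value });
  }
  return hits;
}

// Scan log lines and report leaks with the token truncated, so the report
// does not itself become a second copy of the credential.
function findLeakedSessions(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = REFERRER_FIELD.exec(line);
    if (!m) return;
    for (const { site, name, value } of sessionParamsInUrl(m[1])) {
      findings.push({ line: i + 1, site, name, token: value.slice(0, 4) + "..." });
    }
  });
  return findings;
}

console.log(findLeakedSessions(SAMPLE_LOG));
```

The two URL-rewritten sessions are flagged, while the page whose session lives in a cookie leaves nothing in the referrer to find.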