Research To "Reveal the Unseen World of Cookies"

An anonymous reader writes "The Guardian newspaper has teamed up with Mozilla to research the monitoring of online behavior through cookies and other web trackers. After downloading the Collusion add-on for Firefox, you can generate a visual representation of all the cookies that have been downloaded which are linked to the sites you have visited. This shows quite an interesting picture. The Guardian staff then want the data from Collusion to be uploaded to their site, after which they say 'we can build up a picture of this unseen world. When we've found the biggest players, we'll start tracking them back — finding out what data are they monitoring, and why.'"

Great Idea

[thesaintar]

I hope implementing it in the right way (with publicly accessible statistical and analysis methods) will shed some light into how we're being tracked. Is there an equivalent of Collusion for Chrome?

Re:Great Idea

[WrongSizeGlass]

Is there an equivalent of Collusion for Chrome?

I believe it's called Google Ads ;-)

Re:Great Idea

Who goes on the internet to BUY porn?!

Re:Great Idea

You mean those ads which are displayed on all browsers and are in no way tied or targeted to Chrome?

Either you're a troll or that was a bad joke.

It's interesting to me how someone joking around is considered a 'troll' to you. You are what is wrong with /. these days. 'Troll' is the new 'I disagree with you'.

Did he REALLY evoke an emotional response from you by saying what he said? Did it truly upset you to the point where you were incensed and bitter over his words? If so, then maybe he is, indeed, a troll. Otherwise, shut up.

Re:Great Idea

[tehcyder]

I'm not saying they might be trolling because I disagree. I said it because the entire premise of the joke is factually without basis.

Hate to break the news to you, but jokes don't have to be factually accurate or even vaguely plausible.

You seem to have issues with people criticising Google in a humourous way. I suppose at least you're not an Apple fanboy, but a Google fanboy isn't much better.

Get over it, they're computer companies not our Lord Jesus Christ.

How to get rid of them

[GameboyRMH]

On Firefox, disable HTML5/DOM storage, install CookieMonster 1.5 and BetterPrivacy.

Pot kettle spy.

[FatLittleMonkey]

we'll start tracking them back — finding out what data are they monitoring, and why.

Well, here's my contribution;

The Guardian page in the link has six trackers:
24/7 Real Media
Audience Science
ForeSee
Maxymiser
Optimizely
Quantcast

I don't know what any of them do, and I blocked them all. Fuck 'em.

Re:Pot kettle spy.

[Lucky75]

I actually see 9:

24/7 Real Media
Audience Science
ForeSee
Google Adsense
Maxymiser
Omniture
Optimizely
Quantcast
Twitter Button

Re:Pot kettle spy.

[FatLittleMonkey]

Story of my life. I brag about having 6, and the other guy has 9.

Re:Pot kettle spy.

[bfree]

You missed some more!

googleapis
simplifydigital
guim
llnwd
ophan
ytimg
youtube
quantserve
wunderloop
revsci
cogmatch
imrworldwide

I'll leave it as an exercise for the reader to de-dupe the above list (e.g. quantserve Vs quantcast and ytimg Vs youtube) and decide for themselves which ones are innocuous.

I didn't even bother to let any of them run any javascript to discover what else they might try to sneak in. I'm also willing to bet I missed something.

You have to love the "obfuscation" and attempts to get past blocking, from the simple noscript web-bugs to

document.write('<scr' + 'ipt type="text/javascript"

Re:Pot kettle spy.

Hi,

I'm the Guardian journalist working on this.

Unsurprisingly, if you install Collusion after reading an article on The Guardian, you tend to log cookies that our website sets. So we're noticing quite a few of the trackers we use on guardian.co.uk turn up in the project. :)

We're ok with that - better to be open that our website uses cookies for registration, analytics and advertising (just like most others!), than pretend or hide away the fact. Actually, we did another article on the same day showing how we use them: http://www.guardian.co.uk/technology/2012/apr/13/new-law-cookies-affect-internet-browsing.

The ones in that list above are a mix of third-party advertising cookies, analytics and A/B testing (so I'm learning!).

When it comes to the data we're going to try and get from the Collusion info - we can't really infer much about what behaviours have been tracked from the exported data. However, it gives us a nice long JSON string that associates certain cookies as being set when visiting certain sites. At the moment we're using that to find out how many instances of each type of tracker we're seeing across multiple sites.

We're then going to take the most prolific ones and find out more about what they do, who owns them, how they work, etc. However, we're going to be using old-fashioned journalism to do that - research and phone calls.

However, I was thinking of putting up open documents like this: https://docs.google.com/document/d/1lCp8H9i-MJwyORj_MOZflH6BCt9j6HIbQkyS2536knM/edit
so you could see where I'd got to and put me right if I was going off track (as it were). Good idea? Bad idea?

Joanna.

Re:Pot kettle spy.

[SpaceLifeForm]

You will all see different cookies because they are coming from various machines on the net. Upstream intermediates are inserting them on the fly.

Re:Pot kettle spy.

[FatLittleMonkey]

Eh? If Ms Geary puts it anywhere public online, google can see it anyway. (As can the actual NSA.) So unless you're saying that Google will censor her work, your comment makes no sense.

Cookieculler

[MLCT]

Bit of a shoutout for the firefox extension cookieculler.

I have never found anything that matches cookieculler for features: it doesn't just purely delete cookies, it operates with a white-list based system (the way everything on the web should work). Cookieculler deletes all cookies each time you close the browser, except the ones you have whitelist "protected", that keep login information etc. as you choose.

Along with noscript, cookieculler is the main reason I stay on firefox.

Re:Cookieculler

[Lucky75]

I've found "Ghostery" to be pretty damn good. Blocks them rather than allowing+ deleting them.

Re:Cookieculler

[emilv]

How is cookieculler different from setting a default policy in Firefox and then using the built-in whitelist in Firefox to give permissions for certain sites?

Re:Cookieculler

[MLCT]

Granted firefox can offer something close, but not quite. Cookieculler offers finer control, because you can whitelist the *cookies* rather than the domain. So I can (and do) choose to protect my /. cookie, but not anything else that /. place in my browser (hypothetical example, as /. don't place any other cookies).

Re:Cookieculler

[plover]

Citation really needed.

Cookies or COOKIES!?!?

Anyone else read the title and thought people were taking a deeper look at why those delicious baked goods are so tantalizing?

Internet marketing

[Roberticus]

If average folks become aware of how many cookies get set (along with getting a user-friendly way* of turning them off), that could have a huge and entertaining effect on the world of Internet marketing**.

For example, right now, I can assume enough website visitors have JavaScript enabled to make it almost 100% (and not worth writing HTML for the case where they don't). But if I can only reasonably assume, say, 50% of my visitors/email through-clickers/etc. have cookies active, that plays havoc with my reporting.

* "User-friendly" defined as "something my dad can do without asking me for help".
** I spend all day every workday in this world.

Facebook

[Lucky75]

You'd be shocked at how many cookies come from facebook across multiple sites. I use an extension called Ghostery (https://addons.mozilla.org/en-US/firefox/addon/ghostery/) to block most of them.

Re:Facebook

[19thNervousBreakdown]

Spoiler: It's practically every site.

Yo Dawg

[Z80xxc!]

Yo dawg... I heard u dislike being tracked, so we put a tracker in your trackers so you could be tracked while we track.

"What Data they are monitoring and why"

[dmomo]

It will be interesting to see not only the results of this analysis, but also how they came any conclusions that they do.

Many cookies are used only to store a unique identifier. They data about a user many websites actually store is housed and maintained on their server, keyed by the unique id. This could include "pages visited", "duration of visit", "browser/system specs/settings" along with any derived demographic data.

It would be hard (though not necessarily impossible) to determine this from a cookie analysis.

Collusion is quite fascinating...

[dryriver]

I found out using its automated "graph-builder" that the 3 - 4 supposedly "safe" sites I visit most often, actually pass my user data on to Google, Facebook, DoubleClick, Mediaplex, Adroll and other services. Its quite educational to watch the graph go from a blank page to a fairly complex network of interconnections as you continue to browse. Its going to be interesting to see what results from this when the Guardian gets all the aggregate data from Collusion. It does seem indeed that there is such a thing as a "secret world of cookies" out on the internet, and I personally support that this "secret world" be uncovered fully, so we get to see what entities are clandestinely mining our supposedly "private" user information as we surf. --- The whole thing also reminds me of the book "Brandwashed", where the author explains at length how commercial establishments collect all sorts of data on us, and exploit it to sell us more products.

porn

[Sperbels]

finding out what data are they monitoring, and why

Well, all the porn websites seem to know that I prefer brunettes over blonds.

Re:porn

[joannageary]

But do they also know that you buy your underwear from Marks & Spencers? That's the interesting sort of thing I'm hoping we'll find out - what companies are tracking over such varied sites and what information (if any) they then sell back to their clients.

Cookies not the only way to do this...

[isaac]

Cookies are not the only evidence of tracking. Even Flash LSO, HTML5 local storage, etc.

There's a surprising amount of identifying information in request headers and what's available to javascript. (see http://panopticlick.eff.org/ for a demonstration.) That means, one often needn't accept or store a cookie to be tracked.

A really comprehensive pro-privacy browser extension would munge request headers and enumeration of fonts, plugins, screen resolutions, etc. to match one of, say, the top 5 most common desktop browser fingerprints - and to change every so often (Changing per request would itself be a trivially detectable signature.)

-Isaac

Methodology Issues

[TaoPhoenix]

You know already who the "Big Players" are - Google, Facebook, Microsoft, your choice of a couple more related ones.

Then it descends into all these little companies. I would expect that some of them are subsidiaries of the big guys etc.

The ideal goal of each of these "thingies" (cookies, flash objects, etc etc) is to nail down who visits down to a unique user if possible.

So just copy the Ghostery block list, maybe the AdBlock block list, your choice of a couple more tools.

If you want a "market share per ad company" report then get one of those.

There's something bothering me with your study design but it's not clear yet.