The Slow Death of the Internet Cookie (axios.com)

← Back to Stories (view on slashdot.org)

The Slow Death of the Internet Cookie (axios.com)

Posted by msmash on Tuesday March 6, 2018 @03:20AM from the new-ammunition dept.

Sara Fischer, writing for Axios: Over 60% of marketers believe they will no longer need to rely on tracking cookies, a 20-year-old desktop-based technology, for the majority of their digital marketing within the next two years, according to data from Viant Technology, an advertising cloud. Why it matters: Advertising and web-based services that were cookie-dependent are slowly being phased out of our mobile-first world, where more personalized data targeting is done without using cookies. Marketers are moving away from using cookies to track user data on the web to target ads now that people are moving away from desktop. 90% of marketers say they see improved performance from people-based marketing, compared with cookie-based campaigns.

56 of 97 comments (clear)

Min score:

Reason:

Sort:

How do they track without cookies? by jecowa · 2018-03-06 03:33 · Score: 1

>Advertising and web-based services that were cookie-dependent are slowly being phased out of our mobile-first world, where more personalized data targeting is done without using cookies. Don't mobile devices have cookie support? Or do mobile devices provide tracking features that are better than what cookies provided?

--
my opportunity to freely express myself with the potential persecution and hangings and such
1. Re:How do they track without cookies? by Son+of+Rea · 2018-03-06 03:44 · Score: 1
  
  I'd assume they will make you log in every time then save your data on their servers?
2. Re:How do they track without cookies? by doug141 · 2018-03-06 03:45 · Score: 1
  
  "people-based marketing," which is all the services you need to log in to use. Fitbit, amazon, facebook, alexa....
3. Re:How do they track without cookies? by TFlan91 · 2018-03-06 03:46 · Score: 1
  
  I'm not sure what they are talking about either.
  My guess is some use of local storage.
4. Re:How do they track without cookies? by Xylantiel · 2018-03-06 03:56 · Score: 1
  
  My bet: Third-party location-based tracking. Moral: any app you download, turn off location access. This started by ad-supported apps asking for your location to target ads based on your current location, but has turned into snarfing your location history and targeting based on analysis of that (e.g. correlation with other people, where you sleep, etc) which is insanely invasive.
5. Re:How do they track without cookies? by jbmartin6 · 2018-03-06 04:09 · Score: 1
  
  Browser extensions and similar offerings with 'anonymous usage data used to enhance user experience', which is corporate-speak or 'it reports everything you do back home for resale of the data.'
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
6. Re:How do they track without cookies? by omnichad · 2018-03-06 04:18 · Score: 1
  
  services you need to log in to use
  Using cookies...
7. Re:How do they track without cookies? by Actually,+I+do+RTFA · 2018-03-06 04:31 · Score: 1
  
  Or do mobile devices provide tracking features that are better than what cookies provided?
  Far better. Why do you think every website wants you to download their app?
  Shoot, until iOS 10.3, you had to turn off allowing apps to access your MAC address (well, it was hashed with a few other values). And I believe Android still allows it.
  
  --
  Your ad here. Ask me how!
8. Re:How do they track without cookies? by jecowa · 2018-03-06 04:31 · Score: 1
  
  Even though it's still using cookies, the data is linked to a user account instead of to a randomized cookie identifier.
  
  --
  my opportunity to freely express myself with the potential persecution and hangings and such
9. Re: How do they track without cookies? by reanjr · 2018-03-06 04:59 · Score: 1
  
  But how much of the web is still http? And how much of that is serving anything important?
10. Re: How do they track without cookies? by Actually,+I+do+RTFA · 2018-03-06 05:41 · Score: 1
  
  Huh, I wasn't talking about websites. I was talking about apps. You know, software you download and run on your device. Specifically as differentiated from websites.
  
  --
  Your ad here. Ask me how!
11. Re: How do they track without cookies? by Teun · 2018-03-06 06:48 · Score: 1
  
  Not everyone got such a shitty provider.
  
  --
  "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
12. Re: How do they track without cookies? by Anonymous Coward · 2018-03-06 06:59 · Score: 1
  
  For the obviously tech savvy people on /. and similar sites (Hacker News), this is simple to avoid with a VPN. Its trivially easy to set up a VPN and your home network and point your mobile phone back to it, paying once for everything on your network and not twice. Add a Pi-hole to block DNS requests to ads, beacons, and trackers, and you further cut down on the privacy invasion.
  A simple, key effort in helping to combat this kind of tracking is to use multiple browsers. I always have to different browsers up: one for random fun surfing (heavily protected), and one, also heavily protected for just business like banking, etc. Never the two shall meet. You can easily set up multiple VPN tunnels to obfuscate your traffic. This stuff is trivially easy and less than $50 year.
  Use one email address for banking. Use another for personal use. Use yet another for random crap.
  Use a Raspberry Pi running Pi-hole ($35 one-time fee), use a good VPN ($3-5 month), disable network prefetch, disable HTTP/S referer, disable CSS visited links, disable geo location, whitelist JS. Use uBlock Origin, Privacy Badger, Decentraleyes, and No Coin. Opera has a free VPN with several countries of origin from which to choose. There really are loads of options to choose from. All of this takes less than an hour to complete and it works. Run your browser through Panopticlick and other online testers to see where your weaknesses lie. All of this is obviously not 100% effective, but it allows you to maintain a sense of privacy and security without giving away the keys to the kingdom. And perhaps most importantly, pay for your email with a service like Fastmail (no affiliation, just happy customer). Free services make you the product, never a customer.
Hardly by nospam007 · 2018-03-06 03:33 · Score: 1

The cookie is what really is the so-called pay-'wall' of the New York Times, Washington Post, The Guardian etc.
Delete them and you can read as much as you want.
Replacement? by unixcorn · 2018-03-06 03:36 · Score: 2

So the cookie is dying. The article says nothing about how we will be tracked in the future. Or how we are being tracked now when I reject cookies.
1. Re:Replacement? by havock · 2018-03-06 03:46 · Score: 2
  
  Browser fingerprinting is quite reliable when you reject cookies. Canvas, Font, GPU, CSS API's are all good sources of identifiable data. Of course if you turn off Javascript *and* Cookies, there isn't much left to fingerprint.
2. Re:Replacement? by ichimunki · 2018-03-06 04:26 · Score: 1
  
  Cookies are still going to be critical to any user tracking, I'd think. It's just that advertisers won't be relying on their OWN cookies to do the work. Because if they set a cookie on each browser and platform you use, they then have to figure out how to correlate all *your* cookies after the fact. And if you're logging into your same GMail account at work, at home, on your phone, on a tablet, etc, it's better for them to figure out a way to latch onto that. But Google is still going to be using a cookie as part of authenticating you... at least until whatever client/server framework they're using replaces cookies with something else that does the same thing. But the nice thing about cookies from a web framework perspective is that their already part of the standard request/response cycle.
  
  --
  I do not have a signature
3. Re:Replacement? by ichimunki · 2018-03-06 04:32 · Score: 1
  
  The browser fingerprint my Firefox 58 on Windows 10 gives is certainly different than what Silk on my Fire tablet gives. Which makes it totally useless for figuring out that I'm the same person using both browsers. On the other hand, the fact that I access the same Amazon shopping cart from both browsers... dead giveaway.
  
  --
  I do not have a signature
4. Re:Replacement? by Carewolf · 2018-03-06 04:54 · Score: 1
  
  So the cookie is dying. The article says nothing about how we will be tracked in the future. Or how we are being tracked now when I reject cookies.
  They now have new and much more invasive HTML5 mechanisms of tracking you that people aren't as aware of, and thus less likely to turn off or protect against.
People-based marketing is a euphemism by Anonymous Coward · 2018-03-06 03:36 · Score: 5, Informative

It means they've found easier ways to fingerprint you. [PDF] Marketers don't want generic "cookies" they want specific, verified identification.
They're going to have a better spy network than is legal for most governments to have.
1. Re:People-based marketing is a euphemism by Actually,+I+do+RTFA · 2018-03-06 04:42 · Score: 1
  
  They're going to have a better spy network than is legal for most governments to have.
  Your use of the future tense is cute.
  
  --
  Your ad here. Ask me how!
2. Re:People-based marketing is a euphemism by Falos · 2018-03-06 04:51 · Score: 1
  
  They prefer verified, but they're more than happy to casually bridge causality. Even to establish "verified". Courts may admit than IP != identity (usually...) but the bigdata team (who need to have some material to present at the quarterly review or whateverthefuck) doesn't care.
  Geolocation = Fact! https://xkcd.com/713/
  I think the real preference is moving up the skill curve. Cookies are pretty user-controlled, browsers/mods/etc are happily handing over tools. Other fingerprints are beyond the reach of surface dwellers and casuals. Even the user agent is considered gospel compared to fragile, paper-in-a-bottle cookies.
Fingerprinting is replacing tracking by bahwi · 2018-03-06 03:48 · Score: 2

Fingerprinting is replacing tracking and has been for at least 10 years when I was very peripherally involved with testing a company that did it for work.
It's one way they get you with cookies once you've "cleared" them and they are able to reattach the same ones as before.
EFF has testing: https://panopticlick.eff.org/
And yes, multiple fingerprints can be attached to a single user. You have 10 unique devices and all 10 of those fingerprints get attached to you after logging into a site or account. It can take awhile, but you can't block it.
Slight changes are accounted for, profiles updated. It's not as "fool-proof" as cookies, but that's not really a requirement.
1. Re:Fingerprinting is replacing tracking by jetkust · 2018-03-06 03:58 · Score: 1
  
  This, and they are also selling hoards of information about you between themselves. I wonder if for any company that keeps my fingerprint in a database, could I legally request any data associated with that fingerprint. It doesn't seem all that unreasonable to me.
2. Re:Fingerprinting is replacing tracking by Actually,+I+do+RTFA · 2018-03-06 04:33 · Score: 1
  
  With JavaScript off, they're limited to my agent-string and resolution (and IP address, and other headers).
  
  --
  Your ad here. Ask me how!
3. Re:Fingerprinting is replacing tracking by bahwi · 2018-03-06 05:15 · Score: 1
  
  Yeah, selective NoScript is a good alternative too. I've been using pi-hole for my DNS as well.
4. Re:Fingerprinting is replacing tracking by Actually,+I+do+RTFA · 2018-03-06 06:35 · Score: 1
  
  I assume pi-hole is a Rasp. Pi distro? I looked into setting SQUID up on a Pi, but that seemed to be a chore.
  Question: Can you set it up to intersect HTTPS requests (assuming you stick a self-signed cert on the Pi Hole?) And if so, how do you get it to check the certificate authority of who it is man-in-the-middling?
  
  --
  Your ad here. Ask me how!
5. Re:Fingerprinting is replacing tracking by bahwi · 2018-03-06 07:36 · Score: 1
  
  Not a distro, but works best on Raspbian IIRC, but works on any linux box now I believe.
  It acts as a dns server, and has a large block list (mine is 640k domains) which resolve to the raspberry pi's address, which it gives a quick explanation, or in the case of HTTPS, connection refused. It's not the best solution in the world but works really well.
  So, no need for SSL certs, since it's just blocking. Hope that helps!
6. Re:Fingerprinting is replacing tracking by Actually,+I+do+RTFA · 2018-03-06 09:15 · Score: 1
  
  Ah, got it.
  
  --
  Your ad here. Ask me how!
7. Re:Fingerprinting is replacing tracking by gl4ss · 2018-03-06 18:07 · Score: 1
  
  In EU you can.. and few months down the line now if they disagree they can't avoid it.
  this is why facebook etc already let you download all your data. you can also request the data to be removed.
  
  --
  world was created 5 seconds before this post as it is.
Re: Not a lot of article content here... by M0j0_j0j0 · 2018-03-06 03:54 · Score: 3, Funny

Bitcoin!! You forgot Bitcoin you insensitive cod
Weakening the Web by Mandrel · 2018-03-06 04:04 · Score: 1

I'm getting concerned that browser-makers, in the interests of privacy and security, are clamping down so much on what websites can do with cookies, local data, and iframes, that they're weakening the power of the open Web relative to mobile apps that ask, and almost always get, permission to do all sorts of powerful things. Perhaps it's time for cookie and iframe permission requests to pop-up when a website is first used, so that trusted sites can still do powerful things.
Re:that's just sick by Anonymous Coward · 2018-03-06 04:09 · Score: 1

There are two kinds of websites: those on which you log in to an account, and those that have no legitimate use for cookies.
I allow cookies on a short whitelist of the first category.
If a cookie is needed to make a website work on which you don't log in to an account, the website was written wrong. Hanlon's Razor be damned; I don't care why the website was written wrong.
Terminology by fisted · 2018-03-06 04:14 · Score: 1

You know you're on a mainstream news site when nobody objects to the term "Internet cookie". Jesus. What's next, Internet pages?

--
CLI paste? paste.pr0.tips!
Finally! by fieldstone · 2018-03-06 04:18 · Score: 1

I work in tech support, and after years and years of scare pieces on the news, this has been a long time coming. A large percentage of the people I work for are paranoid about all cookies. Cookies are bad! Cookies will destroy your computer! Some of these people clear out ALL their cookies daily or weekly, even though I've told them they only need to be concerned with scanning for tracking cookies.
Not that we should cater to ignorance, and not that this problem won't go away once there are no more Boomers to hold these views. But I do feel like if you get better results with other kinds of advertising, tracking cookies are a stupid form of marketing because every anti-malware tool available knows how to remove them and will encourage users to do so.
Misleading... or just plain wrong? by zarmanto · 2018-03-06 04:22 · Score: 4, Interesting

It seems to me that there's an awful lot of misinformation here. Cookies have been given a bad name, because the moment they sprung into existence, they were misused and/or abused by advertisers and marketers. The reality is, cookies aren't going away at all... they're just being used more inline with their original intent, that's all. A cookie gives any standard web browser (including those on mobile devices) the feature of storing small chunks of identifying personal data ("login" data) for the user currently using that browser, in order to allow that user to personalize their experience on any given website. (If you're using a mobile app instead of a browser, than that app obviously doesn't need cookies; it can just use local memory natively to store your login credentials.) The abuse started when advertisers realized that they didn't need you to actively "login" to their service, in order to identify you and track you with cookies. Naturally, people don't like it when someone tracks them without first asking for permission... but that's not the cookies fault; they're just tools. A hammer is still intended to be used on nails, even when someone with no scruples uses it on your toes -- but nobody ever blames the hammer for that, and rightly so.
So in other words, "people based marketing" just means that the service you're actively logging into (such as Google, for example) has successfully established themselves as the primary marketer, and they've made arrangements to sell all of your activity to advertisers. Likewise, those advertisers no longer see much return-on-investment in doing the heavy lifting of attempting to gather all of that activity data themselves, in part because so many people have gone to great lengths to stop those advertisers from doing so. Which brings us back to simple the fact that: you're really the product that's being marketed, and the advertisers are the customers. (Which is just as it has always been, really.)
The more things change, the more they stay insane.
1. Re: Misleading... or just plain wrong? by dj245 · 2018-03-06 05:16 · Score: 1
  
  I can recall that one of the Easter eggs in Fallout 1 or 2 was the cookie. If you ate one, your hard drive seeked and the light blinked (no other item had this action). This was back in the day when games werenâ(TM)t reading constantly from the disk, and hard drive seeks were noisy, so it was noticeable.
  
  --
  Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
sessions by Anonymous Coward · 2018-03-06 04:23 · Score: 1

Once I had access to server-side processing, like ASP and PHP, I found the use case for cookies to be really small. That would be, basically, using the cookie to keep track of sessions. Besides that, the 4KB limit really hindered what you could do, as all of the metadata (property names, expiration dates, etc) counted towards the limit. I'd hit all sorts of edge cases like where it would partially store or unexpectedly forget stuff. Not really worth the trouble.
1. Re:sessions by tepples · 2018-03-06 04:39 · Score: 1
  
  Once I had access to server-side processing, like ASP and PHP, I found the use case for cookies to be really small. That would be, basically, using the cookie to keep track of sessions.
  Whether the cookie stores the raw data or a session ID matters little. It's common practice for each adtech provider to establish a long-lived session for each viewer who visits a site that uses that adtech provider. Viewing a single document might cause several dozen sessions to be automatically established, one for each adtech provider.
Guardian paywall since when? by tepples · 2018-03-06 04:33 · Score: 1

Since when does The Guardian have a paywall? It offers an optional subscription to ad-free access for $84/year. Slashdot used to offer subscriptions, but this broke years ago.
Justifying Firefox by freeze128 · 2018-03-06 04:40 · Score: 4, Interesting

This sounds like an article that is justifying what Firefox is doing: dropping cookie management from the newest version. I don't agree, and I insist that Firefox keep some sort of cookie management facility.
1. Re:Justifying Firefox by Rick+Schumann · 2018-03-06 05:21 · Score: 1
  
  If the browser drops it someone will write an add-on of some sort to allow you to manage them -- or you can just find the subdirectory they're in and delete them yourself.
2. Re:Justifying Firefox by freeze128 · 2018-03-06 06:23 · Score: 1
  
  I don't know how to delete just certain select cookies from the about:config window. I searched for "cookie" and all I see are integer or boolean values.
  
  Firefox's cookie management is terrible because I don't want to look through a tiny mail-slot at my huge list of cookies. Let me RESIZE the window FFS! But that doesn't mean I want the whole thing to GO AWAY!
3. Re:Justifying Firefox by Espectr0 · 2018-03-06 17:22 · Score: 1
  
  That's really an ignorant way of justifying it. 99% of the websites i visit have a banner somewhere saying "this website is using cookies". Cookies aren't going away anytime soon. While some marketers/spammers may use more advanced techniques, most will remain using cookies for the foreseeable future.
  
  --
  Open Source Java Web Forum with LDAP authentication
4. Re:Justifying Firefox by fisted · 2018-03-06 19:42 · Score: 1
  
  If the browser drops it someone will write an add-on of some sort to allow you to manage them -- or you can just find the subdirectory they're in and delete them yourself.
  And then a new Firefox version appears which happens to break all addons.
  
  --
  CLI paste? paste.pr0.tips!
5. Re:Justifying Firefox by Rick+Schumann · 2018-03-07 06:24 · Score: 1
  
  What's your point exactly? The add-on will just get updated. Are you looking for a conspiracy where there is none or something?
6. Re:Justifying Firefox by fisted · 2018-03-07 06:49 · Score: 1
  
  What's your point exactly? The add-on will be abandoned
  
  FTFY. Some time later, somebody will write a new addon, and the cycle repeats.
  
  Are you looking for a conspiracy
  No.
  
  or something
  I'm looking at an astonishingly long series of exceptionally bad design decisions.
  Now if you'll excuse me, I have to watch some videos on youtube. Oh wait, I can't because fuck the audio backend that has worked well for everybody for the last decade, let's add a hard dependency on pulseaudio; the hordes of people having issues with it are probably just using it wrong.
  this is covered by
  
  --
  CLI paste? paste.pr0.tips!
7. Re:Justifying Firefox by fisted · 2018-03-07 06:51 · Score: 1
  
  Oops, last line should've read "this is covered by Hanlon’s Razor though, so I don't think it's a conspiracy"
  
  --
  CLI paste? paste.pr0.tips!
Re:Not a lot of article content here... by Cajun+Hell · 2018-03-06 05:08 · Score: 5, Informative

The big WTF-are-they-talking-about clue was revealed in this line of nonsense: "Cookies don't really work on mobile." (Wut?) The paragraph basically goes on to explain they're expecting many users to stop using web browsers altogether, and just run native apps that request ads by user id. Basically, the problems that cookies were invented to solve, are already solved by the apps having their owmn version of local storage (and without all those pesky controls and options that web browsers give to users).

--
"Believe me!" -- Donald Trump
Re: Not a lot of article content here... by TheOuterLinux · 2018-03-06 05:29 · Score: 1

They are only redefining the "cookie" and calling it something else. The Internet decided that its version of "plain toothpaste" wasn't enough and added "whitening," if you catch my meaning. Also, Google isn't the only one with "bubble" technology. Hard drives are getting larger and cheaper and they have the resources to store info on every person leaking an "ip/mac address/canvas/OS" digital fingerprint. When my website was active (too expensive; hosts holding hostage), I honored the "Do Not Track" option and had a dummy cookie option for browsers that didn't support it but for those that didn't do either one, I could get your IP (censored most of it), your operating system, your device, screen resolutions, where you came in from, what you interacted, how long on each page, and where you left to. And the relevant part, if you were a returning viewer. That was with free and open source tools (Piwik); I'd hate to think what others like Google and Facebook are doing. I would also assume that they're depending on mobile users with smart phones and with applications that contain Google or Facebook libraries. More and more applications are including them by default all the time and don't think for a second there isn't any back scratching going on with your personal browsing, text messages, photos, etc.
Facebook, Amazon, Google, Apple, etc by edi_guy · 2018-03-06 05:57 · Score: 1

Reality is that they have all the info they need on you already. Awhile back it was said that 81% of adult Americans who use the internet have a Facebook account Google, FB, Amazon, already have a data model on you which is pretty accurate, and likely will match pre-established trends as you get older, have a family, retire, whatever. Your credit card data, your geo-physical presence via cell phone (Google maps), your cell provider tracking your browsing, its all there
And yes, there are several clever, tin-foil hat, Slashdotters who have managed to evade this tracking...but on aggregate the marketers are fine with the percentages they have.
Re:Not a lot of article content here... by jellomizer · 2018-03-06 06:00 · Score: 1

Being that many add companies are implemented across many sites, one can simply track by connection info IP Address, browser settings, time of day, original sites.... To paint a picture good enough for advertising.
The old tracking cookies were not any better then tracking connection info.

--
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Replaced with what by gurps_npc · 2018-03-06 06:41 · Score: 1

The article does not say they aren't tracking us anymore, they instead say the cookies are obsolete.
But it failed to mention what is replacing cookies.
That's far more important than the death of cookies.

--
excitingthingstodo.blogspot.com
1. Re:Replaced with what by Tony+Isaac · 2018-03-06 07:18 · Score: 1
  
  The thing that has replaced cookies is the "tracking pixel." https://en.ryte.com/wiki/Track...
  Every Web company's marketing department gets their software team to include these on their sites. They only too happily send your info to Facebook, Google, and others. Every click, every page load.
Re:It's true by Teun · 2018-03-06 06:56 · Score: 1

The cookies are gone, from now on it will be .... Cake, or biscuits or chips
either way, at the end of the day, all of them will end up in the restroom
Pig, if you ever come over to my place I sure hope you use the toilet...

--
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Re:Not a lot of article content here... by ras · 2018-03-06 10:34 · Score: 2

The big WTF-are-they-talking-about
Actually, it's just a big WTF, followed by oh they are sprouting shit in order to get a few clicks (including mine, sadly).
They are saying no advertiser will be using cookies in 2 years because people are moving from browsers to mobile apps. Lets turn this around: they are saying that in two year no advertisers will bother tracking people who use browsers. So in two years I can stop blocking Facebook, uninstall Privacy badger because the web will be sweet and innocent again. Ohkay....
For what it's worth, the page carrying this bullshit installed 3 cookies of its own, plus 7 from twitter. It is true google analytics, sail-horizon, and crwdcntrl didn't install cookies. The injected their tracking data directly into the page using javascript.