Disabling Third-Party Cookies Doesn’t (Meaningfully) Improve Privacy

Cookies aren't just for the dark side.

I noticed in some discussion on Hacker News about Google Chrome an argument that disabling third-party cookies somehow improved privacy.  I don’t intend to comment on the rest of the debate, but this particular assertion is troubling.

At time of writing, only two browsers interfere with third-party cookies in any meaningful way.  Internet Explorer denies setting third-party cookies unless a P3P header is sent.  This is basically an evil bit, and just as pointless.  No other browser even pretends to care about this standard.

The other is Apple’s Safari browser, which denies setting third-party cookies unless a user has “interacted” with the framed content.  The definition of “interacted” is a bit fuzzy, but clicking seems to do it.  No other browser does this, or anything like it.  There are some laughably simple hacks around this, like floating an iframe under the user’s cursor (and, for some reason, submitting a form with a POST method).  Even if those hacks didn’t exist, the idea is still pointless.

The reason I know about these rules is that we had to work around them when implementing auto-logins at Stack Exchange (there was an earlier version that straight up did not work for Safari due to reliance on third-party cookies).  This also came up when implementing the Stack Exchange OpenID Provider, as we frame log in and account creation forms on our login page.

For auto-logins, I ended up using a combination of localStorage and postMessage that works on all modern browsers (since it’s not core functionality we were willing to throw IE7 under a bus at the time, and now that IE9 is out we don’t support IE7 at all).  StackID tries some workarounds for Safari, and upon failure displays an error message providing some guidance.

These methods are somewhat less nefarious than this, but just slightly.

The joke is that there are alternatives that work just fine

ETags have gotten a lot of press, the gist being that you re-purpose a caching mechanism for tracking (similar tricks are possible with the Last-Modified header).  This is a fundamental problem with any cache expiration scheme that isn’t strictly time based, as a user will always have to present some (potentially identifying) token to a server to see if their cache is still valid.

Panopticlick attacks the problem statistically, using the fact that any given browser is pretty distinctive in terms of headers, plugins, and so on independent of any cookies or cache directives.  My install of Chrome in incognito mode provides ~20 bits of identifying information, which if indicative of the population at large implies a collision about every 1,200 users.  In practice, most of these strings are globally unique so coupled with IP based geo-location it is more than sufficient for tracking if you’re only concerned with a small percentage of everyone on Earth.  Peter Eckersley’s paper on the subject also presents a rudimentary algorithm for following changing fingerprints (section 5.2), so you don’t even have to worry about increased instability when compared to third-party cookies.

You can get increasingly nefarious with things like “image cookies,”  where you a create a unique image and direct a browser to cache it forever.  You then read the colors out via HTML5’s Canvas, and you’ve got a string that uniquely identifies a browser.  This bypasses any same origin policy (like those applied to cookies and localStorage) since all browsers will just pull the image out of cache regardless of which domain the script is executing under.  I believe this technique was pioneered by Evercookie, but there may be some older work I’m not aware of.

If you’ve been paying attention, you’ll notice that none of these techniques are exactly cutting edge.  They’re still effective due in large part to the fact that closing all of these avenues would basically break the internet.

They aren't the most friendly of UIs, but they exist.

Why do we stick to cookies and localStorage?

The short of it is that we over at Stack Exchange are “Good Guys™,” and as such we don’t want to resort to such grey (or outright black) hat techniques even if we’re not using them nefariously.  I hope the irony of doing the “right thing” being more trouble than the alternative isn’t lost on anyone reading this.

More practically, after 15 years of popular internet usage normal people actually kind-of-sort-of get cookies.  Not in any great technical sense, but in the “clear them when I use a computer at the library” sense.  Every significant browser also has a UI for managing them, and a way to wipe them all out.  It’s for this reason that our OpenID provider only uses cookies, since it’s more important that it be practically secure-able than usable; at least when compared to the Stack Exchange sites themselves.

For global login, localStorage is acceptable since clearing it is somewhat less important.  You can only login to existing accounts, only on our network, and on that network there are significant hurdles preventing really nefarious behavior (you cannot permanently destroy your account, or your content in most cases).

This reference predates Internet Explorer's cookie support.

What good does Safari’s third-party cookie behavior do?

Depending on how cynical you are, one of: nothing, mildly inconveniencing unscrupulous ad networks, or childishly spiting Google.  I’m in the “nothing” category as there’s too much money to be had to believe it deters the seedier elements of the internet, and the notion that Apple would try to undermine a competitor’s revenue stream this way is too conspiracy theory-ish for me to take seriously.

I can believe someone at Apple thinks it helps privacy, but in practice it clearly doesn’t.  At best, it keeps honest developers honest (not that they needed any prompting for this) and at worst it makes it even harder for user’s to avoid tracking as more and more developers resort to the more nefarious (but more reliable!) alternatives to third-party cookies.

There may be legitimate complaints about browser’s default behavior with regards to privacy, but having third-party cookies enabled by default isn’t one of them.

5 Comments on “Disabling Third-Party Cookies Doesn’t (Meaningfully) Improve Privacy”

  1. Great article Kevin!

    Why do people pick on poor old cookies? Over here in Europe we’ve got the absolutely ridiculous EU cookie law to look forward to: http://www.guardian.co.uk/law/butterworth-and-bowcott-on-law/2011/may/27/cookie-law-shambles-web-browsers

    In no way will this make the internet better.

  2. Jay says:

    This article is informative in many way but is slanted and the conclusion is lame.

    So you are saying turning on blocking of third party cookies in Firefox won’t effectively stop 3rd party trackers such as doubleclick and google analytics dead in their tracks?

    Of course blocking third party cookies improve privacy, but are not the final answer. Add in clearing of cache on browser exit and using active tracking blocking (Ghostery or IE9 tracking protection) and you have effective recourse against tracking, even against first party trackers such as Facebook. For those companies that use browsing fingerprinting, a simple javascript inspection will show what they are doing and these companies will be named and shamed.

    • I would point out that Firefox’s third-party cookie blocking is substantively different from Safari’s (it doesn’t send third-party cookies ever, while Safari just blocks new ones). It really does muck up the internet for normal people too.

      Also, blocking third party cookies does jack-all to Google Analytics as those cookies are often attached under the actual domain serving content. Break out dev tools on many sites and you’ll find __utma et. al.; Techcrunch is a pretty good example of all the little tracking hooks you can run into on one site (Stack Exchange sites also have GA cookies). There’s nothing keeping any ad network from colluding with domains hosting the ads in a similar manner.

      My point is not so much that blocking or deleting cookies doesn’t provide some temporary improvement to privacy, but that it isn’t a meaningful improvement. If IE, Chrome, or FireFox shipped with no way to attach third-party cookies one of the workarounds I talk about (or one which I’m not aware of) would be all over the internet in a matter of months. It’d be an arms race, one which would require constant user retraining.

      … these companies will be named and shamed.

      This is a dangerous pipe dream. In practice nobody ever, ever, quits using a service due to unsavory tracking. If this were the case, facebook wouldn’t be the internet Juggernaut it is. This is even ignoring the difficulty a typical user would have determining if a site is embedding resources from some theoretically “shamed” site.


      Add in clearing of cache on browser exit…

      This would just “break the internet” from the perspective of almost every normal user, it’s not tractable. You can get pretty good privacy if you’re willing to wget everything and read it in vim too.

  3. Jay says:

    “Break the internet” is hyperbole. This is the party line of advertisers with $$ as the the only metric. Because comments sections in blogs don’t work sometimes? Because single sign on cookies don’t work anymore? These sorts of issues would work themselves out naturally if the balance on the internet shifted towards more privacy instead of the current advertising free for all.

    You haven’t been following the news if you thing naming and shaming does not work. Many cases of flash cookies and supercookies left companies with their tail between their legs when they got outed. In most cases quiety changing their behavior, for both PR and legal reasons.

    • These sorts of issues would work themselves out naturally

      … so it would break the internet, but eventually we’ll fix it? Yeah, so while exciting new tracking techniques are being deployed users are also struggling with broken websites.

      The only high profile case of super-cookie revocation I’ve heard of it is Hulu/Kissmetric. If you think they’re the only ones to try any of these techniques in the years they’ve been available you’re a bit delusional.