If Congress Thinks Cookies Violate Your Privacy, Wait’ll They Hear About This!


If you go to the Scout Analytics website and dig into the info about their offerings, you’ll find that they tested their patent-pending technology for the last six months on hundreds of thousands of users (see the press release entitled “Scout Analytics(TM) Quantifies the Inaccuracy of Cookies as a Measure of Unique Users”). They cite two techniques as the basis for this study: biometric signatures and device signatures. The release is more revealing about the biometric approach than it is about the device signatures. The biometric signature is essentially an identifiable pattern in a person’s typing style. The device signature is something they are vaguer about, saying only that it is based on “data elements collected from the browser to eliminate errors in device counting such as cleared cookies”. The test was meant to see not only how much overcounting of unique users there was, but also how many unlicensed users of subscription content there were via multiple use of the same user account.
I wonder if they got the explicit permission of the subscribers to have their keystrokes and machines profiled? If this kind of approach were to spread beyond detection of licensing violations, I wonder how much sympathy regulators and legislators would have for it?

The Cookie vs. The LSO – Should I Care? Should I Worry?

Here’s a question that savvy web users were being asked by their parents 10 years ago:
What the heck is a cookie, and why do I have them on my computer? Do I need to delete them? How do I delete them?

Don’t be surprised if the question starts to come up again, in a new form:
What the heck is an LSO, and why do I have them on my computer? Do I need to delete them? How do I delete them?

The issue is emerging again because the people in the business of targeting ads or offers are trying to do their job better, and cookies are not doing the job advertisers want done. So, some web programmers are exploiting a feature of Flash to create “stealth cookies” called LSOs, in hopes that you won’t delete them because you probably don’t know how.

Remind me: What is a cookie again?
A cookie is a small text file that is created via your browser to keep track of session “state” and historic entries and site activity.

What is a cookie for?
The connectionless protocols used by the web do not automatically keep track of any history. If there is no state or history information provided with a page request, then the page will have no idea who you are, even if you just entered that info on a different page in the same site.

What’s so scary about that?
Well, people just don’t like their activity being recorded without their permission or awareness. It annoys them. That said, there are useful things that this kind of snooping makes possible:

  • remembering your site settings and preferences
  • remembering and auto-entering your userid in the login screen
  • automatically logging you in when you arrive at a site
  • not showing you ads for things you don’t care about and would never buy
  • remembering the contents of your shopping cart from your last visit
  • remembering the contents of your wish list

At the same time, it makes possible:

  • targeting you for ads based on prior site searches
  • targeting you for ads based on prior site surfing
  • snooping and prying for evil reasons

Cookie Deletion
When many people figured all this out, it became a big kerfuffle, and this led to user behavior such that 23% of all cookies are deleted when they are one week old, and less than half of all cookies (43%) live to be more than eight weeks old (see the Microsoft research about cookie deletion). Users can use functionality in their browsers to delete cookies and to control cookie-related policies within the browser.

So who cares? What problems does cookie deletion cause?
If you are an internet advertiser, it adds one more layer of complexity to the already difficult problem of tracking internet ad campaigns. You’ll have tracking pixels in ads to capture views and clicks, but knowing how many times someone has seen an ad during a campaign (frequency) and how many distinct individuals have seen an ad (reach) is pretty critical to understanding what is going on in a campaign, especially as more brand advertising comes online. Measurement is made difficult in internet advertising by these factors:

  1. The same person will browse from multiple computers
  2. The same person will see the same campaign on screens other than computers (smartphones, etc.)
  3. The same computer can be used by multiple people who may or may not have separate logins
  4. Many machines have multiple browsers installed, and a person might not always use the same one – cookies belong to a specific browser
  5. Some people severely restrict cookie functionality using browser security settings
  6. Many people delete the cookies from their computers, with different people doing so at different intervals

Net/Net: Bad Measurements
On balance, these issues push the measurements in the direction of overcounting reach and undercounting frequency.
Some of the other deficiencies of cookies from an advertiser’s point of view are that cookies don’t store very much information (4KB), and there can only be so many cookies related to a given domain (20). Privacy considerations additionally limit how much cross-site behavior can be captured in cookies (and banner campaigns are cross-site, mostly).
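To make the reach/frequency skew concrete, here is a small simulation added as an illustration (it is not from the original post). The population size, number of browsers, weekly deletion probability and view counts are all assumed values chosen for the example, not measurements.

```python
import random

def simulate(people=1000, weeks=8, browsers_per_person=2,
             weekly_delete_prob=0.1, views_per_week=3, seed=7):
    """Return (true_reach, measured_reach, true_freq, measured_freq).

    Constructed model: every person sees the campaign views_per_week times,
    each time in a randomly chosen browser, and once a week may clear the
    cookie in each browser. The ad server only ever sees cookie ids.
    """
    rng = random.Random(seed)        # fixed seed so the run is repeatable
    next_cookie_id = 0
    impressions_by_cookie = {}       # cookie id -> impressions attributed to it
    total_impressions = 0
    for _ in range(people):
        jars = [None] * browsers_per_person   # one cookie jar per browser
        for _ in range(weeks):
            # Factor 6: cookies get deleted at user-specific intervals.
            for b in range(browsers_per_person):
                if jars[b] is not None and rng.random() < weekly_delete_prob:
                    jars[b] = None
            for _ in range(views_per_week):
                # Factor 4: cookies belong to one specific browser.
                b = rng.randrange(browsers_per_person)
                if jars[b] is None:           # no cookie: looks like a new user
                    jars[b] = next_cookie_id
                    next_cookie_id += 1
                cid = jars[b]
                impressions_by_cookie[cid] = impressions_by_cookie.get(cid, 0) + 1
                total_impressions += 1
    true_reach = people
    measured_reach = len(impressions_by_cookie)   # "unique users" = unique cookies
    true_freq = total_impressions / true_reach
    measured_freq = total_impressions / measured_reach
    return true_reach, measured_reach, true_freq, measured_freq

if __name__ == "__main__":
    tr, mr, tf, mf = simulate()
    print(f"reach: true={tr} measured={mr}")
    print(f"frequency: true={tf:.1f} measured={mf:.1f}")
```

Because every deleted or per-browser cookie is counted as a new person, the same impressions are spread over more "users", which is exactly the overcounted reach and undercounted frequency described above.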

LSOs Address Some of These Shortcomings For Advertisers (Yay!), But Create New Ones for Users (Boo!)

An LSO (Local Storage Object) is a cookie-like file that Flash uses to store information for Flash applications. Except that they are used by clever web programmers for far more than that – they are used by some sites just like really big cookies (as much as 25 times bigger than a cookie) that you don’t know about and so won’t delete. In addition, the same LSOs are accessible from all browsers. Your browser security controls have little or no impact on these things.

You Might Want To Check Your Computer For LSOs Right Now

If you don’t believe me, go to the Macromedia page that lets you see what LSOs are on your machine (it also lets you delete them, enable/disable them, and control their behavior).
It is located here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html.
While you are there, delete the ones for sites you don’t want your boss to know about.
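The same check can be done offline, because Flash Player keeps LSOs as `.sol` files in a `#SharedObjects` directory outside any browser profile. The script below is an added example, not part of the original post or any Adobe tool; the function names and the report format are made up for illustration, and the 4096-byte threshold is the cookie size limit quoted earlier.

```python
import os

COOKIE_LIMIT = 4096  # bytes; the ~4KB per-cookie ceiling mentioned above

def default_roots():
    """Well-known Flash Player shared-object directories (they may not exist)."""
    roots = [
        "~/.macromedia/Flash_Player/#SharedObjects",                     # Linux
        "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    if os.environ.get("APPDATA"):                                        # Windows
        roots.append(os.path.join(os.environ["APPDATA"],
                                  "Macromedia", "Flash Player", "#SharedObjects"))
    return [os.path.expanduser(r) for r in roots]

def audit_lsos(root):
    """Map each domain under `root` to its .sol file count and total size."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue  # only Flash shared objects are of interest
            path = os.path.join(dirpath, name)
            parts = os.path.relpath(path, root).split(os.sep)
            # Layout: <random profile dir>/<domain>/.../<name>.sol
            domain = parts[1] if len(parts) >= 3 else "(unknown)"
            entry = report.setdefault(
                domain, {"files": 0, "bytes": 0, "larger_than_cookie": False})
            size = os.path.getsize(path)
            entry["files"] += 1
            entry["bytes"] += size
            # Flag objects that hold more than a browser cookie could.
            entry["larger_than_cookie"] |= size > COOKIE_LIMIT
    return report

if __name__ == "__main__":
    for root in default_roots():
        if os.path.isdir(root):
            for domain, info in sorted(audit_lsos(root).items()):
                print(f"{domain}: {info['files']} file(s), {info['bytes']} bytes")
```

The script only reads and reports; deleting a domain's directory under the profile folder removes its LSOs for every browser at once.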

As for where this is all going, all privacy loopholes on the web are temporary, and there are already browser add-ins that let you control and delete LSOs, and at some point the browsers will absorb that functionality to make it easy for you to use. If I were you, I’d worry more about the things you can’t see: the new keystroke dynamics technique for identifying users announced by Scout Analytics, and backend ISP- and CDN-based tracking – all these are fodder for more paranoid posts in the future.
