In recent months, there has been a lot of fuss around the fact that Facebook tracks its users across the internet. So how do they do this? Before we dive in, let’s look at what cookies are and why they exist.
Let’s start with some quick history. The cookie was created in 1994 by an employee of Netscape Communications, the same company that made the browser. He was creating an online shop, and he didn’t want to store the contents of the shopping cart on the server. Instead, he wanted a way to save it on the computers of the visitors, right until they made their purchase. The reason for this is simple: if the server doesn’t have to keep track of everyone’s shopping cart, it has less work and can save money. In 1994 the Netscape browser implemented cookies and the next year Internet Explorer followed suit. However two years later – in 1996 – the first concerns were raised when it was discovered that cookies could potentially invade our privacy. That would turn out to be very true, but we’re getting ahead of ourselves here. Let’s take a look at how cookies work.
Let’s imagine we have a website that requires people to log in to see the contents of the site. When you log in, your browser sends your username and password to the server, who verifies them and – if everything checks out – sends you the requested content. However, there is a small caveat. The HTTP protocol – which is what we use to browse the internet – is stateless (HTTPS = STATELESS).
That means that when you make another request to that same server, it has forgotten who you are and will ask you to log in again. Can you imagine how time-consuming it would be to browse around a site like Facebook and having to log in again every time you click on something? So cookies to the rescue! You still log in to the website, and the server still validates your credentials. If everything checks out, however, the server not only responds with the content but also sends a cookie to your browser. The cookie is then stored on your computer and submitted to the server with every request you make to that website.
The cookie contains a unique identifier that allows the server to “remember” who you are and keep you logged in. As you can see, cookies are very useful, and they make our lives a lot easier. But it doesn’t stop there! Besides keeping you logged in, cookies can also be used to store your settings.
To remember that you’re logged in, Facebook stores a cookie on your computer, nothing unusual about that, many other sites do the same thing. This cookie is scoped, or bound to Facebook’s domain name, meaning that no one else besides facebook.com can read what’s in the cookie. Let’s now imagine that you browse away and you land on someone’s blog. The blog cannot read your Facebook cookie, and the scope prevents that. Facebook also can’t see that you’re on this blog. All is well.
But let’s now assume that the owner of the blog places a Facebook like button on his website. To show this like button, your browser has to download some code from the Facebook servers, and when it’s talking to facebook.com, it sends along the cookie that Facebook set earlier. Facebook now knows who you are and that you visited this blog. I’m using Facebook as the example here, but this technique is used by many other companies to track you around the internet. The trick is simple convince as many websites as possible to place some of your code on their sites.
Here is an overview of how many cookies they expose you to. Reading some tech news on CNET: 100 cookies, Finding a song on last.fm: 82 cookies, Reading The New York Times: 57 cookies, Finding a job or connecting with your network on LinkedIn 28 cookies. And then some companies take it to the extreme. The company behind Yahoo mentions that their websites could use up to 455 third-party cookies. 455! That’s just outrageous! Granted, not all of these cookies track you around. In fact, a handful of them are essential for the site to work correctly, like a session cookie to remember that you’re logged in. However, the majority of cookies on these websites don’t serve the user.
They are there to track you or to display more targeted ads. So what can we do to prevent these cookies from tracking us on the internet? As a user, you can protect yourself from trackers by installing a browser extension that blocks them like Privacy Badger or Ghostery. You could also switch to a browser with built-in privacy protection tools like Brave or Safari. And if you don’t want to do anything, the law is on your side. More and more politicians realize that cookies are a threat to privacy and that the use of trackers should be regulated.
However, the downside is that cookies, along with other techniques, can be used by large corporations to follow us around on the internet and gather data about us that they can potentially sell to others.