So we’ve all heard how companies like Facebook and Google can use cookies to follow us around the internet and keep track of what we’re interested in. They do this to sell targeted ads or in some cases even share that data with others without our permission. 

In recent months, there has been a lot of fuss around the fact that Facebook tracks its users across the internet. So how do they do this? Before we dive in, let’s look at what cookies are and why they exist. 

Let’s start with some quick history. The cookie was created in 1994 by an employee of Netscape Communications, the same company that made the Netscape browser. He was creating an online shop, and he didn’t want to store the contents of the shopping cart on the server. Instead, he wanted a way to save it on the computers of the visitors, right until they made their purchase. The reason for this is simple: if the server doesn’t have to keep track of everyone’s shopping cart, it has less work and can save money.

In 1994 the Netscape browser implemented cookies and the next year Internet Explorer followed suit. However, two years later – in 1996 – the first concerns were raised when it was discovered that cookies could potentially invade our privacy. That would turn out to be very true, but we’re getting ahead of ourselves here. Let’s take a look at how cookies work.

Let’s imagine we have a website that requires people to log in to see the contents of the site. When you log in, your browser sends your username and password to the server, which verifies them and – if everything checks out – sends you the requested content. However, there is a small caveat. The HTTP protocol – which is what we use to browse the internet – is stateless, and the same is true of HTTPS.

That means that when you make another request to that same server, it has forgotten who you are and will ask you to log in again. Can you imagine how time-consuming it would be to browse around a site like Facebook and have to log in again every time you click on something?

So cookies to the rescue! You still log in to the website, and the server still validates your credentials. If everything checks out, however, the server not only responds with the content but also sends a cookie to your browser. The cookie is then stored on your computer and submitted to the server with every request you make to that website.

The cookie contains a unique identifier that allows the server to “remember” who you are and keep you logged in. As you can see, cookies are very useful, and they make our lives a lot easier. But it doesn’t stop there! Besides keeping you logged in, cookies can also be used to store your settings.

Let’s say you change the number of results your favorite search engine should return. Chances are high that they save this preference in a cookie and not on their servers.

But there are also some restrictions on the use of cookies. Most browsers only allow websites to store a maximum of 300 cookies and they cannot contain a lot of data (just 4096 bytes). The biggest limitation, however, is the fact that cookies set by one website cannot be read by another.

And that restriction raises the question: how can companies use cookies to track us around the internet, especially if a cookie from one website cannot be read by another? How can Facebook, for instance, track what sites we visit? Well, the whole process starts when you log in to Facebook.

To remember that you’re logged in, Facebook stores a cookie on your computer. Nothing unusual about that; many other sites do the same thing. This cookie is scoped, or bound, to Facebook’s domain name, meaning that no one else besides facebook.com can read what’s in the cookie. Let’s now imagine that you browse away and you land on someone’s blog. The blog cannot read your Facebook cookie; the scope prevents that. Facebook also can’t see that you’re on this blog. All is well.

But let’s now assume that the owner of the blog places a Facebook like button on his website. To show this like button, your browser has to download some code from the Facebook servers, and when it’s talking to facebook.com, it sends along the cookie that Facebook set earlier. Facebook now knows who you are and that you visited this blog.

I’m using Facebook as the example here, but this technique is used by many other companies to track you around the internet. The trick is simple: convince as many websites as possible to place some of your code on their sites.
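The flow described above can be modelled in a few lines. This is an added example, not code from the original article: it simulates a browser cookie jar, a tracker that serves an embedded button, and the effect of the third-party cookie blocking that privacy tools apply. The hostnames, the `uid` cookie value and all function names are constructed, and "third party" is simplified to "host differs from the address-bar site".

```javascript
// Toy model: cookies are keyed by exact host. Real browsers compare registrable
// domains and honour Domain/Path/SameSite attributes. All hostnames are constructed.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map(); // host -> cookie string
    this.blockThirdParty = blockThirdParty;
  }
  // One HTTP request. topLevel is the site shown in the address bar.
  request(server, host, path, topLevel) {
    const headers = {};
    const thirdParty = host !== topLevel;
    const allowCookies = !(thirdParty && this.blockThirdParty);
    const cookie = this.jar.get(host); // scope: only this host's own cookie
    if (cookie && allowCookies) headers.cookie = cookie;
    if (thirdParty) headers.referer = `https://${topLevel}/`;
    const res = server(path, headers);
    if (res.setCookie && allowCookies) this.jar.set(host, res.setCookie);
  }
  // Load a page, then fetch each third-party widget embedded in it.
  visit(servers, site, embeds = []) {
    this.request(servers[site], site, '/', site);
    for (const host of embeds) this.request(servers[host], host, '/like-button.js', site);
  }
}

// Hypothetical tracker: sets an ID cookie at login, logs every widget load.
function makeTracker() {
  const seen = [];
  const server = (path, headers) => {
    if (path === '/login') return { setCookie: 'uid=u-1001' }; // constructed value
    if (headers.referer) seen.push({ who: headers.cookie || null, where: headers.referer });
    return {};
  };
  return { server, seen };
}

// Log in to the social site, then read two unrelated sites that embed its button.
function simulate(blockThirdParty) {
  const tracker = makeTracker();
  const plain = () => ({});
  const servers = { 'social.example': tracker.server, 'blog.example': plain, 'news.example': plain };
  const browser = new Browser({ blockThirdParty });
  browser.request(tracker.server, 'social.example', '/login', 'social.example');
  browser.visit(servers, 'blog.example', ['social.example']);
  browser.visit(servers, 'news.example', ['social.example']);
  return tracker.seen;
}

console.log(JSON.stringify({ allowed: simulate(false), blocked: simulate(true) }, null, 1));
```

With blocking enabled, the tracker still receives the widget request and the referring site, but the request no longer carries the cookie that ties it to the logged-in account.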

Facebook has it easy because a lot of people want a like or share button on their website. Google also has an easy job because many websites rely on its advertisement network or on Google Analytics.

At this stage, cookies are getting out of hand. I read the cookie policy of a few popular websites.

Here is an overview of how many cookies they expose you to. Reading some tech news on CNET: 100 cookies. Finding a song on last.fm: 82 cookies. Reading The New York Times: 57 cookies. Finding a job or connecting with your network on LinkedIn: 28 cookies.

And then some companies take it to the extreme. The company behind Yahoo mentions that their websites could use up to 455 third-party cookies. 455! That’s just outrageous! Granted, not all of these cookies track you around. In fact, a handful of them are essential for the site to work correctly, like a session cookie to remember that you’re logged in. However, the majority of cookies on these websites don’t serve the user.

They are there to track you or to display more targeted ads.

So what can we do to prevent these cookies from tracking us on the internet? As a user, you can protect yourself from trackers by installing a browser extension that blocks them, like Privacy Badger or Ghostery. You could also switch to a browser with built-in privacy protection tools, like Brave or Safari. And if you don’t want to do anything, the law is on your side. More and more politicians realize that cookies are a threat to privacy and that the use of trackers should be regulated.

In Europe, we have the GDPR, which requires websites to be transparent about their use of cookies and requires sites to offer users a simple way to opt out. You’ve probably seen these annoying cookie banners asking for your permission. Next time you see them, don’t just click on accept but look at what cookies the website wants to place on your computer and for what purpose.

So to summarize: cookies were invented to make our lives easier and allow us to stay signed into websites or remember the settings that we changed.

However, the downside is that cookies, along with other techniques, can be used by large corporations to follow us around on the internet and gather data about us that they can potentially sell to others.