Will “Mass Surveillance” Report Hasten The Cookiepocalypse?

The prevalence of cookie-free mobile devices and growing hostility to third-party cookies have marked the cookie for almost certain death. A new report will add to the chorus calling for the end of third-party cookies as an online tracking tool.

The report (cited by TheVerge) from Princeton researchers details how relatively simple it is to connect browsing behavior across the internet and tie it to a real identity. The report (embedded below) is called “Cookies that give you away: Evaluating the surveillance implications of web tracking.”

The researchers undertook the study following, and in part motivated by, the NSA-Snowden revelations.

The researchers sought to determine how much could be learned and inferred about real-world identity simply by passively “eavesdropping” on the network and analyzing cookies. The study concludes “mass surveillance” is possible from watching and matching data generated via third-party HTTP tracking cookies.

The report finds that even HTTPS doesn’t do much to impede the surveillance capability:

We conducted automated web crawls of 65 simulated users’ web browsing over three months, and found that unique cookies are so prevalent that the eavesdropper can reliably link 90% of a user’s web page visits to the same pseudonymous ID. (We omitted pages that embed no ID cookies at all, but those are a minority.)

We also found that the cookie linking method is extremely robust and succeeds under a variety of conditions (Section 4.1). We considered how variations in cookie expiration dates, the size of the user’s history (i.e., the number of pages visited), and the types of pages visited affect the eavesdropper’s chances, and found the impact to be minimal. Perhaps most significantly, however, we found that this surveillance method can still link about 50% of a user’s history to the same pseudonymous ID even with just 25% of the current density of trackers on the web. This means that even if 75% of sites or trackers adopt mitigation strategies (such as deploying HTTPS), the eavesdropper still learns a lot.

Matching Cookies to Identify Single Users

Cookie user identification

Source: Princeton University, “Cookies that give you away” (April 2014)

In the diagram above, the report illustrates how third party cookies can be used to connect the dots and identify the same user even when there are three different IP addresses involved in visits to different sites at different times.
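The linking shown in the diagram can be reproduced on constructed data to measure how much of a browsing history ends up under one pseudonymous ID, and how much of that disappears when a tracker's cookies travel over HTTPS. This Python example is added here and is not code from the Princeton report; the domains, IP addresses and cookie values are made up, and it links on cookie values only, ignoring IP addresses.

```python
from collections import defaultdict

# Constructed sample of what a passive observer sees on plain HTTP:
# (client IP, page visited, {tracker domain: ID cookie value}).
OBSERVATIONS = [
    ("198.51.100.7", "news.example",  {"tracker-a.example": "A111"}),
    ("203.0.113.20", "shop.example",  {"tracker-a.example": "A111",
                                       "tracker-b.example": "B222"}),
    ("192.0.2.55",   "forum.example", {"tracker-b.example": "B222"}),
    ("192.0.2.90",   "video.example", {"tracker-c.example": "C333"}),
    ("198.51.100.7", "blog.example",  {"tracker-d.example": "D999"}),
]

def link_visits(observations, https_trackers=frozenset()):
    """Group visits that share an observable ID cookie, transitively.

    Trackers listed in https_trackers are treated as encrypted, so their
    cookies are invisible to the observer and cannot link anything.
    """
    parent = list(range(len(observations)))  # union-find over visit indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (tracker, cookie value) -> first visit carrying it
    for idx, (_ip, _page, cookies) in enumerate(observations):
        for tracker, value in cookies.items():
            if tracker in https_trackers:
                continue
            key = (tracker, value)
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = defaultdict(set)
    for idx, (_ip, page, _cookies) in enumerate(observations):
        clusters[find(idx)].add(page)
    # Largest cluster first; ties broken by page name for stable output.
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))

if __name__ == "__main__":
    print("all trackers on HTTP:   ", link_visits(OBSERVATIONS))
    print("tracker-a moved to HTTPS:", link_visits(OBSERVATIONS, {"tracker-a.example"}))
```

With every tracker on HTTP, three visits from three different IP addresses collapse into one cluster; encrypting one tracker removes a link but the remaining shared cookie still joins two of them.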

The researchers describe the “threat” scenarios they envision from this type of passive surveillance of the network:

The adversary may have one of two goals: first, the adversary might want to target a specific individual for surveillance. In this case the adversary knows either the target’s real-world identity or a single ID cookie known to belong to the target (whether on a domain that’s typically a first party or on a tracker domain). Second, the adversary might be engaged in mass surveillance. This adversary would like to “scoop up” web traffic and associate real-world identities with as much of it as possible.

The researchers say, in conclusion, that they hope the report will contribute to the “policy debate on both surveillance and the web tracking ecosystem.” They also say they hope their findings will help provide an impetus to “fix the problems we identified with non-use of HTTPS on first party sites.”

About The Author: is a Contributing Editor at Search Engine Land. He writes a personal blog Screenwerk, about SoLoMo issues and connecting the dots between online and offline. He also posts at Internet2Go, which is focused on the mobile Internet. Follow him @gsterling.

  • http://BullishData.com/ ReevesJB

    While I actually agree with much of this analysis, I wonder if the authors haven’t considered the alternative. Digital fingerprinting is gaining in sophistication as an alternate measurement technology, and is already seeing use. I just blogged on that topic today, in case anyone is interested: http://www.bullishdata.com/2014/04/07/fingerprinting-tracking-dare-speak-name/
