Top sites are covertly cramming cookies down users' throats

Two new studies show top sites let hundreds of different third parties track customers' online behavior -- and most violate common privacy standards

Judging by the latest spate of high-profile password heists from such popular websites as eHarmony and LinkedIn, companies simply aren't interested in embracing the most basic of best security practices to keep users safe. They are, however, ready and willing to let all sorts of third parties slurp up information about their site visitors, judging by a couple of separately released studies on how companies track users online.

One of the reports, released today from Keynote, found that 86 percent of the 269 leading news, financial, travel, and retail websites install third-party tracking cookies on users' machines, and 60 percent of the sites have at least one tracker that violates good industry privacy practices. A separate study out of UC Berkeley found that sites are increasingly using flexible HTML5 local storage in favor of Flash cookies to track users.

"The number of websites that allow visitors to be tracked by third parties may be surprising to some, but as consumers begin to understand that their online behavior can be recorded, enterprises will have to work even harder to ensure that consumers' privacy expectations are met," said Ray Everett, Keynote's director of privacy services.

According to Keynote, much of the data that companies collect via cookies is used for behavioral advertising. Third-party trackers place cookies to track a user's clicks and path through the Web and to know what a visitor buys at any given site.

The problem here is, users don't have a clear way of knowing which third parties are planting cookies, how they're using the data they collect (beyond, say, providing more expensive travel offers to Mac users), or how well those third parties are protecting potentially sensitive data. Given that users are becoming increasingly concerned about their online privacy, site operators may feel greater pressure from customers, advocacy groups, and the feds to do a better job.

"Ultimately, the burden of policing third-party trackers falls on the shoulders of website publishers," said Everett. "A publisher is responsible for the content of their website, including the practices of the advertisers appearing on it. Monitoring the constantly changing advertising ecosystem is a daunting task, but the consequence of failure is the placing of your brand's reputation at tremendous risk."

Broken down by industry, Keynote's analysis showed that nearly all travel and media websites have third-party tracking (95 and 96 percent, respectively). What's more, nearly three out of four financial services sites exposed visitors to third-party tracking -- and 52 percent of those third-party trackers violate at least one of the industry's most common privacy standards, such as participation in industry self-regulatory programs or offering consumers opt-out choices.

Making matters worse for users, Keynote found that only one of the 211 third-party trackers it investigated is committed to honor a visitor's request not to be tracked via the Do Not Track feature that browser vendors are implementing.

The study out of UC Berkeley, called Web Privacy Census, points to which third parties are planting those cookies and how're they're doing it. Nathan Good, chief scientist and principal of Good Research, and Chris Jay Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Technology, worked with online privacy company Abine to conduct three separate crawls of the top 100 most popular websites, as well as the top 1,000 and top 2,500.

Notably, the report found that organizations are increasingly turning to HTML5 storage to drop cookies while the use of Flash cookies is on the decline. That finding jives with a report last year, titled "Flash Cookies and Privacy II: Now With HTML5 and ETag Respawning," in which researchers cautioned that sites were phasing out Flash cookies in favor of HTML5.

"HTML5 storage offers many advantages over ordinary cookies, and since it does not involve using a plug-in (like Flash), HTML5 may become a more universal tracking mechanism. Like Flash cookies, HTML5 storage is more persistent than HTTP cookies," according to that report. "HTTP cookies expire by default, and in order to make them persistent, developers must use a complex syntax and constantly update the expiration date. HTML5 data are persistent until affirmatively deleted by a web site or user. Storage size is important too. While Flash cookies have a default limit of 100KB, HTTP cookies store just 4KB, compared to 5MB for HTML5 storage."

The study found most of the cookies -- around 84 percent -- were placed by one of 446 different third-party hosts. Google had cookies on 16 of the top 100 sites, and the company's ad-tracking network, DoubleClick, had cookies on 73. Combined, Google has a presence on 78 of the top 100 websites. Among the 63,000-plus cookies the researchers found among the top 1,000 websites, 87 percent came from third parties. Google had cookies on 105 of the top 1,000 sites whereas DoubleClick had 685. Looking at the 2,500 most popular websites, the researchers discovered that 87 percent had cookies and found a total of 442,055 cookies in all. Of those, 76 percent came from one of 17,949 third-party hosts. Google had cookies on 770 of the top 25,000 sites; DoubeClick had cookies on 8,554.

Google isn't the only company baking and distributing cookies, of course. Other top trackers included data-analytics company BlueKai, Quantserve (via Quantcast), and ScoreCareResearch (via comScore) -- and there are many, many others.

"The Web advertising ecosystem is sprawling and complicated, with hundreds of ad networks all competing to gather as much targeting data on consumers as they possibly can," Keynote's Everett said. "It's very much still a 'wild west' mentality and the activities of aggressive tracking companies can place website publishers in a difficult position: How do you monetize your website without alienating your visitors and exposing yourself to legal risk?"

This story, "Top sites are covertly cramming cookies down users' throats," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies