Cookie variants skirt blockers, anti-spyware tools

Just because your Web browser is set to block third-party tracking cookies that doesn't mean all of them are being blocked.

A growing number of Web sites are quietly resorting to the use of "first-party," subdomain cookies to skirt anti-spyware tools and cookie blockers and allow third-party information gathering and ad serving, according to some privacy advocates and industry analysts.

Though the cookies are not fundamentally different from other third-party cookies, they are very hard to detect and block, said Stefan Berteau, research engineer with CA's anti-spyware research team. The result: companies could theoretically use the cookies to quietly gather and share consumer information with little risk of detection, he said.

So far, the use of first-party, subdomain cookies appears to be less prevalent than standard third-party cookies, Berteau said. "But it's the kind of thing that might catch on quickly."

The growing, but largely hidden, issue of online consumer-tracking and information-sharing burst into the open in recent days because of the controversy generated by Facebook's Beacon ad-serving technology. In that case, the use of tracking technology was acknowledged by the company, though it has been blasted for not allowing users to easily opt out and for failing to disclose how extensively it was being used.

First-party, sub-domain cookies are those that appear to be served up by the primary Web site a user is visiting; in reality, they are being issued by an external third party. For example, a company whose primary domain name is xyz.com could create a sub-domain called trackerxyz that falls within the xyz.com domain so it would look like this: www.trackerxyz.xyz.com

This subdomain actually points to a third party's server. But because the parent domain names are the same, the user's browser sees that server as belonging to the parent -- and treats cookies from both equally.

Web sites that allow such cookies are taking advantage of the fact that the standards used to categorize cookies rely on domain names, not IP addresses, Berteau said. In other words, whether a cookie is seen as a first-party cookie or a third-party cookie depends on the domain from which the cookie was served up, not on the IP address of the server itself. "Basically a sub-domain can be pointed to any IP address" while still having its cookies treated as first-party cookies, he said.

In many cases, first-party, sub-domain cookies serve legitimate purposes, said Carolyn Hodge, marketing director for TRUSTe. For instance, a bank might have a relationship with an external bill pay vendor, and might set cookies that appear to come from the bank but actually have been set by the bill pay vendor.

"Where it becomes an issue is if there are any sort of secondary uses" associated with those cookies such as activity tracking or ad serving that are being done without notice, she said. In such cases, it would be incumbent on the Web site to disclose that it is using such cookies, she said.

Concerns about the practice could soon prompt a review of TRUSTe's policies surrounding the acceptable use of such cookies, Hodge added. "Our program does not disallow the use of third-party cookies, but we have strict requirements for privacy" related to them.

TRUSTe basically certifies and monitors a Web site's privacy and e-mail policies; Its TRUSTe privacy seal is used by more than 2,500 companies in 56 countries.