The use of first-party, sub domain cookies is relatively new and seems to be a response to the widespread blocking of third-party cookies that is done routinely by anti-spyware tools and Internet browsers, said Alain Zidouemba, senior research engineer at CA.
CA's own anti-spyware tools look at the domain from which a cookie is served to decide whether a cookie is third-party or not. The tools then use a score card method to decide whether to block or allow the cookie. The decision is based on self-disclosed information that each third-party cookie is required to have in the form of a compact P3P statement. That statement basically comprises a series of 3-letter tags representing a particular statement about that cookie's privacy policies, which are used to pass or fail a cookie.
In a test of 205,000 randomly selected unique URLs earlier this year, CA discovered more than 20,000 URLs setting nearly 24,300 third-party cookies that were classified as a threat to privacy. More than half of those third-party cookies were issued by tracking networks such as advertising.com, specificclick.net, 2o7.net and spylog.com. The tracked information ranged from a user's IP numbers, to data on queries to a search engine, logs of account activity, information generated by the purchase of products and services and demographic data such as gender, age and income.
Detecting such cookies would be a lot harder if they are served up as first-party sub domain cookies, Zidouemba said.
For users, blocking them could get more difficult. "So far, we are not aware of a simple way for users to protect themselves, because it is relatively difficult to automatically detect them when they occur," Zidouemba said. "Particularly advanced users could manually investigate each of their cookies, and then use their browser to block the ones which are being redirected to sites they do not approve of."
But that can be a time-consuming and fairly tedious process, "not at all something which an everyday user would be able to undertake, he added.