The end of third-party cookies and the law of unintended consequences
Jonathan Freedman
CCISO | CISSP | CCSP | CISM | CGEIT | CEH | CIPP/E | CIPM | ISO27001 Provisional Implementer | ISO42001 Provisional Implementer | Azure AI Engineer Associate | Head of Technology & Security at Howard Kennedy
Welcome back to my weekly cyber security blog and I hope you all had a wonderful week. You’re innocently browsing the web looking for a new TV; you find the 4K Ultra LED Smart TV of your dreams, add it to your basket, then change your mind. You close the tab and move on to the next thing, and suddenly you’re seeing adverts for that TV on every website you visit. Are you still thinking about it? Is this a coincidence? Nope: this is the world of third-party cookies tracking you across the web. Advertisers want to know as much about us as possible to show targeted ads, but are we willing to be tracked across the internet? For most, the immediate answer is no, and as our expectations of privacy have increased, laws and regulations have changed. However, as in many areas in life, there is a rule of unintended consequences. At first, tracking cookies (more on that in a minute) silently tracked us across the internet. Then, new rules came in that required our consent first, and the cookie banner became a part of our lives. Now, when visiting almost any website, we must click a button to accept cookies. This has become so common that most people just click “Accept All” (usually the most prominent option) and quickly move on. Do we know what we just agreed to? Well, my friends, let’s find out as we explore the world of browser tracking, privacy regulations and the death of the third-party cookie.
Chocolate chip all the way
Anyone who knows me would not be surprised to know that I’m chocolate chip over oatmeal raisin. However, we’re talking browser cookies, which are simply small text files that your web browser saves on your device as you use the internet. Cookies were originally developed by Lou Montulli at Netscape in 1994 (I know I’m showing my age, but does anyone else remember Netscape Navigator?) and are essential to modern websites. For example, once we’re logged into Amazon, we stay logged in and don’t have to re-enter our password every time we visit. Why is this? Cookies!
Cookies provide a personalised web experience, enabling sites to remember logins, personal preferences, shopping carts, and history. Essentially the cookie allows the web server to know who we are and link us back to an account or login session in its database (sneak preview: cookie theft also allows malicious hackers to bypass multi-factor authentication, which I will talk about in next week’s blog). This uncontroversial type of cookie is a first-party cookie, also known as a session cookie, and is generated by and used by the site we’re visiting.
What’s more... well, creepy... are third-party cookies (or tracking cookies). These are the kind that follow us around the internet. Website ads usually embed code from AdTech companies so that, as the ad is displayed, a cookie is set in our browser, and that cookie is then used to track our interactions across multiple websites and build a profile of our behaviour and activities.
Closing the cookie jar
Third-party cookies have a bad reputation, so laws like GDPR started requiring websites to be open about their use of cookies, bringing us the ubiquitous cookie banner. Now, when we visit any site, we must consent to the use of cookies. Problem solved, right? Well, no. Of course I’m in favour of transparency; however, I would argue that cookie banners are not transparent. It’s normally complicated and time consuming to click anything other than “Accept All”, and it’s not easy to know what we’ve agreed to. Tech companies saw this too: as far back as 2013, Firefox and Safari started blocking third-party cookies by default. Now, Google have finally announced that the Chrome browser (with its 64% market share) will do the same by the end of 2024 (having delayed this from 2022 and 2023).
That’s good, right? Now our privacy will be restored. I’m sure you can guess: nope. Here we find the rule of unintended consequences again. The modern internet runs on targeted advertising, which relies on detailed data about us. This makes many services free (well, we’re paying with our data rather than our money, but you get the idea). Up until now, that data has mainly been gathered using third-party cookies, and whilst I agree that removing them is a positive step, it may lead to less transparency. Although we may not like third-party cookies, we do at least control them. We can choose to delete them, or have our browser delete them automatically. The end of support for third-party cookies forces AdTech to get more creative about gathering data.
Everyone is Unique
It’s well known from watching TV crime drama that everyone’s fingerprint is unique (1 in 64 billion apparently), and whilst they don’t have fingers, did you know that electronic devices, our phones, laptops and tablets also have unique fingerprints?
When we access any website or most apps, our browsers and apps are sharing data with web servers, and you may be surprised just how much data is shared. In the same way that the ridges on our fingertips form a unique pattern, our devices and how we use them do the same. A combination of factors, including device hardware, operating system, geolocation, apps, browser, browser extensions, IP address, battery level and more, can be tracked by websites and forms a unique device fingerprint.
For example, I tested my personal laptop for a fingerprint using Cover Your Tracks and found my browser shared 17 identifying pieces of information, making my device unique amongst the 184,169 tested in the last 45 days. My browser shared: operating system, CPU, memory, time zone, language, privacy settings, name of browser, list of browser plugins, cookies, screen size, colour depth, and list of fonts.
In addition to this basic information, websites use a variety of other techniques. For example, by having the browser draw an image rather than loading an image file, a site can take advantage of the fact that different browsers and graphics hardware draw it slightly differently, and the result can be tracked. Websites can also measure the exact spacing between components on a page as it’s rendered on a device to gather more data. The same applies to sound: by having the browser play a sound, the result can identify the hardware that produced it. All of these factors together form a fingerprint, and whilst the fingerprint does not link to a specific person, it does link to a specific device and allows AdTech to track it, even if the user deletes all their cookies.
This is the unintended consequence: AdTech evolves, and as fingerprinting happens entirely on the server, we cannot see it or stop it by deleting cookies. There is action we can take, though. Whilst we cannot prevent fingerprinting entirely (blocking all the data the browser sends would stop websites from functioning correctly and be inconvenient, and not sharing the data that everyone else shares would itself be another form of fingerprint), there are some things we can do to reduce the tracking. Privacy-focused search engines like DuckDuckGo, and privacy-focused browsers like Mullvad or Brave, reduce fingerprinting by randomising some of the data returned, making the fingerprint less useful and specific. The Electronic Frontier Foundation (EFF) has created a browser plugin called Privacy Badger which, rather than being an ad-blocker, is designed to block trackers. It is available for Chrome, Edge, Firefox and Opera.
Privacy is a vital part of our individual freedom; however, on the modern internet we expect services to be free to use, and companies rely on targeted advertising as a core part of their business models. This will always result in a balancing act between privacy, convenience and functionality. As technology and regulations evolve and we move away from the third-party cookies that have tracked us for decades, we will need to be aware of new ways of tracking and decide where on that scale we want to sit.
I believe in our cyber security community and that by sharing and helping each other we can all be safer. So, everything above is just my opinion; what’s yours? Please share in the comments below and stay safe.