Browser cookies are dead, but online tracking is still alive and kicking

Tracking cookies are so five minutes ago. The new privacy boogiemen? Google's AdID and browser fingerprinting.

I have to admit, online tracking seemed a lot more dangerous before Ed Snowden came along. The idea of advertisers compiling dossiers of your Web movements which may or may not be anonymous seems like Pee Wee’s Playhouse compared to news of NSA skullduggery.

I am here to argue that online tracking is still worth caring about, for at least two reasons:

a) The odds of the NSA snooping on you personally are still pretty slim. The likelihood that ad companies are compiling data about you are almost certain, unless you’ve taken measures to stop them.

b) The potential uses of tracking data – as well as the potential to tie it to your actual legal identity – are still mostly unknown. Today, they’re used to deliver targeted ads. Tomorrow, your Web history could determine whether you get hired or qualify for a credit card.

And, of course, any data trove that can be mined and used to place you in large categories (soccer mom, NASCAR dad, possible terrorist) are also fair game for Spooks Inc.

With that in mind, here are three things to be aware of.

1. Do Not Track is off the rails

Earlier this week, the Digital Advertising Alliance resigned from the W3C’s Tracking Protection Working Group. This follows the resignation last month of Peter Swire, who was appointed last fall to try and herd all the TPWG kittens toward some kind of workable conclusion by the end of July, and the departure in July of Stanford security researcher Jonathan R. Mayer, a particularly frisky kitten on the privacy advocacy side.

The DAA was the ad industry’s answer to FTC calls for Do Not Track legislation. It’s the group responsible for those little blue Ad Choices triangles you’ll see on an increasing number of Web ads. Managed by Evidon, the Ad Choices program allowed you to view which companies were tracking you and to opt out from some of them, though actually opting out was so difficult and limited that it was largely an exercise in public relations, I think.

In my humble opinion, the DAA was only interested in a solution that ensured the vast majority of Netizens did absolutely nothing to prevent advertisers and their cronies from tracking them. Mayer was only interested in a system that gave free and unfettered choice to consumers, making it easy for them to opt out (I was with him on that one). Swire got a better offer, having been asked to join President Obama’s intelligence review panel. 

At this point, it’s hard to hold out any hope that anything useful will come out of this process at all, despite a great deal of effort by a great many smart and dedicated folks. (I lurk on the electronic mailing list of the TPWG, and it’s a fascinating study in both the sheer complexity of Internet privacy and bureaucratic dysfunction.)

So I’ll just say it. Do Not Track is dead, Jim. In fact, tracking cookies themselves are headed towards the tar pits. What’s going to replace them could well be far worse.

2. Google is following you

According to a report that appeared in Tuesday’s USA Today, Google is planning to abandon cookies and develop its own tracking technology. Exactly how the new system, called AdID, works is not explained. Per the story:

The AdID would be transmitted to advertisers and ad networks that have agreed to basic guidelines, giving consumers more privacy and control over how they browse the Web, the person said, on condition of anonymity…

The AdID may be automatically reset by the browser every year, and users will be able to create a secondary AdID for online browsing sessions they want to keep particularly private, the person explained..

So AdID might well be a good thing. I suspect a big reason Google decided to take this route was the clear lack of agreement in the Do Not Track standards group. Then again, this is Google, so they’ll be sure to monetize that data in as many ways as they can. We’ll have to see how it plays out. (And, again, we all now know how chummy Google is with the NSA.)

But what it means in the big picture is that tracking cookies are kaput. Crumbled. Swept into the dustbin of Internet history. As it becomes obvious to everyone that the Do Not Track process is in a persistent vegetative state, I predict that browsers that block cookies by default will become much more prevalent.

More important, though, cookies are dead because there are more insidious ways of identifying you on the Web.

3. Your fingerprints cannot be erased

And by “fingerprints” I mean browser fingerprints. Advertisers and their buddies won’t need cookies to identify you, because they can use the information provided for free by your browser to mark you as, well, you.

The Electronic Frontier Foundation has a free tool called Panopticlick that lets you see exactly how unique your browser really is.

Among other things, the applet looks at your “user agent” (like Mozilla or IE, the kind of browser you’re using to access the site), your screen resolution, the time zone where you live, and the plug-ins and fonts you have installed. Using just these bits of data, the java applet can uniquely identify your browser more than 85 percent of the time. Even so called “private” browsers, like Epic, can be easily fingerprinted.

ty4ns-panopticlick results for epic.png

Add in other data like your IP address, and the uniqueness percentage verges closer to 100, at least for desktops and laptops. Mobile browsers are harder to identify – at least, so far. But as far as I am aware, there is no way to effectively stop browser fingerprinting from occurring, though running Javascript blockers like No Script helps slightly.

True, this technology has been around for several years and has yet to take off. But there are a number of startups in the browser fingerprinting market that are just getting ramped up. Rest assured that as cookies decline, fingerprinting will ascend.

And then you may long for the days when there were still cookies left to crumble.

Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blogeSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

Now read this:

Web trackers are totally out of control

Further adventures in data mining, or welcome to my Lear Jet Lifestyle

Four reasons why Do Not Track turned into Do Not Trust

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon