Profile picture
, 36 tweets, 11 min read
My Authors
Read all threads
A thread on 1st-party vs. 3rd-party cookies, and how tracking companies are actively trying to undermine users' privacy preferences.

First, some basics (this is simplified):

A cookie is a key/value pair (a variable) that allows websites to save data in users' web browsers. 1/
Cookies aren't always bad: they allow settings to be saved, as well as enable things like shopping carts. But they can—and are—used for tracking people: a website can assign a user a unique identifier, so that they know what pages that user visits on a site over time. 2/
Each cookie is bound to a domain name: every time the browser requests a URL from that domain name, it automatically sends that web server all previously-set cookies (that haven't expired or been manually deleted) for that domain name. 3/
A website can contain content from other domains, each of which can set its own cookies when that content is loaded. For example, cnn.com embeds an image from facebook.com. When the browser loads that image, facebook.com sets a cookie. 4/
These are known as "third-party" cookies. That is, cookies set by domains other than what appears in the browser's URL bar. 5/
When a user returns to cnn.com, CNN knows that it's seen this user before (based on its first-party cookie), and Facebook also knows that this user previously visited CNN (via its third-party cookie). 6/
If a company has its 3rd-party content embedded in many different websites (as Facebook/Google/Adobe do), they can track users across all of them, allowing them to build a detailed profile of a user's behavior.

Since this happens automatically, it's mostly invisible to users. 7/
Worse, embedded 3rd-party content often isn't part of the user experience (e.g., useful images and widgets), but is explicitly for tracking: images that are a single transparent pixel, so that they are (1) invisible to users and (2) allow the 3rd-party to set tracking cookies. 8/
To give users some modicum of control over this, browsers allow users to block third-party cookies, if they so choose.

Until very recently, third-party cookies were stored by browsers by default, and a user had to take proactive steps to configure their browser to block them. 9/
Similarly, this is how a lot of browser privacy extensions work: they simply don't allow third-party cookies to be set. Many will use lists of known tracking domains and block cookies being set by those domains (e.g., this is one of the things that @disconnectme does). 10/
This brings us to "cookie syncing":

For security, cookies are only sent to the domain that set them: a browser won't send facebook.com cookies set by cnn.com. 11/
Thus, if companies want to "share" identifiers they've created to track users, they need to be creative.

If CNN wants to automatically and uniquely identify its users to Facebook, they can't simply share the same cookie. They need to do what's known as "cookie syncing." 12/
There's a good explanation of the details of cookie syncing by @s_englehardt here: freedom-to-tinker.com/2014/08/07/the…

13/
This brings us to syncing of first-party cookies:

Because many third-party cookies are blocked by privacy tools when users don't want to be tracked, many of the biggest players have shifted to colluding with websites to set first-party cookies instead. 14/
The way this works is:
1) CNN sets its own first-party cookie to uniquely identify a user.

cookie name: "_fbp"
cookie value: "fb.1.1574792864436.1680904631"
cookie domain: "*.cnn.com"

("_fbp" is the name of Facebook's tracking cookie.)

15/
2) CNN appends the value of this cookie to a URL pointing to Facebook's web server. (The extraneous information after the "?" in a URL is known as a "query string"; it allows additional information to be embedded in a URL, readable by a web server and scripts on the page.) 16/
3) This URL is then embedded in CNN's website, which points to a 1x1 transparent pixel, hosted by facebook.com. The browser sees this as an image it needs to retrieve, and in so doing, transmits the query string containing the value of CNN's cookie to Facebook. 17/
Before, sites would embed trackers—often 3rd-party images—so when browsers load them, a 3rd-party server would send a "Set-Cookie" HTTP header to set a 3rd-party cookie.

Now, tracking companies use 1 of 2 ways to set these as 1st-party cookies (less likely to be blocked): 18/
1) JavaScript on a webpage can set cookies for that webpage's domain. So if a tracking company convinces a website operator to include their JavaScript, they can set 1st-party cookies without having them appear in HTTP traffic. Facebook offers this:
facebook.com/business/help/… 19/
2) If the 3rd-party's server appears to actually be within the 1st-party domain, the browser will be tricked into seeing these cookies from a 3rd-party as 1st-party cookies. This is what Adobe is asking websites to do; a CNAME is a DNS alias.



20/
So, by setting 1st-party cookies instead of 3rd-party cookies, trackers are able to more easily evade users' preferences to block them. 21/
However, when cookies are set by 1st parties, cookie syncing is needed. That is, these 1st-party cookies will get shared with the 3rd-party via the method I described above (e.g., including their values as query strings for 3rd-party URLs embedded in the page). 22/
That is, Facebook's JavaScript will set a new 1st-party cookie for every 1st-party website the user visits. All of these will get sent to Facebook as query strings, but Facebook needs a way of determining that they all came from the same user. 23/
There are multiple ways that this can be accomplished:

1) The 1st-party website can append additional identifying information to the query string that gets sent to Facebook. For example, an email address, name, etc. 24/
In fact, Facebook explicitly instructs website operators to do this:
developers.facebook.com/ads/blog/post/…

However, the websites setting the cookies may not have this information. 25/
2) Another way that they can do it is via "browser fingerprinting," which basically just means uniquely identifying users based on the characteristics of their web browsers. The EFF provides a great demo of how this works here: panopticlick.eff.org

26/
A fingerprint generated in the browser can have relatively high entropy (i.e., be uniquely identifying). In conjunction with an IP address, more so.

We previously showed that users can be identified based on the fonts they have installed: guanotronic.com/~serge/papers/… 27/
3) Finally, trackers can use their own 1st-party cookies to do this cooke syncing:

When software blocks 3rd-party cookies, they generally do so by preventing cookies from being *set* by 3rd-parties; they often don't prevent existing cookies from being *sent* to 3rd parties. 28/
That is, imagine going to Google and logging in. This will result in a 1st-party cookie being set. If you're blocking 3rd-party cookies, that won't prevent this.

29/
Once set in the 1st-party context, this cookie could later be transmitted in the 3rd-party context (i.e., another website may embed URLs pointing to google.com, which when loaded, will automatically be sent the previous google.com cookie). 30/
This is why Google and Facebook are pushing for using 1st-party cookies and have no qualms about blocking 3rd-party ones: it's a competitive advantage for them since users are likely to have their cookies stored in 1st-party contexts (i.e., many users log into their sites). 31/
While I pick on Google, Facebook, and Adobe here—and I'm not sure "picking on" is the correct term, since this is all empirical—there are likely many others doing this. This is an industry-wide shift. 32/
What's galling about all of this is that it's being done *explicitly* to prevent users from exercising control over their privacy.

In most of these cases, the companies' marketing materials make this very clear. 33/
For example, from Google's documentation: support.google.com/analytics/answ…

Here, "more reliable" means making it harder for users to opt out.

34/
Facebook writes about using first-party cookies to "reach more customers": facebook.com/business/help/…

...using only third-party cookies is "less effective." 35/
But they care very deeply about the privacy of their users!

Fin.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Serge Egelman

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @v0max see all

Profile picture
Serge Egelman
@v0max
More research showing why the "privacy paradox" is a misnomer.

For those unfamiliar, the "privacy paradox" refers to the notion that people *say* they care about privacy, but then *act* in ways that are at odds with those stated preferences (e.g., sharing information online). 1/
The idea that people's intentions often don't match their actions is nothing new. This has been well-studied with regard to behavior change in psychology. For example, in Ajzen's "Theory of Planned Behavior"
(en.wikipedia.org/wiki/Theory_of…), perceptions of control moderate behavior. 2/
That is, people might *want* to behave a certain way, but if they don't believe they have control, often they will ultimately fail to act. This doesn't mean their intentions weren't true. 3/
Read 11 tweets
Profile picture
Serge Egelman
@v0max
Today's personal story of machine learning run amok (thread):

My research group is looking at the privacy behaviors of paid apps. Doing so requires us to purchase lots of paid apps. The Play Store processes each purchase separately, as opposed to batching them. 1/
So, purchasing, say, 1,000 apps will result in 1,000 credit card authorizations. Banks enforce a maximum number of card authorizations per day. In conducting this study, it appears as though this number is in the double digits. Thus, my card was repeatedly frozen. Repeatedly. 2/
After multiple hourly calls to my bank to explain the problem, they said there's nothing that can do: their fraud detection algorithm will always lock the account after this number of transactions. Okay, Plan B: we'll buy gift cards. 3/
Read 11 tweets
Profile picture
Serge Egelman
@v0max
A primer on privacy as "contextual integrity" and why privacy notices on mobile platforms (both Android and iOS) are insufficient for attaining informed consent. Thread:

If your doctor asked for permission to collect your medical history, you would probably say yes.

1/
However, if that doctor asked to collect your medical history to give to marketers for advertising purposes, you would probably decline.

The difference is, in the first case, you're making assumptions about how the data will be used based on who is making the request.

2/
Knowing just the type of data requested and the requester are insufficient to make an informed decision: people also consider the purpose and other constraints (e.g., will data be resold, stored securely, etc.), which are equally important factors.

3/
Read 7 tweets

Related threads

Profile picture
Miracle ValentineBoy (JACOB, Prince)
@Princejv2
PONDER ON THE WORD BELOW (A #THREAD):

God created this world and brought man, a living being unto which He bestowed life, into it. Next, the man came to have parents and kin and was no longer alone.
Ever since man first laid eyes on this material world, he was...

#Thread
1/
destined to exist within the ordination of God. The breath of life from God supports each and every living being throughout growth into adulthood.

During this process, no one feels that man is growing up under the care of God; rather, they believe that man is...

#Thread
2/
doing so under the loving care of his parents, and that it is his own life instinct that directs his growing up. This is because a man knows not who bestowed his life, or from whence it came, much less the way which the instinct of life creates miracles. He knows...

#Thread
3/
Read 41 tweets
Profile picture
Okechukwu Ifeora
@isocroft
So, my thread on how to choose databases for your web apps starts in 20 minutes time. Hope y'all are ready ?However, this time i would love it to be an interactive session where we can learn from each other about database preferences for specific web apps and the use case
#thread
This is what we want to talk about today. Take a really good look at the image below. Study it well. Also notice the words at the 3 vertexes of the triangle. CONSISTENCY, AVAILABILITY & PARTITION-TOLERANCE (Big English - but fear not, we shall demystify all and it'll all be easy)
If we also look at the image in the previous tweet on this thread we can see some popular databases placed at certain sides of the triangle. It is important to note also the positioning of some of a particular point on each side. We shall discuss this in more detail soon. #thread
Read 48 tweets
Profile picture
Vivaldi
@vivaldibrowser
Your browser is (probably) one of the apps you use most throughout the day. What can it do to protect your privacy online? Let's take a look.

vi.tc/2CICDnZ

#privacy #Security #YourBrowserMatters
Your browser:

1. Secures your connection to websites.

When you connect to a secure (https) website, your browser establishes a secure connection with that website. All data is encrypted so that only the browser and the website can see what is being sent over the connection. 🔒 The site info pane in Vivaldi browser
2. It checks for certificates.

Your browser checks the certificates sent by the website to make sure you’re connecting to the real domain. That stops attackers from pretending to be that website. Simply put, an attacker will not have the website’s certificate.
Read 13 tweets
Profile picture
DespicableDrew
@DespicableDrew
#THREAD: the #Epstein case vs the #MichaelJackson case: for those talking about "getting away" with "crimes", let's take a look at how (white) privilege really works. And why nobody talks about Epstein, while #MJ is being subjected to another slanderous mockumentary. (1)
For a good comparison, we'll take a look at the timeline of the #Epstein case versus that of the #MJ case. You'll see the differences in approach, treatment and mediatic consequences by yourself. #JusticeforMJ #ExposeTheLiars (2)
miamiherald.com/news/local/art…
As per screenshot 1, the parents of #Epstein's alleged victim, a 14-y.o. girl, reported the alleged crime to the police. In 1993, the first allegations against MJ started with an extortion plan and a search for a "highly profitable settlement". (3) More: themichaeljacksonallegations.com/the-1993-alleg…
Read 40 tweets
Profile picture
AeroDynamic Women
@AeroWomen
#Thread of responses from women in aerodynamics to the question, 'what would you like to see in order for women's career progression in your field to be sustained and better supported?'

Responses incl. career flexibility, mentoring and more women in leadership roles #WomeninSTEM
1. "I think young female engineers need to see more female role models and mentors in my field. Having a visible example of someone that looks like you and is succeeding in their field is important. Having an opportunity to meet with a mentor like that can be very powerful."
2. "I would like to see that any career promotion is based on own merits and value added to the company or the society independently of the gender. I want that women are measured with the same rules as men and are given equal opportunities."
Read 68 tweets
Profile picture
Oby Ezekwesili
@obyezeks
From Poverty Central to Prosperity: How the Obiageli 'Oby' Ezekwesili Presidency will lift 80+ million Nigerians out of poverty. #Thread
#Fight4Naija
Today is an exciting day for this campaign as we will be sharing the most important issue in our ambitious plan for Nigeria that shows our readiness to govern from Day One. I will be telling you how we intend to lift 80 million Nigerians out of poverty. #Fight4Naija
We expect citizens to hold us to account for every word we say and every promise we make, not just on our innovative solutions for tackling poverty which I would be sharing today, but on our entire manifesto to be released to the public on Friday. #Fight4Naija
Read 237 tweets

Trending hashtags

#political #PoliciaDeInvestigaciones #leiDAtransparência #Hezbollah #BolsonaroTeEnganouBabaca #BolsoSilvioVemAi #Lavajato #LosPrisoneros #LAI #direitos #CarabinerosDeChile #Flow #indiginousLand #LaMarchaMásGrandeDeChile #ForMigration #abismo #GOPE #EmbaixariaBrasileira #Bíblia #Retrospectiva2018 #EUAvisei #FuerzasEspeciales #EstoNoPrendio #polêmicasBolsonaro #zorrillo
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!