Cookies: Taking Transparency a Step Further

Contrary to the belief of some, the EU E-Privacy Directive was never about stopping cookies. It was always about raising awareness of what they are, which ones are set and how they can be misused. It was, and still is, a cause of annoyance for many - especially as only four member states have currently adopted the provisions.

Whilst I don't think the implementation was correct, the underlying principle is sound - we should be ensuring users are aware of what data we're storing in their browser and how it's used. Most sites, in my opinion, don't go nearly far enough to achieve this, instead just scraping the minimum standard.

In this post, we'll be exploring what I think we're doing wrong, and what we should be aiming for.

 

Choice

When the law was first implemented in the UK, giving the user an informed choice formed a huge part of the directive. We were told that users should be informed that cookies would be set, and given the option to opt-out (even if this meant they simply couldn't use the site).

Many of the bigger companies opted to ignore this requirement, instead choosing to show a banner that essentially said "We use cookies, we'll assume you agree if you use the site". At the 11th hour, the Information Commissioner's Office stated that this was an acceptable implementation, and the idea of an informed choice was dead.

Now whenever we browse UK sites, we're plagued with banners telling us what most of us already knew - sites set cookies. So the net effect, really, is that we've increased bandwidth usage slightly but made no real gain otherwise. For those of us who tried to stick to the original interpretation, the end result was a large decrease in traffic as users were scared off by the cookie choice screen. There's not much point in trying to help protect users if your attempts drive them away!

 

Cookies were misunderstood

I've never quite decided whether this was a case of the message getting watered down, or simple technical ineptitude on the part of legislators. I'd assume, though, that the truth lies somewhere between the two.

The simple fact is, cookies are not inherently evil. They serve a useful purpose, and there are uses that can only be efficiently fulfilled with cookies. The problem is that they can be misused - the most common example being setting an "anonymous" ID which is then used to track and profile your browsing habits across the net. Everyone likes to point at a particular advertising giant, but the social networks are just as bad.

In some ways the Social Networks are worse: I can at least install something like AdBlockPlus to stop advertisers from tracking me, though I'd probably need to block the Analytics systems as well. How many sites give you the option to block social media icons? Most of these load in an iframe and set whatever cookies the SM networks want. Every time you visit a page with a 'Like' button, Facebook knows you've been there.

 

There's more to this than Cookies

Cookies were singled out, but they are perhaps the most benign of mechanisms that can be used. They may be the most widely used, but are by no means the only way of tracking you around the net. At least most users will have heard of cookies (in the computing sense), even before the Privacy Directive hit the news.

How many have even heard of a Local Shared Object, let alone know what one is? How many of those will know how to clear them, to view what's been set, or to set them to be deleted when the browser is closed? Local Shared Objects (in the Flash sense) have been in use for a long time, and certain slimebags have even used them to resurrect standard cookies after the user deletes them!

Browsers that support HTML5 (in as much as you can support something that's not a formal standard...) also have local storage objects - Local Storage and Session Storage. The latter is automatically cleared when your session ends, but the former can persist forever. It's an incredibly useful feature, but also something that's open to misuse.

 

It's not us paying the price

Think about the following examples, all of which we regularly encounter when browsing:

  • Social Media Share Buttons
  • Adverts
  • Analytics

Every single one of these costs Site Administrators (anyone else miss the term Webmaster?) nothing. It may take a small amount of time to add the relevant code, but they cost nothing and bring huge benefits.

Share buttons allow our readers to share our content with their online connections, potentially bringing in more traffic. Advertising generates us revenue, and Analytics help us improve almost every aspect of the way our site works in order to generate higher traffic (and so increase revenue).

As a user though, the benefits are far smaller. Share buttons bring convenience, but every one of the above allows our behaviour to be tracked and profiled online - often without our immediate knowledge. Obviously advertisers would like us to believe that ads enrich our lives, offering new opportunities etc, but I'm dubious, to say the least.

The true beneficiaries, of course, are those who provide these integrations - they can collect vast quantities of data on our browsing habits, usually in order to display 'more relevant' ads. It's this behavioural tracking (and the associated profiling) that led to the Privacy Directive, and yet we continue to enable it!

 

So what are we doing wrong?

Ultimately, we cannot expect users to understand what cookies and storage objects are. Personally, I'm not convinced it's unreasonable to ask them to gain an understanding, but the realistic outcome is that 99% of users just won't bother - they feel they should just be able to use a computer without an understanding of how it works. I don't agree with the outlook, but it's not for us to say who should and shouldn't have privacy, just because they aren't willing to learn about the tools they're using.

But, then, we don't actually need users to understand the basics. All we need them to know is:

  1. Data can be/is stored in their browser
  2. This data can be misused - and some of the implications
  3. What data is being stored

We're slowly getting there on points 1 and 2, but most sites don't even begin to touch number 3. Most have a cookie policy, detailing what cookies are set and why, but it just doesn't go far enough.

Relying on that page is entirely dependent on those policies being updated when things change. An unrealistic expectation, given the huge level of integration on most sites.

You may update your cookie policy when you add something new to the site, but will you update it if Twitter decides to set an extra cookie when your 'Tweet' button displays (will you even know you need to)?

We've already seen that the integrations we use benefit us at the cost of our users' privacy; the very least we can do is show them exactly what is being set.

It's for precisely that reason that I began developing mod_yourData, allowing Joomla! based sites to display exactly what data is being set. At the moment it doesn't include Flash storage objects, or items set by other domains on the site, but it's a start. Users can now view the dedicated page on my site to see what's been set.

It's something I'd like to see far more sites doing. Trying to get users to care about cookies may not be working, but that doesn't mean we shouldn't still be striving to be as transparent as possible. It is their data, after all.
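As an added illustration (not mod_yourData's code, and not part of the original post), the JavaScript below builds the kind of list described above from what script on the page can read: cookies, Local Storage and Session Storage. The function names and sample values are constructed for the example; like the module, it cannot see Flash storage or items set by other domains.

```javascript
// Added example; every function name here is hypothetical, not mod_yourData's API.
// Decode a percent-encoded value, keeping the raw text if it is malformed.
function safeDecode(raw) {
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// Turn a document.cookie-style string ("a=1; b=2") into rows.
// Script cannot read a cookie's expiry, and HttpOnly cookies never appear here.
function cookieRows(cookieString) {
  return (cookieString || "").split(";").map((p) => p.trim()).filter((p) => p !== "")
    .map((pair) => {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? "" : pair.slice(0, eq);
      const value = safeDecode(eq === -1 ? pair : pair.slice(eq + 1));
      return { mechanism: "cookie", name, value, lifetime: "not visible to script" };
    });
}

// Walk a Web Storage object (localStorage or sessionStorage) through its
// standard length/key()/getItem() interface. Pass null if storage is blocked.
function storageRows(storage, mechanism, lifetime) {
  const rows = [];
  if (!storage) return rows;
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    rows.push({ mechanism, name, value: storage.getItem(name), lifetime });
  }
  return rows;
}

// Combine everything the current origin has stored into one list for display.
function buildInventory(cookieString, local, session) {
  return [
    ...cookieRows(cookieString),
    ...storageRows(local, "localStorage", "until cleared"),
    ...storageRows(session, "sessionStorage", "until the session ends"),
  ];
}

// Constructed stand-in for a Storage object so the example runs outside a browser.
function fakeStorage(items) {
  const keys = Object.keys(items);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => items[k] };
}

// Constructed sample data; in a page, pass document.cookie, localStorage, sessionStorage.
const sampleInventory = buildInventory(
  "session_id=abc123; theme=dark%20mode; bad=%E0%A4%A",
  fakeStorage({ lastVisit: "2013-01-01" }), fakeStorage({ draft: "hello" })
);
console.table(sampleInventory);
```

Rendering the returned rows into a table on a dedicated page gives users a live view that stays accurate even when the written cookie policy has fallen behind.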

 

What Doesn't Work

The idealist in me would love to see Opt-In rather than Opt-Out systems, but the reality is that it just won't work in today's world - at least not on a site-by-site basis. Most users don't care enough to Opt-Out, which means they'll also never Opt-In. Many of the free resources we enjoy on the Internet are there because of advertising; the adverts displayed may not make the site a profit, but they at least offset the costs of keeping the site online.

How many users are actually going to choose to turn ads On?

If we want Opt-In systems, it's those that actually set the cookies that need to change. It's perfectly possible to display ads without tracking users' browsing habits in detail, but it's down to the users to ask for that to happen, and I'm not convinced we're always asking the right people.

Ultimately, for individual sites, there's a real balance to be struck between limiting privacy concerns and generating revenue/traffic. No-one wants to expose their users to tracking cookies, but it's also important to ensure the site remains viable. If every other site contains Share buttons, what's the likelihood that your content is going to be shared on Social Media without? The proliferation of one-click buttons has made users increasingly lazy, so the quality of your content has to be higher and higher for them to consider it worth typing an additional URL just to share. No traffic means that you're talking to yourself, and footing the hosting bills for nothing more than the privilege of typing out a post that no-one will read.

What I would like to see, however, is more sites offering the functionality I've implemented recently - the ability to block (some or all of) those services that set cookies.

I've still got to decide whether to allow the blocking of Ads (most of those who really care are probably using an ad-blocker anyway), but users can already choose to block Social Icons and Google Analytics on my site. Although not currently supported, I'm intending to add the ability to block items to mod_yourData so that users can not only see what's being set, but decide what shouldn't be set in future.

 

Conclusion

Not much has changed since the Privacy Directive was adopted. We're generally more aware of cookies, largely because of the irritating banners that appear everywhere, but it's not clear that anyone actually cares any more than they did before. Certainly the original aim of giving users an informed choice has fallen by the wayside, and those who led to the original concerns haven't really changed their behaviour at all.

Whilst there are plenty who care about privacy, we're still falling well short of what we should be aspiring to - transparency - and privacy seems to be an afterthought to a lot of people, at least until a past mistake comes back to haunt them. The ideals of online privacy just aren't going to happen - those we need to be asking are too vested and won't change, and those we are asking don't have the power to change anything but a few sites, putting themselves at a disadvantage in the process - but there are steps we can (and should) take to allow those who do care to make their own choice.

It's down to each administrator to weigh the commercial interests against the potential privacy impact, and the Crowd Mentality comes into play here - if every other site is using social icons and Google Analytics, why wouldn't you?

I'd love to see a lot of this change, and plan to release a number of tools to help Site Administrators give individual users a choice, in the same way I've started to. Being able to opt-out of Google Analytics across the entire Internet is all well and good, but it only addresses a tiny proportion of the issue.