Andrew Hosgood

OO PHP Web Developer specialising in User Interface Design and User Experience

Don't Fear the Cookie!

29th November 2013

Cookies. You may have heard about them. Let's get the obvious long-running joke out of the way and make this post unambiguous by stating up-front that I don't mean the delicious ones with chocolate chips. I mean the ones that have been in the news recently – the bad ones. The ones that will jump you in a dark alleyway, beat you up, steal your wallet and use the money to buy drugs.

Well hang on, why are we so quick to judge these horrible things; do you even know what a cookie is? Let's start simple:

What is a cookie?

A cookie is simply a piece of data. But before you run away screaming about data privacy and all whatnot, where is this piece of data stored? Government servers? Your ISP? No, cookies are stored in your browser – on your machine. If you have ever visited a site and found your settings remembered when you came back, that is a cookie or two doing their job.

The problem

There are two types of cookies: first-party and third-party. If the site you were visiting saved a cookie for you, it's a first-party cookie. Sometimes though, sites will utilise tools built by other companies, such as including a Facebook 'Like' button or using Google Analytics. The cookies these tools set (obviously, I hope) are third-party cookies and are saved not against the site you are visiting, but against the site that wrote the tool.

Third party cookies can be used to track you, and here's how:

  1. You visit a blog with a Facebook 'Like' button
  2. The button is linked to the Facebook API and, if you are logged in, the tool saves a few third-party cookies in your browser, for example: "Who? Andrew Hosgood. Site?"
  3. If you visit another site that used the same code to produce another 'Like' button, the tool (which has access to cookies it created) can ask "Who? Andrew Hosgood. Visited anywhere else?"

These are known as cross-domain cookies and it is here where the problem lies. Sites can build up a profile and history of people's web surfing.
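The three steps above can be replayed as a small simulation. This is an added example, not code from the original post: the `Browser` and `WidgetServer` classes and the `*.example` domains are constructed for illustration, and `WidgetServer` stands in for any 'Like' button provider.

```javascript
// Constructed model of a browser cookie jar, keyed by the domain that SET the cookie.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map(); // domain -> Map(cookie name -> value)
    this.blockThirdParty = blockThirdParty;
  }
  // Loading a page makes one request to each embedded widget's own domain.
  visit(site, widgets) {
    for (const w of widgets) {
      const thirdParty = w.domain !== site;
      const allowed = !(thirdParty && this.blockThirdParty);
      // Cookies are sent only to the domain that created them, and only if allowed.
      const cookies = allowed ? (this.jar.get(w.domain) ?? new Map()) : new Map();
      const setCookies = w.handle({ referer: site, cookies });
      if (allowed && setCookies) {
        this.jar.set(w.domain, new Map([...cookies, ...Object.entries(setCookies)]));
      }
    }
  }
}

// Hypothetical widget provider: files every request under the visitor id cookie.
class WidgetServer {
  constructor(domain) {
    this.domain = domain;
    this.profiles = new Map(); // visitor id -> list of sites the widget was loaded on
    this.nextId = 1;
  }
  handle({ referer, cookies }) {
    let id = cookies.get('uid');
    const isNew = id === undefined;
    if (isNew) id = `u${this.nextId++}`; // "Who?" asked for the first time
    this.profiles.set(id, [...(this.profiles.get(id) ?? []), referer]);
    return isNew ? { uid: id } : null; // only new visitors get a Set-Cookie
  }
}

function simulate(blockThirdParty) {
  const widget = new WidgetServer('social.example');
  const browser = new Browser({ blockThirdParty });
  for (const site of ['blog.example', 'news.example', 'shop.example']) browser.visit(site, [widget]);
  const lengths = [...widget.profiles.values()].map((h) => h.length);
  return { profiles: widget.profiles.size, longestHistory: Math.max(...lengths) };
}

console.log(simulate(false)); // one profile that links all three sites
console.log(simulate(true));  // three separate single-visit profiles
```

With third-party cookies blocked the widget is still loaded on every page, but the cookie no longer ties those visits to one visitor.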

The new EU cookie "law"

The politicians in Brussels (who somehow wrangled getting paid obscene amounts of money to sit around and come up with absurd time-wasting rules), bored with banning olive oil, defining how bendy our bananas should be and banning diabetics from driving, recently (over a year ago – I write slowly) passed a law that affected my job – the EU cookie law. Well, I say "law", but each country can enact its own legislation and apply it in its own way.

By exploiting people's ignorance of cookies and keeping the masses scared of data theft, the self-elected Elders of the Internet managed to pass legislation that basically says websites now have to get the user to opt in to any "non-essential" cookies. The International Chamber of Commerce has a more thorough explanation of this in their ICC UK Cookie guide (PDF – 289 kB). I can only imagine that no one in the room when they made the decision knew anything about computers and that they were probably "advised" by the same sort of "experts" that work for the Daily Mail.

Don't panic!

[Image: Firefox Cookie Settings]

The solution is a simple one. It's your browser – you should have COMPLETE control over what it stores. Taking Firefox as an example, there are easy-to-find controls for your cookie management in your preferences, but Chrome and Safari are just as easy if you have a quick poke through the settings.

If you want to disable cookies completely, check out this WikiHow on how to disable cookies in your browser. If you are still worried, you can be as covert as me and disable certain JavaScript and Flash on sites. If you still have a niggling feeling, you probably should step away from your computer now. There are many ways to collect data about people without using cookies and this legislation won't stop companies from doing so. This is why data protection officials in Germany are making the absurd claim that Google Analytics (aimed partly at helping developers collect mostly-anonymous data about users' computers to help make better websites) is illegal. Data protection officials are such fun-loving guys.

It's my problem, not yours

At the end of the day, you don't have to worry about much. As the web developer in this relationship, I am the one that has to make sure all my sites comply with the directive, even if I don't agree with it.

Websites will continue to track you using other methods; some companies will choose to ignore the legislation, others will be fined. The geniuses in Brussels will continue to get paid, I will carry on protesting and you will carry on surfing.

All I ask is that you sigh a little and think of me whenever you next click the box that says "Yes, I understand this site uses cookies".