
First Party Vs. Third Party Cookie

  • lovelovelove
    Message 1 of 10 , May 26, 2005
      I'm new to web analytical solutions. I was reading the write up from
      Webtrends about First Party Vs. Third Party Cookies. Here's my question:
      1. Webtrends says that there are numerous analytics solutions that
      claim to serve a 1st-party cookie by asking permission to write to a
      company's DNS server, and using a cookie masquerading technique to
      "trick" the internet browser client to make the cookie from the
      analytics vendor look like a legitimate 1st-party cookie.
      --- I assume by above they actually mean using CNAME to let a third
      party analytics company set first party cookie. Is that right?

      2. Webtrends also says We don't recommend this approach as we believe
      it does not follow the spirit of what a 1st-party cookie actually is
      and is vulnerable to being a practice picked up by anti-spyware
      applications or potentially being the focus of legislation.
      --- So what is the legitimate first party cookie approach?

      Any links to documentation on above would be appreciated. Thanks in
      advance.
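The CNAME arrangement asked about in point 1 can be audited from the site owner's side. The sketch below is an added example, not part of the thread: it follows a hostname's CNAME chain, flags hosts that end up at a different registrable domain, and lists which of the site's cookies such a host receives. All hostnames, DNS records, cookie names and the three-entry suffix set are constructed assumptions; a real audit would use live DNS answers and the full Public Suffix List.

```python
# Added example: audit hostnames for CNAME-delegated "first-party" trackers.
# Every hostname, DNS record and cookie below is constructed for illustration.

# Tiny stand-in for the Public Suffix List (assumption, not the real list).
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}

# Constructed zone snapshot: name -> (record type, value).
RECORDS = {
    "www.shop.example": ("A", "192.0.2.10"),
    "metrics.shop.example": ("CNAME", "shop.collector.analytics-vendor.example"),
    "shop.collector.analytics-vendor.example": ("CNAME", "edge7.analytics-vendor.example"),
    "edge7.analytics-vendor.example": ("A", "198.51.100.20"),
    "img.shop.example": ("CNAME", "cdn.shop.example"),
    "cdn.shop.example": ("A", "192.0.2.11"),
    "loop.shop.example": ("CNAME", "loop2.shop.example"),
    "loop2.shop.example": ("CNAME", "loop.shop.example"),
}

# Constructed cookie jar. "domain" is the Set-Cookie Domain attribute;
# None means a host-only cookie that goes back to the setting host alone.
COOKIES = [
    {"name": "sid", "set_by": "www.shop.example", "domain": "shop.example"},
    {"name": "cart", "set_by": "www.shop.example", "domain": None},
    {"name": "vid", "set_by": "metrics.shop.example", "domain": None},
]


def registrable_domain(host):
    """Return the public suffix plus one label, or None if there is none."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def cname_chain(host, records, max_hops=8):
    """Follow CNAME records from host; raise ValueError on a loop or long chain."""
    chain = [host.lower().rstrip(".")]
    seen = set(chain)
    while True:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain
        target = value.lower().rstrip(".")
        if target in seen or len(chain) > max_hops:
            raise ValueError("CNAME loop or over-long chain at " + target)
        chain.append(target)
        seen.add(target)


def cookies_sent_to(host, cookies):
    """Names of cookies a browser would attach to a request for host."""
    sent = []
    for c in cookies:
        if c["domain"] is None:
            if c["set_by"] == host:  # host-only: exact match required
                sent.append(c["name"])
        elif host == c["domain"] or host.endswith("." + c["domain"]):
            sent.append(c["name"])  # Domain cookie: host and all subdomains
    return sent


def audit(host, records, cookies):
    """Classify host and report which cookies reach whoever operates it."""
    site = registrable_domain(host)
    try:
        chain = cname_chain(host, records)
    except ValueError as exc:
        return {"host": host, "verdict": "error", "detail": str(exc)}
    foreign = [h for h in chain[1:] if registrable_domain(h) != site]
    received = cookies_sent_to(host, cookies)
    return {
        "host": host,
        "verdict": "cloaked-third-party" if foreign else "first-party",
        "operator": registrable_domain(chain[-1]),
        "chain": chain,
        "receives": received,
        # Cookies set elsewhere on the site that this host still receives.
        "exposed": [c["name"] for c in cookies
                    if c["name"] in received and c["set_by"] != host],
    }


if __name__ == "__main__":
    for name in ("metrics.shop.example", "img.shop.example", "loop.shop.example"):
        print(audit(name, RECORDS, COOKIES))
```

In the constructed data the session cookie `sid` is scoped to the whole site with `Domain=shop.example`, so it is also sent to the vendor-operated `metrics.shop.example`; a host-only session cookie would not be.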
    • Tomas Remotigue
      Message 2 of 10 , May 31, 2005
        1. Yes

        2. I would tend to disagree, simply because this is no different than any other hosted service that thousands of companies use every day for handling CRM, order fulfillment, and other services. The issue as I see it is really the fact that it distills down to the negative connotations that people have of 3rd party cookies, and how that would be a deception of the consumer if that were instead registered as a 1st party cookie. Yet at the same time, people don't complain if they get redirected to a 3rd party domain when they attempt to get tech support for an issue from a product manufacturer.

        My hope is that as the consumer becomes more educated, saner heads will prevail and realize that the privacy implications all around are overblown. Of course, there are certain parties that might want to set malicious 3rd party cookies, however if those parties can convince a company to set up a CNAME so as to enable them to set that cookie as a first party cookie, that to me is no different than me setting up a fraudulent business under a reputable company's name with their authorization (even their support!). Who would be to blame there? Just my $0.02.

        Tom

        On 5/26/05, lovelovelove <mahesh_swam@...> wrote:
        I'm new to web analytical solutions. I was reading the write up from
        Webtrends about First Party Vs. Third Party Cookies. Here's my question:
        1. Webtrends says that there are numerous analytics solutions that
        claim to serve a 1st-party cookie by asking permission to write to a
        company's DNS server, and using a cookie masquerading technique to
        "trick" the internet browser client to make the cookie from the
        analytics vendor look like a legitimate 1st-party cookie.
        --- I assume by above they actually mean using CNAME to let a third
        party analytics company set first party cookie. Is that right?

        2. Webtrends also says We don't recommend this approach as we believe
        it does not follow the spirit of what a 1st-party cookie actually is
        and is vulnerable to being a practice picked up by anti-spyware
        applications or potentially being the focus of legislation.
        --- So what is the legitimate first party cookie approach?

        Any links to documentation on above would be appreciated. Thanks in
        advance.





        ---------------------------------------
        Web Metrics Discussion Group
        Moderated by Eric T. Peterson
        Author, Web Analytics Demystified
        http://www.webanalyticsdemystified.com





      • Stephen Turner
        Message 3 of 10 , Jun 1, 2005
          --- In webanalytics@yahoogroups.com, Tomas Remotigue <tomremo@g...>
          wrote:
          >
          > The issue as I see it is really
          > the fact that it distills down to the negative connotations that
          > people have of 3rd party cookies, and how that would be a deception
          > of the consumer if that were instead registered as a 1st party
          > cookie. Yet at the same time, people don't complain if they get
          > redirected to a 3rd party domain when they attempt to get tech
          > support for an issue from a product manufacturer.
          >
          > My hope is that as the consumer becomes more educated, saner heads
          > will prevail and realize that the privacy implications all around
          > are overblown. Of course, there are certain parties that might want
          > to set malicious 3rd party cookies, however [...]
          >

          I don't think you've understood what people's main worries about
          third-party cookies actually are. Or at least, if we set aside all the
          conspiracy theories, there is still a genuine issue. It's that a lot
          of companies all use DoubleClick for their advertising, so that
          DoubleClick can piece together everything that I do on all the sites I
          visit. Of course, I expect a company to know about what I do on their
          own site. When they start contracting it out to a third party, and
          moreover every other site contracts it out to the same third party,
          that seems a step too far.

          Web analytics is different from DoubleClick, because DoubleClick
          really does want to tie together everything you do and so only uses
          one cookie, whereas we use a separate cookie for each site, and keep
          the data separate. But that's subtle -- people still feel that one
          company knows everything they do, even if in fact we can't piece it
          together.

          Whether this worry is justified or misplaced is something people can
          debate endlessly; but I think it's at least one that intelligent
          people can hold, and I think it helps to understand what the issue
          actually is so that we can address it. And to turn it on its head, let
          me recall what Alex Chudnovsky said on 8th April:

          > Come to think of it -- is there _ANY_ good reason for a surfer NOT
          > to block all 3rd party cookies? I can't see a single one at all,
          > can you?

          As far as I can see, all third-party cookies are for the benefit of
          the site owner, not the visitor. The only benefits for the visitor are
          indirect ones (keeping the cost of the site down etc.).

          --
          Stephen Turner
          CTO, ClickTracks http://www.clicktracks.com/
        • Joe Wilson
          Message 4 of 10 , Jun 1, 2005
            WARNING: If you are tired of the debate over third party cookies and
            privacy, don't bother reading this post. You have been warned! :o)

            Stephen Turner wrote:

            >I don't think you've understood what people's main worries about
            >third-party cookies actually are. Or at least, if we set aside all the
            >conspiracy theories, there is still a genuine issue. It's that a lot
            >of companies all use DoubleClick for their advertising, so that
            >DoubleClick can piece together everything that I do on all the sites I
            >visit. Of course, I expect a company to know about what I do on their
            >own site. When they start contracting it out to a third party, and
            >moreover every other site contracts it out to the same third party,
            >that seems a step too far.
            >
            >
            >
            I am not sure that I buy this argument. DoubleClick is a member of the
            Network Advertising Initiative (http://www.networkadvertising.org),
            which places strict limits on what a member can do with regards to data
            collection and usage. In the interest of full disclosure, my company -
            Tacoda - is also an NAI member.

            A publisher chooses to be affiliated with DoubleClick (or Tacoda or
            ....) and to allow them to track their users. Any user can choose to
            opt-out (and in fact, can opt-out of all NAI member sites with a visit
            to a single page -
            http://www.networkadvertising.org/optout_nonppii.asp). No PII may be
            merged with non-PII data and links to the opt-out must be placed on
            the privacy policy of any website using the service. See
            http://www.networkadvertising.org/aboutnai_principles.asp for a complete
            set of principles of the NAI.

            Contrast this to the standard (and might I add ubiquitous) credit card -
            they have PII, sell this data indiscriminately to catalog and direct
            marketing firms and know far more about you than DoubleClick or Tacoda,
            as it also includes purchase information from the mundane to the
            extravagant to the esoteric. All of this is buried in terms of service
            of the credit card printed in type so small that a magnifying glass is
            usually required to read it. On top of this, it is exceedingly
            difficult to opt-out of this program. And yet, I don't hear anybody
            calling for restrictions on the use of this data by credit card
            companies. For this invasion of privacy we get the convenience of not
            having to pay cash for everything and the benefit of carrying debt at
            extravagant interest rates. (OK, so maybe I am over-dramatizing this
            just a bit ;o) )

            >Web analytics is different from DoubleClick, because DoubleClick
            >really does want to tie together everything you do and so only uses
            >one cookie, whereas we use a separate cookie for each site, and keep
            >the data separate. But that's subtle -- people still feel that one
            >company knows everything they do, even if in fact we can't piece it
            >together.
            >
            >
            >
            >
            Agreed, but I think it is not quite so different as you make it out to
            be. Is it a reasonable use of third-party cookies to track a website
            visitor across sites owned by a single corporate parent? For example,
            there are a number of large publishing conglomerates in the US that have
            websites ranging from major daily newspapers to television stations and
            a variety of other media. They would claim that any customer of one
            business is thereby a customer of the parent organization and it is well
            within their rights to collect and use this data as they see fit. In
            addition, sometimes a single logical website is made up of a series of
            vanity URLs - take a look, for example, at iVillage.com, which uses
            different domains for different content.

            What about a publishing partner that provides some part of the content
            on a site or network of sites (cars.com, Associated Press, etc)? Is it
            reasonable for a site to track their visitor's usage on those sites if
            they were the conduit through which the pages were consumed? How about
            an e-commerce affiliate model such as Amazon or eBay, isn't it reasonable
            that a site owner be able to track the effectiveness of referrals of a
            visitor as they move off the site and potentially buy something from the
            affiliate partner?

            >As far as I can see, all third-party cookies are for the benefit of
            >the site owner, not the visitor. The only benefits for the visitor are
            >indirect ones (keeping the cost of the site down etc.).
            >
            >
            >
            I am not trying to be argumentative, but it seems the same could be said
            of all cookies and all tracking (including web analytics). The tie
            between tracking of visitor usage on a single site and some benefit to
            the visitor is tangential at best (improved site navigation, more
            relevant content, etc). There is no direct benefit to the consumer for
            any of these activities (with the possible, and I would claim trivial,
            exception of site personalization).

            It is my perspective that the debate over third party cookies is a
            canard. The real issue is control over data, who has that control and
            what the balance should be between a consumer's right to privacy and the
            rights of a business to maximize the value of their business data.
            Cookies are simply a tool, and sadly, the only tool we have available to
            us to mediate this interaction between consumer and business.

            If a publisher clearly discloses their data collection practices and a
            visitor has a clear mechanism for opting out of data collection
            practices that they disagree with, I believe that a publisher is well
            within their rights to form whatever partnerships that they choose to
            maximize the value of that data.

            Regards,

            Joe Wilson
            Chief Scientist
            Tacoda
          • Stephen Turner
            Message 5 of 10 , Jun 1, 2005
              --- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
              wrote:
              >
              > Stephen Turner wrote:
              >
              > >As far as I can see, all third-party cookies are for the benefit of
              > >the site owner, not the visitor. The only benefits for the visitor
              > >are indirect ones (keeping the cost of the site down etc.).
              >
              > I am not trying to be argumentative, but it seems the same could be
              > said of all cookies and all tracking (including web analytics). The
              > tie between tracking of visitor usage on a single site and some
              > benefit to the visitor is tangential at best (improved site
              > navigation, more relevant content, etc). There is no direct benefit
              > to the consumer for any of these activities (with the possible, and
              > I would claim trivial, exception of site personalization).
              >

              All tracking, but not all cookies. Some sites, such as Craig's site
              LOVEFiLM, inherently require you to be logged in. They are unusable
              without cookies, or at least some sort of session id. They don't
              require persistent cookies, but it's convenient to me not to have to
              log in again every day.

              > It is my perspective that the debate over third party cookies is a
              > canard. The real issue is control over data, who has that control
              > and what the balance should be between a consumer's right to privacy
              > and the rights of a business to maximize the value of their business
              > data.
              >

              I think that's a fair point. Individuals put that balance in different
              places, and different cultures do too. In particular, Europeans tend
              to be much more skeptical of "rights of a business" in general. With
              regard to personal data, in the UK we have laws requiring businesses
              to reveal all personal data they hold about me for a £10 fee, and
              to give me an opportunity at data collection time to opt out of having
              my details passed to any other company. So I think the average
              European and the average American may have different perspectives on
              this.

              --
              Stephen Turner
              CTO, ClickTracks http://www.clicktracks.com/
            • Joe Wilson
              Message 6 of 10 , Jun 1, 2005
                Stephen Turner wrote:

                >I think that's a fair point. Individuals put that balance in different
                >places, and different cultures do too. In particular, Europeans tend
                >to be much more skeptical of "rights of a business" in general. With
                >regard to personal data, in the UK we have laws requiring businesses
                >to reveal all personal data they hold about me for a £10 fee, and
                >to give me an opportunity at data collection time to opt out of having
                >my details passed to any other company. So I think the average
                >European and the average American may have different perspectives on
                >this.
                >
                >
                Undoubtedly true on all accounts. In fact, I have no problem with the
                process you describe. It is very much in line with the principles of
                the NAI and I suspect would be acceptable to most publishers in the US
                as well.

                Out of curiosity, how is "personal data" defined? Does it include
                anonymous behavioral information (i.e. clickstream data)? If so, that
                would seem an enormous burden on the business to keep behavioral data
                around in detail form for some period of time.

                We do not yet do business in Europe so I have managed to remain
                willfully ignorant (other than a basic familiarity) of European privacy
                regulations. Frankly, just keeping up with the state of affairs in the
                US is more than enough to keep me occupied. :o)
              • Stephen Turner
                Message 7 of 10 , Jun 1, 2005
                  --- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
                  wrote:
                  > Stephen Turner wrote:
                  >
                  > Out of curiosity, how is "personal data" defined? Does it include
                  > anonymous behavioral information (i.e. clickstream data)? If so,
                  > that would seem an enormous burden on the business to keep
                  > behavioral data around in detail form for some period of time.
                  >

                  No, I believe it's only personally identifiable information. So it's
                  not strictly relevant to web analytics, except as a general cultural
                  reluctance for companies to hold any form of personal data, and
                  certainly to share it with other companies. (Of course, this attitude
                  exists in certain American subcultures as much as in Europe.)

                  --
                  Stephen Turner
                  CTO, ClickTracks http://www.clicktracks.com/
                • Craig Sullivan
                  Message 8 of 10 , Jun 1, 2005
                    Well,
                     
                    Thanks for the mention there Stephen.  We do require people to accept first party cookies to use our site but it isn't down to pure marketing reasons <grin>.  We have a balance to strike between ensuring session security (see www.owasp.org) and measuring visitor traffic in a way that helps me improve the site experience.
                     
                    Yes, the big difference I feel between many UK firms and US firms is that we in the UK are very aware of our responsibilities under the Data Protection laws. In the USA, I think that there are some (not all) firms that take advantage of the information provided to abuse the relationship between consumer visits and the desire to market to these visitors. I don't think the regulatory framework is strong enough in the US and I'm quite happy to work with the rules we have here in the UK (and EU)....
                     
                    We are just completing our membership of the bonded sender program (sic) and this will allow us to get regular system emails to our customers.  We don't view this work as a way of sending rubbish to people but to ensure that our customers get timely, useful and pertinent information relating to their account subscription with us. 
                     
                    There IS a benefit to web metrics and like Star Wars, this can always be used for the 'Dark Side' as well as for the good of the force.  I try to use this to benefit customers in meaningful ways.  For example, I've noticed that lots of people need new envelopes so I'm working on a 'request an envelope' system.  Some 'Dark Side' marketing folks probably would like to send them a co-branded envelope and several emails but I simply want to help people get what they want.
                     
                    Cookies, logins, session IDs and other information can be used or misused - it all depends on the intent of the company involved. 
                     
                    Craig Sullivan
                    Product Manager, LOVEFiLM.
                    www.lovefilm.com
                    
                    Sign up with code EM25 for a free month on me!
                    Tel: + 44 (0) 20 7751 7547
                    Fax: + 44 (0) 20 7751 7505
                    Mobile: + 44 (0) 7711 657 315 






                  • Andrew Edwards
                    Message 9 of 10 , Jun 1, 2005
                      But what is "personal data"? Web analytics tracks usage anonymously--or
                      at least it does when properly practiced.

                      I think the suspicion surrounding cookies is actually an expressed
                      desire for invisibility rather than anonymity--which I think may be
                      unreasonable in some cases.

                      Stephen Turner wrote:

                      >--- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
                      >wrote:
                      >
                      >
                      >>Stephen Turner wrote:
                      >>
                      >>
                      >>
                      >>>As far as I can see, all third-party cookies are for the benefit of
                      >>>the site owner, not the visitor. The only benefits for the visitor
                      >>>are indirect ones (keeping the cost of the site down etc.).
                      >>>
                      >>>
                      >>I am not trying to be argumentative, but it seems the same could be
                      >>said of all cookies and all tracking (including web analytics). The
                      >>tie between tracking of visitor usage on a single site and some
                      >>benefit to the visitor is tangential at best (improved site
                      >>navigation, more relevant content, etc). There is no direct benefit
                      >>to the consumer for any of these activities (with the possible, and
                      >>I would claim trivial, exception of site personalization).
                      >>
                      >>
                      >>
                      >
                      >All tracking, but not all cookies. Some sites, such as Craig's site
                      >LOVEFiLM, inherently require you to be logged in. They are unusable
                      >without cookies, or at least some sort of session id. They don't
                      >require persistent cookies, but it's convenient to me not to have to
                      >log in again every day.
                      >
                      >
                      >
                      >>It is my perspective that the debate over third party cookies is a
                      >>canard. The real issue is control over data, who has that control
                      >>and what the balance should be between a consumer's right to privacy
                      >>and the rights of a business to maximize the value of their business
                      >>data.
                      >>
                      >>
                      >>
                      >
                      >I think that's a fair point. Individuals put that balance in different
                      >places, and different cultures do too. In particular, Europeans tend
                      >to be much more skeptical of "rights of a business" in general. With
                      >regard to personal data, in the UK we have laws requiring businesses
                      >to reveal all personal data they hold about me for a £10 fee, and
                      >to give me an opportunity at data collection time to opt out of having
                      >my details passed to any other company. So I think the average
                      >European and the average American may have different perspectives on
                      >this.
                      >
                      >
                      >
                    • webbanalys
                      Message 10 of 10 , Jun 5, 2005
                        The tracks are never anonymous if enough data is available and these
                        various sources are combined.

                        Example: Using the cookie to pinpoint a unique browser's connection to
                        an IP, one can combine that information with the data found in a
                        firewall/proxy to pinpoint which computer made the request.
                        There are companies today who use and have access to ISP registration
                        data to get more details of the visitor that were submitted when the
                        ISP surf account was activated.

                        A cookie alone containing IP number and random number doesn't have
                        any personal information, the danger lies in how other sources are
                        managed. I.e. a cookie policy can essentially be a blow in the air
                        given the other sources that when misused can be utilized to pinpoint
                        who the user is. Properly practiced and used a cookie is harmless.

                        /F

                        --- In webanalytics@yahoogroups.com, Andrew Edwards <aedwards@t...>
                        wrote:
                        > But what is "personal data"? Web analytics tracks usage anonymously--or
                        > at least it does when properly practiced.
                        >
                        > I think the suspicion surrounding cookies is actually an expressed
                        > desire for invisibility rather than anonymity--which I think may be
                        > unreasonable in some cases.