Loading ...
Sorry, an error occurred while loading the content.

Re: First Party Vs. Third Party Cookie

Expand Messages
  • Stephen Turner
    ... I don t think you ve understood what people s main worries about third-party cookies actually are. Or at least, if we set aside all the conspiracy
    Message 1 of 10 , Jun 1, 2005
    • 0 Attachment
      --- In webanalytics@yahoogroups.com, Tomas Remotigue <tomremo@g...>
      wrote:
      >
      > The issue as I see it is really
      > the fact that it distills down to the negative connotations that
      > people have of 3rd party cookies, and how that would be a deception
      > of the consumer if that were instead registered as a 1st party
      > cookie. Yet at the same time, people don't complain if they get
      > redirected to a 3rd party domain when they are attempt to get tech
      > support for an issue from a product manufacturer.
      >
      > My hope is that as the consumer becomes more educated, saner heads
      > will prevail and realize that the privacy implications all around
      > are overblown. Of course, there are certain parties that might want
      > to set malicious 3rd party cookies, however [...]
      >

      I don't think you've understood what people's main worries about
      third-party cookies actually are. Or at least, if we set aside all the
      conspiracy theories, there is still a genuine issue. It's that a lot
      of companies all use DoubleClick for their advertising, so that
      DoubleClick can piece together everything that I do on all the sites I
      visit. Of course, I expect a company to know about what I do on their
      own site. When they start contracting it out to a third party, and
      moreover every other site contracts it out to the same third party,
      that seems a step too far.

      Web analytics is different from DoubleClick, because DoubleClick
      really does want to tie together everything you do and so only uses
      one cookie, whereas we use a separate cookie for each site, and keep
      the data separate. But that's subtle -- people still feel that one
      company knows everything they do, even if in fact we can't piece it
      together.

      Whether this worry is justified or misplaced is something people can
      debate endlessly; but I think it's at least one that intelligent
      people can hold, and I think it helps to understand what the issue
      actually is so that we can address it. And to turn it on its head, let
      me recall what Alex Chudnovsky said on 8th April:

      > Come to think of it -- is there _ANY_ good reason for a surfer NOT
      > to block all 3rd party cookies? I can't see a single one at all,
      > can you?

      As far as I can see, all third-party cookies are for the benefit of
      the site owner, not the visitor. The only benefits for the visitor are
      indirect ones (keeping the cost of the site down etc.).

      --
      Stephen Turner
      CTO, ClickTracks http://www.clicktracks.com/
    • Joe Wilson
      WARNING: If you are tired of the debate over third party cookies and privacy, don t bother reading this post. You have been warned! :o) ... I am not sure
      Message 2 of 10 , Jun 1, 2005
      • 0 Attachment
        WARNING: If you are tired of the debate over third party cookies and
        privacy, don't bother reading this post. You have been warned! :o)

        Stephen Turner wrote:

        >I don't think you've understood what people's main worries about
        >third-party cookies actually are. Or at least, if we set aside all the
        >conspiracy theories, there is still a genuine issue. It's that a lot
        >of companies all use DoubleClick for their advertising, so that
        >DoubleClick can piece together everything that I do on all the sites I
        >visit. Of course, I expect a company to know about what I do on their
        >own site. When they start contracting it out to a third party, and
        >moreover every other site contracts it out to the same third party,
        >that seems a step too far.
        >
        >
        >
        I am not sure that I buy this argument. DoubleClick is a member of the
        Network Advertising Initiative (http://www.networkadvertising.org),
        which places strict limits on what a member can do with regards to data
        collection and usage. In the interest of full disclosure, my company -
        Tacoda - is also an NAI member.

        A publisher chooses to be affiliated with DoubleClick (or Tacoda or
        ....) and to allow them to track their users. Any user can choose to
        opt-out (and in fact, can opt-out of all NAI member sites with a visit
        to a single page -
        http://www.networkadvertising.org/optout_nonppii.asp). No PII may be
        merged with non-PII data and links to the opt-out must to be placed on
        the privacy policy of any website using the service. See
        http://www.networkadvertising.org/aboutnai_principles.asp for a complete
        set of principles of the NAI.

        Contrast this to the standard (and might I add ubiquitous) credit card -
        they have PII, sell this data indiscriminately to catalog and direct
        marketing firms and know far more about you than DoubleClick or Tacoda,
        as it also includes purchase information from the mudane to the
        extravagant to the esoteric. All of this is buried in terms of service
        of the credit card printed in type so small that a magnifying glass is
        usually required to read it. On top of this, it is exceedingly
        difficult to opt-out of this program. And yet, I don't hear anybody
        calling for restrictions on the use of this data by credit card
        companies. For this invasion of privacy we get the convenience of not
        having to pay cash for everything and the benefit of carrying debt at
        extravagant interest rates. (OK, so maybe I am over-dramatizing this
        just a bit ;o) )

        >Web analytics is different from DoubleClick, because DoubleClick
        >really does want to tie together everything you do and so only uses
        >one cookie, whereas we use a separate cookie for each site, and keep
        >the data separate. But that's subtle -- people still feel that one
        >company knows everything they do, even if in fact we can't piece it
        >together.
        >
        >
        >
        >
        Agreed, but I think it is not quite so different as you make it out to
        be. Is it a reasonable use of third-party cookies to track a website
        visitor across sites owned by a single corporate parent? For example,
        there are a number of large publishing conglomerates in the US that have
        websites ranging from major daily newspapers to television stations and
        a variety of other media. They would claim that any customer of one
        business is thereby a customer of the parent organization and it is well
        within their rights to collect and use this data as they see fit. In
        addition, sometimes a single logical website is made up of a series of
        vanity URLs - take a look, for example, at iVillage.com, which uses
        different domains for different content.

        What about a publishing partner that provides some part of the content
        on a site or network of sites (cars.com, Associated Press, etc)? Is it
        reasonable for a site to track their visitor's usage on those sites if
        they were the conduit through which the pages were consumed? How about
        a e-commerce affiliate model such as Amazon or eBay, isn't it reasonable
        that a site owner be able to track the effectiveness of referrals of a
        visitor as they move off the site and potentially buy something from the
        affiliate partner?

        >As far as I can see, all third-party cookies are for the benefit of
        >the site owner, not the visitor. The only benefits for the visitor are
        >indirect ones (keeping the cost of the site down etc.).
        >
        >
        >
        I am not trying to be argumentative, but it seems the same could be said
        of all cookies and all tracking (including web analytics). The tie
        between tracking of visitor usage on a single site and some benefit to
        the visitor is tangential at best (improved site navigation, more
        relevant content, etc). There is no direct benefit to the consumer for
        any of these activities (with the possible, and I would claim trivial,
        exception of site personalization).

        It is my perspective that the debate over third party cookies is a
        canard. The real issue is control over data, who has that control and
        what the balance should be between a consumers right to privacy and the
        rights of a business to maximize the value of their business data.
        Cookies are simply a tool, and sadly, the only tool we have available to
        us to mediate this interaction between consumer and business.

        If a publisher clearly discloses their data collection practices and a
        visitor has a clear mechanism for opting out of data collection
        practices that they disagree with, I believe that a publisher is well
        within their rights to form whatever partnerships that they choose to
        maximize the value of that data.

        Regards,

        Joe Wilson
        Chief Scientist
        Tacoda
      • Stephen Turner
        ... All tracking, but not all cookies. Some sites, such as Craig s site LOVEFiLM, inherently require you to be logged in. They are unusable without cookies, or
        Message 3 of 10 , Jun 1, 2005
        • 0 Attachment
          --- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
          wrote:
          >
          > Stephen Turner wrote:
          >
          > >As far as I can see, all third-party cookies are for the benefit of
          > >the site owner, not the visitor. The only benefits for the visitor
          > >are indirect ones (keeping the cost of the site down etc.).
          >
          > I am not trying to be argumentative, but it seems the same could be
          > said of all cookies and all tracking (including web analytics). The
          > tie between tracking of visitor usage on a single site and some
          > benefit to the visitor is tangential at best (improved site
          > navigation, more relevant content, etc). There is no direct benefit
          > to the consumer for any of these activities (with the possible, and
          > I would claim trivial, exception of site personalization).
          >

          All tracking, but not all cookies. Some sites, such as Craig's site
          LOVEFiLM, inherently require you to be logged in. They are unusable
          without cookies, or at least some sort of session id. They don't
          require persistent cookies, but it's convenient to me not to have to
          log in again every day.

          > It is my perspective that the debate over third party cookies is a
          > canard. The real issue is control over data, who has that control
          > and what the balance should be between a consumers right to privacy
          > and the rights of a business to maximize the value of their business
          > data.
          >

          I think that's a fair point. Individuals put that balance in different
          places, and different cultures do too. In particular, Europeans tend
          to be much more skeptical of "rights of a business" in general. With
          regard to personal data, in the UK we have laws requiring businesses
          to reveal all personal data they hold about me for a £10 fee, and
          to give me an opportunity at data collection time to opt out of having
          my details passed to any other company. So I think the average
          European and the average American may have different perspectives on
          this.

          --
          Stephen Turner
          CTO, ClickTracks http://www.clicktracks.com/
        • Joe Wilson
          ... Undoubtedly true on all accounts. In fact, I have no problem with the process you describe. It is very much in line with the principles of the NAI and I
          Message 4 of 10 , Jun 1, 2005
          • 0 Attachment
            Stephen Turner wrote:

            >I think that's a fair point. Individuals put that balance in different
            >places, and different cultures do too. In particular, Europeans tend
            >to be much more skeptical of "rights of a business" in general. With
            >regard to personal data, in the UK we have laws requiring businesses
            >to reveal all personal data they hold about me for a £10 fee, and
            >to give me an opportunity at data collection time to opt out of having
            >my details passed to any other company. So I think the average
            >European and the average American may have different perspectives on
            >this.
            >
            >
            Undoubtedly true on all accounts. In fact, I have no problem with the
            process you describe. It is very much in line with the principles of
            the NAI and I suspect would be acceptable to most publishers in the US
            as well.

            Out of curiosity, how is "personal data" defined? Does it include
            anonymous behavioral information (i.e. clickstream data)? If so, that
            would seem an enormous burden on the business to keep behavioral data
            around in detail form for some period of time.

            We do not yet do business in Europe so I have managed to remain
            willfully ignorant (other than a basic familiarity) of European privacy
            regulations. Frankly, just keeping up with the state of affairs in the
            US is more than enough to keep me occupied. :o)
          • Stephen Turner
            ... No, I believe it s only personally identifiable information. So it s not strictly relevant to web analytics, except as a general cultural reluctance for
            Message 5 of 10 , Jun 1, 2005
            • 0 Attachment
              --- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
              wrote:
              > Stephen Turner wrote:
              >
              > Out of curiosity, how is "personal data" defined? Does it include
              > anonymous behavioral information (i.e. clickstream data)? If so,
              > that would seem an enormous burden on the business to keep
              > behavioral data around in detail form for some period of time.
              >

              No, I believe it's only personally identifiable information. So it's
              not strictly relevant to web analytics, except as a general cultural
              reluctance for companies to hold any form of personal data, and
              certainly to share it with other companies. (Of course, this attitude
              exists in certain American subcultures as much as in Europe.)

              --
              Stephen Turner
              CTO, ClickTracks http://www.clicktracks.com/
            • Craig Sullivan
              Well, Thanks for the mention there Stephen. We do require people to accept first party cookies to use our site but it isn t down to pure marketing reasons
              Message 6 of 10 , Jun 1, 2005
              • 0 Attachment
                [webanalytics] Re: First Party Vs. Third Party Cookie
                Well,
                 
                Thanks for the mention there Stephen.  We do require people to accept first party cookies to use our site but it isn't down to pure marketing reasons <grin>.  We have a balance to strike between ensuring session security (see www.owasp.org) and measuring visitor traffic in a way that helps me improve the site experience.
                 
                Yes,  the big difference I feel between many UK firms and US firms is that we in the UK are very aware of our responsibilities under the Data Protection laws.  In the USA, I think that there are some (not all) firms that take advantage of the information provided to abuse the relationship between consumer visits and the desire to market to these visitors.  I don't think the regulatory framework is strong enough in the US and I'm quite happy to work with the rules we have here in the uk (and EU)....
                 
                We are just completing our membership of the bonded sender program (sic) and this will allow us to get regular system emails to our customers.  We don't view this work as a way of sending rubbish to people but to ensure that our customers get timely, useful and pertinent information relating to their account subscription with us. 
                 
                There IS a benefit to web metrics and like Star Wars, this can always be used for the 'Dark Side' as well as for the good of the force.  I try to use this to benefit customers in meaningful ways.  For example, I've noticed that lots of people need new envelopes so I'm working on a 'request an envelope' system.  Some 'Dark Side' marketing folks probably would like to send them a co-branded envelope and several emails but I simply want to help people get what they want.
                 
                Cookies, logins, session IDs and other information can be used or misused - it all depends on the intent of the company involved. 
                 
                Craig Sullivan
                Product Manager, LOVEFiLM.
                www.lovefilm.com
                
                Sign up with code EM25 for a free month on me!
                Tel: + 44 (0) 20 7751 7547
                Fax: + 44 (0) 20 7751 7505
                Mobile: + 44 (0) 7711 657 315 


                From: webanalytics@yahoogroups.com on behalf of Stephen Turner
                Sent: Wed 6/1/2005 2:31 PM
                To: webanalytics@yahoogroups.com
                Subject: [webanalytics] Re: First Party Vs. Third Party Cookie

                --- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
                wrote:

                >
                > Stephen Turner
                wrote:
                >
                > >As far as I can see, all third-party cookies are for
                the benefit of
                > >the site owner, not the visitor. The only benefits
                for the visitor
                > >are indirect ones (keeping the cost of the site down
                etc.).
                >
                > I am not trying to be argumentative, but it seems the
                same could be
                > said of all cookies and all tracking (including web
                analytics).  The
                > tie between tracking of visitor usage on a single
                site and some
                > benefit to the visitor is tangential at best (improved
                site
                > navigation, more relevant content, etc).  There is no direct
                benefit
                > to the consumer for any of these activities (with the possible,
                and
                > I would claim trivial, exception of site
                personalization).
                >

                All tracking, but not all cookies. Some sites, such as Craig's site
                LOVEFiLM, inherently require you to be logged in. They are unusable
                without cookies, or at least some sort of session id. They don't
                require persistent cookies, but it's convenient to me not to have to
                log in again every day.

                > It is my perspective that the debate
                over third party cookies is a
                > canard.  The real issue is control
                over data, who has that control
                > and what the balance should be between a
                consumers right to privacy
                > and the rights of a business to maximize the
                value of their business
                > data. 
                >

                I think that's a fair point. Individuals put that balance in different
                places, and different cultures do too. In particular, Europeans tend
                to be much more skeptical of "rights of a business" in general. With
                regard to personal data, in the UK we have laws requiring businesses
                to reveal all personal data they hold about me for a £10 fee, and
                to give me an opportunity at data collection time to opt out of having
                my details passed to any other company. So I think the average
                European and the average American may have different perspectives on
                this.

                --
                Stephen Turner
                CTO, ClickTracks   http://www.clicktracks.com/





                ---------------------------------------
                Web Metrics Discussion Group
                Moderated by Eric T. Peterson
                Author, Web Analytics Demystified
                http://www.webanalyticsdemystified.com
                Yahoo! Groups Links

                <*> To visit your group on the web, go to:
                    http://groups.yahoo.com/group/webanalytics/

                <*> To unsubscribe from this group, send an email to:
                    webanalytics-unsubscribe@yahoogroups.com

                <*> Your use of Yahoo! Groups is subject to:
                    http://docs.yahoo.com/info/terms/




              • Andrew Edwards
                But what is personal data ? Web analytics tracks usage anonymously--or at least it does when properly practiced. I think the suspicion surrounding cookies is
                Message 7 of 10 , Jun 1, 2005
                • 0 Attachment
                  But what is "personal data"? Web analytics tracks usage anonymously--or
                  at least it does when properly practiced.

                  I think the suspicion surrounding cookies is actually an expressed
                  desire for invisibility rather than anonymity--which I think may be
                  unreasonable in some cases.

                  Stephen Turner wrote:

                  >--- In webanalytics@yahoogroups.com, Joe Wilson <joe.wilson@m...>
                  >wrote:
                  >
                  >
                  >>Stephen Turner wrote:
                  >>
                  >>
                  >>
                  >>>As far as I can see, all third-party cookies are for the benefit of
                  >>>the site owner, not the visitor. The only benefits for the visitor
                  >>>are indirect ones (keeping the cost of the site down etc.).
                  >>>
                  >>>
                  >>I am not trying to be argumentative, but it seems the same could be
                  >>said of all cookies and all tracking (including web analytics). The
                  >>tie between tracking of visitor usage on a single site and some
                  >>benefit to the visitor is tangential at best (improved site
                  >>navigation, more relevant content, etc). There is no direct benefit
                  >>to the consumer for any of these activities (with the possible, and
                  >>I would claim trivial, exception of site personalization).
                  >>
                  >>
                  >>
                  >
                  >All tracking, but not all cookies. Some sites, such as Craig's site
                  >LOVEFiLM, inherently require you to be logged in. They are unusable
                  >without cookies, or at least some sort of session id. They don't
                  >require persistent cookies, but it's convenient to me not to have to
                  >log in again every day.
                  >
                  >
                  >
                  >>It is my perspective that the debate over third party cookies is a
                  >>canard. The real issue is control over data, who has that control
                  >>and what the balance should be between a consumers right to privacy
                  >>and the rights of a business to maximize the value of their business
                  >>data.
                  >>
                  >>
                  >>
                  >
                  >I think that's a fair point. Individuals put that balance in different
                  >places, and different cultures do too. In particular, Europeans tend
                  >to be much more skeptical of "rights of a business" in general. With
                  >regard to personal data, in the UK we have laws requiring businesses
                  >to reveal all personal data they hold about me for a £10 fee, and
                  >to give me an opportunity at data collection time to opt out of having
                  >my details passed to any other company. So I think the average
                  >European and the average American may have different perspectives on
                  >this.
                  >
                  >
                  >
                • webbanalys
                  The tracks are never anonymous if enough data is available and these various sources are combined. Example: Using the cookie to pinpoint a unique browsers
                  Message 8 of 10 , Jun 5, 2005
                  • 0 Attachment
                    The tracks are never anonymous if enough data is available and these
                    various sources are combined.

                    Example: Using the cookie to pinpoint a unique browsers connection to
                    an IP, one can combine that information with the data found in a
                    firewall/proxy to pinpoint which computer that made the request.
                    There are companies today who use and have access to ISP registration
                    data to get more details of the visitor that were submitted when the
                    ISP surf account was activated.

                    A cookie alone containing IP number and random number doesn't have
                    any personal information, the danger lies in how other sources are
                    managed. I.e. a cookie policy can essentially be a blow in the air
                    given the other sources that when misused can be utilized to pinpoint
                    who the user is. Properly practiced and used a cookie is harmless.

                    /F

                    --- In webanalytics@yahoogroups.com, Andrew Edwards <aedwards@t...>
                    wrote:
                    > But what is "personal data"? Web analytics tracks usage anonymously-
                    -or
                    > at least it does when properly practiced.
                    >
                    > I think the suspicion surrounding cookies is actually an expressed
                    > desire for invisibility rather than anonymity--which I think may be
                    > unreasonable in some cases.
                  Your message has been successfully submitted and would be delivered to recipients shortly.